Effective date: Sept. 5, 2025
Last updated: Sept. 5, 2025
This privacy policy is governed by the laws of the Commonwealth of Massachusetts and applicable United States federal law.
What we collect: Your name, email, payment details (handled securely by Stripe) and device information via Google Analytics 4 (with IP anonymized). We don't collect sensitive information like Social Security numbers or children's data.
Why we collect it: To run our news site, send newsletters, process memberships and donations, analyze site use and keep things secure. We use it for journalism, support and limited marketing only with your consent.
Who we share with: Trusted vendors like Ghost, HubSpot, Google and Stripe under strict contracts — no selling your data. We share if legally required (e.g., subpoenas) or in business changes.
Your choices and rights: Manage cookies; request access, update or delete your information by emailing wdowd@marbleheadindependent.com. For children under 13: we don't target you, but parents can request removal. Massachusetts residents get strong security protections; non-United States visitors may have extra General Data Protection Regulation rights.
Security and breaches: We follow Massachusetts laws with encryption, training and a security plan. If a breach happens, we'll notify you fast if required and offer help like credit monitoring.
Contact us: Reach out at wdowd@marbleheadindependent.com for questions or for security reports. Full details below — read on for the legal information.
Full privacy policy
1. Scope and who we are
This privacy policy applies to The Marblehead Independent ("Independent," "we," "us"), a small, reader-funded, digital-first newsroom based in Massachusetts. It covers our website at https://www.marbleheadindependent.com, newsletters, events and related services. It does not apply to third-party sites we link to or services we don't control, such as social media shares. We operate on Ghost(Pro) content management system for content management, Stripe for payments, HubSpot for forms, customer relationship management and email, Google Analytics 4 (GA4) for analytics with IP anonymization. Google Workspace for email and documents. We prioritize journalistic integrity and reader privacy.
2. Key definitions
Personal information (PI): As defined in Massachusetts General Laws chapter 93H, a Massachusetts resident's first name and last name (or first initial and last name) combined with: (a) Social Security number; (b) driver's license or state identification number; or (c) financial account, credit or debit card number (with or without access codes that allow account access). This excludes publicly available information or government records lawfully shared.
Personal data: Broader term for any information identifying or relating to you, like email, device identification or browsing habits — distinct from PI but protected similarly under our policies.
Breach of security: Unauthorized acquisition or use of unencrypted data (or encrypted data with its key) that creates a substantial risk of identity theft or fraud (per Massachusetts General Laws chapter 93H).
Other terms: "Service providers" are vendors like Stripe (processor for payments) and HubSpot (processor for customer relationship management and email); we act as controller for your data.
3. Information we collect
We collect minimal data to operate as a newsroom.
Directly provided: Name, email, address, phone (e.g., via HubSpot forms for memberships, newsletters, event RSVPs, surveys or letters to the editor); payment information (processed by Stripe — we don't store full card details); communications like emails or source tips.
Automatically collected: Device and browser type, IP (anonymized in GA4), cookies, usage data (pages viewed, time spent); referral links via Bitly.
From third parties: Payment confirmations from Stripe; email open and click metrics from HubSpot.
Sensitive data: We do not seek Social Security numbers, health information or other sensitive categories. We avoid collecting data from children under 13 (see Section 14). No racial, ethnic or biometric data unless voluntarily shared in journalistic contexts (handled confidentially).
4. How we use information (purposes)
We use data fairly and only as needed (per Federal Trade Commission Act Section 5 against unfair and deceptive practices).
Provide services: Publish content, deliver newsletters, process memberships and donations via Stripe, host events.
Billing and support: Handle payments, respond to inquiries via Google Workspace and HubSpot.
Security and fraud: Detect threats, comply with laws.
Analytics: Aggregate data in GA4 for site improvements (limited retention).
Marketing: Send updates or promotions only with consent, per Controlling the Assault of Non-Solicited Pornography And Marketing Act and Telephone Consumer Protection Act.
Legal: Respond to subpoenas or audits.
5. Legal bases and United States compliance notes
In the United States, we rely on consent (e.g., for marketing), contract (e.g., memberships), legitimate interests (e.g., journalism and security) or legal obligations. We apply journalism exceptions where data use supports free press but always secure PI (per 201 Code of Massachusetts Regulations 17.00). No deceptive practices (Federal Trade Commission Act Section 5).
For visitors outside the United States (General Data Protection Regulation and United Kingdom General Data Protection Regulation): If you're in the European Union or United Kingdom (though we don't target you), we process data as controller on bases like consent, contract or legitimate interests (e.g., providing news). Rights include access, rectification, erasure — contact wdowd@marbleheadindependent.com. Transfers to United States use Standard Contractual Clauses (SCCs) or Data Privacy Framework (DPF) if applicable; we're not DPF-certified but use SCCs with vendors. This section applies only to non-United States visitors.
6. Cookies, analytics and
We use cookies for functionality:
Types: Strictly necessary (site operation), analytics (GA4 for aggregated insights — IP masked, no personal ads), functional (preferences).
GA4: Configured with anonymization; data retained approximately 14 months.
Opt-out: Use browser settings or GA opt-out tool (link: https://tools.google.com/dlpage/gaoptout). We honor Do Not Track signals where possible. Manage preferences via site footer link.
No cross-site tracking for ads; limited to internal use.
7. Payment information Payments are processed by Stripe as our Payment Card Industry Data Security Standard-compliant processor — we do not store full card numbers or card verification values. We receive only tokenized information and billing addresses for verification. Stripe handles Payment Card Industry Data Security Standard; we ensure our integration complies (e.g., Hypertext Transfer Protocol Secure). Data is encrypted in transit and rest.
8. Email and newsletters Emails via HubSpot comply with Controlling the Assault of Non-Solicited Pornography And Marketing Act: clear sender identification, physical address The Marblehead Independent, 217 Humphrey Street, Marblehead, Massachusetts 01945, one-click unsubscribe (honored in 10 days).
9. Sharing and disclosure We share data minimally:
Service providers: Ghost (hosting), Stripe (payments), HubSpot (customer relationship management and email), Google (analytics and Workspace) — under contracts requiring safeguards (per 201 Code of Massachusetts Regulations 17.00).
Law enforcement: Only if legally required (e.g., subpoena); we challenge overbroad requests.
Business transfers: In mergers and acquisitions, data transfers with protections.
No selling personal information; no targeted ads on sensitive data; no resale.
10. Massachusetts data security program and safeguards We maintain a Written Information Security Program compliant with 201 Code of Massachusetts Regulations 17.00, designating a coordinator for oversight. It includes risk assessments, employee training on threats, access controls (e.g., role-based), encryption for PI in transit (Hypertext Transfer Protocol Secure) and on portables, firewall and malware protection, vendor due diligence (contracts mandating compliance) and incident response. We use Transport Layer Security for transmissions; data at rest encrypted where feasible. Annual reviews ensure effectiveness.
11. Data retention and disposal We retain data only as needed: analytics (14 months), customer relationship management and memberships (24 months post-activity or while active), payments (seven years for taxes). Transcripts deleted after use unless archived with consent. Secure disposal per Massachusetts General Laws chapter 93I: shred paper, erase or wipe electronic so PI can't be reconstructed.
12. Massachusetts breach notification If a breach of security (per Massachusetts General Laws chapter 93H) affects Massachusetts residents' PI, we'll notify the attorney general, Office of Consumer Affairs and Business Regulation and impacted residents as soon as practicable without unreasonable delay. Attorney general and Office of Consumer Affairs and Business Regulation notices include breach nature, affected count, steps taken (but residents' notices exclude breach nature and count). If Social Security number involved, offer 18 months free credit monitoring; for financial accounts with access codes, 42 months. We'll provide police report rights and security freeze information.
13. Your choices and rights United States readers: Access, update or delete data via wdowd@marbleheadindependent.com; cookie controls (browser and GA tool).
We voluntarily extend access and rectification rights to all for transparency (not Massachusetts-mandated).
For non-United States visitors (General Data Protection Regulation and United Kingdom General Data Protection Regulation): If applicable, rights to object, restrict, portability; complain to supervisory authority. Contact wdowd@marbleheadindependent.com.
14. Children's privacy Per Children's Online Privacy Protection Act, our site isn't directed to children under 13 — we don't knowingly collect their data. If we learn of such, we'll delete it. Parents: contact wdowd@marbleheadindependent.com for review and removal; we require verifiable parental consent for any under-13 processing.
15. Source confidentiality (journalism-specific note) Reader and member data is separate from journalistic sources. We protect source anonymity per our ethics policy — but this privacy policy doesn't promise anonymity; consult our sourcing guidelines.
16. International transfers (if applicable) Data is hosted in the United States. For European Union and United Kingdom visitors, transfers use SCCs with vendors (as we're United States-based, no European Economic Area storage).
17. Changes to this policy We'll post updates here; for material changes (e.g., new uses), notify via site banner or email. Changes effective on posting unless stated.
18. Contact Mail: The Marblehead Independent, 217 Humphrey Street, Marblehead, Massachusetts 01945 Email: wdowd@marbleheadindependent.com (questions and rights) Security reports: wdowd@marbleheadindependent.com (vulnerabilities and breaches)