Privacy Policy.
1. Who we are
The data controller is Superdots S.r.l., with registered office at Via Ferrini 11, Paderno Dugnano (MI), Italy (P.IVA: 09171640965), operating under the brand name “Superdots” (“we”, “us”). We operate the website superdots.sh (the “Site”).
For questions about this policy or to exercise your data protection rights, contact us at privacy@superdots.sh.
2. What data we collect
We collect the minimum data needed to run this Site:
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Privacy-friendly analytics (page URL, referrer, browser, OS, device type, country) via Umami Analytics (self-hosted) | Understand which content is useful so we can improve the Site — no cookies, no personal data stored, no cross-site tracking | Legitimate interest — Art. 6(1)(f) |
| Usage analytics (page views, referrer, device type) via Google Analytics 4 | Understand which content is useful so we can improve the Site | Consent — Art. 6(1)(a) |
| Session replays via Umami Replays (self-hosted) | Understand how visitors interact with pages so we can improve usability — recordings are anonymised (form inputs masked), no personal data stored, auto-deleted after 30 days | Consent — Art. 6(1)(a) |
| Heatmaps and session recordings via Microsoft Clarity | Understand how visitors interact with pages so we can improve usability | Consent — Art. 6(1)(a) |
| Ad conversion data and retargeting identifiers via Reddit Pixel | Measure the effectiveness of Reddit advertising campaigns and build retargeting audiences for ads | Consent — Art. 6(1)(a) |
| Ad conversion data and retargeting identifiers via Meta Pixel | Measure the effectiveness of Meta (Facebook/Instagram) advertising campaigns, build retargeting and lookalike audiences | Consent — Art. 6(1)(a) |
| Affiliate link click attribution via Skimlinks | Automatically convert outbound product links into affiliate links so Superdots can earn a commission from merchants | Consent — Art. 6(1)(a) |
| Theme preference (sd-theme in localStorage) | Remember your light/dark mode choice | Legitimate interest — Art. 6(1)(f) |
| IP address & server logs (via Cloudflare) | Deliver pages, protect against abuse | Legitimate interest — Art. 6(1)(f) |
| Email address (newsletter signup) | Send you our newsletter with articles and updates about AI at work | Consent — Art. 6(1)(a) |
We do not collect names, payment information, or require user accounts. The only personal data we ask for is your email address if you choose to subscribe to our newsletter.
3. Cookies and similar technologies
See our Cookie Policy for the full list of cookies, their purposes, durations, and how to manage them.
4. Third-party data processors
| Service | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Umami Analytics (self-hosted) | Privacy-friendly traffic analytics + session replays (consent-gated) | Aggregated, anonymous page-view metrics (page URL, referrer, browser, OS, device type, country derived from IP — no IP stored, no cookies). Session replays (only with consent): anonymised recordings of clicks, scrolls, and navigation with form inputs masked. Recordings auto-deleted after 30 days. | Self-hosted on Superdots infrastructure (EU) — no third-party data transfer |
| Google Analytics 4 | Traffic analytics | Pseudonymised usage data, IP address (anonymised by default in GA4) | Google Privacy |
| Microsoft Clarity | Heatmaps & session recordings | Pseudonymised interaction data (clicks, scrolls, mouse movements) | Microsoft Privacy |
| Reddit, Inc. | Ad conversion tracking and retargeting (Reddit Pixel) | Pseudonymised ad conversion events, page visit data, click IDs for campaign attribution | Reddit Privacy |
| Meta Platforms, Inc. | Ad conversion tracking and retargeting (Meta Pixel) | Pseudonymised ad conversion events, page view data, content interactions for campaign attribution and lookalike audiences | Meta Privacy |
| Taboola, Inc. (Skimlinks) | Affiliate link attribution | Outbound product link clicks, merchant referral data for commission tracking | Skimlinks Privacy |
| Cloudflare Pages | Hosting, CDN, DDoS protection | IP address, request metadata | Cloudflare Privacy |
| Mautic (self-hosted) | Newsletter contact management, subscription lifecycle, and marketing automation — sole contact database | Email address, subscription status, consent metadata (timestamp, IP, source), email engagement data (opens, clicks) | Self-hosted on EU infrastructure controlled by Superdots — no third-party data sharing |
| Resend | Email delivery (SMTP relay only) — Resend does not store subscriber contact data | Email address (transit only), delivery metadata (bounce/open events) | US-based, EU–US DPF-certified; DPA |
5. International data transfers
Umami Analytics and Mautic are self-hosted on Superdots infrastructure located in the European Union — no international data transfer occurs for these services.
Google, Microsoft, Cloudflare, and Resend process data in the United States. All four providers are certified under the EU–US Data Privacy Framework (DPF) and incorporate Standard Contractual Clauses (SCCs) in their data processing agreements as additional transfer safeguards.
Reddit, Inc. (Reddit Pixel, activated only with marketing consent) processes data in the United States. The transfer is governed by Standard Contractual Clauses (SCCs) as the legal mechanism under Art. 46(2)(c) GDPR. Reddit Pixel cookies are only set after you explicitly grant marketing consent.
Meta Platforms, Inc. (Meta Pixel, activated only with marketing consent) processes data in the United States. The transfer is governed by the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR. Meta Pixel cookies are only set after you explicitly grant marketing consent.
Taboola, Inc. (Skimlinks, activated only with marketing consent) processes data in the United States. The transfer is governed by Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR. Skimlinks cookies are only set after you explicitly grant marketing consent.
Newsletter subscriber data (email addresses, engagement metrics) is managed by Mautic (self-hosted on servers located in the European Union) and delivered via Resend. Resend is US-based and DPF-certified — see their DPA for transfer safeguards.
You can review each provider’s transfer documentation: Google, Microsoft, Cloudflare, Resend, Reddit, Skimlinks.
6. Data retention
- Umami Analytics data: aggregated page-view metrics retained on our self-hosted server. No personal data or IP addresses are stored. Session replay recordings (consent-gated) are automatically deleted after 30 days.
- Google Analytics data: retained for 14 months (GA4 default), then automatically deleted.
- localStorage (theme): persists until you clear your browser data.
- Microsoft Clarity data: session recordings and heatmap data retained for 30 days by Microsoft, then automatically deleted.
- Reddit Pixel data: conversion and audience data retained by Reddit per their data retention policy. The _rdt_uuid cookie has a 2-year lifetime; data associated with it is retained by Reddit for up to 2 years.
- Meta Pixel data: conversion and audience data retained by Meta per their data policy. Both the _fbp and _fbc cookies have a 90-day lifetime; data associated with them is retained by Meta for up to 2 years.
- Skimlinks data: affiliate click attribution data retained by Taboola per their privacy policy. Cookies have a maximum 30-day lifetime.
- Cloudflare logs: retained per Cloudflare’s standard retention (typically 72 hours for edge logs).
- Newsletter email addresses (confirmed): retained until you unsubscribe. Upon unsubscription, your email and engagement history are immediately deleted from our marketing automation system (Mautic, self-hosted, EU).
- Newsletter email addresses (unconfirmed): retained for up to 30 days after signup. If you do not confirm your subscription within this period, your email and related data are automatically deleted.
7. Newsletter
If you subscribe to our newsletter, we collect your email address solely to send you articles and updates about AI at work. The legal basis is your explicit consent (Art. 6(1)(a) GDPR).
- Opt-in: We use a confirmed opt-in process. After entering your email, you will receive a confirmation email. Your subscription is only active once you click the confirmation link.
- Pre-confirmation storage: When you submit the signup form, we temporarily store your email address and related data (IP address, timestamp) to send and process the confirmation email. The legal basis for this pre-confirmation processing is Art. 6(1)(b) GDPR (necessary to perform the steps you requested before entering into an agreement). If you do not confirm within 30 days, your data is automatically deleted. Unconfirmed contacts are technically blocked from receiving any newsletter content.
- What we send: New articles, curated links, and practical guides about AI at work — no more than once per week. We do not send promotional or product marketing content via the newsletter.
- Tracking: Our marketing automation system (Mautic, self-hosted) uses a tracking pixel (a tiny invisible image) to detect email opens, and link rewriting to measure which links you click. This data is associated with your email address and used solely to improve our content. You can prevent open tracking by disabling remote image loading in your email client.
- Unsubscribe: Every email contains a one-click unsubscribe link. You can also email privacy@superdots.sh to be removed. Unsubscription triggers immediate deletion of your contact and engagement data from Mautic.
- Data processors: Your subscriber data (email, consent records, engagement history) is stored exclusively in Mautic, self-hosted by Superdots on EU servers. All emails (confirmation and campaign) are delivered via Resend (US-based, DPF-certified; DPA), which acts as an SMTP relay only and does not retain subscriber contact data.
8. Your rights
Under GDPR (and Italian D.Lgs. 196/2003 as amended by D.Lgs. 101/2018), you have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure (“right to be forgotten”) (Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time for analytics cookies (GA4/Clarity), marketing cookies (Reddit Pixel, Meta Pixel, Skimlinks), or newsletter subscription, without affecting the lawfulness of prior processing (Art. 7(3)). Note: Umami Analytics runs without cookies and does not require consent — you can still object to this processing under Art. 21.
To exercise any of these rights, email privacy@superdots.sh. We will respond within one month. If your request is complex or we receive a high volume of requests, we may extend this period by up to two additional months; if so, we will notify you within the first month and explain the reason for the extension (Art. 12(3) GDPR).
9. Complaints
If you believe your data protection rights have been violated, you may lodge a complaint with:
- Garante per la protezione dei dati personali (Italian Data Protection Authority) — www.garanteprivacy.it
- Or your local EU supervisory authority under Art. 77 GDPR.
10. Changes to this policy
We may update this policy from time to time. Changes are effective when posted on this page. The “Last updated” date at the top reflects the most recent revision.