The Autonomy Review

Privacy Policy

Last updated: March 27, 2026

This Privacy Policy describes how The Autonomy Review (“we,” “us,” or “our”) collects, uses, discloses, and otherwise processes personal information in connection with our website, newsletter, and related services (collectively, the “Services”). By using the Services, you acknowledge that you have read this notice.

We may update this Privacy Policy from time to time. If we make material changes, we will take steps to notify you as required by applicable law, including by updating the “Last updated” date above and (where appropriate) by email or an on-site notice.

If you have questions, contact us at legal@theautonomyreview.com.

1. Who is responsible for your information?

The Services are operated by The Autonomy Review. For privacy-law purposes, The Autonomy Review is the controller of the personal information described in this policy.

This policy does not apply to third-party websites, applications, or services that we do not control, even if they are linked from the Services.

If you need the name of the legal entity responsible for the Services or an address for formal privacy notices, contact us at legal@theautonomyreview.com.

2. Information we collect

We collect information that you provide directly, information we receive automatically when you use the Services, and limited information from service providers involved in subscriptions, payments, or authentication.

2.1 Information you provide

  • Email address. When you subscribe, sign in, or contact us, you may provide an email address. We use it to deliver the newsletter, send transactional messages (such as magic-link sign-in and subscription confirmations), and respond to inquiries.
  • Account and profile details. If you create or maintain an account, we may store details you provide (such as an optional display name) and records associated with your subscription tier or account status.
  • Communications. If you email us, we retain the content of the communication and associated metadata (such as your email address and timestamps) as needed to respond and maintain our records.

2.2 Information collected automatically

  • Cookies and similar technologies. We use cookies and related technologies primarily for essential functions such as operating the Services, maintaining sessions, protecting against abuse, and remembering preferences where applicable. Essential session cookies may include identifiers that allow our servers to associate your browser with an authenticated session after you sign in. If we use non-essential cookies or similar technologies, we will obtain any consent required by applicable law before doing so.
  • Device and usage data. Our servers and service providers may collect technical information such as IP address, browser type, device identifiers, and standard server log information when you interact with the Services.
  • Security and anti-abuse signals. We may process technical data to detect, investigate, and help prevent fraud, spam, unauthorized access, or other misuse of the Services.

2.3 Passkeys (WebAuthn) and sign-in security

If you choose to register a passkey (sometimes labeled Touch ID, Face ID, or device sign-in), your device creates a cryptographic key pair. Typically, the private key remains on your device, and we store the public key and related metadata (such as credential identifiers and sign-in counters) needed to verify future sign-ins. We do not receive your biometric data; biometric verification, if any, is performed locally by your device or browser.

2.4 Payment and subscription information

Paid plans are processed by our payment processor (currently Stripe). We collect and store certain subscription identifiers (such as customer and subscription IDs) and plan details needed to administer access. Payment card numbers and similar payment instrument details are handled by Stripe according to its policies and industry standards (we generally do not store full payment card numbers on our systems).

3. How we use personal information

We use personal information to:

  • Provide, operate, maintain, and improve the Services;
  • Create and manage accounts, authenticate users, and fulfill subscriptions;
  • Send transactional and service-related communications (including security notices, confirmations, and subscription messages);
  • Send the newsletter and editorial content in line with your preferences, including honoring unsubscribe requests;
  • Analyze usage in aggregated or de-identified form to understand readership and improve product quality and reliability;
  • Comply with law, enforce our terms, and protect rights, safety, and security; and
  • Carry out other purposes disclosed to you at collection, or with your consent where required.

4. Legal bases (where applicable)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on one or more of the following legal bases under applicable data protection law:

  • Performance of a contract — to provide the Services you request (for example, delivering the newsletter to subscribers);
  • Legitimate interests — to secure the Services, prevent abuse, understand aggregate usage, communicate about the Services, and improve functionality, balanced against your rights and expectations;
  • Consent — where required for certain cookies, marketing communications, or other processing for which consent is mandated by law; and
  • Legal obligation — where processing is necessary to comply with applicable law.

5. How we share personal information

We share personal information with service providers and partners who perform services on our behalf (as “processors” or “subprocessors”), including:

  • Email delivery providers (currently Resend) to send newsletters and transactional messages;
  • Payment processors (currently Stripe) to bill subscriptions and manage payments;
  • Hosting, infrastructure, and security vendors to operate our website, APIs, databases, and supporting systems; and
  • Analytics or logging providers solely as needed to operate and protect the Services (we aim to minimize unnecessary tracking).

We may also share information if required by law, legal process, or governmental request; to enforce our policies or agreements; to investigate security incidents; or to protect the rights, property, or safety of our readers, the public, or us. If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality arrangements.

We do not sell your personal information in the conventional sense, and we do not “share” personal information for cross-context behavioral advertising as defined under certain U.S. state privacy laws. If we ever change this approach, we will update this policy and provide legally required choices.

6. International transfers

We may process and store information in the United States and other countries where we or our service providers operate. Those countries may have data protection laws that differ from those where you live. Where required by law, we implement appropriate safeguards (such as Standard Contractual Clauses) for international transfers.

7. Retention

We retain personal information for as long as necessary to provide the Services and fulfill the purposes described in this policy, unless a longer period is required or permitted by law. For example, we may retain:

  • Account and subscription records for the life of the relationship and for a reasonable period afterward to resolve disputes and comply with tax, accounting, and legal requirements;
  • Security and server logs for a limited period consistent with operational and security needs; and
  • Marketing suppression lists (such as unsubscribe records) indefinitely where necessary to honor your choices.

8. Security

We implement technical and organizational measures designed to protect personal information against unauthorized access, loss, or alteration. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

9. Your privacy choices and rights

Depending on your location, you may have rights to:

  • Access, correct, or update certain personal information;
  • Delete certain information, subject to legal exceptions;
  • Object to or restrict certain processing;
  • Withdraw consent where processing is based on consent; and
  • Port personal information you provided where technically feasible.

Residents of certain U.S. states (including California) may have additional rights under local laws, such as the right to know categories of personal information collected, the right to request deletion, and the right not to be discriminated against for exercising privacy rights. Residents of the EEA, UK, and Switzerland may have the right to lodge a complaint with a supervisory authority.

To exercise applicable rights, contact us at legal@theautonomyreview.com. We may need to verify your identity before fulfilling certain requests. Authorized agents may submit requests where permitted by law. If we deny a request, you may have the right to appeal as provided under applicable law.

You may opt out of marketing emails by using the unsubscribe link in our messages or by contacting us, subject to certain transactional notices we must send.

10. Children

The Services are not directed to children under 13 (or the minimum age required in your jurisdiction), and we do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us and we will take appropriate steps to investigate and delete it where required.

11. Region-specific disclosures

California. If you are a California resident, you may request additional details about categories of personal information we collect, the purposes of collection, and categories of recipients, as described above. In general, we collect identifiers (such as email address, account identifiers, and device or cookie identifiers), commercial information related to subscriptions, internet or other electronic network activity information, and communications you send us. We do not use or disclose “sensitive” personal information for inferring characteristics in a manner that would trigger opt-out rights under the CPRA beyond what is necessary to provide the Services.

EEA / UK / Switzerland. If you are located in these regions, you may contact us for more information about transfers and to exercise GDPR (or local equivalent) rights. Our representative contact for general privacy inquiries is the email address listed above.

12. Related terms

Our Terms of Service contain additional provisions regarding accounts, acceptable use, and disputes.