Privacy Policy
What happens to your data when you visit vibemyway.com or sign up for the newsletter. Written to be read, not skimmed. If something is unclear, email us and we'll answer plainly.
Section 01
Who is responsible for your data
The data controller for vibemyway.com is:
Federico Pizzutto — sole proprietorship
Luxembourg, European Union
VAT: LU34016608 · RCS: A44145
Contact: federico [at] vibemyway.com
We are based in Luxembourg and operate under the EU General Data Protection Regulation (GDPR) and Luxembourg's data protection law. The supervisory authority is the CNPD (Commission nationale pour la protection des données).
Section 02
What data we collect, and why
We only collect data when you choose to give it to us, or when it is strictly necessary to serve the website.
When you visit the site
The site is a self-hosted static website. The server logs a minimal record of each request — IP address, timestamp, page requested, and browser user-agent — strictly to keep the site running and to spot abuse. These logs are not used to profile you and are not sold or shared.
Legal basis: legitimate interest
Operating and securing the website. Server access logs are kept no longer than 30 days, then overwritten.
Analytics and session recording (PostHog)
If you accept analytics cookies through our cookie banner, we use PostHog to understand how the site is used and to improve it. PostHog collects:
- Product analytics — which pages you visit, in what order, how long you stay, which buttons or links you click, and technical context (approximate country from IP, browser, device type, screen size, referring site).
- Session recordings — an anonymized replay of your visit. Input-masking is on: text you type into forms is replaced with asterisks before leaving your browser. Your IP address is not stored alongside the recording.
A pseudonymous identifier is assigned to your browser so page views and recordings from the same visit can be grouped. This identifier is not linked to your name or email unless you sign up for the newsletter, in which case it may be associated with your subscriber record within PostHog for product analytics only — never resold, never shared.
Legal basis: consent
Given through the cookie banner. Withdraw at any time by opening the banner again or clearing your browser cookies. PostHog event data is retained up to 12 months; session recordings up to 30 days. If you decline analytics cookies, PostHog does not load at all.
When you sign up for the newsletter
If you enter your email into the newsletter form, we collect:
- Your email address
- The date and time of sign-up
- The page or source you signed up from (if we tag the link)
- Your interactions with our emails — whether you open them and which links you click
This data is processed through Sender.net so we can send the newsletter and understand which content lands.
Legal basis: consent
Withdraw at any time by clicking "unsubscribe" in any email we send. After unsubscribing, Sender.net retains your record according to its own retention policy.
When you email us
If you email federico [at] vibemyway.com, we receive whatever is in your message and keep it in Proton Mail to reply and maintain a record of the exchange.
Legal basis: legitimate interest or consent
Depending on context. Retained for up to 24 months after the conversation closes.
When you purchase a product
Paid products are sold through Lemon Squeezy (Lemon Squeezy, Inc.), which acts as the merchant of record and as a separate data controller for the payment transaction. When you check out, Lemon Squeezy collects the data it needs to complete the sale: your name, billing address, email address, VAT ID (if you provide one), and payment details. We never see your full card number — that stays between you, Lemon Squeezy, and their payment processors.
From that transaction we receive and store the order record (order ID, product purchased, amount, country, tax applied, email address, and — if you provided one — your VAT ID and business name), so we can deliver the product, support you afterwards, and meet our tax and accounting obligations.
Legal basis: performance of the sales contract, and legal obligation (Luxembourg tax and accounting law)
Payment-related records are retained for the period required by Luxembourg tax law — generally 10 years for invoices (see Section 7). Lemon Squeezy processes the data it collects under its own privacy notice; please read it for details of what they do with the data they control.
Section 03
Cookies and similar technologies
Categories we use
| Category | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Make the site function (e.g., remembering that you dismissed the cookie banner) | No |
| Analytics & session recording | PostHog — see below | Yes |
| Newsletter-related | Sender.net — set only when you interact with the newsletter form or click a tracked link in our emails | Yes (covered by newsletter opt-in) |
No analytics cookies are set before you give consent. If you decline or ignore the banner, those scripts do not load at all.
PostHog cookies
| Cookie / identifier | Purpose | Duration |
|---|---|---|
| `ph_<project-key>_posthog` | Assigns a pseudonymous ID so page views and recordings from the same visit are grouped | Up to 12 months |
| `ph_<project-key>_posthog_session_id` | Marks the current session for session recording continuity | 30 minutes of inactivity |
| Session recording buffer | Holds the anonymized replay in-browser before sending to PostHog | Session only |
Sender.net cookies
| Cookie / identifier | Purpose | Duration |
|---|---|---|
| Form session | Allows the newsletter form to submit and prevents duplicate sign-ups in the same session | Session |
| Tracking ID | Identifies you when you click a link in our newsletter, so we can record opens and clicks at the subscriber level | Up to 12 months |
| Form performance | Records whether a form was shown, submitted, or abandoned | Up to 12 months |
These are only set once you actively engage with the newsletter. For the authoritative list see sender.net/privacy and posthog.com/privacy.
Your choices
- Use the cookie banner to accept or decline analytics.
- Re-open the banner at any time via the "Cookie settings" link in the site footer to change your choice.
- Block or delete cookies in your browser at any time. This may affect features that rely on them but does not affect your ability to read the site.
- Unsubscribe from the newsletter using the link at the bottom of every email.
Section 04
Do Not Track and Global Privacy Control
Our analytics provider (PostHog) honours the Global Privacy Control (GPC) signal when sent by your browser. If GPC is enabled, analytics and session recording are disabled automatically, even if you haven't interacted with the cookie banner.
Section 05
Who we share your data with
We do not sell your data. We share it only with the service providers we need to run the site, the analytics, and the newsletter. Each one acts as a data processor under a written data processing agreement (DPA) with us.
| Service | Role | Where data is processed |
|---|---|---|
| PostHog (PostHog Inc.) | Product analytics and session recording | EU — Frankfurt, Germany (PostHog EU Cloud) |
| Sender.net (UAB "Sender") | Newsletter sending, list storage, click/open tracking | Lithuania (EU) |
| Proton Mail (Proton AG) | Email correspondence | Switzerland (adequate country under GDPR) |
| Web hosting provider | Serving the static website | EU data centre |
| Lemon Squeezy | Payment processing, tax compliance, invoicing | United States (with EU Standard Contractual Clauses) |
We will update this list if a processor changes.
Section 06
International transfers
Most data stays within the EU / EEA.
- PostHog: we use the EU Cloud region (Frankfurt, Germany). Data is stored and processed inside the EU. PostHog Inc. is US-incorporated, so in the limited cases where support staff access EU data, that access is covered by the EU Standard Contractual Clauses and PostHog's supplementary measures.
- Sender.net is established in Lithuania (EU) — no extra safeguards required.
- Proton Mail is based in Switzerland, which has an EU adequacy decision — your data receives equivalent protection.
- Lemon Squeezy processes checkout and billing data in the United States under the EU Standard Contractual Clauses and Lemon Squeezy's supplementary technical and organisational measures.
Section 07
How long we keep your data
- Server logs: up to 30 days.
- PostHog product analytics events: up to 12 months, then deleted.
- PostHog session recordings: up to 30 days, then deleted.
- Newsletter subscription data: for as long as you remain subscribed. After unsubscribing, retention follows Sender.net's own schedule.
- Email correspondence: up to 24 months after the last exchange, then reviewed and deleted if no longer needed.
- Payment records (future): the period required by Luxembourg tax law — generally 10 years for invoices.
Section 08
Your rights under GDPR
You have the right to:
- Access the data we hold about you.
- Correct it if it is wrong or incomplete.
- Delete it ("right to be forgotten"), subject to legal retention obligations.
- Restrict or object to certain processing.
- Port your data to another service in a machine-readable format.
- Withdraw consent at any time, without affecting the lawfulness of processing done before withdrawal.
- Lodge a complaint with the CNPD or the data protection authority in your country of residence.
To exercise any of these rights, email federico [at] vibemyway.com with "Privacy request" in the subject line. We will respond within 30 days, and usually much sooner.
For newsletter-specific requests (change your email, delete your subscriber record), you can go directly to Sender.net's subscriber preferences link included in every email. For analytics-specific requests, we can delete the PostHog record tied to your pseudonymous ID on request.
Section 09
Security
We apply standard technical measures: HTTPS across the site, strong passwords and two-factor authentication on the accounts that access your data, and restricted access to systems that handle personal information. The service providers listed in Section 5 apply their own security controls, documented in their respective policies.
No online service is absolutely secure. If a breach that affects your personal data occurs, we will notify the CNPD within 72 hours and, if the risk to you is high, notify you directly as required by GDPR.
Section 10
Children
The site and the newsletter are not directed at children under 16, and we do not knowingly collect data from them. If you believe a child has signed up, email us and we will delete the record.
Section 11
Automated decisions and profiling
We do not make automated decisions that produce legal or similarly significant effects on you. PostHog's engagement data and Sender.net's open/click data may be used to group visitors and subscribers into coarse segments (for example, "reads the newsletter regularly" vs. "new visitor") so we can send more relevant content. This is ordinary segmentation, not automated decision-making in the GDPR sense. You can opt out at any time by withdrawing consent or unsubscribing.
Section 12
Changes to this policy
We will update this policy when something material changes — for example, when a new processor is added or a retention period changes. The "Last updated" date at the top tells you when the most recent change happened. For significant changes affecting active subscribers, we will send a short notice by email before the change takes effect.
Section 13
Contact
Email: federico [at] vibemyway.com
Use "Privacy request" in the subject line for privacy matters.
Supervisory authority (Luxembourg):
Commission nationale pour la protection des données (CNPD)
15, Boulevard du Jazz, L-4370 Belvaux, Luxembourg
cnpd.public.lu