You agree to the privacy policy below, and the Privacy Policy for Substack, the technology provider.

PUBLISHER PRIVACY POLICY

Last updated: June 19, 2026

1) Who we are & scope

This Publisher Privacy Policy (“Policy”) explains how PAG Project, LLC (“PAG,” “we,” “us”) collects, uses, and shares information when you use:

  • Our Substack Publication (posts, email delivery, comments, Chat, Notes, recommendations/referrals, paid tiers);

  • pagproject.com and related subdomains (if any);

  • our newsletters/emails and all @pagprojectHQ social/community properties (X, YouTube, Instagram, Rumble, TikTok, Discord, LinkedIn); and

  • our podcast

(collectively, the “Sites & Channels”).

Layered privacy. Substack’s own Privacy Policy also applies to your use of Substack’s platform and services (e.g., account creation, app behavior, platform analytics, email delivery). This Policy describes what PAG does with data we receive or control, and supplements our Terms of Use.

Contacts (privacy requests): contact@pagproject.comMail: PAG Project, LLC, 5900 Balcones Drive, STE 100, Austin, TX 78731.

We do not sell personal information for money. If we ever engage in “targeted advertising” or “sharing” (cross-context behavioral advertising) as defined by applicable law, we will provide opt-out controls and honor Global Privacy Control (GPC) and other recognized universal opt-out signals where required.


2) Journalistic, expressive & publicly available information (important)

PAG is an investigative-journalism, petitioning, and public-commentary publisher. A substantial part of our activity is the collection, analysis, retention, publication, and archiving of information for journalistic, editorial, expressive, historical, and public-interest purposes. That activity is protected by the First Amendment and the Texas and Florida Constitutions and, to the fullest extent permitted by law, is outside the scope of, or exempt from, consumer-data-privacy statutes (which generally exempt processing for journalistic and noncommercial expressive purposes and exclude “publicly available information” from “personal data”).

Accordingly, this Policy governs the consumer/operational data we handle as a publisher (such as subscriber emails and site analytics). It does not restrict, and you should not read it to restrict, our right to gather, keep, use, publish, re-publish, and archive information — including information about identifiable persons — as part of our reporting, commentary, petitioning, source work, and archives. Nothing in this Policy limits our journalistic or expressive activities, our reservation of rights and privileges in our Terms of Use and Legal & Disclaimers, or our retention of materials for legal, archival, or public-interest reasons.


3) Information we collect

  • You provide: name, email; messages and user content you submit (comments, posts, uploads, DMs); forms you complete (tips, support); referral details when you invite others.

  • Automatically (Sites & Publication): IP address, device/browser info, pages viewed, timestamps, referral/UTM data, coarse location inferred from IP, and cookie/SDK events via analytics (e.g., Google Analytics 4) or Substack metrics.

  • Platform/social data: When you interact on Substack (Chat, Notes, comments, payments) or on our social pages, Discord, or podcast platforms, those services may share limited analytics, engagement, or account metadata with us under their terms.

  • Payments/contributions (if enabled): If you contribute funds or buy paid access, payment processors (e.g., Substack/Stripe) collect payment details; we do not store full card numbers.

  • Sensitive data: We do not seek sensitive personal data and ask that you not submit it. We will not sell sensitive data without consent where required by law. (Tipsters/sources: see Section 12.)


4) How we use information

We use information for any of the following purposes, and for any other purpose disclosed at collection or reasonably compatible with these purposes:

  • Operate, secure, and improve the Sites & Channels (including moderation, anti-abuse, spam prevention, and debugging);

  • Communications: send newsletters and updates you request and transactional messages (receipts, account notices);

  • Analytics and measurement: measure reach and performance and improve features and content;

  • Community & growth features: run referrals, recommendations, attribution, and discovery within Substack’s ecosystem;

  • Develop new and existing products, services, features, and offerings, and conduct internal research and analysis;

  • Journalistic, editorial, expressive, archival, and public-interest purposes, including reporting, commentary, petitioning, fact-checking, source verification, and maintaining our archives;

  • Establish, exercise, and defend legal claims, and protect our rights, our sources, our personnel, and the public;

  • Enforcement & compliance: enforce our Terms, comply with legal obligations, and respond to lawful requests.

Aggregated and de-identified data. We may create and use aggregated, anonymized, or de-identified data — which is not personal information — for any lawful purpose without restriction, including research, analytics, benchmarking, product development, training and improving analytical systems, and publication, and we may retain and share such data indefinitely. We will maintain de-identified data as de-identified and not attempt to re-identify it except to test our de-identification.

Consent to described uses. By providing information to us or using the Sites & Channels, you consent to the uses described in this Policy. Where we wish to use personal information for a materially different purpose, we will provide notice or obtain consent where required by law.


5) Legal bases / lawful grounds (where applicable)

  • Contract (to provide requested services);

  • Legitimate interests (security, analytics, fraud/abuse prevention, service improvement, and journalism/public-interest documentation);

  • Consent (newsletters and certain cookies/analytics);

  • Freedom of expression and information (journalistic and expressive processing, including under GDPR Art. 85 and analogous exemptions where applicable);

  • Legal obligations (records/tax compliance and lawful requests).


6) Cookies, ads & analytics; your choices

We use cookies/SDKs for essential functions and Google Analytics 4 for analytics; Substack also performs its own analytics and email instrumentation. If we ever run targeted advertising, that may constitute “sharing” under some state laws, and we will present “Your Privacy Choices / Do Not Sell or Share” controls and honor GPC and other recognized universal opt-out signals where required.

Your controls:

  • Use any cookie banner/controls we provide to disable non-essential cookies/analytics;

  • Enable GPC in your browser to send a universal opt-out signal we honor where required;

  • Unsubscribe from emails using the link in any message;

  • Configure your browser to block or clear cookies.


7) Your privacy rights (state and international)

Depending on where you live, you may have rights to access, delete, correct, and port your personal data, and to opt out of targeted advertising, “sale,” or certain profiling. We honor these rights as and to the extent required by applicable law, including the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541) and other state privacy laws that apply to us. Many such laws exempt small businesses and/or journalistic and noncommercial expressive activity; where an exemption applies, we may rely on it, but we will still address verified requests reasonably.

How to exercise rights. Email contact@pagproject.com with the subject “Privacy Request” and describe your request. We may verify your identity and will respond within applicable timeframes. If we deny a request, you may appeal by replying “Appeal,” and where required we will explain how to contact your state Attorney General.

International (EU/UK) users. If you are in the EU/UK, we process limited data on the bases above (including legitimate interests and, for our reporting, the journalistic exemption). You may have rights of access, rectification, erasure, restriction, objection, and portability, subject to the journalistic and expression-related exemptions that apply to a news publisher.

Automated decision-making. We do not use your personal data for automated decisions that produce legal or similarly significant effects about you.


8) Sharing with service providers & transfers

We share personal information with service providers under contracts limiting their use to our instructions (hosting/CDN, email/newsletter tools, analytics, community platforms, anti-abuse/security providers, and, if enabled, payment processors). We may also disclose information to comply with law, to respond to lawful requests, to protect rights, safety, our sources, or the public, to enforce our Terms, or in connection with a corporate transaction (e.g., merger, financing, reorganization, or asset transfer), in which case this Policy will continue to govern the transferred information or you will be notified of any new policy.

We are U.S.-based. Data may be processed in the U.S. or other countries by our providers, with appropriate safeguards.


9) Data retention

  • Accounts & user content: retained until you request deletion or we remove it under our moderation policies; minimal residual copies may persist in backups for a limited period.

  • Email lists: retained until you unsubscribe or your address bounces.

  • Logs/analytics: retained up to 24 months, then aggregated or deleted.

  • Payment/transaction records (if enabled): retained 7 years for tax/recordkeeping.

  • Journalistic, source, and archival materials: retained indefinitely as part of our reporting record and archives, consistent with Section 2.

  • We may retain any data longer when necessary for legal, security, fraud-prevention, abuse-prevention, or public-interest reasons.


10) Security & breach notification

We use reasonable technical and organizational measures (HTTPS, access controls, and provider encryption at rest where supported). No system is 100% secure. Where a security incident affects personal information, we will notify affected individuals and authorities as and to the extent required by applicable law, including the Florida Information Protection Act (Fla. Stat. § 501.171) and other breach-notification laws.


11) Children

The Sites & Channels are not directed to children under 13, and we do not knowingly collect data from children under 13. We do not sell the personal data of a known minor or the precise geolocation of a child without consent where required. If you believe a child provided data, contact us and we will delete it.


12) Community spaces & public posting

Community posts, comments, Chat, and voice/text channels may be public or visible to other members. Moderators may review reported content for safety and compliance. Do not post sensitive personal data. Content you make public may be seen, copied, and re-shared by others, and we may quote, retain, or describe it consistent with Section 2 and our Terms.


13) Source submissions / tipline

Unsolicited tips or documents you send are non-confidential unless we expressly agree otherwise in a signed writing. Do not send materials you are not legally permitted to share or that were illegally obtained. You represent you have the right to share what you send. We may publish, investigate, summarize, archive, or decline to act on any submission. Where legally permitted, we may notify you of legal requests for your data; we require lawful process to disclose records and will assert reporter’s privilege and other defenses when applicable.


14) Corrections / takedowns (non-copyright)

If you seek removal or correction of non-copyright content, email Review@pagproject.com with the exact URL/timestamp, the specific content at issue, the legal basis for your request, and supporting documentation. Defamation/accuracy disputes are handled under the Notice-of-Concern procedure in our Legal & Disclaimers and Terms of Use (including the Florida § 770.01 and Texas Defamation Mitigation Act procedures). For copyright, follow our DMCA process in the Terms.


15) Governing law

This Policy is part of your relationship with PAG and is governed by, and subject to, the governing-law, forum, and cascade provisions in our Terms of Use (Texas law and Travis County, Texas as the primary/exclusive forum for those bound by the Terms, with the fallback reservations stated there). Nothing in this Policy waives any right or protection reserved in our Terms of Use or Legal & Disclaimers.


16) Changes

We may update this Policy; material changes will be posted with a new “Last updated” date. Continued use after posting means you accept the updated Policy.

Questions or requests? contact@pagproject.comTakedowns/Corrections: Review@pagproject.com — PAG Project, LLC, 5900 Balcones Drive, STE 100, Austin, TX 78731. Available in alternative format on request.