Skip to content
No Margin Left
45 articles · 5 clusters · tools · data

What is collected, on what legal basis, and what is not

Privacy policy

Plain language, in full. The short version: as little as possible, lawfully, and never sold.

Last updated 26 May 2026

This policy explains how No Margin Left ("the site") handles personal data, the legal bases on which it does so, and the rights you have over that data. It is written to be read, but it is also intended to satisfy the transparency requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data. Where any term of this policy conflicts with a mandatory right granted to you by the GDPR or other applicable law, that right prevails.

1. Who is responsible (the controller)

The site is operated from Belgium. For the purposes of the GDPR, the operator of No Margin Left is the data controller — the party that decides why and how personal data is processed. The controller can be reached via the contact page. The operator's full legal identity and postal address are available on request to any data subject exercising their rights, and to the competent supervisory authority. The operator is a small publisher and is not required to appoint a Data Protection Officer; the contact page reaches the person responsible for these questions directly.

2. The data processed, and why

The site is built to function with as little personal data as possible. The categories below are the only ones processed, each tied to a specific purpose and a specific legal basis under Article 6(1) GDPR.

  • Email address — only if you subscribe to the newsletter or contact the operator. Purpose: to send the newsletter and product updates you asked for, or to reply to you. Legal basis: your consent, Art. 6(1)(a), for the newsletter; the steps taken at your request, Art. 6(1)(b), and the operator's legitimate interest in replying, Art. 6(1)(f), for correspondence.
  • Message content — anything you choose to write when you contact the operator. Purpose: to understand and answer your message. Legal basis: legitimate interest, Art. 6(1)(f).
  • Technical connection data — when any website is visited, the hosting provider's servers automatically receive the data your browser sends: IP address, the page requested, date and time, referring page, and user-agent string. Purpose: to deliver the page, keep the service secure and stable, and defend against abuse. Legal basis: legitimate interest in a secure, working service, Art. 6(1)(f). This data is not used to identify or profile you and is not combined with any other data the site holds.

Providing this data is never a statutory or contractual obligation. You are free not to subscribe and not to make contact; the only consequence is that the site cannot email you or reply to you.

3. Analytics

The site does not currently run analytics that profile or identify you. If aggregate, privacy-respecting analytics are ever added to see which pages are read, the aim is a provider that does not build an advertising profile, does not identify individual readers, and — where the provider allows — does not set tracking cookies. Any such analytics that read or store information on your device beyond what is strictly necessary will be activated only after you have given consent, and this page will be updated before they go live.

4. Cookies and similar technologies

The site sets no cookies of its own — no tracking cookies, and none used to profile you. Because nothing non-essential is stored on or read from your device, no cookie-consent banner is shown, consistent with the ePrivacy rules and the Belgian transposition. If that ever changes through the analytics or advertising described here, a compliant consent prompt will appear first, and consent for any non-essential cookie will be requested before it is set and will be as easy to refuse or withdraw as to give.

5. The email list

If you subscribe, your email address is stored by the email provider solely to send you the newsletter and any product updates you asked for. The legal basis is your consent, which you can withdraw at any time with no detriment: every email carries a one-click unsubscribe, and unsubscribing removes you from the list. The address is retained only until you unsubscribe or ask for it to be deleted, after which it is removed (a minimal suppression record may be kept solely to ensure you are not re-added). Your address is never sold, rented, or shared for anyone else's marketing.

6. Advertising and affiliate links

No third-party advertising or behavioural-tracking cookies are set on the site at present. If that changes, it will be described here and in Disclosure, and any non-essential tracking will be loaded only after you consent.

7. Who else processes the data (recipients and processors)

Personal data is not sold, rented, or disclosed to third parties for their own purposes. It is handled on the operator's behalf only by the service providers strictly needed to run the site — at most a hosting provider, an email-delivery provider, and any privacy-respecting analytics provider later adopted. Each such provider acts as a processor under a data processing agreement that meets Article 28 GDPR, may process the data only on the operator's documented instructions, and may not use it for its own ends. Data may also be disclosed where the operator is legally required to do so, for example in response to a lawful order from a competent authority.

8. Transfers outside the EEA

The operator keeps processing within the European Economic Area (EEA) where practical. Some providers (for example a US-based email or hosting service) may process data outside the EEA. Where that happens, the transfer relies on a lawful safeguard under Chapter V GDPR — an adequacy decision of the European Commission (such as participation in the EU–US Data Privacy Framework), or the EU Standard Contractual Clauses with supplementary measures where needed. You can ask for details of the safeguard used for any given provider.

9. How long data is kept (retention)

  • Newsletter email address: until you unsubscribe or request deletion.
  • Correspondence: for as long as needed to deal with your message and a reasonable period afterwards, then deleted, unless a legal obligation requires longer.
  • Server logs: kept by the hosting provider only for the short period needed for security and diagnostics, then deleted or anonymised in the ordinary course.

10. What is not collected

  • No accounts, so no passwords.
  • No selling or renting of personal data, ever.
  • No reader-level profiling for ad targeting by this site.
  • No automated decision-making or profiling that produces legal or similarly significant effects on you (Article 22 GDPR does not arise).
  • No special-category data is sought or knowingly collected.

11. Children

The site is intended for adults and is not directed at children. It does not knowingly collect personal data from anyone under 16. If you believe a child has provided personal data, get in touch via the contact page and it will be deleted.

12. Security

The site is served over encrypted connections (HTTPS), and the operator relies on reputable providers with their own technical and organisational safeguards. No method of transmission or storage is perfectly secure, but the operator takes measures appropriate to the limited, low-sensitivity data involved. In the event of a personal-data breach that is likely to pose a risk to your rights, the operator will notify the supervisory authority, and you where required, in line with Articles 33 and 34 GDPR.

13. Your rights

Under the GDPR you have the right to:

  • Access — confirmation of whether your data is processed, and a copy of it (Art. 15).
  • Rectification — correction of inaccurate or incomplete data (Art. 16).
  • Erasure — deletion of your data where the conditions apply (Art. 17).
  • Restriction — to limit processing in certain cases (Art. 18).
  • Portability — to receive data you provided in a portable format, or have it sent to another controller (Art. 20).
  • Objection — to object to processing based on legitimate interests, and to object to direct marketing at any time (Art. 21).
  • Withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal (Art. 7(3)).

To exercise any of these, get in touch via the contact page. The operator will respond within one month, extendable by two further months for complex requests, and will tell you if an extension applies. Exercising your rights is free unless a request is manifestly unfounded or excessive. The operator may ask for information to confirm your identity before acting, solely to protect your data.

14. Complaints

If you believe your data has been mishandled, you may lodge a complaint with a supervisory authority, in particular in the EU member state of your residence or workplace. In Belgium that is the Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données), Rue de la Presse 35 / Drukpersstraat 35, 1000 Brussels. You retain the right to a judicial remedy as well.

15. Changes to this policy

This policy may change as the site or the law evolves; the date above marks the current version. Material changes that affect your rights or the processing of your data will be made clear, and where the law requires it, your fresh consent will be sought before any new processing begins.