Privacy Policy

Last updated: April 2026

1. Introduction

Ether's, operating as Elite Outsiders ("we," "us," or "our"), collects, uses, stores, and protects personal data of users visiting or interacting with eliteoutsiders.com (the "Website").

This policy describes how we handle your data and your rights under the General Data Protection Regulation (GDPR), the UK-GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable privacy laws.

By using our Website, you agree to the terms of this Policy.

2. Data We Collect

2.1. Data You Provide Voluntarily

• Identity: first name (when you submit the Trauma Map or subscribe to the newsletter).
• Contact: email address. We capture your email at any of these moments: newsletter signup, Trauma Map submission, account login (one-time email code via Cloudflare Access), Cal.com booking on /workwithalex, purchase via Lemon Squeezy or Stripe, optional rating submission. All these touchpoints land your email in a single internal contact base used to serve our relationship with you (transactional emails, newsletter when opted-in, dashboard at /me).
• Self-assessment data: your responses to the Trauma Map interactive assessment, including calculated scores, severity levels, and your reading profile.
• Comments and ratings: any text you submit voluntarily on /library posts or via the rating widget on assessment results.
• Payment data: processed securely by Lemon Squeezy and Stripe. We do not store card details.

What we do with your email after capture: we add you to our internal client base. We send you marketing emails (newsletter, content drops) only if you explicitly subscribed via the dedicated checkbox. A login-only capture (no other action, no newsletter checkbox) means your email sits in our base in "very cold" status and never receives marketing emails. You can request deletion at any time — see Section 6 (Your Rights).

2.2. How We Use This Data

• Deliver your personalized Trauma Map results.
• Send email sequences related to your assessment (via Kit/ConvertKit and Resend).
• Send the newsletter (with your consent).
• Process purchases of digital products (via Lemon Squeezy).
• Provide customer support and moderate user-submitted content (comments, ratings).
• Comply with legal and accounting obligations.

2.3. Data Collected Automatically

All automatic data collection below qualifies for the CNIL "mesure d'audience" exemption: first-party only, no advertising, no profiling, no cross-site tracking, IP not stored, anonymized session-level. You can disable it on your device by visiting any page with the URL parameter ?eotrack=off (sets a persistent localStorage flag).

• Traffic attribution: UTM parameters (source / medium / campaign) when present in the URL, stored first-touch in your browser's localStorage as eo_utm.
• Session metadata: a random session ID (in sessionStorage as eo_sid, lifetime = current browser tab), the referring URL, and your user agent string.
• Funnel events: page views, scroll depth (25/50/75/100%), time on page, outbound link clicks (target hostname only), and CTA clicks (assessment started, completed, etc.). Stored in our D1 database tied to the session ID. The session ID is never linked to your email or identity unless you submit the assessment, in which case the link is used solely to power the personal results page (/me/trauma-maps) — never for marketing profiling.
• Anonymous click coordinates (heatmap): when you click on the page, we record the relative X/Y position as a percentage of viewport (e.g. "67% from left, 42% from top"), the element tag/id/short text, and the page path. No screenshot, no recording, no replay. Used solely to identify which UI elements are confusing or under-used.
• IP address: never stored in our analytics tables. We read your IP only at request time for: (a) abuse prevention, (b) self-exclusion of internal team traffic. No persistence.
• Hashed IP: for rate-limiting comments and likes on /library, IP addresses are hashed (SHA-256, salted) before storage. The raw IP is never persisted.

We do not use Plausible, Google Analytics, Cloudflare Web Analytics, Meta Pixel, Hotjar, Mixpanel, or any third-party tracker. No cross-site tracking. All analytics are first-party and stored in our own EU-hosted D1 database. We do operate one first-party email open-rate pixel — see "Email open tracking" below — bundled into the newsletter subscription opt-in (a single explicit checkbox covers both: subscription and open-rate measurement, with clear wording at signup).

Cloudflare Turnstile (anti-bot): on certain forms (e.g. the Trauma Map submission), we may use Cloudflare Turnstile to protect against automated abuse. Turnstile is privacy-preserving (no tracking cookies, no fingerprinting beyond what's needed to detect bots) and only runs at form-submission time. Cloudflare privacy.

Cloudflare email-decode (anti-scraping): Cloudflare automatically obfuscates email addresses on the page to protect them from scraping bots. This injects a small inline script (email-decode.min.js) on pages where email addresses are visible. It is not a tracker, sets no cookie, and reads no behavior — purely client-side decoding when a real visitor clicks.

3. Cookies

We do not use tracking cookies. We use minimal first-party browser storage (localStorage for UTM attribution, sessionStorage for session ID) strictly necessary to operate the site and attribute conversions.

Cloudflare Access (used to gate certain pages such as the Manifesto reader) sets a session cookie (`CF_Authorization`) for the duration of an authenticated session. This is required for the gated experience and is removed when you log out or the session expires.

You can manage cookie and storage preferences via your browser settings at any time.

4. Third-Party Services

We share data with the following service providers, strictly for the purposes described:

• Cloudflare, Inc. — hosting, CDN, D1 database (EU region), and Cloudflare Access for gated pages. Privacy policy
• Lemon Squeezy — checkout and payment processing for digital products. Acts as merchant of record (handles VAT). Privacy policy
• Cal.com — appointment booking. Privacy policy
• Kit (ConvertKit) — email marketing and automation. Stores your name, email, assessment results, and tags. Privacy policy
• Resend — transactional email delivery. Privacy policy
• Substack — long-form content surfaced via RSS in our Library (no user data shared with Substack). Privacy policy

We never sell your personal data. We never share it with advertisers.

4b. Email Open Tracking (audience measurement)

When you subscribe to our newsletter, we embed a 1×1 transparent pixel image in the emails we send through Kit. The pixel is hosted on our own domain (eliteoutsiders.com) — not on a third-party tracker. Its only purpose is to measure whether you opened the email, so we can improve content and timing. This is "mesure d'audience" under CNIL terminology and is treated as an integral part of the newsletter service. You can opt out of tracking at any time without unsubscribing — see "How to opt out" below.

Data collected on each open:

• Your email address (the recipient).
• Open timestamp.
• Your IP address.
• Your User-Agent (browser / email client identifier).
• A campaign and email-type identifier we set ourselves (e.g. type=sequence&campaign=trauma_recovery).

Legal basis (RGPD art. 6.1.a): consent — you tick a single, non-pre-checked checkbox at signup ("Subscribe to Elite Outsiders.") and open-rate measurement is treated as an integral part of the newsletter service, transparently disclosed in this Section 4b. The checkbox is opt-in only. You can withdraw tracking consent without unsubscribing via the opt-out link below, or fully unsubscribe at any time via the unsubscribe link in any email.

Retention: 13 months from the open event for raw, identifiable rows (email, IP, User-Agent, timestamp), then automatic deletion. Deleted immediately if you withdraw tracking consent or unsubscribe. Anonymized aggregate counts (per month, per campaign type, no individual identifiers) are archived to a private Cloudflare R2 bucket and kept indefinitely for long-term content performance analysis — these aggregates contain no personal data and fall outside RGPD scope.

Sharing: none. The data never leaves our Cloudflare D1 database (EU region). It is not shared with Kit, advertisers, or any third party.

How to opt out without unsubscribing:

• Use the "Disable open tracking" link in any of our emails (footer).
• Or visit /api/opt-out-tracking?email=YOUR_EMAIL (replacing YOUR_EMAIL with your address). We immediately revoke tracking consent and delete all your previously logged opens.
• Or email contact@eliteoutsiders.com with subject "GDPR — stop tracking".

Unsubscribing fully from our emails (via the unsubscribe link in any email) also stops tracking automatically.

5. Self-Assessment Data (Trauma Map)

When you complete the Trauma Map, your responses are processed in your browser to generate personalized results. If you provide your email, the following data is sent to our systems:

• Your first name and email address.
• Your answers to the assessment questions.
• Your computed Past and Current Trauma Level scores, your Inner and Outer Journey readings.
• The UTM source (which platform referred you), if available.

This data is stored in Cloudflare D1 (EU region) and transmitted to Kit for email personalization. It is not shared with any other parties.

Sensitivity notice: We understand that self-assessment data related to trauma and emotional patterns is sensitive. We treat this data with the highest level of care and use it solely to personalize your experience and improve our services.

6. International Data Transfers

Some of our service providers (Lemon Squeezy, Kit, Resend, Cal.com, Cloudflare for some services) are based in the United States. When your data is transferred outside the EEA/UK, we rely on adequate safeguards including the European Commission's Standard Contractual Clauses and equivalent mechanisms.

7. Data Retention

• Email subscriber data: retained as long as you remain subscribed. Deleted upon unsubscribe request.
• Assessment submissions: retained for internal analytics. You may request deletion at any time.
• Email open events (pixel-tracked, identifiable): 13 months for raw rows (email, IP, User-Agent), then automatic deletion. Deleted immediately on tracking opt-out or full unsubscribe.
• Email open aggregates (anonymized): kept indefinitely in a private R2 archive (per month / type / campaign counts, no individual identifiers). Used for long-term content performance analysis only.
• Consent records (kit_consents): retained for 3 years after withdrawal as legal proof of valid consent (RGPD audit trail), then deleted.
• Funnel events / heatmap / scroll / outbound clicks: kept up to 24 months for analytics, then deleted via a periodic admin purge endpoint (/api/admin/purge-old-events).
• Comments and ratings: retained until deletion is requested or content is moderated out.
• Payment records: retained for the legally required period (10 years in France for accounting purposes).
• UTM and session data in your browser: cleared when you clear your browser storage.

8. Your Rights

Under GDPR / UK-GDPR:

• Access your personal data.
• Rectify inaccurate data.
• Request erasure ("right to be forgotten").
• Restrict or object to processing.
• Data portability.
• Decide the fate of your data after death (France-specific).

Under CCPA/CPRA (California):

• Right to know what personal information we collect.
• Right to request deletion.
• Right to opt-out of sale or sharing (we do not sell data).
• Right to non-discrimination for exercising your rights.

To exercise any of these rights, email contact@eliteoutsiders.com. We will verify your identity before processing your request and respond within 30 days.

You may also lodge a complaint with the French data protection authority (CNIL, cnil.fr).

9. Children's Privacy

Our services are not intended for individuals under 18. We do not knowingly collect data from minors.

10. Data Security

We apply appropriate technical and organizational measures to protect personal data — including encryption in transit (HTTPS), restricted access controls, salted hashing of IPs, and gating of any product/admin areas via Cloudflare Access. However, no system is completely secure and we cannot guarantee absolute protection.

11. Changes to This Policy

We may update this Policy from time to time. The "Last updated" date at the top indicates the latest revision.

12. Contact

Data Controller: Ether's — Elite Outsiders

• SIREN: 879 425 049
• Address: Ether's — Paperboy — 6372, 20 quai de Lorraine, 11100 Narbonne, France
• Email: contact@eliteoutsiders.com