Beta
Sign inSubscribe

Supercomputing News - Privacy Policy

Supercomputing News ("we", "us", "our") publishes original reporting on supercomputing at https://supercomputing.news. This policy explains what personal data we collect when you read the site, subscribe to the newsletter, log in, or pay for article access - and what we do with it.

We try to keep this short and in plain English. If something here is unclear, email us at [email protected] and we'll do our best to explain.

Who we are

Supercomputing News is operated by Supercomputing News, LLC. For data-protection inquiries, contact [email protected].

Our notice address is 522 W Riverside Ave Ste N, Spokane, WA 99201-0581, USA. Our general contact address is [email protected].

What we collect

We only collect what we need to run the publication. Specifically:

  • Email address. Stored as a subscriber record in our Payload CMS users collection when you sign up for the newsletter or log in via magic link. We may also store an optional first name and last name if you provide them.
  • Email verification timestamp (emailVerifiedAt). Set the first time you click a magic-link confirmation. We use this as the gate before syncing a subscriber to our newsletter provider — unverified addresses are never sent to Buttondown.
  • Authentication session cookie. A single first-party JWT cookie set when you log in. See "Cookies and sessions" below.
  • Subscription and tier metadata. Your reader tier (currently only free) and newsletter status (subscribed / unsubscribed / complained). When paid editions launch (Pro Q4 2026, Team Q1 2027) we will add billing-processor metadata to this list and update this policy.
  • Newsletter provider ID (buttondownId). An opaque identifier returned by Buttondown after a verified subscriber is synced, so we can keep records aligned.
  • Analytics. When the corresponding environment variables are configured in production, we load Google Analytics (via NEXT_PUBLIC_GA_ID) and Ahrefs Analytics (via NEXT_PUBLIC_AHREFS_KEY). These scripts collect standard web-analytics signals (pages viewed, referrer, approximate location, device class). They are not loaded in development or preview environments, and are not loaded at all when the variables are unset.
  • x402 / USDC payment metadata. When a reader or an AI agent pays for article-level access using the x402 micropayment protocol, we observe the payer's wallet address and the transaction hash on the Base network. Please note: payments on Base are on-chain and inherently public — anyone can inspect that wallet and that transaction. We do not associate wallet addresses with email accounts unless you choose to link them.
  • Server logs and IP-derived signals. Our servers receive standard HTTP request metadata (URL, user agent, timestamp). For rate-limiting and abuse mitigation we read the client IP. In our default Cloudflare → Railway topology, IP is taken from the cf-connecting-ip header set by Cloudflare; the TRUST_FORWARDED_FOR toggle is reserved for alternative trusted-proxy deployments. We do not associate IPs with reader identity for any other purpose.

We do not collect: payment-card numbers (we have no paid-edition billing integration today; when it launches it will be handled directly by the chosen processor); precise device location; biometric data; or data from advertising networks.

How we use it

  • Send the newsletter and weekly digest. Verified subscribers are synced to Buttondown, which handles delivery.
  • Authenticate sessions. Magic-link login emails are sent through Resend; once you click the link, you receive the session cookie described below.
  • Fulfill x402 micropayments. We verify on-chain settlement and grant the corresponding article access.
  • Security and abuse mitigation. Rate limiting, suspicious-traffic detection, and incident investigation.
  • Product analytics. Aggregate measurement of which articles are read and how readers reach the site.
  • Transactional notices. Account-related email (magic links, welcome emails, important changes to this policy or to your subscription).

We do not sell personal data. We do not run advertising networks. We do not share subscriber lists with third parties for marketing.

Third-party processors

We use the following service providers. Each one only receives the data it needs to do its job.

  • Payload CMS (self-hosted on Railway). Stores subscriber records, emailVerifiedAt, tier, and related account state. Runs on our infrastructure.
  • Neon Postgres. Our primary database - the underlying store for everything in Payload.
  • Buttondown. Newsletter delivery. Only verified subscriber emails are synced (sync happens after emailVerifiedAt is set, never before).
  • Resend. Transactional email delivery - magic-link login emails and welcome emails.
  • Cloudflare R2. Object storage for images and other media assets.
  • Cloudflare (edge). CDN, DDoS protection, and the source of trusted client-IP headers for our origin.
  • Coinbase CDP and the x402 facilitator. Settlement of USDC micropayments on Base (mainnet) and Base Sepolia (testnet).

We may add, remove, or change processors as the product evolves. Material changes will be reflected in this policy.

Data retention

  • Authentication session cookie: 30 days. This is an increase from the previous 2-hour session. Magic-link login means re-authenticating is a full inbox round-trip, so a longer session meaningfully improves reader UX. There is no banking data behind the session and ordinary readers cannot perform write actions.
  • Unverified subscriber records: held for 30 days from creation, then deleted. These are never synced to Buttondown.
  • Verified newsletter records: retained until you unsubscribe. Unsubscribing removes you from active mailings; we may retain a minimal suppression record so we don't accidentally re-add you.
  • Server logs: retained for approximately 7 days, then rotated out.
  • x402 / on-chain payment records: on-chain data is permanent and outside our control. Our internal entitlement records tied to a payment are retained as long as the entitlement is meaningful.

Cookies and sessions

We use a single first-party cookie for authentication:

  • Type: JSON Web Token (JWT) issued by Payload.
  • Attributes: httpOnlysecureSameSite=Lax.
  • Expiry: 30 days from issuance.
  • Purpose: identifies your logged-in session.

We do not set third-party advertising cookies. The Google Analytics and Ahrefs Analytics scripts may set their own cookies, but only when their environment variables are configured (production only); they are not loaded in development or preview, and not loaded at all when unset.

Your rights

You can:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and associated subscriber record.
  • Export your data in a portable format.
  • Unsubscribe from the newsletter at any time, via the unsubscribe link in any newsletter email or by emailing us.

To exercise any of these, email [email protected] from the address on file. We will respond within a reasonable period.

Security

We use industry-standard safeguards to protect personal data in transit and at rest. No online service can guarantee perfect security; we do our best and we keep our stack small to reduce the attack surface.

We do not claim any formal certifications (SOC 2, ISO 27001, etc.). If we ever obtain one, we will say so here.

To report a security vulnerability, please email [email protected]. We appreciate responsible disclosure and will acknowledge legitimate reports promptly.

Children

Supercomputing News is intended for a general adult audience interested in AI and high-performance computing. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

International transfers

Our processors operate in multiple jurisdictions. By using the site or subscribing to the newsletter, you understand that your data may be processed in countries other than your own. Where transfer mechanisms are required by law in the United States, we rely on the standard mechanisms made available by each processor.

Changes to this policy

We will update this policy as the product changes. The "Last updated" date at the top will always reflect the most recent revision. For material changes — for example, adding a new category of data, a new processor that touches subscriber data, or a meaningfully different retention period — we will notify subscribers by email and post a notice on the site before the change takes effect.

Contact

  • General privacy questions: [email protected]
  • Postal: 522 W Riverside Ave Ste N, Spokane, WA 99201-0581, USA
  • Entity: Supercomputing News, LLC