Legal

Privacy Policy

Last updated: May 2026 · Effective for all visitors and account holders

This policy describes what information Divergence collects when you visit divergence.news or use the API, why we collect it, who else sees it, and how to delete it. Plain English, no dark patterns.

1. Who we are

Divergence is operated as a sole proprietorship based in Georgia, United States. Reach us at support@divergence.news. For privacy-specific requests (data access, correction, deletion), use the same address; we read everything that comes in. The operator's legal name is available on request to anyone with a legitimate need (legal process, billing dispute, takedown).

Postal address:
5579 Chamblee Dunwoody Road, Ste B PMB 5032
Atlanta, GA 30338, United States

2. What we collect

If you only browse the public site (no account): nothing tied to your identity. We see anonymized pageview counts and aggregate traffic patterns through Vercel Analytics, which does not set tracking cookies and does not store IP addresses. Cloudflare, which fronts the site for DDoS and DNS, sees standard request metadata (IP, user agent, requested URL) for security purposes.

If you create an account:

Data	Why we have it
Email address	Login, account recovery, transactional notices, optional digest emails
Username	Public identifier on your account
Password (hashed; we never see the raw password)	Authentication
Signup date and email-verification status	Account management, fraud prevention
Founding-member flag and grant expiry	Apply your founding-year benefit
API key prefixes and SHA-256 key hashes	Authenticate API requests; we never store full key values
Per-day request counts per key	Enforce rate limits and show usage on your account page

If you subscribe to a paid plan:

Data	Why we have it
Stripe customer ID	Link your Divergence account to billing records held by Stripe
Subscription status, plan, and current-period end date	Provision and revoke paid features as your subscription state changes

Payment card details are entered directly into Stripe's hosted checkout. We do not see, store, or transmit card numbers, expiration dates, CVCs, or bank account information.

What we do not collect: we do not collect IP addresses at signup, do not log per-request IPs against your account, do not track which articles or pages you read once logged in, do not build behavioral profiles, do not sell or rent your data to anyone, and do not use third-party advertising trackers.

3. Cookies

We set the minimum cookies needed for the site to function:

Session cookie — keeps you logged in between visits. HttpOnly, Secure, SameSite=Lax. Expires after 30 days of inactivity.
CSRF token — stored inside the session cookie; protects forms from cross-site attacks.
Founding popup dismissal — a small flag so the founding-member popup does not re-appear after you close it.

We do not set advertising cookies. Vercel Analytics is cookie-less and aggregates pageviews without identifying individuals.

4. Third parties that handle your data

Provider	What they receive	Purpose
Stripe	Email, card details (entered directly to Stripe), subscription metadata	Payment processing, subscription billing
Resend	Email address, message content of transactional emails	Send verification, welcome, and digest emails
Cloudflare Turnstile	IP address, browser fingerprint at signup/login	Bot and abuse prevention
Vercel	Anonymized pageview counts, request routing, application hosting	Site hosting and infrastructure
Cloudflare	Request IP and headers	DNS, DDoS mitigation, edge caching
Google Fonts	Browser request to fetch typefaces (includes IP)	Render typography on each page

Each provider has its own privacy policy and is responsible for the data it processes. Divergence does not share your account information with any party not listed above.

5. Email and unsubscribing

We send three kinds of email: account-related (verification, password resets, billing receipts), the optional newsletter digest if you signed up for it, and replies to your support questions. You can unsubscribe from the digest at any time using the link at the bottom of every digest email. Account-related emails are sent only when needed and cannot be unsubscribed without deleting the account, since they are required to operate the service.

6. How long we keep data

Active accounts: for as long as the account exists.
Deleted accounts: the email and password are removed and the account row is anonymized immediately upon deletion request. We retain the numeric account id so historical aggregate counts (events analyzed, traffic patterns) remain consistent. Stripe holds billing records on its own retention schedule (typically 7 years for tax compliance).
API key usage counts: per-day counts older than 7 days are pruned.
Anonymous analytics: aggregate site traffic data is retained indefinitely in non-identifying form.
Backups: may contain your data for up to 30 days after deletion before being overwritten.

7. Your rights

If you are in the European Union, the United Kingdom, California, or other jurisdictions with data protection laws, you have the following rights with respect to data we hold about you:

Access — request a copy of what we have
Correction — fix anything that is wrong
Deletion — remove your account and associated data (also available self-serve at your account page)
Portability — request your data in a machine-readable format
Objection or restriction — limit how we process your data
Withdraw consent — for anything you previously opted in to

To exercise any of these, email support@divergence.news from the address on the account. We respond within 30 days.

8. Legal basis (GDPR / UK GDPR)

We process the data above on the following legal bases: contract (delivering the service you signed up for, including authentication, billing, and support), legitimate interest (security, abuse prevention, basic site analytics), and consent (the optional digest newsletter). You can withdraw consent for the digest at any time without affecting the rest of your account.

9. International data transfers

Divergence is operated from the United States, and several of our processors (Stripe, Resend, Vercel, Cloudflare) are also US-based or operate globally with US data centers. By using the service you understand that your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses or equivalent mechanisms with our processors where applicable.

10. Children

Divergence is not directed at children. You must be at least 13 years old to create an account. In the United Kingdom and the European Union, the minimum age is 16. We do not knowingly collect data from anyone below these ages. If you believe a child has created an account, email us and we will delete it.

11. Security

We hash passwords with PBKDF2-SHA256, hash API keys with SHA-256 (the raw key is shown to you exactly once at creation and never stored), use HTTPS for every connection, and set HttpOnly, Secure, SameSite cookies. No system is perfectly secure; if a breach affecting your data occurs we will notify you within 72 hours of becoming aware of it, in line with GDPR Article 33.

12. Changes to this policy

We may update this policy as the service evolves. Material changes (new data categories, new third-party processors, changes to retention) will be announced via the digest newsletter and a banner on the site at least 14 days before they take effect. Minor edits (clarifications, contact updates) take effect when posted. The current version is always at divergence.news/privacy.

13. Contact

Privacy questions, data requests, complaints: support@divergence.news.

If you are in the EU and unsatisfied with our response, you have the right to complain to your national data protection authority. In the UK, that is the Information Commissioner's Office (ICO).

Want to delete your account? You can do it yourself at your account page. No email required, no waiting.