Effective date: June 10, 2026
This Privacy Policy explains how Ivan Zamesin (sole proprietor / individual entrepreneur, "we", "us", "our") collects, uses, and protects personal data when you use nextmovetheory.com and its subpages (the "Site") — including the Next Move Theory canon, books, blog, and the newsletter.
We designed the Site to collect as little personal data as possible: there are no ads, no third-party ad trackers, and we never sell your data. Analytics runs only if you explicitly agree to it.
Contact for anything privacy-related: ivan@nextmovetheory.com
1. Who is the data controller
The data controller (the entity that decides why and how personal data is processed) is Ivan Zamesin, reachable at ivan@nextmovetheory.com.
2. What data we collect, and why
2.1. Newsletter subscription
When you subscribe to the newsletter, we collect:
- your email address;
- a record of your consent — the time of subscription, the consent text version, your IP address, and your browser's user-agent string (kept to demonstrate that consent was given, as GDPR requires);
- the page or feature you subscribed from (e.g. the home page or a chapter), so we understand which content brings readers.
Purpose: sending you notifications about new chapters, theses, and materials. Legal basis (GDPR): your consent (Art. 6(1)(a)). You can withdraw it at any time — every email contains a one-click unsubscribe link, or you can write to us.
2.2. Analytics (only with your consent)
We use PostHog, a product-analytics service, to understand how the Site is read — which chapters people open, how far they read, and where readers come from. Analytics is strictly opt-in: nothing is collected until you press "Accept" on the cookie banner. If you press "Decline" (or ignore the banner), no analytics events are sent.
If you accept, we collect:
- usage events — pages viewed, chapters opened and completed, scroll depth, navigation clicks, subscription form interactions;
- technical context — browser and device type, screen size, language, approximate location derived from your IP address (country/city level), and the referring site;
- session replays — anonymized recordings of how the page is used; all text you type is masked and never recorded;
- cookies and local storage used to remember your device between visits and keep session continuity (see Section 5).
Purpose: improving the content and the reading experience. Legal basis (GDPR): your consent (Art. 6(1)(a)), given via the cookie banner. You can withdraw it at any time by clearing the Site's cookies/local storage for this site in your browser; analytics will stay off until you accept again.
2.3. Technical logs
Our web server automatically records standard access logs (IP address, requested URL, time, HTTP status, user-agent). These logs exist for security — detecting attacks, abuse, and operational failures — and are rotated and deleted on a regular schedule.
Legal basis (GDPR): our legitimate interest in keeping the Site secure and operational (Art. 6(1)(f)).
2.4. Reading preferences
Your reading preferences (font size, typeface) and reading progress are stored locally in your browser (localStorage). They never leave your device and are not transmitted to us.
2.5. What we do NOT collect
We do not collect or process: payment data; government identifiers; precise geolocation; biometric data; special categories of data (health, beliefs, etc.). The Site is informational — there is nothing to buy on it.
3. Who we share data with (processors)
We never sell or rent personal data. We share it only with service providers ("processors") that run the Site's infrastructure on our behalf, under data-processing agreements:
| Provider | What it does | Where data is processed |
|---|---|---|
| PostHog Inc. | Product analytics (only after your consent) | United States |
| Resend | Sending newsletter emails | United States |
| Supabase | Database hosting | United States |
| DigitalOcean | Server hosting | United States |
We may also disclose data if required by law, court order, or to protect our legal rights — and only to the extent required.
4. International data transfers
We are based outside the EU, and our providers process data in the United States. Where GDPR applies to you, transfers rely on the providers' compliance mechanisms — the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses, as published by each provider. By the nature of the Site (a US-hosted service), your data is processed in the US.
5. Cookies and similar technologies
The Site uses:
- Strictly necessary storage — the early-access cookie (remembers that you entered the access password) and your cookie-banner choice. These are required for the Site to function and don't track you.
- Analytics cookies / local storage (optional) — set by PostHog only after you accept the cookie banner, to recognize your device across visits.
You can delete cookies at any time in your browser settings. Deleting them resets your banner choice and signs you out of early access.
6. How long we keep data
- Newsletter data — until you unsubscribe or ask us to delete it; after unsubscribing we keep the minimal suppression record (email + status) so we don't email you again.
- Analytics data — retained in PostHog under its standard retention; we periodically review and delete what we no longer need.
- Server logs — short-term, rotated automatically.
- Consent records — for as long as the law requires us to be able to demonstrate consent.
7. Your rights
7.1. If you are in the EU/EEA/UK (GDPR)
You have the right to: access the data we hold about you; rectify inaccurate data; erase your data ("right to be forgotten"); restrict or object to processing; data portability; and to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal). You also have the right to lodge a complaint with your local supervisory authority.
7.2. If you are a California resident (CCPA/CPRA)
You have the right to: know what personal information we collect and why (this Policy is that disclosure); access and delete your personal information; correct inaccurate information; and non-discrimination for exercising your rights. We do not sell or share personal information as defined by the CCPA/CPRA, and we have not done so in the preceding 12 months. The categories we collect are described in Section 2: identifiers (email, IP), internet activity (usage events — only with consent), and inferences are not drawn for profiling purposes.
7.3. Other US states
Residents of states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, and others) have analogous rights of access, correction, deletion, and opt-out of targeted advertising. We do not engage in targeted advertising or sell personal data.
7.4. How to exercise your rights
Email ivan@nextmovetheory.com from the address in question (or with enough information for us to verify you). We respond within 30 days (GDPR) / 45 days (CCPA). Exercising your rights is free.
8. Security
We use HTTPS everywhere, store data with access-controlled providers, restrict administrative access, and apply server hardening and monitoring. No internet service can guarantee absolute security, but we keep the attack surface deliberately small — the Site stores almost nothing about you.
9. Children
The Site is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.
10. Changes to this Policy
We may update this Policy as the Site evolves. The current version always lives at nextmovetheory.com/privacy with its effective date at the top. For material changes affecting how we use already-collected data, we will notify newsletter subscribers by email.
11. Contact
Questions, requests, complaints: ivan@nextmovetheory.com.