Privacy at The Iceberg

The Iceberg is owned and operated by Mark Steadman. Here’s our approach to your privacy.

Privacy policy

Our newsletter service runs entirely through Mark Steadman’s Europe-based infrastructure. We use a third-party service to perform the mechanical operation of sending emails at scale, but that service does not track clicks, subscriptions or other interactions. However, we track when an email is opened or a link is clicked – and how many times – but this information is never revealed to any third party.

Any new subscriber must follow a link sent to their email address in order to confirm they wish to opt in to receive emails from The Iceberg newsletter. If someone unsubscribes from our newsletter, we keep their email address listed so we know not to send the next issue to that person, until or unless they re-subscribe. We don’t require confirmation to unsubscribe.

Each newsletter issue carries a link to unsubscribe, which is unique to the subscriber and to the issue. This helps us determine if we sent out an issue that people really hated.

We have provided a purge form, which allows anyone subscribed to The Iceberg – or who thinks their data might be in use by this email newsletter service – to remove such data from our database. In this event, a confirmation email is sent to the email address provided which contains a link that, once clicked, ensures all contact information for that person is removed from our database, and any historical data on open rates or links clicked is anonymised in a way that cannot be linked to the original recipient.

We collect email addresses for our newsletter using our own newsletter server. Our email list is not available to any third party. We will not use your email address for any purpose other than to send you the newsletter that you have subscribed to.

We collect your name along with your email address so we can improve the likelihood of newsletter issues not being flagged as spam.

We use Google Analytics so we can see how many people are viewing the site, which links they click, how long they stay, whereabouts they’re from (roughly), all in accordance with EU regulation.

Our advertising system collects your email address, and payment is taken via Stripe, which stores but anonymises your billing informtion (name, postal code and credit or debit card number). We do not store that info, and we only ever have access to the last 4 digits of your credit/debit card number, which can be used to track down an errant payment.


We use a cross-site request forgery (CSRF) cookie to ensure that you have visited a page that contains a form, before submitting that form. This is used to try and prevent bots from adding their email addresses into our database (at least without having the decency to visit the site first).

We use the following services, which leave cookies to identify you as a returning visitor (these services do not have access to your email address or any otehr personal information).

  • Facebook – occasionally we run Facebook ads. The Facebook Pixel cookie helps us identify which visitors came to this site via one of the Facebook ads we placed.
  • Google Analytics – a service that can be used to track your behaviour across multiple sites, so we know what link you might have clicked that brought you here, how long you stayed, what sort of device you’re using, and roughly where in the world you are. Your IP address is anonymused when passed to Google’s servers, in accordance with EU regulation. Opt out
  • Hotjar – we very occasionally record anonymous browser activity, to help us improve the site. Hotjar records mouse movements and clicks, but does not record any personal information you share with us, such as your name or email address.

Safeguarding your data

In accordance with the EU’s General Data Protection Regulation (GDPR), this is how we look after your data.

Data in transit

All transactions relating to personal information are performed over SSL. This means communication between all parties involved is encrypted, using standards-compliant encryption algorithms (eg SHA-256).

Financial records

We do not keep financial details. Our payment provider (Stripe) provides a mechanism to access your debit or credit card for specific, stated purposes (all transactions will appear on your bank or credit card statement with the name “The Iceberg”), and for the processing of refunds. We store a token which represents your debit or credit card, and cannot use that token for any purpose out-of-scope of the services we provide.

In the event of a breach

Data breaches are unlikely, but not impossible. In the event of a breach (in which data we hold about you is exfiltrated from our data centre), we will first take the following remedial steps, and also do everything in our power to discover the nature of the breach, and how the information was obtained, so that we can prevent further such breaches.

In the event that Stripe subscription tokens are leaked (and only if our live Stripe API key is also leaked), we will generate a new Stripe API key pair, thus invalidating the old pair. (Stripe subscription IDs can only be used with a valid Stripe secret API key).

In the event that API credentials are leaked that would allow users to upload, update or delete content stored at our host’s object store (this includes audio files and images uploaded via our service), these API credentials will be invalidated and new keys obtained.