None of the below changes reflect any shift in our stance on anything: we just clarified some outdated legalese, removed incorrect info (such as boilerplate copy about "sharing with third-party advertising companies", which we've never done), and pulled out our subprocessors into a formal table.
We just pushed a round of updates to our legal pages — partly prompted by good feedback from a customer working through GDPR compliance on their end, and partly because some of these docs were overdue for a refresh. Here's what changed:
Data processing agreement
Our DPA now includes:
- A processing details annex (Annex 1), spelling out the subject matter, duration, types of personal data, and categories of data subjects — everything Article 28(3) of the GDPR asks for.
- A reference to our sub-processor list in Section 5, so you have a stable URL to point to in your records.
- A GDPR precedence clause in Section 12, clarifying that EU, UK, and Swiss data protection law takes priority over US governing law where there's a conflict.
- An updated international transfers section (Section 8) that honestly acknowledges data is processed in the US and references Standard Contractual Clauses as the transfer mechanism.
Privacy policy
The privacy policy hadn't been updated since October 2019 — long overdue. The main changes:
- Removed a reference to third-party advertising companies that was carried over from a template we used years ago. Buttondown has never shared subscriber data with ad networks, and the old language contradicted what we say on our GDPR compliance page. It's gone now.
- Updated contact information from a personal email to support@buttondown.com across the board.
- Fixed a broken anchor link and a heading formatting inconsistency.
Sub-processor list
We added two missing entries to our sub-processor list: Stripe (payment processing) and Seline (privacy-focused analytics, which replaced Vercel Analytics earlier this year).
GDPR compliance page
The GDPR page previously said data was only shared "for the purposes of sending your newsletter" — but sub-processors like AWS, Cloudflare, and Sentry aren't really about newsletter delivery. We updated the language to "providing the service" and linked directly to the sub-processor list and DPA.
Cookie policy
We also published a new cookie policy that documents every cookie Buttondown sets, organized by category: essential, functional, and analytics. No third-party advertising cookies, no surprises.
If you're working through your own GDPR compliance and something's missing or unclear, let us know — this latest round of updates came directly from a customer asking good questions.
