Legal

Privacy Policy

How we collect, use, and protect your data. Last updated: May 2026.

1. Data Controller

The data controller responsible for data processing on this website is:

We take the protection of your personal data seriously. This privacy policy explains how we handle your data when you use our website (closelook.net), our newsletter publication (substack.closelook.net), and related services.

2. Access Data and Hosting

You can visit our website without providing personal information. Each time a page is accessed, the web server automatically stores a server log file containing the requested file name, your IP address, date and time of access, data volume transferred, and the requesting provider. This data is used solely for ensuring trouble-free operation and improving our services, pursuant to Art. 6(1)(f) GDPR.

2.1 Hosting — Cloudflare

Our website is hosted via Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA). Cloudflare acts as our hosting provider and content delivery network (CDN). All access data is processed on Cloudflare’s servers. Cloudflare is certified under the EU-U.S. Data Privacy Framework (DPF).

Cloudflare may process data including IP addresses, system configuration information, and other information about traffic to and from our website for security, performance, and analytics purposes.

2.2 Newsletter Platform — Substack

Our newsletter is operated via Substack, Inc. (111 Sutter Street, San Francisco, CA 94104, USA). When you subscribe to our newsletter on substack.closelook.net, Substack collects your email address, subscription preferences, and reading activity. Substack’s own privacy policy governs data processing on their platform. Substack processes data in the United States under the EU-U.S. Data Privacy Framework.

3. Payment Processing

Subscription payments are processed by Stripe, Inc. (354 Oyster Point Blvd, South San Francisco, CA 94080, USA) via Stripe Payment Links on /subscribe/. When you make a payment, Stripe collects your payment information (credit card details, billing address, email) directly on Stripe-hosted checkout pages. We do not store your credit card information on our servers. Stripe is certified under the EU-U.S. Data Privacy Framework. For details, see Stripe’s Privacy Policy.

For paid newsletter delivery, your Stripe customer record is imported by Substack Pro to grant access to subscriber-only newsletter content. Substack does not act as payment processor under this architecture.

4. Cookies and Tracking Technologies

4.1 General Information

We use cookies and similar technologies on our website. Cookies are small text files stored on your device. Some cookies are deleted after your browser session ends (session cookies), while others remain on your device to recognize your browser on subsequent visits (persistent cookies).

Strictly necessary cookies are used without consent to provide the requested service. For all other cookies and tracking technologies, we obtain your consent before activation via our consent management tool.

4.2 Consent Management — Cloudflare Zaraz

We use Cloudflare Zaraz Consent Management Platform to inform you about cookies and tracking technologies used on our website, and to obtain, manage, and document your consent pursuant to Art. 7(1) GDPR. When you interact with the consent modal, your consent preferences are stored in a first-party cookie. You can change your consent preferences at any time by clearing your browser cookies and revisiting the site.

4.3 Google Analytics 4

We use Google Analytics 4 (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) for statistical analysis of website usage. Google Analytics uses cookies to collect information about your visit including pages viewed, time spent, referral source, and device/browser information. Your IP address is anonymized. This processing is based on your consent pursuant to Art. 6(1)(a) GDPR. Google Analytics only activates after you consent to the “Analytics” purpose in our consent modal.

Google is certified under the EU-U.S. Data Privacy Framework. You can opt out of Google Analytics at any time by withdrawing your consent or installing the Google Analytics Opt-out Browser Add-on.

4.4 LinkedIn Insight Tag

We use the LinkedIn Insight Tag (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) to measure the effectiveness of our LinkedIn advertising campaigns and to understand how visitors interact with our website after clicking on LinkedIn content. The Insight Tag collects data about page visits, referral URLs, IP addresses, device and browser characteristics, and timestamps. This processing is based on your consent pursuant to Art. 6(1)(a) GDPR and only activates after you consent to the “Marketing” purpose in our consent modal.

LinkedIn is certified under the EU-U.S. Data Privacy Framework. For details, see LinkedIn’s Privacy Policy.

5. Data Processing for Communication

When you contact us (e.g., via email or contact form), we collect personal data you voluntarily provide pursuant to Art. 6(1)(b) GDPR to process your inquiry. After complete processing, your data will be deleted unless you have consented to further use or we are legally required to retain it.

Data relating to customer inquiries will be restricted after complete processing and deleted after expiry of statutory retention periods (tax and commercial law) pursuant to Art. 6(1)(c) GDPR.

6. Social Media Presence

We maintain online presences on LinkedIn and X (formerly Twitter). When you visit our profiles on these platforms, the respective platform operator may collect and process data for market research and advertising purposes. Please refer to the privacy policies of each platform for details:

• LinkedIn Privacy Policy
• X / Twitter Privacy Policy

7. AI Search Engines and Machine-Readable Data

7.1 llms.txt and AI Bot Access

We provide machine-readable files (llms.txt and llms-full.txt) at the root of our website to help AI search engines (such as Perplexity, ChatGPT, Google Gemini, and Claude) understand and accurately represent our content. These files contain publicly available information about our research products, frameworks, and services. They do not contain personal data of users or subscribers.

Our robots.txt file explicitly permits crawling by AI bots including GPTBot (OpenAI), ClaudeBot (Anthropic), PerplexityBot, Google-Extended, and Amazonbot. This is done to ensure our research is accurately cited by AI-powered search engines. No personal data is shared with these services through crawling. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in accurate representation of publicly available content).

7.2 Schema.org Structured Data

We embed Schema.org structured data (JSON-LD) on our pages to help search engines and AI systems understand our content structure. This includes metadata such as article titles, publication dates, author names (Thomas Look), organization information (Closelook Venture GmbH), product descriptions, and breadcrumb navigation. All structured data reflects publicly available information and does not contain personal data of visitors or subscribers.

8. Newsletter and Subscription Services

8.1 Substack — Content Delivery

Our newsletter is operated through Substack Inc. (San Francisco, CA, USA). When you subscribe to our newsletter via Substack, Substack processes your email address and subscription preferences. Substack acts as a joint controller for subscriber data. This processing is based on your consent pursuant to Art. 6(1)(a) GDPR when you subscribe.

Substack may use tracking technologies in emails (open tracking, click tracking) to measure newsletter performance. For details, see Substack’s Privacy Policy. You can unsubscribe at any time via the unsubscribe link in every email.

8.2 Stripe — Payment Processing

Subscription payments to the C+ Portfolio tier are processed directly by Stripe, Inc. (San Francisco, CA, USA) via Stripe-hosted Payment Links. When you subscribe, Stripe processes your payment information (credit card data, billing address) on its own infrastructure. We do not receive or store your full credit card number. After payment, Substack Pro imports your Stripe customer record so paid newsletter content reaches your inbox. Stripe is certified under the EU-U.S. Data Privacy Framework. For details, see Stripe’s Privacy Policy.

9. Hosting and Content Delivery

9.1 Cloudflare Pages

Our website is hosted on Cloudflare Pages (Cloudflare Inc., San Francisco, CA, USA). Cloudflare provides content delivery network (CDN) services, DDoS protection, and web application firewall functionality. When you access our website, Cloudflare may process your IP address, browser information, and request data for security and performance optimization purposes. This processing is based on Art. 6(1)(f) GDPR (legitimate interest in secure and performant website operation).

Cloudflare is certified under the EU-U.S. Data Privacy Framework. For details, see Cloudflare’s Privacy Policy.

9.2 Self-Hosted Fonts

We serve web fonts (DM Sans, Source Serif 4, JetBrains Mono) directly from our Cloudflare-hosted infrastructure. Fonts are not loaded from third-party CDNs, so no personal data is transmitted to font providers when you load our pages.

10. Third Country Data Transfers

Some of our service providers are based in the United States. Where applicable, data transfers to the US are covered by the EU-U.S. Data Privacy Framework adequacy decision. Where service providers are not certified under the DPF, we rely on EU Standard Contractual Clauses as appropriate safeguards.

Despite all contractual and technical measures, the level of data protection in third countries may not be equivalent to that in the EU. In particular, local authorities may have access rights to personal data that are not sufficiently limited from a European data protection perspective.

11. Your Rights

As a data subject, you have the following rights under the GDPR:

• Right of access (Art. 15) — request information about your personal data we process
• Right to rectification (Art. 16) — request correction of inaccurate data
• Right to erasure (Art. 17) — request deletion of your data, subject to legal exceptions
• Right to restriction (Art. 18) — request restriction of processing in certain circumstances
• Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
• Right to lodge a complaint (Art. 77) — file a complaint with a supervisory authority

Right to Object

Where we process personal data based on legitimate interests (Art. 6(1)(f) GDPR), you may object to such processing at any time with effect for the future. For direct marketing purposes, you may exercise this right at any time without restriction. For other purposes, objection is possible where grounds relating to your particular situation apply.

12. Contact

For questions regarding the collection, processing, or use of your personal data, or to exercise your rights, please contact us at:

This privacy policy applies to closelook.net, operated by Closelook Venture GmbH. Last updated May 2026.