This page lays it out: what I can see when you visit gan111.com, what I cannot see, and what gets done with the bits that are visible. Everything is on the table — there are no tracking scripts buried in some corner, and there is no scheme where your data gets sold to an ad network, because this site does not run ads. I would rather over-disclose than under-disclose, especially for readers visiting from the United States, the European Union and the United Kingdom, where the regulatory baseline for what privacy notices have to say is much higher than the global norm. There is a long, dedicated §9 US/EU section at the bottom that gets specific about CCPA, GDPR Articles 15-20, the EU-US Data Privacy Framework, FTC Section 5 enforcement and the actual escalation channels you have if you think I have mishandled your data.

§1What gets collected

The only data-collection tool actively running on this site is Google Analytics 4 (GA4), configured with IP anonymisation. In anonymised form it collects:

The system does not collect your name, email address, phone number, government ID or financial information — unless you proactively send me an email, in which case I obviously can see whatever you wrote and attached. The email and its contents are then stored in my mail provider's inbox until I delete them or you ask me to.

What I look at this data for is straightforward: I want to know which articles people actually read versus which ones nobody clicks. Articles nobody reads do not get rewritten, they get retired. There is no profiling, no audience-segmentation work, no lookalike-modelling and no resale.

§2Cookies

GA4 sets a cookie in your browser containing a randomly-generated identifier. Its only purpose is to recognise that successive page requests in the same browser session belong to the same anonymous visitor — that is how it knows you read three articles instead of three separate visitors each reading one. No cookie on this site stores personally-identifying information directly.

You can disable cookies for this site in your browser settings. If you do:

All major browsers (Chrome, Safari, Firefox, Edge, Brave, Arc) expose a "site settings → block cookies" toggle that takes about five seconds to find. If you are reading from the EU or UK, you already have a stronger right to refuse — see §9 below.

§3Third-party services

This is the complete list of third-party services this site loads. There are no others:

No ad-retargeting cookie. No third-party remarketing pixel. No Facebook Pixel, no TikTok Pixel, no Pinterest Tag. No fingerprinting library. No "look-alike audience" data feed. No CRM enrichment.

This site is not run as an ad business, so those things were never plugged in to begin with, and there is no plan to plug them in. If that ever changed, the change would be announced on the homepage with seven days of banner notice and recorded in the corrections center before it took effect.

§4Affiliate-link data

When you click an exchange link on this site (Binance, OKX, Bybit, Bitget, Gate), the exchange knows that "this signup originated from gan111.com's referral code XG188" — that is how the affiliate system is designed to work. It is not optional and it is not hidden tracking; it is the entire point of an affiliate link.

However, there are several things I cannot see from my side of the affiliate relationship:

What the exchange shows me is aggregate statistical data only: how many new users registered through my code this month, how much trading volume those users produced in aggregate, and what my percentage share of the marketing-spend pool comes to. The user identity layer is protected on the exchange side, not on mine. The exchanges have to do this for KYC and AML compliance — they cannot legally share customer identifying information with affiliates.

For the full commercial disclosure (FTC + ESMA + AMF compliant), see disclaimer §4.

§5Your rights

Wherever you are reading from, if GDPR (EU/UK), CCPA/CPRA (California), Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, China's Personal Information Protection Law, or any analogous regional regulation applies to you, you have the following rights:

GA4 retains anonymised event data for 14 months by default (the maximum retention I can configure in the GA4 console). I do not have a manual interface to delete a specific anonymised visitor ID before that 14-month window expires — but after 14 months the data is automatically purged by Google.

To delete an email you have sent me, simply reply to that thread with "please delete my prior email" addressed to [email protected], and I will delete it within seven business days.

§6Where the data physically lives

An honest privacy policy has to say where the bits actually sit on disk:

For readers visiting from mainland China: traffic routes through Cloudflare's international PoPs (the site is not ICP-licensed for domestic Chinese hosting), which means access speed is somewhat slower than a domestically-hosted Chinese site, but it also means your data does not get co-located in any unexpected jurisdiction beyond what is already implied by Cloudflare's published list of points-of-presence.

§7Children

This site contains discussion of speculative financial instruments and is not directed at children under 18 (or under 13 for COPPA purposes in the United States, or under 16 for GDPR purposes in most EU member states). I do not knowingly collect data from children. If you are a parent or guardian and believe a minor has interacted with this site or sent me an email, contact me at [email protected] and I will delete any related records promptly.

§8Policy updates

This policy does not change often. When it does change, I commit to doing two things:

  1. Updating the Last updated timestamp at the bottom of this page
  2. If the change is material — for example, adding a new third-party service, or changing the legal basis for processing — a banner notice will appear on the homepage for at least seven full days before the new policy takes effect

I will not silently amend this page and pretend it always read that way. Every revision is also logged in the corrections center with a date stamp and a brief note on what changed and why. That is the EEAT-grade discipline I have committed to elsewhere on this site, and it applies to legal documents as much as to articles.

§9For US / EU / UK readers · privacy supplement

This is the section that matters most if you are reading from the United States, the European Union or the United Kingdom — and it is also the section that almost every crypto-publisher privacy policy either skips or fills with a copy-pasted line from 2018 that was already out of date the day they pasted it. I want to walk through the specific regulatory ground you actually stand on, and the specific channels you can use if you think your privacy rights have been violated. This is the kind of detail the FTC and EU DPAs increasingly expect publishers to be precise about.

California · CCPA and CPRA

The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA), gives California residents specific enumerated rights against businesses that collect their personal information. As a California reader of this site, you have the right to: (1) know what personal information has been collected about you, (2) know whether that information has been sold or "shared" in the CPRA-specific sense (it has not — this site does not sell or share for cross-context behavioural advertising), (3) request deletion of your personal information, (4) opt out of any future sale or sharing via a "Do Not Sell or Share My Personal Information" signal (your browser's Global Privacy Control signal is honoured automatically), and (5) be free from retaliation for exercising these rights (there is no scenario where exercising your CCPA rights changes what content you see). To exercise any of these rights, email [email protected] with the subject line "CCPA request." Verifiable requests will be honoured within 45 calendar days as the statute requires.

Other US state privacy laws

Virginia's VCDPA (effective 2023-01-01), Colorado's CPA (2023-07-01), Connecticut's CTDPA (2023-07-01), Utah's UCPA (2023-12-31), Texas's DPSA (2024-07-01) and a growing list of additional state regimes all provide rights of access, correction, deletion and opt-out broadly analogous to CCPA. If you are a resident of one of those states, the same email address handles your requests, and the same 45-day response window applies. I do not maintain separate procedural channels per state, because that would just be theatre — the underlying data inventory is the same.

EU / UK · GDPR Articles 15-20

The General Data Protection Regulation (Regulation EU 2016/679, and the corresponding UK GDPR after Brexit) gives EU and UK residents a more granular set of rights than US state laws do. The specific GDPR articles that matter for a reader of this site:

The legal basis I rely on for processing GA4 analytics is legitimate interest under Article 6(1)(f), narrowly scoped to operating and improving the publication. Email-handling falls under Article 6(1)(b) (performance of a contract, namely the contract you implicitly form when you initiate correspondence). I do not process any special-category data under Article 9 and I do not make any automated decisions producing legal effects under Article 22.

EU-US Data Privacy Framework

Since 10 July 2023, transfers of personal data from the EU/EEA to the United States are governed by the EU-US Data Privacy Framework (DPF), which replaced the invalidated Privacy Shield. Google has self-certified under the DPF, which means GA4 analytics data flowing from EU visitors to Google's US servers is covered by an adequacy decision. If the DPF is ever invalidated again (a real possibility given ongoing Schrems-III-style legal challenges), the fallback would be EU standard contractual clauses, which Google also relies on. As a practical matter: if you are an EU/EEA reader and you do not want your anonymised GA4 events flowing across the Atlantic, disabling cookies prevents the GA4 client from firing, and no data crosses any border.

Cookie consent · the EU vs US asymmetry

This is the part where US and EU privacy norms diverge most sharply. In the EU under GDPR plus the ePrivacy Directive, the default rule is strict opt-in — non-essential cookies should not be set until the user affirmatively consents, and dark-pattern consent banners are increasingly being enforced against by national DPAs. In the US, the prevailing norm is notice-only — cookies can be set by default as long as the user has notice and can opt out. This site currently sets the GA4 cookie on first visit regardless of region, because the GA4 cookie is anonymised and IP-stripped. If you are visiting from the EU and prefer a strict opt-in posture, blocking cookies in your browser before visiting achieves that result without requiring me to maintain region-specific consent infrastructure that would itself collect additional location data to function.

FTC Section 5 enforcement (US)

The US does not have a single federal privacy law equivalent to GDPR, but the Federal Trade Commission enforces against unfair or deceptive practices under Section 5 of the FTC Act. The FTC has brought enforcement actions against publishers and platforms that misrepresented their data practices, leaked data through poor security, or failed to honour stated retention promises. If you believe this site has materially deviated from what this privacy policy describes, you can file a complaint at reportfraud.ftc.gov, and the FTC has jurisdiction to investigate. I would rather you tell me first so I can fix whatever is broken, but the FTC channel is the formal remedy available to you.

Right channels for US/EU/UK readers

Here are the working escalation channels by jurisdiction, in order of how I would actually use them:

None of these channels are fast. DPA investigations typically take 12-24 months. But the formal complaint is the way to create a permanent regulatory record, and DPAs explicitly publish aggregated complaint data to inform their enforcement priorities. Filing matters even when it does not produce immediate resolution.

§10Contact

For any privacy-related question, or to exercise any of the rights described in §5 or §9, email is the most reliable channel:

[email protected]

Please include "Privacy request" in the subject line so it gets prioritised. First-touch response within seven business days. Full resolution within 45 calendar days as required by CCPA/CPRA and within 30 days as required by GDPR (extendable by an additional 60 days for complex requests with notice to you, also as GDPR permits).

Last updated · 2026-05-28 gan111.com · Gan · @mor_xiaogan