This page lays it out: what I can see when you visit gan111.com, what I cannot see, and what gets done with the bits that are visible. Everything is on the table — there are no tracking scripts buried in some corner, and there is no scheme where your data gets sold to an ad network, because this site does not run ads. I would rather over-disclose than under-disclose, especially for readers visiting from the United States, the European Union and the United Kingdom, where the regulatory baseline for what privacy notices have to say is much higher than the global norm. There is a long, dedicated §9 US/EU section at the bottom that gets specific about CCPA, GDPR Articles 15-20, the EU-US Data Privacy Framework, FTC Section 5 enforcement and the actual escalation channels you have if you think I have mishandled your data.
§1What gets collected
The only data-collection tool actively running on this site is Google Analytics 4 (GA4), configured with IP anonymisation. In anonymised form it collects:
- Anonymised IP · used to infer your approximate geographic region (country level, not street level)
- Pages viewed · which articles you read, how long you stayed on each
- Device type · phone / desktop / tablet, plus browser family and operating system
- Referrer · whether you arrived from a Google search, a link on X (Twitter), a direct URL entry, or a referral from another site
- Approximate timestamp · the day and hour of your visit, used for traffic-pattern analysis
The system does not collect your name, email address, phone number, government ID or financial information — unless you proactively send me an email, in which case I obviously can see whatever you wrote and attached. The email and its contents are then stored in my mail provider's inbox until I delete them or you ask me to.
What I look at this data for is straightforward: I want to know which articles people actually read versus which ones nobody clicks. Articles nobody reads do not get rewritten, they get retired. There is no profiling, no audience-segmentation work, no lookalike-modelling and no resale.
§2Cookies
GA4 sets a cookie in your browser containing a randomly-generated identifier. Its only purpose is to recognise that successive page requests in the same browser session belong to the same anonymous visitor — that is how it knows you read three articles instead of three separate visitors each reading one. No cookie on this site stores personally-identifying information directly.
You can disable cookies for this site in your browser settings. If you do:
- Site functionality is not affected — there is no login, no shopping cart, no preferences pane that depends on cookies
- GA4 will simply not be able to see you, which is fine for you and a small loss for me
- The BTC chart, halving countdown, dominance tool, support/resistance tool and every article remain fully functional
All major browsers (Chrome, Safari, Firefox, Edge, Brave, Arc) expose a "site settings → block cookies" toggle that takes about five seconds to find. If you are reading from the EU or UK, you already have a stronger right to refuse — see §9 below.
§3Third-party services
This is the complete list of third-party services this site loads. There are no others:
- Google Analytics 4 · anonymised traffic analytics, as described above
- Cloudflare · content delivery network, DDoS protection, edge caching · global anycast network
- Google Fonts · web fonts (Inter, Source Serif 4, JetBrains Mono, Noto Sans). If you disable third-party fonts in your browser, text falls back to system fonts and the site remains fully readable
- CoinGecko / Binance public API / Mempool.space · live BTC price tick on the masthead. These are called client-side from your browser, with no personal data attached — only an anonymous public-data request
No ad-retargeting cookie. No third-party remarketing pixel. No Facebook Pixel, no TikTok Pixel, no Pinterest Tag. No fingerprinting library. No "look-alike audience" data feed. No CRM enrichment.
This site is not run as an ad business, so those things were never plugged in to begin with, and there is no plan to plug them in. If that ever changed, the change would be announced on the homepage with seven days of banner notice and recorded in the corrections center before it took effect.
§4Affiliate-link data
When you click an exchange link on this site (Binance, OKX, Bybit, Bitget, Gate), the exchange knows that "this signup originated from gan111.com's referral code XG188" — that is how the affiliate system is designed to work. It is not optional and it is not hidden tracking; it is the entire point of an affiliate link.
However, there are several things I cannot see from my side of the affiliate relationship:
- I do not see the email address or phone number you used to register
- I do not see your deposit amount, the tokens you trade, or your trading volume
- I do not see your P&L — neither gains nor losses
- I do not see the IP, device or geographic location used during your registration
What the exchange shows me is aggregate statistical data only: how many new users registered through my code this month, how much trading volume those users produced in aggregate, and what my percentage share of the marketing-spend pool comes to. The user identity layer is protected on the exchange side, not on mine. The exchanges have to do this for KYC and AML compliance — they cannot legally share customer identifying information with affiliates.
For the full commercial disclosure (FTC + ESMA + AMF compliant), see disclaimer §4.
§5Your rights
Wherever you are reading from, if GDPR (EU/UK), CCPA/CPRA (California), Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, China's Personal Information Protection Law, or any analogous regional regulation applies to you, you have the following rights:
- Right of access · to know what data I hold about you (which is exactly what §1 above lists)
- Right to erasure ("right to be forgotten") · to demand deletion of any data tied to you
- Right to rectification · if you have emailed me, you can request that I delete or correct that email thread
- Right to opt out · disable cookies in your browser, and GA4 stops being able to observe you
- Right to portability · request an export of any personal data I hold about you in a machine-readable format
- Right against automated decision-making · I do not run any automated profiling or scoring on visitors, so this right is trivially satisfied
GA4 retains anonymised event data for 14 months by default (the maximum retention I can configure in the GA4 console). I do not have a manual interface to delete a specific anonymised visitor ID before that 14-month window expires — but after 14 months the data is automatically purged by Google.
To delete an email you have sent me, simply reply to that thread with "please delete my prior email" addressed to [email protected], and I will delete it within seven business days.
§6Where the data physically lives
An honest privacy policy has to say where the bits actually sit on disk:
- GA4 event data · stored on Google servers in the United States and the European Union, governed by Google's terms of service for analytics customers
- Cloudflare edge logs · stored at the nearest Cloudflare global anycast node to your physical location (typically rotated within hours)
- Site content · served from a virtual private server located in Tokyo, Japan, fronted by Cloudflare's international network
- Email contents · stored on the mail provider's servers, encrypted at rest
For readers visiting from mainland China: traffic routes through Cloudflare's international PoPs (the site is not ICP-licensed for domestic Chinese hosting), which means access speed is somewhat slower than a domestically-hosted Chinese site, but it also means your data does not get co-located in any unexpected jurisdiction beyond what is already implied by Cloudflare's published list of points-of-presence.
§7Children
This site contains discussion of speculative financial instruments and is not directed at children under 18 (or under 13 for COPPA purposes in the United States, or under 16 for GDPR purposes in most EU member states). I do not knowingly collect data from children. If you are a parent or guardian and believe a minor has interacted with this site or sent me an email, contact me at [email protected] and I will delete any related records promptly.
§8Policy updates
This policy does not change often. When it does change, I commit to doing two things:
- Updating the Last updated timestamp at the bottom of this page
- If the change is material — for example, adding a new third-party service, or changing the legal basis for processing — a banner notice will appear on the homepage for at least seven full days before the new policy takes effect
I will not silently amend this page and pretend it always read that way. Every revision is also logged in the corrections center with a date stamp and a brief note on what changed and why. That is the EEAT-grade discipline I have committed to elsewhere on this site, and it applies to legal documents as much as to articles.
§9For US / EU / UK readers · privacy supplement
This is the section that matters most if you are reading from the United States, the European Union or the United Kingdom — and it is also the section that almost every crypto-publisher privacy policy either skips or fills with a copy-pasted line from 2018 that was already out of date the day they pasted it. I want to walk through the specific regulatory ground you actually stand on, and the specific channels you can use if you think your privacy rights have been violated. This is the kind of detail the FTC and EU DPAs increasingly expect publishers to be precise about.
California · CCPA and CPRA
The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA), gives California residents specific enumerated rights against businesses that collect their personal information. As a California reader of this site, you have the right to: (1) know what personal information has been collected about you, (2) know whether that information has been sold or "shared" in the CPRA-specific sense (it has not — this site does not sell or share for cross-context behavioural advertising), (3) request deletion of your personal information, (4) opt out of any future sale or sharing via a "Do Not Sell or Share My Personal Information" signal (your browser's Global Privacy Control signal is honoured automatically), and (5) be free from retaliation for exercising these rights (there is no scenario where exercising your CCPA rights changes what content you see). To exercise any of these rights, email [email protected] with the subject line "CCPA request." Verifiable requests will be honoured within 45 calendar days as the statute requires.
Other US state privacy laws
Virginia's VCDPA (effective 2023-01-01), Colorado's CPA (2023-07-01), Connecticut's CTDPA (2023-07-01), Utah's UCPA (2023-12-31), Texas's DPSA (2024-07-01) and a growing list of additional state regimes all provide rights of access, correction, deletion and opt-out broadly analogous to CCPA. If you are a resident of one of those states, the same email address handles your requests, and the same 45-day response window applies. I do not maintain separate procedural channels per state, because that would just be theatre — the underlying data inventory is the same.
EU / UK · GDPR Articles 15-20
The General Data Protection Regulation (Regulation EU 2016/679, and the corresponding UK GDPR after Brexit) gives EU and UK residents a more granular set of rights than US state laws do. The specific GDPR articles that matter for a reader of this site:
- Article 15 — Right of access · you can request a copy of any personal data I hold about you
- Article 16 — Right to rectification · you can demand correction of inaccurate data
- Article 17 — Right to erasure · the "right to be forgotten" — request deletion
- Article 18 — Right to restriction · temporarily halt processing while a dispute is resolved
- Article 19 — Notification obligation · I must inform any downstream recipient of any rectification/erasure (there are no downstream recipients in this case)
- Article 20 — Right to data portability · machine-readable export of data you provided
- Article 21 — Right to object · object specifically to processing based on legitimate-interest grounds
The legal basis I rely on for processing GA4 analytics is legitimate interest under Article 6(1)(f), narrowly scoped to operating and improving the publication. Email-handling falls under Article 6(1)(b) (performance of a contract, namely the contract you implicitly form when you initiate correspondence). I do not process any special-category data under Article 9 and I do not make any automated decisions producing legal effects under Article 22.
EU-US Data Privacy Framework
Since 10 July 2023, transfers of personal data from the EU/EEA to the United States are governed by the EU-US Data Privacy Framework (DPF), which replaced the invalidated Privacy Shield. Google has self-certified under the DPF, which means GA4 analytics data flowing from EU visitors to Google's US servers is covered by an adequacy decision. If the DPF is ever invalidated again (a real possibility given ongoing Schrems-III-style legal challenges), the fallback would be EU standard contractual clauses, which Google also relies on. As a practical matter: if you are an EU/EEA reader and you do not want your anonymised GA4 events flowing across the Atlantic, disabling cookies prevents the GA4 client from firing, and no data crosses any border.
Cookie consent · the EU vs US asymmetry
This is the part where US and EU privacy norms diverge most sharply. In the EU under GDPR plus the ePrivacy Directive, the default rule is strict opt-in — non-essential cookies should not be set until the user affirmatively consents, and dark-pattern consent banners are increasingly being enforced against by national DPAs. In the US, the prevailing norm is notice-only — cookies can be set by default as long as the user has notice and can opt out. This site currently sets the GA4 cookie on first visit regardless of region, because the GA4 cookie is anonymised and IP-stripped. If you are visiting from the EU and prefer a strict opt-in posture, blocking cookies in your browser before visiting achieves that result without requiring me to maintain region-specific consent infrastructure that would itself collect additional location data to function.
FTC Section 5 enforcement (US)
The US does not have a single federal privacy law equivalent to GDPR, but the Federal Trade Commission enforces against unfair or deceptive practices under Section 5 of the FTC Act. The FTC has brought enforcement actions against publishers and platforms that misrepresented their data practices, leaked data through poor security, or failed to honour stated retention promises. If you believe this site has materially deviated from what this privacy policy describes, you can file a complaint at reportfraud.ftc.gov, and the FTC has jurisdiction to investigate. I would rather you tell me first so I can fix whatever is broken, but the FTC channel is the formal remedy available to you.
Right channels for US/EU/UK readers
Here are the working escalation channels by jurisdiction, in order of how I would actually use them:
- Step 1 (everyone) · email [email protected] with subject "Privacy request" — first-touch response within seven business days, full resolution within 45 calendar days
- US · your state Attorney General · particularly the New York OAG (Bureau of Internet and Technology), California's DFPI and the Attorney General of California (which enforces CCPA/CPRA directly), the Texas AG and the Florida AG. State AGs have civil enforcement authority over privacy violations
- US · Federal Trade Commission · reportfraud.ftc.gov for deceptive-practices complaints under Section 5 of the FTC Act
- EU · your national Data Protection Authority · the CNIL in France, BfDI/Datenschutzbeauftragter in Germany (state-level DPAs handle most cases), Garante per la Protezione dei Dati Personali in Italy, AEPD in Spain, Datatilsynet in Denmark, Autoriteit Persoonsgegevens in the Netherlands, and the equivalent body in every other member state. Under GDPR Article 77 you have the right to lodge a complaint with the DPA of your country of residence or of the place of the alleged infringement
- UK · Information Commissioner's Office (ICO) · ico.org.uk · the UK supervisory authority for UK GDPR and the Data Protection Act 2018. The ICO has fining authority up to GBP 17.5 million or 4 percent of global turnover, whichever is higher
- EU · European Data Protection Board (EDPB) · for cross-border issues where multiple member-state DPAs are involved
None of these channels are fast. DPA investigations typically take 12-24 months. But the formal complaint is the way to create a permanent regulatory record, and DPAs explicitly publish aggregated complaint data to inform their enforcement priorities. Filing matters even when it does not produce immediate resolution.
§10Contact
For any privacy-related question, or to exercise any of the rights described in §5 or §9, email is the most reliable channel:
Please include "Privacy request" in the subject line so it gets prioritised. First-touch response within seven business days. Full resolution within 45 calendar days as required by CCPA/CPRA and within 30 days as required by GDPR (extendable by an additional 60 days for complex requests with notice to you, also as GDPR permits).