Updated: May 21, 2026
This Privacy Policy describes how Craftled, MB ("Craftled", "we", "us", "our") collects, uses, and protects personal data when you visit UI Things at uithings.com, subscribe to our newsletter, or interact with our services.
UI Things is part of Epigraph Media, a publishing network owned and operated by Craftled. For the broader agreement governing your use of UI Things, see our Terms of Service.
1. Who We Are
UI Things is operated by:
Craftled, MB
Eduardo Andre 14-5, LT-02232 Vilnius, Lithuania
Registration: 305722486
VAT: LT100015273316
For privacy inquiries, contact support@uithings.com.
Craftled acts as the data controller for personal data collected through uithings.com and the other publications in the Epigraph Media network. Emails sent to addresses at uithings.com are received and handled by Craftled.
2. What Information We Collect
We collect the minimum information needed to operate UI Things and the services we offer.
Information you provide directly
- Newsletter subscription: your email address when you subscribe to the UI Things newsletter. First name is optional. Resend, our email delivery provider, also logs the IP address used to submit the form for spam prevention.
- Broken link reports: the URL you visited and any optional note you submit through the report form on our 404 page.
- Sponsor accounts (advertisers only): name, email, billing address, and payment method details processed by Stripe for ad credit purchases.
- Direct correspondence: any information you include when you email us.
Information collected automatically
- Analytics data: anonymized page views, referrer, browser type, country-level geography, and device type, collected via our self-hosted Umami analytics. Umami does not use cookies and does not track individuals across sessions or sites.
- Server logs: IP address, user agent, request path, response code, and timestamp, retained for security and debugging.
- 404 events: URLs that returned a 404 response, retained to help us fix broken links and improve redirects.
Information we do not collect
- We do not use Google Analytics, Facebook Pixel, or any tracking pixel that profiles individuals across the web.
- We do not sell or share personal information for cross-context behavioral advertising as defined under CPRA.
- We do not collect Sensitive Personal Information as defined under CPRA (such as precise geolocation, racial or ethnic origin, religious beliefs, biometric data, or health information).
- We do not require account registration to read UI Things.
3. How We Use Information
We use the information we collect to:
- Deliver the newsletter: send the UI Things newsletter to subscribers, manage subscription preferences, and process unsubscribe requests.
- Process payments: charge sponsor accounts for ad credit purchases via Stripe, maintain credit balance records, and issue receipts.
- Operate the service: serve pages, distribute content via RSS, deliver search results, generate sitemaps and AI-discovery files, and protect against bots and abuse.
- Improve content: understand which articles readers find useful through aggregated, anonymized analytics. We do not build profiles of individual readers.
- Communicate with you: respond to inquiries sent to support@uithings.com or business@uithings.com.
- Comply with legal obligations: maintain accounting records (7 years per EU tax law) and respond to lawful requests from authorities.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.
4. Legal Basis for Processing (GDPR)
We process personal data on the following legal bases under the EU and UK General Data Protection Regulations:
- Consent: newsletter subscriptions (you opt in explicitly via double opt-in confirmation).
- Contract performance: sponsor account services, ad credit purchases, and receipts.
- Legitimate interest: protecting our service from abuse and fraud (server logs, bot protection), understanding aggregate readership to improve content (analytics), and responding to your direct correspondence.
- Legal obligation: accounting and tax records.
You may withdraw consent at any time by unsubscribing from the newsletter (one-click link in every email) or by emailing support@uithings.com.
5. Third-Party Processors
We use the following service providers to operate UI Things. Each is bound by a data processing agreement (DPA) and processes data only on our instructions.
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Web hosting, edge CDN, bot protection (BotID), cron jobs | USA / EU (Frankfurt) |
| Neon (Vercel Postgres) | Primary database | EU |
| Cloudflare R2 | Media and file storage | Global (no specified region) |
| Resend | Newsletter delivery, transactional email, segment and topic management | USA |
| Stripe, Inc. | Payment processing for sponsor ad credits | USA / Ireland (EU customers) |
| Umami (self-hosted) | Cookie-free analytics, hosted on our own infrastructure at umami.craftled.com | EU |
| Typefully | Social media post scheduling and distribution (only post content authored for distribution; no reader data) | USA |
| Anthropic | Claude AI used to adapt post content for social distribution (only post content; no reader data) | USA |
| GitHub | Source code repository and CI (no reader data) | USA |
Where data is transferred outside the European Economic Area (EEA) or UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards.
6. Cookies and Similar Technologies
UI Things is designed to be lightweight on tracking. We do not display a cookie consent banner because we do not use non-essential cookies on our reader-facing pages.
Analytics
We use Umami, a privacy-first analytics tool that we self-host. Umami does not set cookies, does not use device fingerprinting, does not collect personal data, and does not track visitors across sessions or websites. No consent banner is required for Umami because it does not store data on your device.
Bot protection
When you submit the newsletter form, Vercel BotID may briefly use your IP address and browser characteristics to verify you are not a bot. This is processed as a transient signal and not stored persistently.
Strictly necessary cookies
We may use a small number of cookies that are strictly necessary for the site to function (for example, to remember a sponsor's login session in the admin panel). These do not require consent under GDPR and CCPA because they are essential for delivering a service you have explicitly requested.
Stripe checkout
When sponsors purchase ad credits, the checkout flow opens on Stripe's hosted checkout page (checkout.stripe.com). Stripe's own cookies apply on that page; see Stripe's Privacy Policy and Cookie Settings.
Third-party embeds
Articles may embed third-party content such as X (Twitter) posts via the official embed format. These embeds may set cookies when you interact with them. We use Vercel's react-tweet library to lazy-load tweet content; nothing loads until the embed is near your viewport.
7. Data Sharing
We do not sell personal data. We share data only with:
- The third-party processors listed in Section 5, bound by DPAs.
- Law enforcement or regulators when required by a valid legal request.
- Successors in the event of a merger, acquisition, or sale of assets, with notice to affected users where required by law.
8. Data Retention
| Data type | Retention period |
|---|---|
| Newsletter subscribers (confirmed) | Until you unsubscribe |
| Newsletter subscribers (pending double opt-in confirmation) | 30 days, then automatically deleted |
| Unsubscribed contacts | 30 days, then permanently removed from Resend |
| Sponsor account records | Duration of the account plus 7 years for accounting records per Lithuanian / EU tax law |
| Payment records | 7 years per EU tax law |
| Server and access logs | 30 days |
| 404 event logs | 90 days, or until the broken link is fixed |
| Analytics data (Umami) | Aggregated and retained indefinitely; no individual-level data is stored |
9. Your Rights
Under the GDPR, UK GDPR, and CPRA, you have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectify: correct inaccurate personal data.
- Erase ("right to be forgotten"): request deletion of your personal data, subject to legal retention requirements.
- Restrict processing: ask us to limit how we use your data.
- Object to processing: object to processing based on legitimate interest.
- Data portability: receive your data in a structured, machine-readable format.
- Withdraw consent: at any time, for any consent-based processing.
- Lodge a complaint: with your local data protection authority. In Lithuania, this is the State Data Protection Inspectorate (VDAI). In the UK, this is the Information Commissioner's Office (ICO).
California residents (CPRA)
If you are a California resident, you additionally have the right to:
- Know what personal information we collect, use, and share.
- Request deletion of personal information.
- Opt out of any "sale" or "sharing" of personal information (we do not sell or share personal information for cross-context behavioral advertising).
- Non-discrimination for exercising your rights.
California residents may also lodge a complaint with the California Privacy Protection Agency (CPPA) or the California Attorney General's Office.
We honor Global Privacy Control (GPC) signals as a valid opt-out request under CPRA. We do not currently respond to traditional Do Not Track (DNT) browser signals.
To exercise any right, email support@uithings.com. We will respond within 30 days (GDPR) or 45 days (CPRA), and may request reasonable verification of your identity.
10. International Data Transfers
Some of our processors are located outside the EEA and UK (notably in the United States). Where this occurs, we rely on European Commission Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework, or other lawful transfer mechanisms.
11. Children's Privacy
UI Things is not directed at children under 18. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, contact support@uithings.com and we will delete it.
12. Security
We protect personal data using:
- TLS encryption in transit for all connections to uithings.com.
- Database encryption at rest (Neon Postgres).
- Encrypted media storage (Cloudflare R2).
- Access controls limiting administrative access to authorized personnel.
- HMAC-signed webhooks and double opt-in tokens to prevent tampering.
- Bot protection on public forms (Vercel BotID).
- Regular dependency updates and vulnerability scanning.
No internet transmission or storage system is completely secure. We cannot guarantee absolute security, but we apply reasonable measures consistent with industry practice.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The "Effective Date" at the top reflects the most recent revision. Material changes will be communicated by email to newsletter subscribers or via a notice on uithings.com. Continued use of UI Things after the effective date of an updated policy constitutes acceptance of the changes.
14. Contact
For privacy questions, data requests, or to exercise your rights: support@uithings.com
For advertising and sponsorship inquiries: business@uithings.com