Privacy Policy
Last updated: June 11, 2026. Downtown St. Paul (dtstpaul.com) is an independent, resident-run site. It is not affiliated with the Saint Paul Downtown Alliance or any business-improvement district.
What we collect
We collect personal data in two places:
- Newsletter sign-up: your email address, and your topic preferences if you choose them.
- Event submissions (/now/submit): an optional submitter email address — only if you provide it, and only so we can reply to you about your submission. See the “Event submissions” section below for details.
We do not run third-party advertising trackers and we do not sell or share your data with advertisers.
Newsletter consent (double opt-in)
Joining is double opt-in. When you submit your email we store an unconfirmed record and send you a confirmation link. Your address is only added to our mailing list after you click that link. Every email we send includes our physical mailing address and a one-click unsubscribe link, as required by U.S. CAN-SPAM law. Unconfirmed records are deleted after 30 days.
Event submissions
When you submit an event via /now/submit, you may optionally provide your email address. If you do:
- Purpose: we may use it solely to reply to you about your submission (e.g., to confirm it was published or to ask a clarifying question).
- Processor: Supabase (stored in the
dt_eventstable alongside the event record). - Retention: your email is stored until the event record’s
retain_untildate, at which point it is automatically deleted by our nightly retention-purge job. You may also request earlier erasure by emailing hello@dtstpaul.com.
Your email address is never published publicly and is never used for marketing.
Processors we use
- Supabase — database and storage (your email and consent state).
- Resend — sends confirmation, welcome, and newsletter emails.
- Vercel — hosting and cookieless web analytics (aggregate counts only; no per-visitor identity).
Cookies
We use only strictly-necessary cookies (e.g. an administrator session cookie). Our analytics are cookieless. Because we set no non-essential or advertising cookies, we do not show a consent banner. We will revisit this if that ever changes.
Your rights — access & erasure (DSAR / RTBF)
You may request a copy of the personal data we hold about you, or ask us to delete it. Erasure is a hard purge of your personal data (your email and any associated consent records); audit logs we must keep are PII-minimized or redacted. To make a request, email hello@dtstpaul.com. You can also unsubscribe at any time using the link in any email.
Retention
- Unconfirmed newsletter sign-ups: deleted after 30 days.
- Anti-abuse IP hashes: transient rate-limit keys only — they are never persisted to long-term storage and expire automatically (typically within an hour) as part of the rate-limit window.
- Event-submission emails: retained until the event record’s
retain_untildate, then automatically purged. - Rejected or expired event records: deleted after 90 days.
Contact
Questions about this policy: hello@dtstpaul.com.