Privacy Policy for Codego Press — last reviewed 5 May 2026.

This Privacy Policy explains how Codego Group LTD ("Codego Press", "we", "us", "our") collects, uses, stores, and discloses Personal Data when you visit news.codegotech.com (the "Service"). Codego Press is the editorial publication of Codego Group LTD, a company incorporated in Malta. This Policy applies to all visitors, newsletter subscribers ("Subscribers"), registered members ("Members"), and commenters ("Commenters") who interact with the Service. It has been drafted in accordance with Regulation (EU) 2016/679 (the "GDPR"), the ePrivacy Directive as implemented in Maltese law, and any applicable guidance issued by the Maltese Information and Data Protection Commissioner ("IDPC"). Please read this Policy carefully before using the Service.

Section 01 — Who We Are and How to Contact Us

The data controller for all Personal Data processed through the Service is:

Codego Group LTD
Malta
Email: [email protected]

Codego Group LTD has not appointed a formal Data Protection Officer, as it does not fall within the categories of controllers required to do so under Article 37 GDPR. All data protection enquiries, subject access requests, and complaints are handled by our support team at [email protected]. We aim to respond to all GDPR-related correspondence within one calendar month of receipt, as required by Article 12(3) GDPR. Where a request is complex, or where we receive a number of requests, we may extend this period by a further two months and will notify you accordingly.

The Service is operated under the editorial brand Codego Press at news.codegotech.com. It publishes fintech, banking, and BaaS journalism in seven languages (English, Italian, Spanish, French, German, Arabic, and Turkish). Content is produced with a combination of human editorial oversight and AI-assisted curation. All content is editorial opinion and general information only; nothing published on the Service constitutes investment advice, financial advice, or any regulated financial communication. Readers should seek independent professional advice before making any financial decisions.

Section 02 — Personal Data We Collect and How We Collect It

We collect Personal Data in the following categories, depending on how you interact with the Service:

(a) Automatically collected data — all visitors. When you access the Service, our infrastructure automatically records your Internet Protocol ("IP") address, the date and time of your request, the URL requested, your browser type and version, operating system, referring URL, and HTTP status code. This data is processed by Cloudflare, Inc., which provides our content delivery network ("CDN") and security layer, before requests reach our hosting environment. Cloudflare processes this data in the course of providing DDoS mitigation, bot management, and caching services. Your IP address is Personal Data for the purposes of the GDPR.

(b) Analytics identifiers — visitors who have given consent. If you accept analytics cookies, Google Analytics 4 ("GA4") sets first-party cookies (_ga, _gid) on your device and assigns a pseudonymous client identifier to your browser. GA4 collects data on pages viewed, session duration, device type, browser, approximate geographic location (derived from IP, with IP anonymisation enabled), and engagement events. This data is processed by Google LLC on our behalf. Collection only occurs after you provide freely given, specific, informed, and unambiguous consent via our cookie consent interface, in accordance with Article 6(1)(a) GDPR and Article 5(3) of the ePrivacy Directive.

(c) Newsletter and Member account data — Subscribers and Members. The Service uses the Ghost CMS native membership platform. If you choose to subscribe to our newsletter or create a Member account, we collect your email address (mandatory) and, if you choose to provide it, your display name (optional). You register via the Ghost sign-up flow and are required to confirm your email address before your subscription is activated. Membership is free; there is no paywall or premium tier. Your Ghost session is maintained via a session cookie set upon sign-in.

(d) Comment content and associated data — Commenters. The Service uses Ghost's native member-comments feature. Leaving a comment requires you to be signed in as a Member. When you post a comment, we store the content of the comment, the associated Member account identifier, the timestamp, and the IP address from which the comment was submitted. The IP address is retained for comment moderation and abuse prevention purposes.

(e) Language preference. The Service stores a cookie recording your selected display language. This cookie contains no Personal Data beyond a language code and is technically necessary to preserve your preference across page loads.

(f) Newsletter consent flag. A cookie is set to record that you have confirmed your newsletter opt-in, in order to avoid displaying the subscription prompt repeatedly to confirmed Subscribers. This cookie is functionally necessary for the operation of the subscription mechanism.

Section 03 — Lawful Basis for Processing

We rely on the following lawful bases under Article 6 GDPR for each processing activity:

Article 6(1)(a) — Consent. We rely on your consent as the lawful basis for: (i) placing GA4 analytics cookies on your device and processing the resulting analytics data; and (ii) sending you our newsletter by email. Consent is obtained separately for each purpose through a clearly presented, affirmative opt-in mechanism. You may withdraw consent at any time; see Section 09 for how to do so. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

Article 6(1)(b) — Performance of a contract. When you create a Member account or newsletter subscription, processing your email address and optional name is necessary to perform the contract between us — namely, to deliver the Service to you as a Member, authenticate your account, and provide the functionality you have requested (including the ability to leave comments).

Article 6(1)(f) — Legitimate interests. We rely on our legitimate interests for: (i) logging IP addresses and server access data for security, fraud prevention, and abuse mitigation purposes; (ii) logging IP addresses in connection with comment moderation, to detect and prevent spam, harassment, and unlawful content; and (iii) operating the Cloudflare CDN for service availability, performance, and protection against malicious traffic. In each case, we have conducted a balancing assessment and are satisfied that our interests are not overridden by your interests or fundamental rights. You have the right to object to processing carried out on this basis; see Section 09.

Section 04 — Purposes of Processing

We process Personal Data for the following purposes:

(a) Delivering editorial content. To serve pages, articles, and media to your browser, including through Cloudflare's CDN infrastructure, and to maintain the technical availability and security of the Service.

(b) Member account management. To create and maintain your Ghost Member account, authenticate you when you sign in, and enable member-only features such as commenting.

(c) Newsletter delivery. To send you our editorial newsletter by email, where you have given consent. Newsletters are dispatched via our Plesk SMTP email delivery infrastructure. We do not use third-party email marketing platforms; delivery is handled within our own hosting environment.

(d) Analytics and service improvement. Where you have consented, to understand how visitors interact with the Service, which content is most read, and how the Service performs across devices and languages, using GA4.

(e) Comment moderation. To review, moderate, and where necessary remove comments that are abusive, unlawful, or contrary to our editorial standards. IP address data is retained for this purpose to assist with identifying and blocking repeat offenders.

(f) Security and fraud prevention. To detect and prevent unauthorised access, scraping, DDoS attacks, bot activity, and other threats to the integrity and availability of the Service.

We do not use Personal Data for any form of targeted advertising, profiling, or sale to third parties. We do not engage in automated decision-making that produces legal or similarly significant effects in relation to any individual, within the meaning of Article 22 GDPR.

Section 05 — Cookies and Similar Technologies

The Service uses cookies and similar browser storage technologies. The table below sets out each cookie in use, its purpose, its classification, and its retention period.

Cookie name | Set by | Purpose | Classification | Retention
ghost-members-ssr / Ghost session | Ghost CMS (first party) | Authenticates signed-in Members; maintains session state | Strictly necessary | Session / as configured by Ghost
Language preference | First party | Stores selected display language | Strictly necessary / functional | 12 months
Newsletter consent flag | First party | Records confirmed newsletter opt-in to suppress repeated prompts | Strictly necessary / functional | 12 months
_ga | Google (via GA4) | Distinguishes users; assigns pseudonymous client ID | Analytics (consent required) | 26 months
_gid | Google (via GA4) | Distinguishes users within a 24-hour session | Analytics (consent required) | 24 hours

Strictly necessary and functional cookies do not require consent under Article 5(3) ePrivacy Directive, as they are technically necessary to provide the Service or to preserve a preference you have explicitly set. Analytics cookies are only placed on your device after you have provided consent via our cookie banner. You may withdraw consent for analytics cookies at any time by adjusting your preferences through the cookie settings link in the footer of the Service, or by deleting cookies through your browser settings. Note that deleting the _ga cookie will cause GA4 to treat you as a new visitor upon your next visit.

Section 06 — Recipients and Processors

We share Personal Data only with trusted third-party processors who act strictly on our instructions and who are bound by appropriate data processing agreements. We do not sell Personal Data to any third party.

Cloudflare, Inc. — Cloudflare acts as a processor in respect of the CDN, DNS, and security services it provides. All traffic to the Service passes through Cloudflare's network. Cloudflare processes IP addresses and request metadata for the purpose of delivering and protecting the Service. Cloudflare, Inc. is incorporated in the United States; see Section 07 regarding international transfers.

Ghost Foundation / Ghost CMS hosting. The Service is hosted on infrastructure running Ghost CMS. The hosting environment processes all Member account data, Subscriber data, comment content, and associated metadata in the course of providing the platform. Our hosting is managed within our own controlled environment under our Codego Group LTD infrastructure.

Google LLC (GA4). Where you have consented to analytics, Google LLC processes analytics identifiers and associated behavioural data as a processor under our GA4 property. IP anonymisation is enabled. Google LLC is incorporated in the United States; see Section 07 regarding international transfers. Google's data processing terms are incorporated into our relationship with Google by virtue of accepting GA4's terms of service.

Plesk SMTP (email delivery). Newsletter emails are dispatched through Plesk-based SMTP infrastructure operated within our hosting environment. This processor handles your email address for the sole purpose of transmitting newsletter messages you have subscribed to receive.

We will disclose Personal Data to law enforcement, regulatory authorities, or courts where we are legally required to do so, or where disclosure is necessary to protect the rights, property, or safety of Codego Group LTD, its readers, or others. In such cases, we will disclose only the minimum Personal Data necessary and, where lawfully permitted, will notify you of the disclosure.

Section 07 — International Transfers of Personal Data

Certain processors listed in Section 06 are located in, or process Personal Data in, countries outside the European Economic Area ("EEA"). Where Personal Data is transferred outside the EEA, we ensure that an appropriate safeguard is in place as required by Chapter V GDPR.

Cloudflare, Inc. (United States). Cloudflare participates in the EU–US Data Privacy Framework, which the European Commission has recognised as providing an adequate level of protection by its adequacy decision of 10 July 2023. Where processing occurs in Cloudflare data centres outside the scope of that framework, Cloudflare relies on Standard Contractual Clauses ("SCCs") approved by the European Commission under Article 46(2)(c) GDPR.

Google LLC (United States) — GA4. Google LLC participates in the EU–US Data Privacy Framework. In addition, Google relies on the European Commission's approved SCCs for transfers of Personal Data processed outside the Data Privacy Framework scope. GA4 is configured with IP anonymisation enabled and with data retention set to 26 months.

You may request a copy of the relevant transfer safeguards by contacting us at [email protected].

Section 08 — Retention of Personal Data

We retain Personal Data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. The following specific retention periods apply:

Server access logs and IP addresses (visitors). Automatically collected server and CDN access logs, including IP addresses, are retained for a maximum of 30 days, after which they are automatically deleted or anonymised. Where an IP address is associated with a security incident or abuse investigation, it may be retained for a longer period as necessary to resolve the matter or comply with a legal obligation.

Newsletter Subscriber data (email address, optional name). Retained for the duration of your active subscription. Where you unsubscribe, your Subscriber data will be deleted within 30 days of the date of unsubscription, except where retention is required by law or for the purpose of demonstrating compliance with our consent records obligations.

Member account data. Retained for as long as your Member account remains active. If you request deletion of your account, your account data will be removed within 30 days, subject to any overriding legal obligations.

Comment content and associated IP addresses. Retained for as long as your Member account is active or for as long as the comment remains published on the Service. Upon deletion of a Member account, associated comment data will be reviewed and deleted or anonymised within 30 days, except where retention is required for the purpose of legal proceedings or regulatory compliance.

GA4 analytics data. Retained for 26 months from the date of collection, as configured in our GA4 property settings. After this period, data is automatically deleted by Google.

Consent records. Records of newsletter and analytics consent (timestamp, consent mechanism, identifier) are retained for a period of three years from the date of consent or withdrawal, in order to demonstrate compliance with Article 7(1) GDPR.

Section 09 — Your Rights as a Data Subject

Under the GDPR, you have the following rights in respect of your Personal Data. These rights are not absolute in all circumstances; where a limitation applies, we will explain the reason when responding to your request.

Right of access (Article 15 GDPR). You have the right to obtain confirmation of whether we process Personal Data about you, and if so, to receive a copy of that data together with information about the purposes, categories, recipients, retention periods, and safeguards applicable to it.

Right to rectification (Article 16 GDPR). You have the right to require us to correct inaccurate Personal Data or to complete incomplete Personal Data without undue delay.

Right to erasure (Article 17 GDPR). You have the right to request deletion of your Personal Data where, among other grounds: the data is no longer necessary for the purposes for which it was collected; you withdraw consent and there is no other lawful basis; you object and there are no overriding legitimate grounds; or the data has been unlawfully processed.

Right to restriction of processing (Article 18 GDPR). You have the right to request that we restrict processing of your Personal Data in certain circumstances, for example while the accuracy of data is contested or while an objection is being assessed.

Right to data portability (Article 20 GDPR). Where processing is based on consent or contract and carried out by automated means, you have the right to receive your Personal Data in a structured, commonly used, machine-readable format, and to transmit that data to another controller.

Right to object (Article 21 GDPR). You have the right to object at any time to processing of your Personal Data where that processing is based on Article 6(1)(f) (legitimate interests). Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.

Right to withdraw consent (Article 7(3) GDPR). Where processing is based on your consent, you have the right to withdraw that consent at any time. To unsubscribe from our newsletter, click the unsubscribe link in any newsletter email or contact us at [email protected]. To withdraw consent for analytics cookies, adjust your preferences via the cookie settings link in the Service footer or delete cookies through your browser. Withdrawal does not affect the lawfulness of any processing carried out prior to withdrawal.

No automated decision-making. We do not carry out any automated decision-making, including profiling, that produces legal effects or similarly significantly affects you, within the meaning of Article 22 GDPR.

To exercise any of the above rights, please contact us at [email protected]. We will respond within one month of receipt. We may ask you to verify your identity before acting on a request. Exercising your rights is free of charge; however, where requests are manifestly unfounded or excessive, we reserve the right to charge a reasonable fee or decline to act, in accordance with Article 12(5) GDPR.

Section 10 — Security

We implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Article 32 GDPR. These measures include: encrypted transmission of data over HTTPS/TLS; Cloudflare's DDoS protection, bot management, and WAF services; access controls limiting Personal Data access to personnel with a legitimate operational need; and regular review of our security practices.

No method of transmission over the internet or electronic storage is entirely secure. Where we become aware of a Personal Data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the IDPC within 72 hours of becoming aware, in accordance with Article 33 GDPR, and will notify affected individuals where required under Article 34 GDPR.

Section 11 — Editorial Content, Disclaimers, and Republishing

All articles, analyses, and commentary published on the Service represent the editorial opinion of Codego Press and are provided for general informational purposes only. Nothing on the Service constitutes investment advice, financial advice, legal advice, or any other form of regulated advice or communication. Readers should not rely on content published on the Service as the basis for any financial, investment, or other decision, and are strongly advised to seek independent professional advice.

Short quotations from articles published on the Service are permitted for the purposes of news reporting, commentary, and criticism, provided clear attribution is given to Codego Press and a hyperlink to the original article is included. Full or substantial reproduction of any article, whether in print or digital form, requires the prior written consent of Codego Group LTD. Requests for republishing permissions should be directed to [email protected].

Section 12 — Contact, Complaints, and Updates

For all data protection enquiries, requests to exercise your rights, or questions about this Policy, please contact:

Codego Group LTD — Data Protection Enquiries
Email: [email protected]

If you are not satisfied with our response, or if you consider that our processing of your Personal Data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority in Malta:

Information and Data Protection Commissioner (IDPC)
Website: https://idpc.org.mt

You also retain the right to seek a judicial remedy before the competent courts of Malta under Article 79 GDPR.

We review and update this Privacy Policy periodically to reflect changes in our processing activities, applicable law, or regulatory guidance. When we make material changes, we will update the "Last Updated" date below and, where appropriate, notify active Subscribers by email or by a prominent notice on the Service. We encourage you to review this Policy regularly. Continued use of the Service after an update constitutes acknowledgement of the revised Policy, subject always to your rights under the GDPR.

Last updated: 1 July 2025