Privacy Policy

Effective June 19, 2026 (last updated June 19, 2026)

This Privacy Policy describes how TiffinOhio.net and its parent company, NorthStar Civic Media LLC (“we”, “us”, or “our”) collects, uses, and discloses information about you when you use our website (“Site”).

---

Table of Contents

1. Information We Collect
2. How We Use Your Information
3. Information Sharing
4. Your Choices
5. Data Security
6. External Links
7. Accounts, Payments, and Children’s Data
8. Cookies and Tracking Technologies
9. Third-Party Tools
10. United States State Privacy Rights
11. Illinois Notice (BIPA)
12. Data Retention
13. Managing Your Membership and Billing Choices
14. Changes to This Policy
15. Contact Us

---

Information We Collect

We collect information that you provide directly to us and certain information that is collected automatically when you use our Site.

• Contact information you provide (for example, your name and email address) when you submit our contact form or manage your newsletter subscription.
• Message content you submit through the contact form.
• Newsletter preferences you submit (subscribe/unsubscribe and optional reason for unsubscribing).
• Reader account information when you create or use a My TiffinOhio.net account (verified email address, optional display name from your sign-in provider, linked sign-in methods, reading history, saved articles, newsletter status, and account activity such as sign-ins and privacy requests). See Reader accounts below.

Information collected automatically may include:

• IP address and approximate location (city/country level).
• Browser and device information (e.g., user agent, operating system).
• Pages viewed and referring/exit pages.
• Date/time stamps and interaction data (e.g., clicks, scroll depth) for diagnostics and usability.
• Site search queries. When you type into our site search bar, we may record the text you enter (after a short delay, and only when the query is at least two characters) even if you do not press Enter. Search queries are sent to our analytics providers (PostHog and Microsoft Clarity) and to Meta for advertising measurement, as described below.
• Article and advertising events. On article pages, we may send page-view and content-view signals to Meta (including article slug and page title). Newsletter sign-ups and contact-form submissions may also generate Meta conversion events.

We currently use Google Analytics, PostHog for website analytics and event measurement, Microsoft Clarity for session analytics, Meta Pixel and Meta Conversions API for advertising measurement, Comscore/ScorecardResearch for audience measurement, Open-Meteo for weather data served to your browser, and Cloudflare services for security and performance. See Third-Party Tools below for details and links to their privacy documentation.

How We Use Your Information

We may use the information we collect for various purposes, including to:

• Provide and improve our services.

• Communicate with you about your account or our services.

• Operate our contact and newsletter features (including security verification via CAPTCHA).

• Analyze and improve Site performance, content, and usability.

• Respond to your inquiries and provide customer support.

• Personalize and tailor your experience on our Site.

• Analyze usage trends and improve the quality of our Site.

• Measure advertising performance, attribute conversions, and build audiences through partners such as Meta.

Information Sharing

We share information with service providers who help us operate the Site (for example, email delivery, security verification, hosting/CDN, analytics, and advertising measurement). These providers are authorized to use your information to provide services to us and must protect it as required by applicable law and our agreements. This includes sharing site-usage and conversion data (such as page views, article views, and search queries) with Meta for advertising measurement through the Meta Pixel and Conversions API.

We may also share your information in the following circumstances:

• With your consent.

• When required by law or to protect our rights or the rights of others.

• In connection with a merger, acquisition, or sale of assets.

Your Choices

You may choose to opt-out of receiving promotional communications from us by following the instructions provided in such communications. Please note that even if you opt-out, we may still send you non-promotional communications, such as those related to your account or orders.

Data Security

We take reasonable measures to protect the information we collect from unauthorized access, disclosure, alteration, or destruction. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

External Links

Our Site may contain links to third-party websites and tools. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any external sites or tools you use.

Accounts, Payments, and Children’s Data

Reader accounts (My TiffinOhio.net)

• We offer optional reader accounts at https://tiffinohio.net/account so you can sign in across devices, save articles for later, sync reading history, and manage newsletter and membership settings.
• Authentication is provided by Stytch (passwordless email magic links, Google sign-in, and Facebook sign-in). When you use Google or Facebook sign-in, those providers process your request according to their privacy policies (Google, Meta). Stytch processes your email, session data, and sign-in events according to Stytch’s privacy policy. We do not store Stytch session tokens in our database.
• Session cookies. After you sign in, Stytch sets first-party cookies on our domain (for example, stytch_session and stytch_session_jwt) so you stay signed in for up to 30 days unless you sign out or delete your account. You can clear these cookies in your browser settings.
• Creating an account automatically subscribes your verified email to the TiffinOhio.net newsletter. You can unsubscribe anytime using the unsubscribe link in any newsletter email. You may resubscribe from account settings.
• We store account metadata in our Cloudflare D1 database: your Stytch user ID, primary email, optional display name, linked sign-in providers, newsletter status cache, read history (article slugs and timestamps), saved/read-later articles, theme and weather preferences, game progress (Wordio, Buzzwords, Word Search, and Horoscope sign), For You category filters, favorite topics, privacy request records, and account activity events (for example sign-in, data export, and deletion). Some events may include your IP address and browser user-agent string for security and abuse prevention.
• Cross-device sync. When signed in, your theme, weather location, game progress, and read history sync to your account so they follow you across devices. You can download these preferences and game data along with the rest of your account data via Export my data in Account settings.
• Reading history is collected when you read most of an article (about 50% scroll). Before you sign in, read articles may be stored locally in your browser (localStorage key tiffin_read_articles); when you sign in, we may merge that local history into your account. You can clear synced history in account settings.
• Step-up verification. Sensitive actions (exporting your data or deleting your account) require a one-time code emailed to you by Stytch. We do not use this OTP flow for routine sign-in.
• Terms acceptance. When you create an account, we log your acceptance of our Terms of Service (email, TOS version, timestamp, and limited technical metadata such as IP address and user agent) in our existing TOS acceptance logs.
• Analytics when signed in. If you are signed in, we may associate your Stytch user ID with your PostHog analytics profile (posthog.identify) and record account-related events (for example, sign-in, account creation, and read-history sync). We do not send your email address to PostHog through this identify call.
• You may export a copy of your reader data or request account deletion from account settings after verifying with the email code described above. Deletion removes reader data we control, revokes your Stytch session, deletes your Stytch user record, and attempts to unsubscribe your email from our newsletter. If automated unsubscribe fails, you may still use the unsubscribe link in any newsletter email.
• Membership billing. Reader accounts are separate from Stripe billing records, but signed-in users may open the Stripe Customer Portal from account settings to manage a membership tied to the same email. See Managing Your Membership and Billing Choices.
• Account pages are marked noindex and are not intended for search indexing.

Data deletion instructions (including Facebook / Meta)

If you signed in with Facebook (when enabled), you may also remove our app from your Facebook settings at Facebook Apps and Websites. Removing the app at Facebook does not automatically delete your TiffinOhio.net reader account or sign you out of our Site.

To delete your reader account and the personal data we control, sign in and use Delete account in Account settings, or email info@tiffinohio.net with the subject line “Privacy Request.”

Payments and memberships

• If you become a paying member or make a one-time contribution, a customer record is created and managed by our payment processors, Stripe and AutoBooks. Reader accounts are separate from billing accounts; you do not need a reader account to support us.
• We accept payments for monthly memberships and one-time contributions. Payments are processed securely by Stripe and AutoBooks; your payment card information is transmitted directly to these payment processors and does not pass through or get stored on our servers.
• From our payment processors, we receive limited billing details needed for receipts and support (for example: name, email, billing address, the last four digits of a card, card brand and expiration month/year, and transaction identifiers). We use this information to issue receipts, manage recurring billing, assist with customer support, and comply with accounting and legal requirements.
• You can manage your Stripe-based membership (update card, change plan, cancel) through our self-service customer portal operated by Stripe. A link to the portal is available on /support-us/.
• Our services are intended for a general audience and are not directed to children under 13. Individuals must be 18 or older to purchase a membership or make a contribution. If you believe we have collected personal information from a child under 13, please contact us and we will delete it.

Cookies and Tracking Technologies

We use limited cookies and similar technologies to support analytics and essential Site functionality:

• Google Analytics is loaded using Google’s gtag.js (served from Google Tag Manager). Google may set cookies or use similar storage as described in Google’s documentation. We use analytics to understand aggregate usage and improve the Site.
• PostHog helps us measure site traffic, approximate IP-derived location, and selected user interactions through a first-party analytics endpoint on our domain. We configure PostHog without automatic click capture or session recording, and use it for pageview and explicit event analytics (including site search queries typed into the search bar—recorded after you pause typing for about one second or when you press Enter, for queries of at least two characters; optional article listen-audio usage such as opening the player, play/pause, and approximate listening progress; article republish tool usage such as opening the modal, switching HTML/plain-text tabs, and copying republish snippets; related-article clicks in the article footer and exit-intent recommendation modal; when subscribed readers are shown the exit-intent “You may also like” recommendations; and reader account events such as viewing the sign-in page, creating an account, signing in, and syncing local read history). When you are signed in to a reader account, PostHog may associate events with your Stytch user ID (not your email) via identify.
• Meta Pixel (Meta/Facebook) loads on our Site to measure advertising performance and build audiences. Meta may set cookies or use similar storage. We send Meta standard events including PageView (all pages), ViewContent (when you open an article), Search (when you search the Site, including the search text), and Subscribe (newsletter sign-ups, for browser-side deduplication). Selected events (ViewContent and Search) are also forwarded from our server to Meta through the Meta Conversions API (/api/meta-events) using your IP address, browser identifiers, page URL, and event metadata. This server-side forwarding helps Meta receive more complete measurement when browser-based tracking is blocked. Meta may use this data for ad delivery, measurement, attribution, and audience building according to Meta’s policies. You can learn about Meta’s practices and opt-out choices at https://www.facebook.com/privacy/policy/ and https://www.facebook.com/settings?tab=ads.
• Microsoft Clarity helps us understand how visitors use the Site through session replays, heatmaps, and interaction analytics. Clarity may use cookies or similar storage to distinguish browsers and sessions. We mirror selected explicit interaction events (the same categories described for PostHog above) into Clarity for filtering and analysis. Clarity retains recordings for approximately 30 days. Microsoft may use aggregated behavioral data to improve its products. We mask newsletter and gate email fields in Clarity recordings.
• Comscore/ScorecardResearch helps us measure audience size and traffic patterns. Comscore may collect information about visits to our pages, including device and browser information, referrer information, IP-derived location, and identifiers or cookies where permitted. We configure the Comscore tag with first-party cookies disabled.
• Cloudflare Web Analytics helps us measure page views and real-user performance metrics. We load its browser beacon manually.
• Cloudflare may collect limited technical information (such as IP address) to provide security and performance services.
• Stytch session cookies (when signed in to a reader account) keep you authenticated on our domain for up to 30 days, as described under Reader accounts above.

Your choices:

• You can manage cookies through your browser settings.
• You can install the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout.
• We do not treat legacy Do Not Track (DNT) signals as an analytics opt-out because DNT does not have a uniform legal or technical standard in the United States.

Third-Party Tools

We currently use or embed the following services. Their privacy practices are governed by their own policies:

1. Google Analytics (website analytics) – See Google: https://policies.google.com/technologies/partner-sites and https://policies.google.com/privacy; Google Analytics terms: https://marketingplatform.google.com/about/analytics/terms/us/.

2. PostHog (website analytics, approximate IP-derived location, event measurement, and Core Web Vitals performance metrics such as LCP, INP, CLS, and FCP) – See PostHog Privacy Policy: https://posthog.com/privacy and PostHog data privacy documentation: https://posthog.com/docs/privacy.

3. Microsoft Clarity (session replay, heatmaps, and behavioral interaction analytics) – See Microsoft Privacy Statement: https://privacy.microsoft.com/en-us/privacystatement and Clarity FAQ: https://learn.microsoft.com/en-us/clarity/faq.

4. Comscore/ScorecardResearch (audience measurement and traffic analytics) – See Comscore Privacy Policy: https://www.comscore.com/About/Privacy-Policy and Comscore privacy choices: https://www.comscore.com/About/Privacy-Policy/Privacy-Choices.

5. Cloudflare Web Analytics (pageview and real-user performance analytics) – See Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/ and Cloudflare Web Analytics docs: https://developers.cloudflare.com/web-analytics/.

6. Cloudflare Turnstile (spam and abuse prevention CAPTCHA) – See Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/ and Turnstile docs: https://developers.cloudflare.com/turnstile/.

7. Cloudflare (hosting/CDN and security) – See Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/.

8. Vote.org (embedded voter tools on certain pages) – See Vote.org Privacy Policy: https://www.vote.org/privacy/.

9. Stripe (payment processing for monthly memberships) – See Stripe Privacy Policy: https://stripe.com/privacy and Stripe Security: https://stripe.com/docs/security.

10. AutoBooks (payment processing for one-time contributions) – See AutoBooks Privacy Policy: https://www.autobooks.co/privacy-policy and AutoBooks Terms of Use: https://www.autobooks.co/autobooks-terms-of-use-and-end-user-license-agreement.

11. Spotify (embedded podcast players) – When you play embedded podcasts, Spotify may collect information about your interaction with the player. See Spotify Privacy Policy: https://www.spotify.com/us/legal/privacy-policy/.

12. Meta Pixel and Meta Conversions API (Meta/Facebook advertising measurement) – We use Meta’s Pixel on our Site to measure ad performance and send conversion events (including page views, article views, site searches, and newsletter sign-ups). Selected events are also sent server-side to Meta through the Conversions API. Meta may use cookies, pixels, and device identifiers to collect information about your activity on our Site and elsewhere for measurement, attribution, retargeting, and audience building. See Meta Privacy Policy: https://www.facebook.com/privacy/policy/ and Meta ad preferences: https://www.facebook.com/settings?tab=ads.

13. Meta/Facebook (embedded video players) – When you view embedded videos from Meta platforms, Meta may additionally collect information about your interaction with the player. See Meta Privacy Policy: https://www.facebook.com/privacy/policy/.

14. Open-Meteo (weather data) – Our weather features (header weather, weather pages, and location search) fetch forecast and geocoding data directly from Open-Meteo’s APIs (api.open-meteo.com and geocoding-api.open-meteo.com) in your browser. Because these requests originate from your device, Open-Meteo receives your IP address and technical connection data. Open-Meteo states that such information may be logged for up to approximately 90 days. See Open-Meteo Terms of Use: https://open-meteo.com/en/terms and Open-Meteo documentation: https://open-meteo.com/.

15. Stytch (reader account authentication) – Passwordless sign-in, OAuth (Google and Facebook), session management, and email one-time codes for sensitive account actions. See Stytch Privacy Policy: https://stytch.com/legal/privacy-policy.

16. Google Sign-In (OAuth) – When you choose “Continue with Google” for a reader account, Google processes authentication according to Google’s policies. See Google Privacy Policy: https://policies.google.com/privacy.

17. Facebook Sign-In (OAuth) – When you choose “Continue with Facebook” for a reader account, Meta processes authentication according to Meta’s policies. See Meta Privacy Policy: https://www.facebook.com/privacy/policy/.

United States State Privacy Rights

Depending on where you live, you may have certain rights over your personal information under U.S. state privacy laws (for example, in California, Colorado, Connecticut, Utah, Virginia, and other states with similar laws). Subject to verification and applicable exceptions, these may include the right to:

• Access/know the categories and specific pieces of personal information we have collected about you.
• Correct inaccurate personal information.
• Delete personal information.
• Obtain a portable copy of your personal information.
• Opt out of the sale or sharing of personal information and of targeted advertising. We do not sell personal information for monetary consideration. We do use third-party advertising and analytics tools—including Meta Pixel—that may collect or receive information about your activity on our Site for ad measurement, attribution, and audience building. Depending on your state, this may constitute “sharing” for cross-context behavioral advertising. You may opt out by adjusting Meta ad settings (https://www.facebook.com/settings?tab=ads), using browser privacy controls or ad blockers, and emailing us at info@tiffinohio.net with the subject line “Privacy Request.”
• Limit the use and disclosure of certain sensitive personal information (we do not collect sensitive categories such as precise geolocation, health, or biometric data).

How to exercise your rights:

• Reader accounts: Sign in and use Export my data or Delete account in Account settings (email verification code required for export and deletion).
• Email us at info@tiffinohio.net with the subject line “Privacy Request,” and tell us which right(s) you wish to exercise and the state in which you reside.
• We will verify your request using reasonable methods based on the information available to us. You may use an authorized agent where permitted by law.
• If we deny your request, you may appeal by replying to our response with “Appeal.” If your appeal is denied, you may contact your state attorney general.

Non-discrimination: We will not discriminate against you for exercising your privacy rights.

Ohio and Illinois:

• Ohio: We provide the rights and disclosures above to Ohio residents to the extent required by applicable law.
• Illinois: We comply with Illinois law. See the Illinois notice below regarding biometric information.

Illinois Notice (BIPA)

We do not collect, use, or store biometric identifiers or biometric information as defined by the Illinois Biometric Information Privacy Act (BIPA). If that changes, we will first provide written notice, obtain informed written consent, disclose the purpose and retention schedule, and implement a publicly available retention and destruction policy consistent with BIPA.

Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this policy, including for security, legal, tax, or accounting requirements. Membership and transaction records may be retained for the period required by applicable law and our financial recordkeeping obligations.

Reader account data: Active account data (profile, read history, saved articles, and related logs) is kept while your account is active. When you delete your account, we soft-delete your profile in our database (replacing your email with an anonymized placeholder), remove linked identity and reading data we control, and delete your authentication record at Stytch. Security and privacy-request logs may be retained for a limited period where needed for fraud prevention, dispute resolution, or legal compliance. Newsletter subscriber records we maintain are removed or suppressed when deletion succeeds, or you may unsubscribe separately.

When we no longer need personal information, we take reasonable steps to delete, de-identify, or anonymize it.

Managing Your Membership and Billing Choices

• For monthly memberships processed through Stripe: Access the customer portal to update payment methods, view invoices, change plans, or cancel your membership. You can find the portal link on /support-us/ and, when signed in, on /account/membership/ (Membership & Billing).
• For one-time contributions processed through AutoBooks: Transaction receipts and records are managed by AutoBooks according to their policies.
• You may also contact us at info@tiffinohio.net for billing support. For your security, we may direct you to complete sensitive updates through the appropriate payment processor’s portal.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on this page.

Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at info@tiffinohio.net.

You can also reach us via the contact form on our Site at /contact-us/.