This seems pretty typical. It is sad when a 'Privacy policy' has become a tool to give users a false sense of security. I had a similar problem with scriplance.com. I use http://www.spamgourmet.com for nearly every single 'subscription' that requires an email address. It's nice and easy because I can name the addy after the site. This particular address was scriptlance.20.jab@xoxy.net. Started getting spam from outside scriptlance within a week. When pressed about it the response was:

"I didn't sell your e-mail. You are probably just forgetting that you used the
e-mail somewhere else."

That's right, I probably used a disposable email address, used specifically to weed out the crooks like this, at another site where the email address would have no significance.

Heh, I guess welcome to the Internet Age.

-jb