Wiki source code of Privacy Policy
Last modified by Robert Schaub on 2025/12/17 18:07
Hide last authors
| author | version | line-number | content |
|---|---|---|---|
 |
1.1 | 1 | = Privacy Policy = |
| 2 | |||
| 3 | **Effective Date:** [To be determined before production launch] | ||
| 4 | **Last Updated:** December 17, 2025 (V0.9.29 - Legal Compliance Update) | ||
| 5 | |||
| 6 | == 1. Introduction == | ||
| 7 | |||
| 8 | FactHarbor is committed to protecting your privacy while maintaining the transparency necessary for our mission of supporting well-grounded, manipulation-resistant judgments. | ||
| 9 | |||
| 10 | This Privacy Policy explains: | ||
| 11 | |||
| 12 | * What information we collect and why | ||
| 13 | * How we use and protect that information | ||
| 14 | * Your rights and choices | ||
| 15 | * How we balance privacy with transparency | ||
| 16 | |||
| 17 | **Important:** By using FactHarbor services, you agree to this Privacy Policy. | ||
| 18 | |||
| 19 | == 2. Who We Are == | ||
| 20 | |||
| 21 | FactHarbor is a Swiss non-profit association (Verein) under Swiss law, pursuing tax-exempt status. Our mission is to create a transparent, community-driven platform for evaluating factual claims. | ||
| 22 | |||
| 23 | **Initial Phase:** FactHarbor is a small organization starting with one person, with team growth expected. Contact methods will be established before launch. | ||
| 24 | |||
| 25 | **Contact:** | ||
| 26 | * General inquiries: [To be established] | ||
| 27 | * Privacy and data requests: [To be established] | ||
| 28 | * Data Protection Officer: [To be designated if serving EU users] | ||
| 29 | * Swiss Representative: [To be designated before launch] | ||
| 30 | |||
| 31 | == 3. What Information We Collect == | ||
| 32 | |||
| 33 | === 3.1 Information You Provide === | ||
| 34 | |||
| 35 | **Account Information** (if you register): | ||
| 36 | * Username (required) | ||
| 37 | * Email address (required) | ||
| 38 | * Optional profile information you choose to add | ||
| 39 | |||
| 40 | **Contributions** (if you contribute): | ||
| 41 | * Content you create (claims, scenarios, verdicts, reviews) | ||
| 42 | * Edits and modifications | ||
| 43 | * Comments and discussions | ||
| 44 | * Flags and quality reports | ||
| 45 | |||
| 46 | **Communications**: | ||
| 47 | * Messages you send to us | ||
| 48 | * Survey responses | ||
| 49 | * Feedback submissions | ||
| 50 | |||
| 51 | === 3.2 Information We Collect Automatically === | ||
| 52 | |||
| 53 | **Technical Data**: | ||
| 54 | * IP address | ||
| 55 | * Browser type and version | ||
| 56 | * Operating system | ||
| 57 | * Device information | ||
| 58 | * Referrer URL | ||
| 59 | * Pages viewed and time spent | ||
| 60 | |||
| 61 | **Usage Data**: | ||
| 62 | * Features you use | ||
| 63 | * Actions you take | ||
| 64 | * Search queries | ||
| 65 | * Interaction patterns | ||
| 66 | |||
| 67 | **Cookies and Similar Technologies**: | ||
| 68 | * Session cookies (essential for functionality) | ||
| 69 | * Preference cookies (remember your settings) | ||
| 70 | * Analytics cookies (understand usage patterns) | ||
| 71 | |||
| 72 | See Section 8 for cookie management. | ||
| 73 | |||
| 74 | === 3.3 Information We DO NOT Collect === | ||
| 75 | |||
| 76 | We do not collect: | ||
| 77 | * Financial information (no payment processing currently) | ||
| 78 | * Biometric data | ||
| 79 | * Precise geolocation (only general location from IP) | ||
| 80 | * Social security numbers or government IDs | ||
| 81 | * Unnecessary personal information | ||
| 82 | |||
| 83 | == 4. How We Use Your Information == | ||
| 84 | |||
| 85 | We use collected information only for these purposes: | ||
| 86 | |||
| 87 | === 4.1 Provide Services === | ||
| 88 | |||
| 89 | * Create and maintain your account | ||
| 90 | * Display your public contributions | ||
| 91 | * Enable community features | ||
| 92 | * Personalise your experience | ||
| 93 | |||
| 94 | === 4.2 Maintain Quality and Safety === | ||
| 95 | |||
| 96 | * Detect and prevent abuse | ||
| 97 | * Enforce our Terms of Service | ||
| 98 | * Identify and address quality issues | ||
| 99 | * Prevent spam and manipulation | ||
| 100 | |||
| 101 | === 4.3 Improve Services === | ||
| 102 | |||
| 103 | * Understand how FactHarbor is used | ||
| 104 | * Identify bugs and issues | ||
| 105 | * Test new features | ||
| 106 | * Improve algorithms and quality gates | ||
| 107 | |||
| 108 | === 4.4 Communicate === | ||
| 109 | |||
| 110 | * Send important service updates | ||
| 111 | * Respond to your requests | ||
| 112 | * Notify you of policy changes | ||
| 113 | * Send opt-in newsletters (if you subscribe) | ||
| 114 | |||
| 115 | === 4.5 Comply with Law === | ||
| 116 | |||
| 117 | * Respond to valid legal requests | ||
| 118 | * Enforce legal rights | ||
| 119 | * Prevent fraud or illegal activity | ||
| 120 | |||
| 121 | == 5. Public Information == | ||
| 122 | |||
| 123 | **Important:** Much of your activity on FactHarbor is public by design. This transparency is essential to our mission. | ||
| 124 | |||
| 125 | === 5.1 Always Public === | ||
| 126 | |||
| 127 | * **Contributions**: All content you create is permanently public | ||
| 128 | * **Edit history**: All changes are tracked and visible | ||
| 129 | * **Username**: Your username is visible on your contributions | ||
| 130 | * **Contribution metadata**: Timestamps, edit summaries | ||
| 131 | |||
| 132 | === 5.2 Public if You Choose === | ||
| 133 | |||
| 134 | * Profile information you add | ||
| 135 | * Real name (if you provide it) | ||
| 136 | * Social media links | ||
| 137 | * Biography | ||
| 138 | |||
| 139 | === 5.3 Private (Not Public) === | ||
| 140 | |||
| 141 | * Email address | ||
| 142 | * IP address (if you're logged in) | ||
| 143 | * Private messages (if feature exists) | ||
| 144 | * Account settings and preferences | ||
| 145 | |||
| 146 | **Key Principle:** Transparency of contributions builds trust. Your work is attributed to your username, and edit history ensures accountability. | ||
| 147 | |||
| 148 | == 6. How We Share Information == | ||
| 149 | |||
| 150 | === 6.1 We Never === | ||
| 151 | |||
| 152 | * **Sell** your information | ||
| 153 | * **Rent** your information | ||
| 154 | * Share your information for **marketing** purposes | ||
| 155 | * Share with **data brokers** | ||
| 156 | |||
| 157 | === 6.2 We May Share With === | ||
| 158 | |||
| 159 | **Service Providers**: | ||
| 160 | * Hosting services (server infrastructure) | ||
| 161 | * Email services (for communications) | ||
| 162 | * Analytics providers (aggregated data only) | ||
| 163 | * Security services (DDoS protection, etc.) | ||
| 164 | |||
| 165 | All service providers are bound by contract to protect your data. | ||
| 166 | |||
| 167 | **Legal Requirements**: | ||
| 168 | * Valid subpoenas or court orders | ||
| 169 | * Government requests (where legally required) | ||
| 170 | * Emergency situations (to prevent harm) | ||
| 171 | |||
| 172 | See Section 12 for transparency about government requests. | ||
| 173 | |||
| 174 | **Public Data Releases**: | ||
| 175 | * Anonymized, aggregated statistics | ||
| 176 | * Research datasets (with privacy protections) | ||
| 177 | * Full public contribution history (attributions maintained) | ||
| 178 | |||
| 179 | === 6.3 We Do Not Share === | ||
| 180 | |||
| 181 | * Your email address (except as required by law) | ||
| 182 | * Your IP address (except as required by law) | ||
| 183 | * Your private messages | ||
| 184 | * Your account settings | ||
| 185 | |||
| 186 | == 7. How Long We Keep Information == | ||
| 187 | |||
| 188 | We follow **data minimization** principles - keeping data only as long as necessary. | ||
| 189 | |||
| 190 | === 7.1 Detailed Retention Periods === | ||
| 191 | |||
| 192 | | Data Type | Retention Period | Rationale | | ||
| 193 | |-----------|------------------|-----------| | ||
| 194 | | **Account Data** | Active + 90 days after deletion | User may wish to restore account | | ||
| 195 | | **Email Addresses** | Active + 90 days after deletion | Required for communication during active period | | ||
| 196 | | **IP Addresses (logged in)** | 90 days | Fraud detection, abuse prevention | | ||
| 197 | | **IP Addresses (logged out)** | 30 days | Basic security, rate limiting | | ||
| 198 | | **Web Server Logs** | 30 days | Technical troubleshooting | | ||
| 199 | | **Error Logs** | 90 days | Bug investigation and fixing | | ||
| 200 | | **Security Logs** | 1 year | Security incident investigation, required for compliance | | ||
| 201 | | **Support Emails** | 2 years | Service improvement, warranty claims | | ||
| 202 | | **Public Contributions** | **Permanent** | Transparency requirement, attribution | | ||
| 203 | | **Contribution Metadata** | **Permanent** | Audit trail, quality assurance | | ||
| 204 | | **AKEL Evaluation Logs** | 5 years | Algorithmic accountability, appeals | | ||
| 205 | | **Financial Records** | 10 years | Swiss legal requirement (OR Art. 958f) | | ||
| 206 | | **Tax Documents** | 10 years | Swiss legal requirement | | ||
| 207 | |||
| 208 | === 7.2 Retention Justification === | ||
| 209 | |||
| 210 | Each retention period is based on: | ||
| 211 | * **Legal requirements** (financial records, security logs) | ||
| 212 | * **Operational necessity** (abuse prevention, appeals) | ||
| 213 | * **Data minimization** (shortest possible while meeting needs) | ||
| 214 | * **Transparency mission** (public contributions permanent) | ||
| 215 | |||
| 216 | === 7.3 Longer Retention === | ||
| 217 | |||
| 218 | We may retain data longer if: | ||
| 219 | * Required by law | ||
| 220 | * Necessary for ongoing investigation | ||
| 221 | * Needed to enforce Terms of Service | ||
| 222 | * You explicitly consent | ||
| 223 | |||
| 224 | === 7.4 What Happens When You Delete Your Account === | ||
| 225 | |||
| 226 | When you delete your account: | ||
| 227 | |||
| 228 | **Immediately**: | ||
| 229 | * Account deactivated | ||
| 230 | * Email address deleted | ||
| 231 | * Profile information removed | ||
| 232 | * You cannot log in | ||
| 233 | |||
| 234 | **Within 90 days**: | ||
| 235 | * All personal data deleted or anonymized | ||
| 236 | * Username may remain on contributions (for attribution) | ||
| 237 | * Contributions remain public (transparency requirement) | ||
| 238 | |||
| 239 | **Permanent**: | ||
| 240 | * Your public contributions remain (anonymized to deleted user if requested) | ||
| 241 | * Edit history preserved (essential for trust) | ||
| 242 | |||
| 243 | == 8. Cookies and Tracking == | ||
| 244 | |||
| 245 | === 8.1 Types of Cookies We Use === | ||
| 246 | |||
| 247 | **Essential Cookies** (cannot be disabled): | ||
| 248 | * Session management (keep you logged in) | ||
| 249 | * Security features (CSRF protection) | ||
| 250 | * Load balancing | ||
| 251 | |||
| 252 | **Functional Cookies** (can be disabled): | ||
| 253 | * Language preferences | ||
| 254 | * Display settings | ||
| 255 | * User interface choices | ||
| 256 | |||
| 257 | **Analytics Cookies** (can be disabled): | ||
| 258 | * Page views and usage patterns | ||
| 259 | * Feature effectiveness | ||
| 260 | * Performance monitoring | ||
| 261 | |||
| 262 | **We Do NOT Use**: | ||
| 263 | * Advertising cookies | ||
| 264 | * Third-party tracking cookies | ||
| 265 | * Cross-site tracking | ||
| 266 | |||
| 267 | === 8.2 Managing Cookies === | ||
| 268 | |||
| 269 | **Cookie Consent Banner:** | ||
| 270 | On your first visit, we display a cookie consent banner allowing you to: | ||
| 271 | * Accept all cookies | ||
| 272 | * Accept only essential cookies | ||
| 273 | * Customize preferences (analytics, functional) | ||
| 274 | |||
| 275 | **Consent Requirements:** | ||
| 276 | * **Essential cookies**: No consent required (necessary for functionality) | ||
| 277 | * **Functional & Analytics cookies**: **Opt-in consent required** (not pre-checked) | ||
| 278 | * **Withdrawal**: As easy as giving consent (click banner icon anytime) | ||
| 279 | |||
| 280 | **Your Choices:** | ||
| 281 | * Accept all non-essential cookies | ||
| 282 | * Reject all non-essential cookies | ||
| 283 | * Customize by category | ||
| 284 | * Change preferences anytime via cookie settings | ||
| 285 | |||
| 286 | **Browser Controls:** | ||
| 287 | You can also block cookies via browser settings, but this may affect functionality. | ||
| 288 | |||
| 289 | **No Consent = No Non-Essential Cookies:** | ||
| 290 | If you reject non-essential cookies, we only use cookies necessary for the service to function. | ||
| 291 | |||
| 292 | **Implementation Note:** We use opt-in (not pre-checked boxes) for all non-essential cookies, in compliance with Swiss and EU law. | ||
| 293 | |||
| 294 | == 9. Your Rights and Choices == | ||
| 295 | |||
| 296 | You have these rights regarding your personal data: | ||
| 297 | |||
| 298 | === 9.1 Access === | ||
| 299 | |||
| 300 | * Request a copy of your personal data | ||
| 301 | * Review what we have about you | ||
| 302 | * Export your data in machine-readable format | ||
| 303 | |||
| 304 | === 9.2 Correction === | ||
| 305 | |||
| 306 | * Update your account information | ||
| 307 | * Correct inaccurate data | ||
| 308 | * Complete incomplete data | ||
| 309 | |||
| 310 | === 9.3 Deletion === | ||
| 311 | |||
| 312 | * Delete your account | ||
| 313 | * Remove specific personal information | ||
| 314 | * Request anonymization of contributions | ||
| 315 | |||
| 316 | === 9.4 Data Portability === | ||
| 317 | |||
| 318 | You have the right to receive your personal data in a structured, commonly used, and machine-readable format. | ||
| 319 | |||
| 320 | **What You Can Export:** | ||
| 321 | * Account information (JSON, CSV) | ||
| 322 | * Your contributions (JSON, XML, Markdown) | ||
| 323 | * Contribution history (CSV) | ||
| 324 | * Profile settings (JSON) | ||
| 325 | * Communication preferences (JSON) | ||
| 326 | |||
| 327 | **Formats Available:** | ||
| 328 | * **JSON** - Structured, machine-readable, most complete | ||
| 329 | * **CSV** - Spreadsheet-compatible, for tabular data | ||
| 330 | * **XML** - Alternative structured format | ||
| 331 | * **Markdown** - Human-readable for text content | ||
| 332 | |||
| 333 | **Export Process:** | ||
| 334 | 1. Log in to your account | ||
| 335 | 2. Go to Settings > Data Export | ||
| 336 | 3. Select data types and format | ||
| 337 | 4. Receive download link via email (within 48 hours) | ||
| 338 | 5. Download expires after 7 days | ||
| 339 | |||
| 340 | **What's NOT Included:** | ||
| 341 | * Other users' data (privacy protection) | ||
| 342 | * Internal security logs (security reasons) | ||
| 343 | * Algorithmic scores (proprietary, but results are included) | ||
| 344 | |||
| 345 | **Transfer to Other Services:** | ||
| 346 | While we provide machine-readable formats, each service has different import capabilities. We cannot guarantee compatibility with specific third-party services. | ||
| 347 | |||
| 348 | **API Access (Future):** | ||
| 349 | We plan to offer API access for automated data exports for users who need regular portability. | ||
| 350 | |||
| 351 | === 9.5 Object === | ||
| 352 | |||
| 353 | * Object to certain processing | ||
| 354 | * Opt out of analytics cookies | ||
| 355 | * Unsubscribe from emails | ||
| 356 | |||
| 357 | === 9.6 Lodge Complaint === | ||
| 358 | |||
| 359 | * File complaint with us | ||
| 360 | * Contact Swiss FDPIC (www.edoeb.admin.ch) | ||
| 361 | * EU residents: contact local data protection authority | ||
| 362 | * Seek legal remedies | ||
| 363 | |||
| 364 | === 9.7 How to Exercise Your Rights === | ||
| 365 | |||
| 366 | Contact: [Method to be established before launch] | ||
| 367 | |||
| 368 | Include: | ||
| 369 | * Your username | ||
| 370 | * Specific request | ||
| 371 | * Verification information | ||
| 372 | |||
| 373 | We respond within 30 days. | ||
| 374 | |||
| 375 | == 10. Data Security and Compliance == | ||
| 376 | |||
| 377 | We protect your information with industry-standard security measures: | ||
| 378 | |||
| 379 | === 10.1 Technical Measures === | ||
| 380 | |||
| 381 | * **Encryption in transit**: TLS/HTTPS for all connections | ||
| 382 | * **Encryption at rest**: Sensitive data encrypted in databases | ||
| 383 | * **Access controls**: Role-based access to systems | ||
| 384 | * **Authentication**: Strong password requirements, optional 2FA | ||
| 385 | * **Secure development**: Security reviews, code audits | ||
| 386 | * **Penetration testing**: Regular security assessments | ||
| 387 | |||
| 388 | === 10.2 Organisational Measures === | ||
| 389 | |||
| 390 | * **Staff training**: Security awareness programs | ||
| 391 | * **Access logging**: All admin actions logged | ||
| 392 | * **Incident response**: Documented procedures | ||
| 393 | * **Vendor assessment**: Security review of third parties | ||
| 394 | * **Data minimization**: Collect only what's needed | ||
| 395 | |||
| 396 | === 10.3 Data Protection Impact Assessment (DPIA) === | ||
| 397 | |||
| 398 | For high-risk processing activities, we conduct Data Protection Impact Assessments (DPIA) as required by Swiss FADP Article 22, including: | ||
| 399 | |||
| 400 | * Description of processing operations | ||
| 401 | * Assessment of necessity and proportionality | ||
| 402 | * Evaluation of risks to user rights | ||
| 403 | * Mitigation measures | ||
| 404 | * Documentation and regular review | ||
| 405 | |||
| 406 | **High-risk activities include:** | ||
| 407 | * AI-powered automated decision systems (AKEL) | ||
| 408 | * Large-scale content moderation | ||
| 409 | * Processing of sensitive personal data (political opinions, health information) | ||
| 410 | * Systematic monitoring of user behavior | ||
| 411 | |||
| 412 | === 10.4 Processing Activities Register === | ||
| 413 | |||
| 414 | We maintain a comprehensive register of all processing activities as required by Swiss FADP Article 12, including: | ||
| 415 | |||
| 416 | * Controller identification and contact details | ||
| 417 | * Purposes of processing | ||
| 418 | * Categories of data subjects and personal data | ||
| 419 | * Categories of recipients | ||
| 420 | * Retention periods | ||
| 421 | * Description of security measures | ||
| 422 | * Details of international data transfers | ||
| 423 | |||
| 424 | This register is available for inspection by the Swiss Federal Data Protection and Information Commissioner (FDPIC) upon request. | ||
| 425 | |||
| 426 | === 10.5 Data Protection Officer (DPO) === | ||
| 427 | |||
| 428 | **If we serve users in the European Union**, we will appoint a Data Protection Officer (DPO) as required by EU GDPR Article 37. | ||
| 429 | |||
| 430 | The DPO will: | ||
| 431 | * Advise on data protection compliance | ||
| 432 | * Monitor FADP and GDPR compliance | ||
| 433 | * Serve as contact point for FDPIC and EU authorities | ||
| 434 | * Conduct privacy audits | ||
| 435 | * Handle data subject requests | ||
| 436 | |||
| 437 | Contact: [To be established if appointed] | ||
| 438 | |||
| 439 | **Note:** Swiss law does not require a DPO for organizations of our size, but we commit to appointing one if we process data of EU residents to ensure full GDPR compliance. | ||
| 440 | |||
| 441 | === 10.6 Limitations === | ||
| 442 | |||
| 443 | No system is 100% secure. While we implement strong protections: | ||
| 444 | * We cannot guarantee absolute security | ||
| 445 | * You are responsible for your password security | ||
| 446 | * Public contributions are permanently public | ||
| 447 | |||
| 448 | == 11. Data Breaches == | ||
| 449 | |||
| 450 | If we experience a data breach: | ||
| 451 | |||
| 452 | === 11.1 Our Response === | ||
| 453 | |||
| 454 | **Immediately (without undue delay):** | ||
| 455 | * Contain the breach | ||
| 456 | * Assess scope and impact | ||
| 457 | * **Notify Swiss FDPIC immediately** if breach likely results in high risk to data subjects (as required by FADP Article 24) | ||
| 458 | * Begin investigation | ||
| 459 | |||
| 460 | **Within 72 hours:** | ||
| 461 | * Complete detailed assessment | ||
| 462 | * Notify affected users if high risk confirmed | ||
| 463 | * Provide details on what was compromised | ||
| 464 | * Explain steps we're taking | ||
| 465 | * Advise on protective actions | ||
| 466 | |||
| 467 | === 11.2 Transparency === | ||
| 468 | |||
| 469 | * Public incident report published (after resolution) | ||
| 470 | * Root cause analysis shared | ||
| 471 | * Improvements implemented | ||
| 472 | * Follow-up report after resolution | ||
| 473 | |||
| 474 | == 12. Government Requests and Transparency == | ||
| 475 | |||
| 476 | === 12.1 Our Principles === | ||
| 477 | |||
| 478 | * We require valid legal process | ||
| 479 | * We notify users unless prohibited by law | ||
| 480 | * We challenge overly broad requests | ||
| 481 | * We publish transparency reports | ||
| 482 | |||
| 483 | === 12.2 What We Require === | ||
| 484 | |||
| 485 | * **User data requests**: Court order or warrant | ||
| 486 | * **Content removal**: Valid legal basis, not just request | ||
| 487 | * **Emergency disclosure**: Credible threat to life/safety | ||
| 488 | |||
| 489 | === 12.3 User Notification === | ||
| 490 | |||
| 491 | We notify affected users unless: | ||
| 492 | * Legally prohibited (gag order) | ||
| 493 | * Would interfere with investigation | ||
| 494 | * User is the subject of investigation | ||
| 495 | |||
| 496 | We challenge gag orders exceeding 1 year. | ||
| 497 | |||
| 498 | === 12.4 Transparency Reports === | ||
| 499 | |||
| 500 | Published twice yearly: | ||
| 501 | * Number of requests by type | ||
| 502 | * Compliance rate | ||
| 503 | * Users affected | ||
| 504 | * Challenges filed | ||
| 505 | |||
| 506 | == 13. International Data Transfers == | ||
| 507 | |||
| 508 | FactHarbor may transfer personal data internationally for the following purposes: | ||
| 509 | * Cloud hosting services (servers may be in EU, Switzerland, US) | ||
| 510 | * AI model providers (if using hosted models) | ||
| 511 | * Content delivery networks | ||
| 512 | * Email and communication services | ||
| 513 | |||
| 514 | === 13.1 Legal Basis for Transfers === | ||
| 515 | |||
| 516 | **European Economic Area (EEA):** | ||
| 517 | Switzerland has an EU adequacy decision (confirmed January 15, 2024), allowing free data flow between Switzerland and EEA countries without additional safeguards. | ||
| 518 | |||
| 519 | **United States:** | ||
| 520 | We transfer data only to companies certified under the Swiss-US Data Privacy Framework (effective September 15, 2024) or use Standard Contractual Clauses (SCCs) approved by the Swiss Federal Council. | ||
| 521 | |||
| 522 | **Other Countries:** | ||
| 523 | For countries without adequacy decision, we use: | ||
| 524 | * Swiss/EU Standard Contractual Clauses (SCCs), or | ||
| 525 | * Binding Corporate Rules, or | ||
| 526 | * Explicit user consent for specific transfers | ||
| 527 | |||
| 528 | === 13.2 Safeguards === | ||
| 529 | |||
| 530 | All international transfers include: | ||
| 531 | * Contractual data protection obligations | ||
| 532 | * Technical encryption measures (TLS/HTTPS) | ||
| 533 | * Access controls and logging | ||
| 534 | * Regular compliance audits | ||
| 535 | * Verification of recipient's data protection capabilities | ||
| 536 | |||
| 537 | === 13.3 Disclosure to Users === | ||
| 538 | |||
| 539 | We will inform you before your data is transferred to: | ||
| 540 | * Countries without adequacy decision from Switzerland or EU | ||
| 541 | * Processors outside Switzerland/EEA | ||
| 542 | * Government authorities in foreign jurisdictions (if legally compelled) | ||
| 543 | |||
| 544 | === 13.4 Your Rights === | ||
| 545 | |||
| 546 | You may: | ||
| 547 | * Object to specific international transfers | ||
| 548 | * Request information about transfer safeguards | ||
| 549 | * Lodge complaints with Swiss FDPIC or your local data protection authority | ||
| 550 | |||
| |
2.1 | 551 | Contact: [Data requests contact to be established] with concerns about international transfers. |
| |
1.1 | 552 | |
| 553 | == 14. Children's Privacy == | ||
| 554 | |||
| 555 | FactHarbor is not intended for children and we take children's privacy very seriously. | ||
| 556 | |||
| 557 | === 14.1 Age Requirements === | ||
| 558 | |||
| 559 | FactHarbor is not intended for children under: | ||
| 560 | * **13 years old** (US COPPA) | ||
| 561 | * **16 years old** (EU GDPR, or lower age set by EU member state) | ||
| 562 | * **13 years old** (Swiss FADP - default age of consent for most processing) | ||
| 563 | |||
| 564 | === 14.2 No Knowing Collection === | ||
| 565 | |||
| |
2.1 | 566 | We do not knowingly collect personal data from children below these ages. If you believe a child has provided us data, contact [Privacy contact to be established] immediately. |
| |
1.1 | 567 | |
| 568 | === 14.3 Discovery and Deletion === | ||
| 569 | |||
| 570 | If we learn a user is below the age requirement: | ||
| 571 | 1. We immediately suspend the account | ||
| 572 | 2. We delete all personal data within 7 days | ||
| 573 | 3. We notify the account holder (if email provided) | ||
| 574 | 4. We document the deletion for compliance | ||
| 575 | |||
| 576 | === 14.4 Parental Rights === | ||
| 577 | |||
| 578 | Parents or guardians may: | ||
| 579 | * Request information about data collected from their child | ||
| 580 | * Request immediate deletion of that data | ||
| 581 | * Prohibit further collection from their child | ||
| 582 | |||
| |
2.1 | 583 | Contact: [Privacy contact to be established] with subject "Child Data Request" |
| |
1.1 | 584 | |
| 585 | === 14.5 Verification === | ||
| 586 | |||
| 587 | We may request verification of parental/guardian status before processing requests. | ||
| 588 | |||
| 589 | === 14.6 Public Contributions === | ||
| 590 | |||
| 591 | Content contributed by underage users (before age verification) will be: | ||
| 592 | * Attributed to "Deleted User [ID]" | ||
| 593 | * Content remains for transparency (anonymized) | ||
| 594 | * No personal data retained | ||
| 595 | |||
| 596 | == 15. Changes to This Policy == | ||
| 597 | |||
| 598 | We may update this Privacy Policy: | ||
| 599 | |||
| 600 | * Material changes require 30-day notice | ||
| 601 | * Notice via email or prominent site banner | ||
| 602 | * Continued use after notice = acceptance | ||
| 603 | * Previous versions archived and accessible | ||
| 604 | |||
| 605 | == 16. Contact Us == | ||
| 606 | |||
| 607 | **Before Launch:** | ||
| 608 | Contact infrastructure will be established before any user data collection begins. | ||
| 609 | |||
| 610 | **After Launch, contact points will include:** | ||
| 611 | * General privacy questions | ||
| 612 | * Data subject access requests (FADP/GDPR) | ||
| 613 | * Data Protection Officer (if serving EU users) | ||
| 614 | * Swiss Representative (required for FADP) | ||
| 615 | * Security incident reporting | ||
| 616 | |||
| 617 | **Mailing Address**: [To be determined based on Verein registration] | ||
| 618 | |||
| 619 | **Note:** As a small organization, contact functions may be handled by the same individual initially, but legal requirements for response times and procedures will be met. | ||
| 620 | |||
| 621 | == 17. Governing Law and Jurisdiction == | ||
| 622 | |||
| 623 | === 17.1 Applicable Law === | ||
| 624 | |||
| 625 | This Privacy Policy is governed by: | ||
| 626 | * **Swiss Federal Act on Data Protection (FADP)** - Primary data protection law | ||
| 627 | * **Swiss Civil Code (ZGB)** - For Verein organizational matters | ||
| 628 | * **EU General Data Protection Regulation (GDPR)** - When processing data of EU/EEA residents | ||
| 629 | * **Swiss Telecommunications Act** - For electronic communications | ||
| 630 | |||
| 631 | === 17.2 Jurisdiction === | ||
| 632 | |||
| 633 | For disputes arising from this policy: | ||
| 634 | |||
| 635 | **Primary Jurisdiction:** Swiss courts (canton to be determined based on Verein location) | ||
| 636 | |||
| 637 | **Data Protection Disputes:** | ||
| |
2.1 | 638 | * First, contact [DPO contact to be established if needed] or [Privacy contact to be established] |
| |
1.1 | 639 | * File complaint with Swiss FDPIC (www.edoeb.admin.ch) |
| 640 | * EU residents may file with local data protection authority | ||
| 641 | * Legal action available in Swiss courts or (for EU residents) in EU member state courts | ||
| 642 | |||
| 643 | **Alternative Dispute Resolution:** | ||
| 644 | We are committed to resolving disputes amicably through: | ||
| 645 | * Internal escalation process | ||
| 646 | * Mediation before litigation | ||
| 647 | * Transparent decision rationale | ||
| 648 | |||
| 649 | === 17.3 International Users === | ||
| 650 | |||
| 651 | * **EU/EEA users**: May enforce GDPR rights in EU courts | ||
| 652 | * **US users**: Subject to Swiss law, may invoke Swiss-US Data Privacy Framework | ||
| 653 | * **Other jurisdictions**: Swiss law applies, local rights respected where possible | ||
| 654 | |||
| 655 | === 17.4 Severability === | ||
| 656 | |||
| 657 | If any provision of this Privacy Policy is found invalid or unenforceable, the remaining provisions continue in full force. | ||
| 658 | |||
| 659 | == 18. Effective Date and Version == | ||
| 660 | |||
| 661 | **Version**: 0.9.29 (Legal Compliance Update) | ||
| 662 | **Effective Date**: [To be determined before launch] | ||
| 663 | **Last Updated**: December 17, 2025 | ||
| 664 | |||
| 665 | This is a draft policy. Final version will be published before any user data collection begins. | ||
| 666 | |||
| 667 | == 19. Related Policies == | ||
| 668 | |||
| 669 | * [[Transparency Policy>>FactHarbor.Organisation.Transparency-Policy]] | ||
| 670 | * [[Open Source Model and Licensing>>FactHarbor.Organisation.Open Source Model and Licensing]] | ||
| 671 | * [[Operational Readiness Checklist>>FactHarbor.Organisation.Operational-Readiness-Checklist]] | ||
| 672 | * [[Terms of Service>>FactHarbor.Organisation.Terms-of-Service]] (to be created) | ||
| 673 | * [[Security Policy>>FactHarbor.Organisation.Security-Policy]] (to be created) | ||
| 674 |