Skip to Content

Wiki source code of Privacy Policy

Last modified by Robert Schaub on 2025/12/24 21:53
Show last authors
1 = Privacy Policy =
2 **Effective Date:** [To be determined before production launch]
3 **Last Updated:** December 17, 2025 (V0.9.29 - Legal Compliance Update)
4 == 1. Introduction ==
5 FactHarbor is committed to protecting your privacy while maintaining the transparency necessary for our mission of supporting well-grounded, manipulation-resistant judgments.
6 This Privacy Policy explains:
7 * What information we collect and why
8 * How we use and protect that information
9 * Your rights and choices
10 * How we balance privacy with transparency
11 **Important:** By using FactHarbor services, you agree to this Privacy Policy.
12 == 2. Who We Are ==
13 FactHarbor is a Swiss non-profit association (Verein) under Swiss law, pursuing tax-exempt status. Our mission is to create a transparent, community-driven platform for evaluating factual claims.
14 **Initial Phase:** FactHarbor is a small organization starting with one person, with team growth expected. Contact methods will be established before launch.
15 **Contact:**
16 * General inquiries: [To be established]
17 * Privacy and data requests: [To be established]
18 * Data Protection Officer: [To be designated if serving EU users]
19 * Swiss Representative: [To be designated before launch]
20 == 3. What Information We Collect ==
21 === 3.1 Information You Provide ===
22 **Account Information** (if you register):
23 * Username (required)
24 * Email address (required)
25 * Optional profile information you choose to add
26 **Contributions** (if you contribute):
27 * Content you create (claims, scenarios, verdicts, reviews)
28 * Edits and modifications
29 * Comments and discussions
30 * Flags and quality reports
31 **Communications**:
32 * Messages you send to us
33 * Survey responses
34 * Feedback submissions
35 === 3.2 Information We Collect Automatically ===
36 **Technical Data**:
37 * IP address
38 * Browser type and version
39 * Operating system
40 * Device information
41 * Referrer URL
42 * Pages viewed and time spent
43 **Usage Data**:
44 * Features you use
45 * Actions you take
46 * Search queries
47 * Interaction patterns
48 **Cookies and Similar Technologies**:
49 * Session cookies (essential for functionality)
50 * Preference cookies (remember your settings)
51 * Analytics cookies (understand usage patterns)
52 See Section 8 for cookie management.
53 === 3.3 Information We DO NOT Collect ===
54 We do not collect:
55 * Financial information (no payment processing currently)
56 * Biometric data
57 * Precise geolocation (only general location from IP)
58 * Social security numbers or government IDs
59 * Unnecessary personal information
60 == 4. How We Use Your Information ==
61 We use collected information only for these purposes:
62 === 4.1 Provide Services ===
63 * Create and maintain your account
64 * Display your public contributions
65 * Enable community features
66 * Personalise your experience
67 === 4.2 Maintain Quality and Safety ===
68 * Detect and prevent abuse
69 * Enforce our Terms of Service
70 * Identify and address quality issues
71 * Prevent spam and manipulation
72 === 4.3 Improve Services ===
73 * Understand how FactHarbor is used
74 * Identify bugs and issues
75 * Test new features
76 * Improve algorithms and quality gates
77 === 4.4 Communicate ===
78 * Send important service updates
79 * Respond to your requests
80 * Notify you of policy changes
81 * Send opt-in newsletters (if you subscribe)
82 === 4.5 Comply with Law ===
83 * Respond to valid legal requests
84 * Enforce legal rights
85 * Prevent fraud or illegal activity
86 == 5. Public Information ==
87 **Important:** Much of your activity on FactHarbor is public by design. This transparency is essential to our mission.
88 === 5.1 Always Public ===
89 * **Contributions**: All content you create is permanently public
90 * **Edit history**: All changes are tracked and visible
91 * **Username**: Your username is visible on your contributions
92 * **Contribution metadata**: Timestamps, edit summaries
93 === 5.2 Public if You Choose ===
94 * Profile information you add
95 * Real name (if you provide it)
96 * Social media links
97 * Biography
98 === 5.3 Private (Not Public) ===
99 * Email address
100 * IP address (if you're logged in)
101 * Private messages (if feature exists)
102 * Account settings and preferences
103 **Key Principle:** Transparency of contributions builds trust. Your work is attributed to your username, and edit history ensures accountability.
104 == 6. How We Share Information ==
105 === 6.1 We Never ===
106 * **Sell** your information
107 * **Rent** your information
108 * Share your information for **marketing** purposes
109 * Share with **data brokers**
110 === 6.2 We May Share With ===
111 **Service Providers**:
112 * Hosting services (server infrastructure)
113 * Email services (for communications)
114 * Analytics providers (aggregated data only)
115 * Security services (DDoS protection, etc.)
116 All service providers are bound by contract to protect your data.
117 **Legal Requirements**:
118 * Valid subpoenas or court orders
119 * Government requests (where legally required)
120 * Emergency situations (to prevent harm)
121 See Section 12 for transparency about government requests.
122 **Public Data Releases**:
123 * Anonymized, aggregated statistics
124 * Research datasets (with privacy protections)
125 * Full public contribution history (attributions maintained)
126 === 6.3 We Do Not Share ===
127 * Your email address (except as required by law)
128 * Your IP address (except as required by law)
129 * Your private messages
130 * Your account settings
131 == 7. How Long We Keep Information ==
132 We follow **data minimization** principles - keeping data only as long as necessary.
133 === 7.1 Detailed Retention Periods ===
134 | Data Type | Retention Period | Rationale |
135 |-----------|------------------|-----------|
136 | **Account Data** | Active + 90 days after deletion | User may wish to restore account |
137 | **Email Addresses** | Active + 90 days after deletion | Required for communication during active period |
138 | **IP Addresses (logged in)** | 90 days | Fraud detection, abuse prevention |
139 | **IP Addresses (logged out)** | 30 days | Basic security, rate limiting |
140 | **Web Server Logs** | 30 days | Technical troubleshooting |
141 | **Error Logs** | 90 days | Bug investigation and fixing |
142 | **Security Logs** | 1 year | Security incident investigation, required for compliance |
143 | **Support Emails** | 2 years | Service improvement, warranty claims |
144 | **Public Contributions** | **Permanent** | Transparency requirement, attribution |
145 | **Contribution Metadata** | **Permanent** | Audit trail, quality assurance |
146 | **AKEL Evaluation Logs** | 5 years | Algorithmic accountability, appeals |
147 | **Financial Records** | 10 years | Swiss legal requirement (OR Art. 958f) |
148 | **Tax Documents** | 10 years | Swiss legal requirement |
149 === 7.2 Retention Justification ===
150 Each retention period is based on:
151 * **Legal requirements** (financial records, security logs)
152 * **Operational necessity** (abuse prevention, appeals)
153 * **Data minimization** (shortest possible while meeting needs)
154 * **Transparency mission** (public contributions permanent)
155 === 7.3 Longer Retention ===
156 We may retain data longer if:
157 * Required by law
158 * Necessary for ongoing investigation
159 * Needed to enforce Terms of Service
160 * You explicitly consent
161 === 7.4 What Happens When You Delete Your Account ===
162 When you delete your account:
163 **Immediately**:
164 * Account deactivated
165 * Email address deleted
166 * Profile information removed
167 * You cannot log in
168 **Within 90 days**:
169 * All personal data deleted or anonymized
170 * Username may remain on contributions (for attribution)
171 * Contributions remain public (transparency requirement)
172 **Permanent**:
173 * Your public contributions remain (anonymized to deleted user if requested)
174 * Edit history preserved (essential for trust)
175 == 8. Cookies and Tracking ==
176 === 8.1 Types of Cookies We Use ===
177 **Essential Cookies** (cannot be disabled):
178 * Session management (keep you logged in)
179 * Security features (CSRF protection)
180 * Load balancing
181 **Functional Cookies** (can be disabled):
182 * Language preferences
183 * Display settings
184 * User interface choices
185 **Analytics Cookies** (can be disabled):
186 * Page views and usage patterns
187 * Feature effectiveness
188 * Performance monitoring
189 **We Do NOT Use**:
190 * Advertising cookies
191 * Third-party tracking cookies
192 * Cross-site tracking
193 === 8.2 Managing Cookies ===
194 **Cookie Consent Banner:**
195 On your first visit, we display a cookie consent banner allowing you to:
196 * Accept all cookies
197 * Accept only essential cookies
198 * Customize preferences (analytics, functional)
199 **Consent Requirements:**
200 * **Essential cookies**: No consent required (necessary for functionality)
201 * **Functional & Analytics cookies**: **Opt-in consent required** (not pre-checked)
202 * **Withdrawal**: As easy as giving consent (click banner icon anytime)
203 **Your Choices:**
204 * Accept all non-essential cookies
205 * Reject all non-essential cookies
206 * Customize by category
207 * Change preferences anytime via cookie settings
208 **Browser Controls:**
209 You can also block cookies via browser settings, but this may affect functionality.
210 **No Consent = No Non-Essential Cookies:**
211 If you reject non-essential cookies, we only use cookies necessary for the service to function.
212 **Implementation Note:** We use opt-in (not pre-checked boxes) for all non-essential cookies, in compliance with Swiss and EU law.
213 == 9. Your Rights and Choices ==
214 You have these rights regarding your personal data:
215 === 9.1 Access ===
216 * Request a copy of your personal data
217 * Review what we have about you
218 * Export your data in machine-readable format
219 === 9.2 Correction ===
220 * Update your account information
221 * Correct inaccurate data
222 * Complete incomplete data
223 === 9.3 Deletion ===
224 * Delete your account
225 * Remove specific personal information
226 * Request anonymization of contributions
227 === 9.4 Data Portability ===
228 You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
229 **What You Can Export:**
230 * Account information (JSON, CSV)
231 * Your contributions (JSON, XML, Markdown)
232 * Contribution history (CSV)
233 * Profile settings (JSON)
234 * Communication preferences (JSON)
235 **Formats Available:**
236 * **JSON** - Structured, machine-readable, most complete
237 * **CSV** - Spreadsheet-compatible, for tabular data
238 * **XML** - Alternative structured format
239 * **Markdown** - Human-readable for text content
240 **Export Process:**
241 1. Log in to your account
242 2. Go to Settings > Data Export
243 3. Select data types and format
244 4. Receive download link via email (within 48 hours)
245 5. Download expires after 7 days
246 **What's NOT Included:**
247 * Other users' data (privacy protection)
248 * Internal security logs (security reasons)
249 * Algorithmic scores (proprietary, but results are included)
250 **Transfer to Other Services:**
251 While we provide machine-readable formats, each service has different import capabilities. We cannot guarantee compatibility with specific third-party services.
252 **API Access (Future):**
253 We plan to offer API access for automated data exports for users who need regular portability.
254 === 9.5 Object ===
255 * Object to certain processing
256 * Opt out of analytics cookies
257 * Unsubscribe from emails
258 === 9.6 Lodge Complaint ===
259 * File complaint with us
260 * Contact Swiss FDPIC (www.edoeb.admin.ch)
261 * EU residents: contact local data protection authority
262 * Seek legal remedies
263 === 9.7 How to Exercise Your Rights ===
264 Contact: [Method to be established before launch]
265 Include:
266 * Your username
267 * Specific request
268 * validation information
269 We respond promptly.
270 == 10. Data Security and Compliance ==
271 We protect your information with industry-standard security measures:
272 === 10.1 Technical Measures ===
273 * **Encryption in transit**: TLS/HTTPS for all connections
274 * **Encryption at rest**: Sensitive data encrypted in databases
275 * **Access controls**: Role-based access to systems
276 * **Authentication**: Strong password requirements, optional 2FA
277 * **Secure development**: Security reviews, code audits
278 * **Penetration testing**: Regular security assessments
279 === 10.2 Organisational Measures ===
280 * **Team Members training**: Security awareness programs
281 * **Access logging**: All admin actions logged
282 * **Incident response**: Documented procedures
283 * **Vendor assessment**: Security review of third parties
284 * **Data minimization**: Collect only what's needed
285 === 10.3 Data Protection Impact Assessment (DPIA) ===
286 For high-risk processing activities, we conduct Data Protection Impact Assessments (DPIA) as required by Swiss FADP Article 22, including:
287 * Description of processing operations
288 * Assessment of necessity and proportionality
289 * Evaluation of risks to user rights
290 * Mitigation measures
291 * Documentation and regular review
292 **High-risk activities include:**
293 * AI-powered automated decision systems (AKEL)
294 * Large-scale content moderation
295 * Processing of sensitive personal data (political opinions, health information)
296 * Systematic monitoring of user behavior
297 === 10.4 Processing Activities Register ===
298 We maintain a comprehensive register of all processing activities as required by Swiss FADP Article 12, including:
299 * Controller identification and contact details
300 * Purposes of processing
301 * Categories of data subjects and personal data
302 * Categories of recipients
303 * Retention periods
304 * Description of security measures
305 * Details of international data transfers
306 This register is available for inspection by the Swiss Federal Data Protection and Information Commissioner (FDPIC) upon request.
307 === 10.5 Data Protection Officer (DPO) ===
308 **If we serve users in the European Union**, we will appoint a Data Protection Officer (DPO) as required by EU GDPR Article 37.
309 The DPO will:
310 * Advise on data protection compliance
311 * Monitor FADP and GDPR compliance
312 * Serve as contact point for FDPIC and EU authorities
313 * Conduct privacy audits
314 * Handle data subject requests
315 Contact: [To be established if appointed]
316 **Note:** Swiss law does not require a DPO for organizations of our size, but we commit to appointing one if we process data of EU residents to ensure full GDPR compliance.
317 === 10.6 Limitations ===
318 No system is 100% secure. While we implement strong protections:
319 * We cannot guarantee absolute security
320 * You are responsible for your password security
321 * Public contributions are permanently public
322 == 11. Data Breaches ==
323 If we experience a data breach:
324 === 11.1 Our Response ===
325 **Immediately (without undue delay):**
326 * Contain the breach
327 * Assess scope and impact
328 * **Notify Swiss FDPIC immediately** if breach likely results in high risk to data subjects (as required by FADP Article 24)
329 * Begin investigation
330 **Within 72 hours:**
331 * Complete detailed assessment
332 * Notify affected users if high risk confirmed
333 * Provide details on what was compromised
334 * Explain steps we're taking
335 * Advise on protective actions
336 === 11.2 Transparency ===
337 * Public incident report published (after resolution)
338 * Root cause analysis shared
339 * Improvements implemented
340 * Follow-up report after resolution
341 == 12. Government Requests and Transparency ==
342 === 12.1 Our Principles ===
343 * We require valid legal process
344 * We notify users unless prohibited by law
345 * We challenge overly broad requests
346 * We publish transparency reports
347 === 12.2 What We Require ===
348 * **User data requests**: Court order or warrant
349 * **Content removal**: Valid legal basis, not just request
350 * **Emergency disclosure**: Credible threat to life/safety
351 === 12.3 User Notification ===
352 We notify affected users unless:
353 * Legally prohibited (gag order)
354 * Would interfere with investigation
355 * User is the subject of investigation
356 We challenge gag orders exceeding 1 year.
357 === 12.4 Transparency Reports ===
358 Published twice yearly:
359 * Number of requests by type
360 * Compliance rate
361 * Users affected
362 * Challenges filed
363 == 13. International Data Transfers ==
364 FactHarbor may transfer personal data internationally for the following purposes:
365 * Cloud hosting services (servers may be in EU, Switzerland, US)
366 * AI model providers (if using hosted models)
367 * Content delivery networks
368 * Email and communication services
369 === 13.1 Legal Basis for Transfers ===
370 **European Economic Area (EEA):**
371 Switzerland has an EU adequacy decision (confirmed January 15, 2024), allowing free data flow between Switzerland and EEA countries without additional safeguards.
372 **United States:**
373 We transfer data only to companies certified under the Swiss-US Data Privacy Framework (effective September 15, 2024) or use Standard Contractual Clauses (SCCs) approved by the Swiss Federal Council.
374 **Other Countries:**
375 For countries without adequacy decision, we use:
376 * Swiss/EU Standard Contractual Clauses (SCCs), or
377 * Binding Corporate Rules, or
378 * Explicit user consent for specific transfers
379 === 13.2 Safeguards ===
380 All international transfers include:
381 * Contractual data protection obligations
382 * Technical encryption measures (TLS/HTTPS)
383 * Access controls and logging
384 * Regular compliance audits
385 * validation of recipient's data protection capabilities
386 === 13.3 Disclosure to Users ===
387 We will inform you before your data is transferred to:
388 * Countries without adequacy decision from Switzerland or EU
389 * Processors outside Switzerland/EEA
390 * Government authorities in foreign jurisdictions (if legally compelled)
391 === 13.4 Your Rights ===
392 You may:
393 * Object to specific international transfers
394 * Request information about transfer safeguards
395 * Lodge complaints with Swiss FDPIC or your local data protection authority
396 Contact: [Data requests contact to be established] with concerns about international transfers.
397 == 14. Children's Privacy ==
398 FactHarbor is not intended for children and we take children's privacy very seriously.
399 === 14.1 Age Requirements ===
400 FactHarbor is not intended for children under:
401 * **13 years old** (US COPPA)
402 * **16 years old** (EU GDPR, or lower age set by EU member state)
403 * **13 years old** (Swiss FADP - default age of consent for most processing)
404 === 14.2 No Knowing Collection ===
405 We do not knowingly collect personal data from children below these ages. If you believe a child has provided us data, contact [Privacy contact to be established] immediately.
406 === 14.3 Discovery and Deletion ===
407 If we learn a user is below the age requirement:
408 1. We immediately suspend the account
409 2. We delete all personal data promptly
410 3. We notify the account holder (if email provided)
411 4. We document the deletion for compliance
412 === 14.4 Parental Rights ===
413 Parents or guardians may:
414 * Request information about data collected from their child
415 * Request immediate deletion of that data
416 * Prohibit further collection from their child
417 Contact: [Privacy contact to be established] with subject "Child Data Request"
418 === 14.5 validation ===
419 We may request verification of parental/guardian status before processing requests.
420 === 14.6 Public Contributions ===
421 Content contributed by underage users (before age verification) will be:
422 * Attributed to "Deleted User [ID]"
423 * Content remains for transparency (anonymized)
424 * No personal data retained
425 == 15. Changes to This Policy ==
426 We may update this Privacy Policy:
427 * Material changes require 30-day notice
428 * Notice via email or prominent site banner
429 * Continued use after notice = acceptance
430 * Previous versions archived and accessible
431 == 16. Contact Us ==
432 **Before Launch:**
433 Contact infrastructure will be established before any user data collection begins.
434 **After Launch, contact points will include:**
435 * General privacy questions
436 * Data subject access requests (FADP/GDPR)
437 * Data Protection Officer (if serving EU users)
438 * Swiss Representative (required for FADP)
439 * Security incident reporting
440 **Mailing Address**: [To be determined based on Verein registration]
441 **Note:** As a small organization, contact functions may be handled by the same individual initially, but legal requirements for response times and procedures will be met.
442 == 17. Governing Law and Jurisdiction ==
443 === 17.1 Applicable Law ===
444 This Privacy Policy is governed by:
445 * **Swiss Federal Act on Data Protection (FADP)** - Primary data protection law
446 * **Swiss Civil Code (ZGB)** - For Verein organizational matters
447 * **EU General Data Protection Regulation (GDPR)** - When processing data of EU/EEA residents
448 * **Swiss Telecommunications Act** - For electronic communications
449 === 17.2 Jurisdiction ===
450 For disputes arising from this policy:
451 **Primary Jurisdiction:** Swiss courts (canton to be determined based on Verein location)
452 **Data Protection Disputes:**
453 * First, contact [DPO contact to be established if needed] or [Privacy contact to be established]
454 * File complaint with Swiss FDPIC (www.edoeb.admin.ch)
455 * EU residents may file with local data protection authority
456 * Legal action available in Swiss courts or (for EU residents) in EU member state courts
457 **Alternative Dispute Resolution:**
458 We are committed to resolving disputes amicably through:
459 * Internal escalation process
460 * Mediation before litigation
461 * Transparent decision rationale
462 === 17.3 International Users ===
463 * **EU/EEA users**: May enforce GDPR rights in EU courts
464 * **US users**: Subject to Swiss law, may invoke Swiss-US Data Privacy Framework
465 * **Other jurisdictions**: Swiss law applies, local rights respected where possible
466 === 17.4 Severability ===
467 If any provision of this Privacy Policy is found invalid or unenforceable, the remaining provisions continue in full force.
468 == 18. Effective Date and Version ==
469 **Version**: 0.9.29 (Legal Compliance Update)
470 **Effective Date**: [To be determined before launch]
471 **Last Updated**: December 17, 2025
472 This is a draft policy. Final version will be published before any user data collection begins.
473 == 19. Related Policies ==
474 * [[Transparency Policy>>FactHarbor.Organisation.How-We-Work-Together.Transparency-Policy]]
475 * [[Open Source Model and Licensing>>FactHarbor.Organisation.Open Source Model and Licensing]]
476 * [[Operational Readiness Checklist>>FactHarbor.Organisation.Operational-Readiness-Checklist]]
477 * [[Terms of Service>>FactHarbor.Organisation.How-We-Work-Together.Terms-of-Service]] (to be created)
478 * [[Security Policy>>FactHarbor.Organisation.How-We-Work-Together.Security-Policy]] (to be created)