Wiki source code of Privacy Policy

Last modified by Robert Schaub on 2025/12/22 14:15

= Privacy Policy =
**Effective Date:** [To be determined before production launch] **Last Updated:** December 17, 2025 (V0.9.29 - Legal Compliance Update)
== 1. Introduction ==
FactHarbor is committed to protecting your privacy while maintaining the transparency necessary for our mission of supporting well-grounded, manipulation-resistant judgments.
This Privacy Policy explains:
* What information we collect and why
* How we use and protect that information
* Your rights and choices
* How we balance privacy with transparency
**Important:** By using FactHarbor services, you agree to this Privacy Policy.
== 2. Who We Are ==
FactHarbor is a Swiss non-profit association (Verein) under Swiss law, pursuing tax-exempt status. Our mission is to create a transparent, community-driven platform for evaluating factual claims.
**Initial Phase:** FactHarbor is a small organization starting with one person, with team growth expected. Contact methods will be established before launch.
**Contact:**
* General inquiries: [To be established]
* Privacy and data requests: [To be established]
* Data Protection Officer: [To be designated if serving EU users]
* Swiss Representative: [To be designated before launch]
== 3. What Information We Collect ==
=== 3.1 Information You Provide ===
**Account Information** (if you register):
* Username (required)
* Email address (required)
* Optional profile information you choose to add
**Contributions** (if you contribute):
* Content you create (claims, scenarios, verdicts, reviews)
* Edits and modifications
* Comments and discussions
* Flags and quality reports
**Communications**:
* Messages you send to us
* Survey responses
* Feedback submissions
=== 3.2 Information We Collect Automatically ===
**Technical Data**:
* IP address
* Browser type and version
* Operating system
* Device information
* Referrer URL
* Pages viewed and time spent
**Usage Data**:
* Features you use
* Actions you take
* Search queries
* Interaction patterns
**Cookies and Similar Technologies**:
* Session cookies (essential for functionality)
* Preference cookies (remember your settings)
* Analytics cookies (understand usage patterns)
See Section 8 for cookie management.
=== 3.3 Information We DO NOT Collect ===
We do not collect:
* Financial information (no payment processing currently)
* Biometric data
* Precise geolocation (only general location from IP)
* Social security numbers or government IDs
* Unnecessary personal information
== 4. How We Use Your Information ==
We use collected information only for these purposes:
=== 4.1 Provide Services ===
* Create and maintain your account
* Display your public contributions
* Enable community features
* Personalise your experience
=== 4.2 Maintain Quality and Safety ===
* Detect and prevent abuse
* Enforce our Terms of Service
* Identify and address quality issues
* Prevent spam and manipulation
=== 4.3 Improve Services ===
* Understand how FactHarbor is used
* Identify bugs and issues
* Test new features
* Improve algorithms and quality gates
=== 4.4 Communicate ===
* Send important service updates
* Respond to your requests
* Notify you of policy changes
* Send opt-in newsletters (if you subscribe)
=== 4.5 Comply with Law ===
* Respond to valid legal requests
* Enforce legal rights
* Prevent fraud or illegal activity
== 5. Public Information ==
**Important:** Much of your activity on FactHarbor is public by design. This transparency is essential to our mission.
=== 5.1 Always Public ===
* **Contributions**: All content you create is permanently public
* **Edit history**: All changes are tracked and visible
* **Username**: Your username is visible on your contributions
* **Contribution metadata**: Timestamps, edit summaries
=== 5.2 Public if You Choose ===
* Profile information you add
* Real name (if you provide it)
* Social media links
* Biography
=== 5.3 Private (Not Public) ===
* Email address
* IP address (if you're logged in)
* Private messages (if feature exists)
* Account settings and preferences
**Key Principle:** Transparency of contributions builds trust. Your work is attributed to your username, and edit history ensures accountability.
== 6. How We Share Information ==
=== 6.1 We Never ===
* **Sell** your information
* **Rent** your information
* Share your information for **marketing** purposes
* Share with **data brokers**
=== 6.2 We May Share With ===
**Service Providers**:
* Hosting services (server infrastructure)
* Email services (for communications)
* Analytics providers (aggregated data only)
* Security services (DDoS protection, etc.)
All service providers are bound by contract to protect your data.
**Legal Requirements**:
* Valid subpoenas or court orders
* Government requests (where legally required)
* Emergency situations (to prevent harm)
See Section 12 for transparency about government requests.
**Public Data Releases**:
* Anonymized, aggregated statistics
* Research datasets (with privacy protections)
* Full public contribution history (attributions maintained)
=== 6.3 We Do Not Share ===
* Your email address (except as required by law)
* Your IP address (except as required by law)
* Your private messages
* Your account settings
== 7. How Long We Keep Information ==
We follow **data minimization** principles - keeping data only as long as necessary.
=== 7.1 Detailed Retention Periods ===
| Data Type | Retention Period | Rationale |
|-----------|------------------|-----------|
| **Account Data** | Active + 90 days after deletion | User may wish to restore account |
| **Email Addresses** | Active + 90 days after deletion | Required for communication during active period |
| **IP Addresses (logged in)** | 90 days | Fraud detection, abuse prevention |
| **IP Addresses (logged out)** | 30 days | Basic security, rate limiting |
| **Web Server Logs** | 30 days | Technical troubleshooting |
| **Error Logs** | 90 days | Bug investigation and fixing |
| **Security Logs** | 1 year | Security incident investigation, required for compliance |
| **Support Emails** | 2 years | Service improvement, warranty claims |
| **Public Contributions** | **Permanent** | Transparency requirement, attribution |
| **Contribution Metadata** | **Permanent** | Audit trail, quality assurance |
| **AKEL Evaluation Logs** | 5 years | Algorithmic accountability, appeals |
| **Financial Records** | 10 years | Swiss legal requirement (OR Art. 958f) |
| **Tax Documents** | 10 years | Swiss legal requirement |
=== 7.2 Retention Justification ===
Each retention period is based on:
* **Legal requirements** (financial records, security logs)
* **Operational necessity** (abuse prevention, appeals)
* **Data minimization** (shortest possible while meeting needs)
* **Transparency mission** (public contributions permanent)
=== 7.3 Longer Retention ===
We may retain data longer if:
* Required by law
* Necessary for ongoing investigation
* Needed to enforce Terms of Service
* You explicitly consent
=== 7.4 What Happens When You Delete Your Account ===
When you delete your account:
**Immediately**:
* Account deactivated
* Email address deleted
* Profile information removed
* You cannot log in
**Within 90 days**:
* All personal data deleted or anonymized
* Username may remain on contributions (for attribution)
* Contributions remain public (transparency requirement)
**Permanent**:
* Your public contributions remain (anonymized to deleted user if requested)
* Edit history preserved (essential for trust)
== 8. Cookies and Tracking ==
=== 8.1 Types of Cookies We Use ===
**Essential Cookies** (cannot be disabled):
* Session management (keep you logged in)
* Security features (CSRF protection)
* Load balancing
**Functional Cookies** (can be disabled):
* Language preferences
* Display settings
* User interface choices
**Analytics Cookies** (can be disabled):
* Page views and usage patterns
* Feature effectiveness
* Performance monitoring
**We Do NOT Use**:
* Advertising cookies
* Third-party tracking cookies
* Cross-site tracking
=== 8.2 Managing Cookies ===
**Cookie Consent Banner:**
On your first visit, we display a cookie consent banner allowing you to:
* Accept all cookies
* Accept only essential cookies
* Customize preferences (analytics, functional)
**Consent Requirements:**
* **Essential cookies**: No consent required (necessary for functionality)
* **Functional & Analytics cookies**: **Opt-in consent required** (not pre-checked)
* **Withdrawal**: As easy as giving consent (click banner icon anytime)
**Your Choices:**
* Accept all non-essential cookies
* Reject all non-essential cookies
* Customize by category
* Change preferences anytime via cookie settings
**Browser Controls:**
You can also block cookies via browser settings, but this may affect functionality.
**No Consent = No Non-Essential Cookies:**
If you reject non-essential cookies, we only use cookies necessary for the service to function.
**Implementation Note:** We use opt-in (not pre-checked boxes) for all non-essential cookies, in compliance with Swiss and EU law.
== 9. Your Rights and Choices ==
You have these rights regarding your personal data:
=== 9.1 Access ===
* Request a copy of your personal data
* Review what we have about you
* Export your data in machine-readable format
=== 9.2 Correction ===
* Update your account information
* Correct inaccurate data
* Complete incomplete data
=== 9.3 Deletion ===
* Delete your account
* Remove specific personal information
* Request anonymization of contributions
=== 9.4 Data Portability ===
You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
**What You Can Export:**
* Account information (JSON, CSV)
* Your contributions (JSON, XML, Markdown)
* Contribution history (CSV)
* Profile settings (JSON)
* Communication preferences (JSON)
**Formats Available:**
* **JSON** - Structured, machine-readable, most complete
* **CSV** - Spreadsheet-compatible, for tabular data
* **XML** - Alternative structured format
* **Markdown** - Human-readable for text content
**Export Process:**
1. Log in to your account
2. Go to Settings > Data Export
3. Select data types and format
4. Receive download link via email (within 48 hours)
5. Download expires after 7 days
**What's NOT Included:**
* Other users' data (privacy protection)
* Internal security logs (security reasons)
* Algorithmic scores (proprietary, but results are included)
**Transfer to Other Services:**
While we provide machine-readable formats, each service has different import capabilities. We cannot guarantee compatibility with specific third-party services.
**API Access (Future):**
We plan to offer API access for automated data exports for users who need regular portability.
=== 9.5 Object ===
* Object to certain processing
* Opt out of analytics cookies
* Unsubscribe from emails
=== 9.6 Lodge Complaint ===
* File complaint with us
* Contact Swiss FDPIC (www.edoeb.admin.ch)
* EU residents: contact local data protection authority
* Seek legal remedies
=== 9.7 How to Exercise Your Rights ===
Contact: [Method to be established before launch]
Include:
* Your username
* Specific request
* Validation information
We respond promptly.
== 10. Data Security and Compliance ==
We protect your information with industry-standard security measures:
=== 10.1 Technical Measures ===
* **Encryption in transit**: TLS/HTTPS for all connections
* **Encryption at rest**: Sensitive data encrypted in databases
* **Access controls**: Role-based access to systems
* **Authentication**: Strong password requirements, optional 2FA
* **Secure development**: Security reviews, code audits
* **Penetration testing**: Regular security assessments
=== 10.2 Organisational Measures ===
* **Team member training**: Security awareness programs
* **Access logging**: All admin actions logged
* **Incident response**: Documented procedures
* **Vendor assessment**: Security review of third parties
* **Data minimization**: Collect only what's needed
=== 10.3 Data Protection Impact Assessment (DPIA) ===
For high-risk processing activities, we conduct Data Protection Impact Assessments (DPIA) as required by Swiss FADP Article 22, including:
* Description of processing operations
* Assessment of necessity and proportionality
* Evaluation of risks to user rights
* Mitigation measures
* Documentation and regular review
**High-risk activities include:**
* AI-powered automated decision systems (AKEL)
* Large-scale content moderation
* Processing of sensitive personal data (political opinions, health information)
* Systematic monitoring of user behavior
=== 10.4 Processing Activities Register ===
We maintain a comprehensive register of all processing activities as required by Swiss FADP Article 12, including:
* Controller identification and contact details
* Purposes of processing
* Categories of data subjects and personal data
* Categories of recipients
* Retention periods
* Description of security measures
* Details of international data transfers
This register is available for inspection by the Swiss Federal Data Protection and Information Commissioner (FDPIC) upon request.
=== 10.5 Data Protection Officer (DPO) ===
**If we serve users in the European Union**, we will appoint a Data Protection Officer (DPO) as required by EU GDPR Article 37.
The DPO will:
* Advise on data protection compliance
* Monitor FADP and GDPR compliance
* Serve as contact point for FDPIC and EU authorities
* Conduct privacy audits
* Handle data subject requests
Contact: [To be established if appointed]
**Note:** Swiss law does not require a DPO for organizations of our size, but we commit to appointing one if we process data of EU residents to ensure full GDPR compliance.
=== 10.6 Limitations ===
No system is 100% secure. While we implement strong protections:
* We cannot guarantee absolute security
* You are responsible for your password security
* Public contributions are permanently public
== 11. Data Breaches ==
If we experience a data breach:
=== 11.1 Our Response ===
**Immediately (without undue delay):**
* Contain the breach
* Assess scope and impact
* **Notify Swiss FDPIC immediately** if breach likely results in high risk to data subjects (as required by FADP Article 24)
* Begin investigation
**Within 72 hours:**
* Complete detailed assessment
* Notify affected users if high risk confirmed
* Provide details on what was compromised
* Explain steps we're taking
* Advise on protective actions
=== 11.2 Transparency ===
* Public incident report published (after resolution)
* Root cause analysis shared
* Improvements implemented
* Follow-up report after resolution
== 12. Government Requests and Transparency ==
=== 12.1 Our Principles ===
* We require valid legal process
* We notify users unless prohibited by law
* We challenge overly broad requests
* We publish transparency reports
=== 12.2 What We Require ===
* **User data requests**: Court order or warrant
* **Content removal**: Valid legal basis, not just request
* **Emergency disclosure**: Credible threat to life/safety
=== 12.3 User Notification ===
We notify affected users unless:
* Legally prohibited (gag order)
* Would interfere with investigation
* User is the subject of investigation
We challenge gag orders exceeding 1 year.
=== 12.4 Transparency Reports ===
Published twice yearly:
* Number of requests by type
* Compliance rate
* Users affected
* Challenges filed
== 13. International Data Transfers ==
FactHarbor may transfer personal data internationally for the following purposes:
* Cloud hosting services (servers may be in EU, Switzerland, US)
* AI model providers (if using hosted models)
* Content delivery networks
* Email and communication services
=== 13.1 Legal Basis for Transfers ===
**European Economic Area (EEA):**
Switzerland has an EU adequacy decision (confirmed January 15, 2024), allowing free data flow between Switzerland and EEA countries without additional safeguards.
**United States:**
We transfer data only to companies certified under the Swiss-US Data Privacy Framework (effective September 15, 2024) or use Standard Contractual Clauses (SCCs) approved by the Swiss Federal Council.
**Other Countries:**
For countries without adequacy decision, we use:
* Swiss/EU Standard Contractual Clauses (SCCs), or
* Binding Corporate Rules, or
* Explicit user consent for specific transfers
=== 13.2 Safeguards ===
All international transfers include:
* Contractual data protection obligations
* Technical encryption measures (TLS/HTTPS)
* Access controls and logging
* Regular compliance audits
* Validation of recipient's data protection capabilities
=== 13.3 Disclosure to Users ===
We will inform you before your data is transferred to:
* Countries without adequacy decision from Switzerland or EU
* Processors outside Switzerland/EEA
* Government authorities in foreign jurisdictions (if legally compelled)
=== 13.4 Your Rights ===
You may:
* Object to specific international transfers
* Request information about transfer safeguards
* Lodge complaints with Swiss FDPIC or your local data protection authority
Contact: [Data requests contact to be established] with concerns about international transfers.
== 14. Children's Privacy ==
FactHarbor is not intended for children and we take children's privacy very seriously.
=== 14.1 Age Requirements ===
FactHarbor is not intended for children under:
* **13 years old** (US COPPA)
* **16 years old** (EU GDPR, or lower age set by EU member state)
* **13 years old** (Swiss FADP - default age of consent for most processing)
=== 14.2 No Knowing Collection ===
We do not knowingly collect personal data from children below these ages. If you believe a child has provided us data, contact [Privacy contact to be established] immediately.
=== 14.3 Discovery and Deletion ===
If we learn a user is below the age requirement:
1. We immediately suspend the account
2. We delete all personal data promptly
3. We notify the account holder (if email provided)
4. We document the deletion for compliance
=== 14.4 Parental Rights ===
Parents or guardians may:
* Request information about data collected from their child
* Request immediate deletion of that data
* Prohibit further collection from their child
Contact: [Privacy contact to be established] with subject "Child Data Request"
=== 14.5 Validation ===
We may request verification of parental/guardian status before processing requests.
=== 14.6 Public Contributions ===
Content contributed by underage users (before age verification) will be:
* Attributed to "Deleted User [ID]"
* Content remains for transparency (anonymized)
* No personal data retained
== 15. Changes to This Policy ==
We may update this Privacy Policy:
* Material changes require 30-day notice
* Notice via email or prominent site banner
* Continued use after notice = acceptance
* Previous versions archived and accessible
== 16. Contact Us ==
**Before Launch:**
Contact infrastructure will be established before any user data collection begins.
**After Launch, contact points will include:**
* General privacy questions
* Data subject access requests (FADP/GDPR)
* Data Protection Officer (if serving EU users)
* Swiss Representative (required for FADP)
* Security incident reporting
**Mailing Address**: [To be determined based on Verein registration]
**Note:** As a small organization, contact functions may be handled by the same individual initially, but legal requirements for response times and procedures will be met.
== 17. Governing Law and Jurisdiction ==
=== 17.1 Applicable Law ===
This Privacy Policy is governed by:
* **Swiss Federal Act on Data Protection (FADP)** - Primary data protection law
* **Swiss Civil Code (ZGB)** - For Verein organizational matters
* **EU General Data Protection Regulation (GDPR)** - When processing data of EU/EEA residents
* **Swiss Telecommunications Act** - For electronic communications
=== 17.2 Jurisdiction ===
For disputes arising from this policy:
**Primary Jurisdiction:** Swiss courts (canton to be determined based on Verein location)
**Data Protection Disputes:**
* First, contact [DPO contact to be established if needed] or [Privacy contact to be established]
* File complaint with Swiss FDPIC (www.edoeb.admin.ch)
* EU residents may file with local data protection authority
* Legal action available in Swiss courts or (for EU residents) in EU member state courts
**Alternative Dispute Resolution:**
We are committed to resolving disputes amicably through:
* Internal escalation process
* Mediation before litigation
* Transparent decision rationale
=== 17.3 International Users ===
* **EU/EEA users**: May enforce GDPR rights in EU courts
* **US users**: Subject to Swiss law, may invoke Swiss-US Data Privacy Framework
* **Other jurisdictions**: Swiss law applies, local rights respected where possible
=== 17.4 Severability ===
If any provision of this Privacy Policy is found invalid or unenforceable, the remaining provisions continue in full force.
== 18. Effective Date and Version ==
**Version**: 0.9.29 (Legal Compliance Update) **Effective Date**: [To be determined before launch] **Last Updated**: December 17, 2025
This is a draft policy. Final version will be published before any user data collection begins.
== 19. Related Policies ==
* [[Transparency Policy>>FactHarbor.Organisation.How-We-Work-Together.Transparency-Policy]]
* [[Open Source Model and Licensing>>FactHarbor.Organisation.Open Source Model and Licensing]]
* [[Operational Readiness Checklist>>FactHarbor.Organisation.Operational-Readiness-Checklist]]
* [[Terms of Service>>FactHarbor.Organisation.How-We-Work-Together.Terms-of-Service]] (to be created)
* [[Security Policy>>FactHarbor.Organisation.How-We-Work-Together.Security-Policy]] (to be created)