Privacy policy

What Policy Window collects, what we do with it, and what rights you have. The honest version: the public wiki is deliberately low-data — we don't need much, so we don't collect much. Where we do collect data (signed-in users, feedback submissions, server logs), it's named below.

Last updated: 2026-05-30 (iter-312).

1 · Data controller

As of 2026-05-30, the data controller for policywindow.org is the project founder, Ryan Wong, operating as a sole trader. Contact for data-subject requests: privacy@policywindow.org. Response target: 14 days for GDPR / UK GDPR requests, in line with the statutory 30-day cap.

Honest disclosure: a legal entity (UK CIC or equivalent PBC) is on the Q4 2026 roadmap (see /wiki/roadmap). When incorporated, the controller will transition to that entity and this page will name a Data Protection Officer.

2 · What we collect

Surface	What's collected	Why	Retention
/wiki/* (public articles)	Server access logs: timestamp, request path, referrer, user-agent, IP address (truncated to /24 for IPv4, /48 for IPv6 within 24 hours of capture).	Operational debugging, abuse detection, aggregate usage analytics.	30 days for raw logs; aggregate metrics (no IPs) retained indefinitely.
Feedback widget on articles	Submitted text + optional email if you provide one + the article slug.	Editorial review + corrections workflow.	Until resolved + 90 days; submissions that become public CorrectionRecord rows are retained indefinitely.
Signed-in dashboard	Opaque userId + role + (optional) tenantId carried in a HMAC-signed HttpOnly session cookie. No password is stored; identity is verified administratively via a UserRoleAssignment table populated when an administrator grants access. A credentialled / SSO authentication layer in front of the app is on the roadmap (see /wiki/roadmap); until then this site does not collect email addresses for the signed-in surface. No cookies on /wiki/* — signed-in cookies only set after login.	Authentication, role-based access control, multi-tenancy isolation.	Account lifetime + 12 months from last login; audit logs minimum 365 days.
Press contact + email	Email content + sender address.	Responding to press enquiries.	3 years (UK + EU statutory).

We do not use third-party analytics on /wiki/* as of 2026-05-30. If we add analytics (planned Q3 2026 — see goal G10 on /wiki/goals), we will use a privacy-respecting vendor (Plausible, Fathom, or equivalent — no IP retention, no cross-site tracking) and update this page within 7 days of integration.

3 · What we do NOT collect

No cookies on the public wiki (/wiki/*) — no consent banner needed because there is nothing to consent to.
No cross-site tracking pixels.
No fingerprinting (canvas, WebGL, font enumeration).
No location data beyond inference from IP geolocation for aggregate usage metrics (and IPs are truncated within 24h).
No social-media login providers, no third-party SSO with tracking, no advertising-network integrations.
No personal data is sold or rented to third parties. Ever.

4 · Data residency

Application + database: hosted on Fly.io, currently in lhr(London, UK) region. Data does not transit through US infrastructure for normal application requests. Static assets (JavaScript, CSS, images) may be served via Cloudflare's global edge CDN; the edge nodes do not have access to user-specific data, only public static files.

Third-party processors (sub-processors):

Fly.io (compute + volume hosting, lhr region).
Cloudflare (DNS, optional edge CDN — no PII access).
GitHub (source-code hosting; corrections workflow if you submit feedback that becomes a GitHub issue).
Anthropic (Claude API for internal research-workspace + topic-proposer flows — see /wiki/ai-disclosure. Public-wiki article rendering does not call Anthropic.).
Resend (transactional email delivery for newsletter signup confirmation + digest dispatch; US-hosted processor; cross-border transfer mechanism: Standard Contractual Clauses per Resend's Data Processing Addendum). Used only on the newsletter signup/confirm path; not invoked for public-wiki article rendering or signed-in dashboard.

5 · Your rights (GDPR / UK GDPR)

If you are in the EU, UK, or any jurisdiction with similar data-protection law, you have the right to:

Access (Art. 15): request a copy of personal data we hold about you.
Rectification (Art. 16): correct inaccurate data.
Erasure / right to be forgotten (Art. 17): request deletion.
Restriction (Art. 18): limit processing pending review.
Portability (Art. 20): receive your data in a portable format.
Objection (Art. 21): object to processing on legitimate-interest grounds.
Withdrawal of consent (Art. 7(3)): where processing relies on consent (it generally doesn't for us).
Lodge a complaint with the Information Commissioner's Office (UK), the relevant EU supervisory authority, or your local DPA.

Send requests to privacy@policywindow.org. We'll respond within 30 days, usually within 14.

6 · Automated decision-making (GDPR Article 22)

We do not make solely-automated decisions that produce legal or significant effects about you. The public wiki is read-only catalog content; AI is used internally during topic-proposer and research-workspace operations (see /wiki/ai-disclosure), but human reviewers are in the loop before any output is published. If we ever build a feature that does meaningful automated decision-making about people, we'll update this page first and add an opt-out mechanism.

7 · Breach notification

If we become aware of a personal-data breach that poses a risk to rights and freedoms, we'll notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected individuals without undue delay (GDPR Art. 34). A summary of all incidents that meet the notification threshold is published on /wiki/changelog (tagged incident) within a further 7 days.

8 · Children

Policy Window is not directed at children. We don't knowingly collect data from anyone under 16. If you believe a child has provided personal data through our service, email privacy@policywindow.org and we'll delete it.

9 · How this policy is updated

Material changes (new data collected, new sub-processor added, retention period extended) require a 14-day notice posted on /wiki/changelog before they take effect. Cosmetic changes (typo fixes, link updates) take effect immediately; the change is visible in git log src/app/privacy/page.tsx on the public repository.