Privacy Policy

Last updated: March 2026 — Written by Dami

The Short Version (Plain English)

Everything Earde collects about you:

  • Your username. Public. Your identity on the platform.
  • Your email address. Private. Used only to verify your account and send password resets.
  • Your password — hashed, immediately. The raw password is discarded the instant it is received. Only an Argon2id hash is stored. We cannot recover or read your password.
  • Your posts, comments, and votes. The content you choose to contribute.
  • Your IP address, for security. Temporarily stored in the database to enforce rate limiting on login and signup. Not used for anything else.
  • Anonymous daily page-view counts. We count visits per page using a daily-resetting hash of your IP, browser string, and the current date. The hash is one-way: the original IP cannot be recovered from it.

No advertising. No tracking pixels. No Google Analytics. No Meta Pixel. No data brokers. No behavioural profiling. No selling your data.

We set exactly one cookie: a session cookie that keeps you logged in. It is deleted when you log out. No cookie banner is shown because this cookie is strictly necessary for the service to function, so consent is not legally required for it.

You can download all your data as JSON at any time. You can delete your account instantly from Settings.

Technical Specification

1. Who we are

I am Dami, a developer based in Italy. With my friend Nico, we built and run Earde. At the moment there is no company, no legal team, no DPO, just us. You can contact me for all data protection matters: dami@earde.com.

This policy reflects the actual source code. If anything here contradicts the code, the code is the ground truth, and I want to know so I can fix the policy.

  • Earde is fully open-source. You do not have to trust this policy. Read the code and verify it yourself: https://github.com/earde-social/earde
  • We collect the minimum data needed to run this.
  • No third-party services receive your data. Your browser makes no requests to any external server when you use Earde.

2. Infrastructure & Hosting

Earde runs on servers provided by Hetzner, a German hosting company. All servers are located physically inside the European Union, either in Germany (Nuremberg/Falkenstein) or Finland (Helsinki).

Your data never leaves EU jurisdiction. We do not use Amazon Web Services, Google Cloud, Microsoft Azure, or any comparable US-based cloud platform. There is no CDN routing your traffic through non-EU nodes. The infrastructure is a bespoke setup (server, PostgreSQL database, application) with no intermediary black boxes. The entire data pipeline is subject to EU law, including the GDPR, from end to end.

3. Data Collected & Legal Basis (Art. 6)

Every category of personal data, its exact storage location, retention period, and GDPR legal basis:

Data | Storage | Retention | Basis
Username | users.username — plaintext, public | Until deletion; replaced with [deleted_N] | Art. 6(1)(b)
Email address | users.email — plaintext, never shown in UI | Until deletion; overwritten with deleted_N@earde.local | Art. 6(1)(b)
Password hash | users.password_hash — Argon2id encoded string; raw password never stored | Until deletion; zeroed | Art. 6(1)(b)
Posts & comments | posts, comments tables | Indefinite as community content; authorship tombstoned on deletion (see §6) | Art. 6(1)(b)
Votes | post_votes, comment_votes tables | Hard-deleted on account deletion (CASCADE) | Art. 6(1)(b)
Bio & avatar (optional) | users.bio, users.avatar_url | Until changed or account deletion | Art. 6(1)(a) — consent
IP address (rate limiting) | rate_limits.ip_address — plaintext, alongside attempt count and time window | Sliding window (~60s); stale rows are overwritten, not archived | Art. 6(1)(f) — legitimate interest (security)
Page-view session hash | page_views.session_hash — MD5(IP + User-Agent + date); one-way, non-reversible | Indefinite aggregate; hash resets every 24 hours by design | Art. 6(1)(f) — legitimate interest (understanding usage)
Password reset token | password_resets.token | Hard expiry via expires_at; deleted on use (CASCADE on user deletion) | Art. 6(1)(b)

No real name, date of birth, phone number, or any other identifying information is collected or requested. No special-category data (Art. 9). No data transfers outside the EEA. No automated decision-making or profiling (Art. 22).
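To illustrate how the daily-resetting session hash yields per-page visitor counts without retaining an IP, here is an added example (not Earde's own code). The exact concatenation order and separator are assumptions; the policy only states MD5(IP + User-Agent + date). The visit log below is constructed.

```python
import hashlib
from collections import defaultdict

# Constructed sample visits: (date, client IP, User-Agent, page path).
# The documentation-range IPs are placeholders, not real visitors.
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
SAMPLE_VISITS = [
    ("2026-03-01", "203.0.113.7", FIREFOX, "/c/ocaml"),
    ("2026-03-01", "203.0.113.7", FIREFOX, "/c/ocaml"),    # reload, same day
    ("2026-03-01", "203.0.113.7", FIREFOX, "/c/privacy"),
    ("2026-03-01", "198.51.100.4", CHROME, "/c/ocaml"),
    ("2026-03-02", "203.0.113.7", FIREFOX, "/c/ocaml"),    # next day: new hash
]


def session_hash(ip: str, user_agent: str, date: str) -> str:
    """One-way, date-salted visitor token. Separator and field order are assumed."""
    material = f"{ip}|{user_agent}|{date}".encode()
    return hashlib.md5(material).hexdigest()


def daily_unique_views(visits):
    """Return {(date, page): distinct visitor count}.

    Only the hashes are kept per (date, page); the IP and User-Agent are
    consumed to derive the token and never stored in the aggregate.
    """
    seen = defaultdict(set)
    for date, ip, user_agent, page in visits:
        seen[(date, page)].add(session_hash(ip, user_agent, date))
    return {key: len(hashes) for key, hashes in seen.items()}


if __name__ == "__main__":
    for (date, page), count in sorted(daily_unique_views(SAMPLE_VISITS).items()):
        print(f"{date} {page}: {count} unique visitor(s)")
```

The same visitor contributes one count per page per day and a fresh, unrelated token the next day, which is what lets the aggregate be kept indefinitely while the per-day token expires.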

4. Password Security (Art. 32)

When you set a password, the server runs the following logic (from auth.ml):

let salt = Dream.random 16  (* 16 bytes from the framework CSPRNG *)
Argon2.hash
  ~t_cost:2           (* 2 iterations *)
  ~m_cost:65536       (* 64 MB of RAM required per hash attempt *)
  ~parallelism:1
  ~kind:Argon2.ID     (* Argon2id variant *)
  ~version:Argon2.VERSION_13
  ~hash_len:32
  ...

Argon2id is the algorithm recommended by OWASP and selected by the Password Hashing Competition. The ID variant provides resistance against both side-channel and GPU brute-force attacks. The 64 MB memory requirement means cracking a single password requires 64 MB of RAM per attempt, making large-scale GPU attacks prohibitive.

A fresh 16-byte random salt is generated for every password, so two users with identical passwords will have completely different hashes. Only the encoded hash string is written to the database. The plaintext password is never stored, logged, or accessible after the request completes.

Additional security measures: CSRF tokens on all state-mutating forms; HTML output escaping preventing XSS; rate limiting on auth endpoints; session cookie with Secure, HttpOnly, and SameSite=Strict attributes.

5. Cookies & Tracking

Earde sets exactly one cookie: a session cookie issued by the Dream web framework. It carries only an opaque session identifier. The session data (user ID, username) is stored server-side in the dream_session PostgreSQL table; nothing personal is embedded in the cookie itself.

This cookie is strictly necessary for the service to function. Under ePrivacy Directive 2002/58/EC, Art. 5(3) and Recital 25, strictly-necessary cookies are exempt from prior-consent requirements. This is why there is no cookie consent banner.

The cookie is cleared immediately on logout. It does not persist across devices or browser profiles.

What we do not use:

  • Google Analytics, Google Tag Manager, or any Google product
  • Meta (Facebook) Pixel or any Meta tracking
  • Any third-party advertising or analytics script
  • Cross-site tracking or browser fingerprinting

When you visit Earde, your browser makes no requests to any third-party server.

6. Account Deletion & Right to Erasure (Art. 17)

When you delete your account, the server calls Db.anonymize_user, which executes this SQL:

UPDATE users
SET username      = '[deleted_' || id || ']',
    email         = 'deleted_' || id || '@earde.local',
    password_hash = ''
WHERE id = $1

Your email is overwritten with an inert placeholder. Your password hash is wiped. Your username becomes an anonymous tombstone like [deleted_42]. Your votes, community memberships, moderator roles, bans, and notifications are hard-deleted by ON DELETE CASCADE constraints. Your session is immediately invalidated.

Your posts and comments are not deleted. They remain in the database attributed to the [deleted_N] tombstone. This is an intentional design choice: hard-deleting your user row would cascade and destroy every reply ever written to your comments, breaking discussion threads for everyone else. The tombstone cannot be linked back to you (your email and credentials are gone), satisfying the pseudonymisation threshold of GDPR Art. 4(5) and Recital 26.
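To show what the tombstone UPDATE above does to a thread, here is an added example (not Earde's own code) that runs the same statement against an in-memory SQLite database. The users/posts/comments schema and the sample rows are constructed; only the three columns the UPDATE touches come from the policy. SQLite uses ? where PostgreSQL uses $1.

```python
import sqlite3

# Minimal schema assumed for the demo; Earde's real tables are not reproduced.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                    email TEXT UNIQUE, password_hash TEXT);
CREATE TABLE posts (id INTEGER PRIMARY KEY,
                    user_id INTEGER REFERENCES users(id), body TEXT);
CREATE TABLE comments (id INTEGER PRIMARY KEY,
                       post_id INTEGER REFERENCES posts(id),
                       user_id INTEGER REFERENCES users(id), body TEXT);
"""

# The statement from the policy, with SQLite's positional placeholder.
ANONYMIZE_SQL = """
UPDATE users
SET username      = '[deleted_' || id || ']',
    email         = 'deleted_' || id || '@earde.local',
    password_hash = ''
WHERE id = ?
"""


def build_db() -> sqlite3.Connection:
    """Constructed fixture: alice posts, bob replies."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (42, "alice", "alice@example.org", "$argon2id$constructed-hash-1"),
        (7, "bob", "bob@example.org", "$argon2id$constructed-hash-2"),
    ])
    conn.execute("INSERT INTO posts VALUES (1, 42, 'original post')")
    conn.execute("INSERT INTO comments VALUES (1, 1, 7, 'reply from bob')")
    conn.commit()
    return conn


def anonymize_user(conn: sqlite3.Connection, user_id: int) -> None:
    conn.execute(ANONYMIZE_SQL, (user_id,))
    conn.commit()


def thread_view(conn: sqlite3.Connection, post_id: int):
    """(post author, [reply authors]) as a reader sees the thread."""
    author = conn.execute(
        "SELECT u.username FROM posts p JOIN users u ON u.id = p.user_id "
        "WHERE p.id = ?", (post_id,)).fetchone()[0]
    replies = [r[0] for r in conn.execute(
        "SELECT u.username FROM comments c JOIN users u ON u.id = c.user_id "
        "WHERE c.post_id = ? ORDER BY c.id", (post_id,))]
    return author, replies


def user_row(conn: sqlite3.Connection, user_id: int):
    """(username, email, password_hash) for the given id."""
    return conn.execute(
        "SELECT username, email, password_hash FROM users WHERE id = ?",
        (user_id,)).fetchone()
```

After anonymize_user(conn, 42) the post still renders with bob's reply attached, while the user row no longer holds the original email or any credential.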

If you also want your posts and comments deleted, email me at dami@earde.com and I will remove them manually.

Before deleting, you can export your posts and comments as JSON from the Settings page.

7. Your GDPR Rights

To exercise any right, email dami@earde.com. I will respond within 30 days (Art. 12(3)), at no charge (Art. 12(5)). Many rights are also exercisable directly in the product:

  • Access (Art. 15) — Request a copy of all data held about you. In-product: Export data (JSON).
  • Rectification (Art. 16) — Correct inaccurate data. In-product: Settings → Edit profile.
  • Erasure (Art. 17) — Delete your account and anonymise your data. In-product: Settings → Delete account. Or email me to also remove post/comment content.
  • Restriction (Art. 18) — Request restriction of processing pending a dispute. Email me.
  • Portability (Art. 20) — Receive your data in a machine-readable format. In-product: Export data (JSON).
  • Object (Art. 21) — Object to processing based on legitimate interest. Email me.

8. Supervisory Authority (Art. 13(2)(d))

If you believe your rights under the GDPR have been violated, you have the right to lodge a complaint with a supervisory authority. As I am based in Italy, the lead authority is the Garante per la protezione dei dati personali (garanteprivacy.it). You may also contact the authority in your own EU member state of residence.

9. Changes to This Policy

If the code changes in a way that affects data handling, this document will be updated and the date at the top of the page will reflect it. The source code remains the authoritative reference at all times.