Privacy Policy

1. Data Controller (Art. 13(1)(a))

The data controller is Earde Network (provisional). Contact for all data protection matters: privacy@earde.eu. No DPO is appointed at this stage; Earde Network does not carry out large-scale systematic monitoring and does not process special-category data (Art. 37 GDPR threshold not met).

2. Personal data processed and legal basis (Art. 6 & 13(1)(c))

Every category of personal data, its technical representation, retention period, and the applicable Art. 6(1) legal basis:

No special-category data (Art. 9) is collected or processed. No data is transferred to third countries outside the EEA. No automated decision-making or profiling (Art. 22) takes place.

3. Cookie and session architecture

Earde sets exactly one cookie: a cryptographically-signed session cookie issued by the Dream web framework. The cookie is HMAC-SHA256 signed using a 256-bit secret key configured via the DREAM_SECRET environment variable. It carries only an opaque session identifier; the session payload (user ID, username, admin flag) is held server-side in process memory and is never exposed to the client.

This cookie is strictly necessary for the service to function: without it, login state cannot be maintained across requests. Under the ePrivacy Directive 2002/58/EC, Article 5(3) and Recital 25, strictly-necessary cookies are exempt from the prior-consent requirement. This is the legal basis for the absence of a cookie consent banner on Earde.

The cookie is cleared immediately on logout (Dream.invalidate_session). It does not persist across devices or browser profiles. No third-party cookies are set by Earde or any resource it loads.

4. Right to Erasure — technical implementation (Art. 17)

Account deletion is handled by Db.anonymize_user, which executes the following atomic SQL update:

UPDATE users
  SET username      = '[deleted_' || id || ']',
      email         = 'deleted_' || id || '@earde.local',
      password_hash = ''
  WHERE id = $1

Downstream data (votes, memberships, moderator roles, community bans, notifications) is removed by PostgreSQL ON DELETE CASCADE foreign-key constraints, which fire within the same transaction.

Why anonymisation rather than hard-delete? Hard-deleting a user row would create orphaned comment and post rows, breaking thread coherence and violating referential integrity. Anonymisation satisfies Art. 17 because the resulting tokens ([deleted_42], deleted_42@earde.local) cannot be re-linked to the original natural person without additional information that is simultaneously destroyed — meeting the pseudonymisation standard of Art. 4(5) and the “no longer personal data” threshold of Recital 26.

The post-deletion session is immediately invalidated (Dream.invalidate_session), ensuring no authenticated request can be made on behalf of the deleted identity.

In-product shortcut: Settings → Danger Zone → Delete account.

5. Data Portability — technical implementation (Art. 20)

The GET /export-data endpoint returns a Content-Disposition: attachment JSON document containing the full data set held against the authenticated user: profile fields (username, bio, avatar_url, joined_at), all posts (id, title, url, content, community_slug, created_at, score), and all comments (id, content, created_at, post_id, post_title, score). The format is structured JSON — machine-readable and interoperable — satisfying the portability format requirement of Art. 20(1). The endpoint requires an authenticated session; unauthenticated requests receive a 401 redirect.

In-product shortcut: Settings → Export your data.

6. Data subject rights (Arts. 15–21)

• Access (Art. 15) — Request a full copy of your data. In-product: Export data.
• Rectification (Art. 16) — Correct inaccurate data at any time. In-product: Settings → Edit profile.
• Erasure (Art. 17) — Delete your account and anonymise your personal data immediately. In-product: Settings → Delete account.
• Restriction (Art. 18) — Request restriction of processing pending a dispute. Contact privacy@earde.eu.
• Portability (Art. 20) — Receive your data in a structured, machine-readable format. In-product: Export data.
• Object (Art. 21) — Object to processing based on legitimate interest (Art. 6(1)(f)). We will cease unless overriding legitimate grounds are demonstrated. Contact privacy@earde.eu.

To exercise any right not available via the product interface, write to privacy@earde.eu. We will respond within 30 days per Art. 12(3), at no charge per Art. 12(5).

7. Security measures (Art. 32)

• Argon2id for all password hashes (OWASP recommended; PHC winner). Raw passwords are never logged or persisted.
• CSRF tokens on every state-mutating form (Dream framework built-in).
• HTML output escaping on all user-supplied strings before template interpolation, preventing stored and reflected XSS.
• URL validation blocking javascript: and data: schemes in user-supplied link targets.
• Rate limiting (5 attempts / 60 seconds, sliding window) on signup, login, and password reset endpoints.
• TLS enforced in transit. The session cookie is issued with Secure, HttpOnly, and SameSite=Strict attributes by the Dream framework.
• Server-side re-authorisation on all privilege-sensitive mutations (moderator actions, admin actions) — no trust placed in client-supplied role claims.

8. Right to lodge a supervisory authority complaint (Art. 13(2)(d))

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR. A full directory of EU/EEA supervisory authorities is maintained at edpb.europa.eu.

9. Changes to this policy

Material changes will be communicated to registered users via a platform notification at least 14 days before they take effect. The “Last updated” date at the top of this page always reflects the current version. Continued use of Earde after the effective date constitutes acceptance of the revised policy.