Legal

Data Compliance

How this site meets its obligations under the GDPR and related regulations. Not aspirations: each commitment below describes something the site actually does.

Last updated: July 2026

1. Approach: minimal data, verified inventory

The site collects only what it needs to operate: resource submission details, cookie consent records keyed to a hashed IP address, and transient form contents delivered by email. Every store of personal data is tracked in a maintained data inventory, and the deletion and export machinery works from that inventory, so a request cannot silently miss a copy.

2. GDPR in practice

  • Data subject rights: Access (export) and erasure run through a self-service flow with email verification, so data is only ever released to the person who controls the address on file. Requests complete well within the one-month GDPR deadline.
  • Erasure with dignity: A submitter whose resource is published chooses: remove the personal details and keep the contribution anonymous, or delete the resource entirely.
  • Lawful bases: Submissions are processed on consent; consent records on legal obligation; security logging on legitimate interest. The privacy policy lists each one.
  • Accountability: Handled requests are logged with type, timestamps, and outcome, without duplicating the requester's data into a new store.

Exercise any of these on the data privacy request page.

3. Retention, enforced automatically

Retention windows are enforced by a scheduled job that runs daily, not by manual cleanup:

  • Cookie consent records: deleted after 24 months, prompting fresh consent.
  • Privacy request records: completed and expired requests purged after 30 days.
  • Resource submissions: retained until the submitter requests removal or anonymization.
  • Contact and event-idea form contents: delivered by email; the contact form stores nothing on the server.

4. Security measures

  • All traffic is encrypted in transit (TLS); data is encrypted at rest by the database provider.
  • Administrative access requires authenticated sign-in limited to named, pre-authorized people.
  • Public forms are protected by rate limiting, origin checks, and bot honeypots.
  • Consent records store a hashed IP address, never the raw address.

In the event of a personal-data breach, affected people and the relevant supervisory authority are notified within 72 hours, as the GDPR requires.

5. California (CCPA/CPRA)

California residents hold equivalent rights here: to know what is collected, to delete it, and to non-discrimination for exercising those rights. This site does not sell or share personal information, so there is nothing to opt out of.

6. Subprocessors

Personal data touches exactly these providers:

  • Vercel Inc.: Hosting and delivery. SOC 2 Type II; participates in the EU-US Data Privacy Framework.
  • Neon Inc.: Database (AWS us-east-1, Virginia). SOC 2 Type II. Encrypted at rest.
  • Resend: Transactional email delivery (submission confirmations, verification links).
  • Anthropic: AI assistance for the editorial team only, on content submitted for publication. See the AI & Data Ethics statement.

International transfers are governed by Standard Contractual Clauses or the EU-US Data Privacy Framework, as applicable.

7. Contact

Compliance questions and concerns: info@responsible-agetech.org. You may also lodge a complaint with your national supervisory authority.