Privacy Policy

The privacy of your data is important to us. This policy explains what information we collect, why we collect it, how we use it, and your rights regarding that information. We promise we will never sell your personal data. We have never sold it and we never will.

This policy applies to the Publishing Policy platform at publishingpolicy.org, currently operated by Roarke Clinton (“we,” “us,” “our”) with plans to incorporate as a 501(c)(3) nonprofit organization.

What we collect and why

Our guiding principle is to collect only what we need to provide the service. Here is what that means in practice:

Identity and access

When you create a Publishing Policy account, we collect your email address and the domain or URL you are creating a policy for. Your email is used to send you a magic link for passwordless authentication. We do not ask for or store passwords. We may also store the name you provide for your organization and your role within it.

Publishing policy content

When you create a publishing policy through our platform, we store the content you provide. This includes:

• Your publishing identity (organization name, URL, sector, audience, mission statement)
• Your editorial commitments (sourcing standards, accuracy processes, transparency practices, independence policies)
• Your accountability framework (correction timeframes, feedback mechanisms, review schedules, contact information)
• Your malpublishing definitions (both auto-generated and custom definitions)

This content is stored so you can use the service as intended: to create, edit, publish, and share your publishing policy. When you publish a policy, the content becomes publicly visible in our directory and at your policy's unique URL. Draft policies are visible only to you.

Organization data

When you create a policy, we automatically create an organization record associated with your domain. This includes the organization name, domain, sector, and any logo fetched from public sources (via Google's Favicon API). If you complete domain verification, we store the verification method used and the date verification succeeded.

Policy version history

Each time you update a published policy, we store a snapshot of the previous version. This creates an auditable history of changes to your policy over time. Version history is part of the service's accountability features and is publicly visible.

Community interaction data

As community features become available, we may collect data related to your interactions with the platform, including: violation reports you file, votes or feedback you provide on published policies, and related activity. This data is collected to operate the community accountability features and may be used in aggregate to generate scores or reputation indicators. Your individual interactions may be visible to platform administrators for moderation purposes.

Domain verification data

If you choose to verify ownership of your domain, we generate a unique verification code and store the verification method you selected (DNS TXT record, well-known file, meta tag, or bio link). We store whether verification succeeded and when. We do not store DNS records, file contents, or page contents from your domain beyond confirming the presence of the verification code.

Voluntary correspondence

When you email us with a question or request for help, we keep that correspondence, including your email address, so that we have a history of past communication to reference if you reach out in the future.

Automatically collected information

When you use our platform, certain technical information is collected automatically:

• Server logs: Our hosting provider (Vercel) logs IP addresses, request timestamps, URLs accessed, and HTTP headers (browser type, operating system). These logs are used for security, debugging, and abuse prevention.
• Authentication cookies: Our authentication provider (Supabase) sets strictly necessary cookies to maintain your login session. See the Cookies section for details.

We do not use analytics cookies, tracking pixels, advertising scripts, or any other form of behavioral tracking. We do not run ads. We do not build user profiles for marketing purposes.

When we access or disclose your information

To provide the service

We use the following third-party service providers to operate Publishing Policy:

• Supabase — Database hosting and user authentication. Your account data, policy content, and organization records are stored in Supabase's PostgreSQL infrastructure.
• Vercel — Application hosting and content delivery. Vercel serves the web application and processes incoming HTTP requests.
• Resend — Transactional email delivery. Resend sends magic link authentication emails on our behalf. We send emails from noreply@publishingpolicy.org.

These providers process your data solely to deliver their services to us. We do not share your data with any other third parties.

Published policies are public by design

When you publish a policy, its content is publicly accessible. This is the core purpose of the service: to make publishing standards transparent and verifiable. Published policies appear in the public directory, have shareable URLs, and may be indexed by search engines. If you do not want your policy to be public, you can keep it in draft status.

We do not look at your content unless necessary

No one at Publishing Policy accesses the content of your policies except in limited circumstances: to debug a technical issue that prevents the service from working correctly, to respond to a support request you initiated, or to investigate a potential violation of our Use Restrictions (as a last resort).

When required by law

Publishing Policy is operated from the United States. We will disclose your information if compelled by a valid legal process such as a court order, subpoena, or warrant. Our policy is to:

• Resist overly broad or legally questionable requests
• Notify affected users before disclosing data, unless legally prohibited from doing so
• Disclose only the minimum information required

If the company is acquired or restructured

If Publishing Policy is acquired by or merged with another entity — or restructured as part of nonprofit incorporation — we will notify you before any personal information is transferred or becomes subject to a different privacy policy.

Your rights with respect to your information

We apply the same data rights to all users, regardless of location. You have:

• Right to know: You have the right to know what personal information we collect, use, and share. This policy describes that in detail.
• Right of access: You have the right to access the personal information we hold about you.
• Right to correction: You have the right to request correction of inaccurate personal information. You can update your policy content and organization details directly through the platform.
• Right to deletion: You have the right to request that we delete your personal information. To request account deletion, email us at team@publishingpolicy.org. See the deletion section below for details on what is and is not deletable.
• Right to portability: You have the right to receive your personal data in a structured, machine-readable format. To request a data export, email us at team@publishingpolicy.org.
• Right to object: You have the right to object to certain processing of your personal information.
• Right to complain: You have the right to lodge a complaint with a supervisory authority. If you are in the EU or UK, you can contact your local data protection authority.
• Right to non-discrimination: We will not treat you differently for exercising your data privacy rights.

To exercise any of these rights, email us at team@publishingpolicy.org. We will respond within 30 days. We may need to verify your identity before processing your request, which we will do by confirming your email address.

How we secure your data

All data is encrypted in transit via TLS when transmitted between your browser and our servers, and between our servers and our service providers. Our database is hosted by Supabase, which provides encryption at rest for all stored data.

Authentication is passwordless (magic link via email), which eliminates the risk of password breaches. Session tokens are stored in secure, HTTP-only cookies. Database access is protected by row-level security (RLS) policies that ensure users can only access their own data.

What happens when you delete your account

During the Preview period

During the Preview period, everything is deletable. When you request account deletion, we will delete:

• Your user profile and authentication record
• All publishing policies you created (including published ones)
• All policy version history
• Your organization record (if no other users are associated with it)
• Any community interaction data (reports, votes, feedback)

After the Preview period

After the Preview period ends, we distinguish between personal account data and the public policy record. When you request account deletion:

• Deleted: Your user profile, authentication record, email address, and private account settings
• Retained as public record: Published policy content, version history, and effective dates. This is the permanent public record described in our Terms of Service. The record will be disassociated from your personal identity where possible.

Deletion from our active database will occur within 30 days of your request. Copies of your data may persist in database backups for up to an additional 30 days before being fully purged.

Data retention

We retain your information for as long as your account is active and as long as needed to provide the service. Specifically:

• Account data: Retained while your account is active. Deleted upon account deletion request.
• Policy content (Preview period): Fully deletable. Removed upon request or account deletion.
• Policy content (after Preview): Published policies and their version history become permanent public records. They can be deactivated but not deleted. Unpublished drafts remain deletable.
• Community interaction data: Reports, votes, and feedback are retained as long as your account is active. Upon account deletion, this data may be anonymized rather than deleted if it contributes to aggregate public scores.
• Server logs: Retained by Vercel according to their data retention policies, typically up to 30 days.
• Email correspondence: Retained indefinitely for support continuity unless you request deletion.

Cookies

We use only strictly necessary cookies required for authentication. We do not use analytics cookies, advertising cookies, or any form of tracking cookies.

The cookies we set:

Because these cookies are strictly necessary for the service to function (you cannot sign in without them), we do not require consent before setting them. This is consistent with the EU ePrivacy Directive, which exempts cookies that are essential for providing a service explicitly requested by the user.

Location of site and data

Publishing Policy is operated from the United States. Our service providers (Supabase, Vercel, and Resend) primarily process data in the United States. If you are located outside the United States, your data will be transferred to and stored in the United States. By using our service, you acknowledge this transfer.

Transfers of personal data from the EU

If you are in the European Union or the United Kingdom, the GDPR requires that personal data transferred outside the EU/UK be afforded the same level of protection. Our service providers offer Data Processing Agreements that include Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for cross-border data transfers. You may request copies of these agreements by emailing us at team@publishingpolicy.org.

Changes and questions

We may update this policy as needed to reflect changes in our practices or applicable regulations. When we make significant changes, we will update the date at the top of this page. Changes to this policy are tracked in our public GitHub repository, providing a full version history of every revision.

Have questions, comments, or concerns about this privacy policy, your data, or your rights? Contact us: