Privacy Policy

Factkeeper Policy Document

Download (.md) Back to Home

Privacy Policy

Open Civic Systems — Legal Document
Organization Open Civic Systems (OCS) — 501(c)(3) nonprofit
Platform Factkeeper (factkeeper.org)
Version 1.0
Effective Date [January 2026]
Last Reviewed [January 2026]
Approved By OCS Board of Directors

Privacy Policy Summary (TL;DR)

The short version:

Topic What You Need to Know
Anonymous submissions We can't identify you. Your IP is hashed immediately (irreversibly) and deleted in 30 days. We don't ask for your name or email.
Registered users Chronicle Admins see your full info (name, email). The public only sees your display name — which you control — if your Chronicle enables attribution.
Your display name You choose it. Use a pseudonym, your real name, or "Anonymous."
Multi-Chronicle privacy Separate account per Chronicle. Your activity in one Chronicle isn't visible to admins of other Chronicles.
We don't sell data No advertising. No third-party tracking cookies. No Google Analytics.
Logs are minimal Masked IPs kept 30 days for analytics. Full IPs only captured on errors, deleted in 48 hours.
AI features Optional. Document content goes to AI providers; your personal info does not.
Account deletion Your personal info gets deleted. Your contributions remain part of the historical record (anonymized).
Content is permanent Chronicle Content is archived for historical preservation. That's the point.

Read the full policy below for complete details, legal disclosures, and your rights.

1. Introduction

Open Civic Systems ("OCS," "we," "us," or "our") operates Factkeeper (factkeeper.org), a platform for community-managed historical archives ("Chronicles"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.

We believe in radical transparency about data collection. This policy tells you exactly what we collect, why, and how long we keep it.

By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

We collect different information depending on how you interact with the Service.

2.1 Anonymous Submissions

When you submit an event through the public submission form, we collect minimal information and protect your anonymity:

Data Type How Stored Retention Purpose
Submission content Plaintext in database Indefinite (if processed into Chronicle) The event information you're reporting
IP address Salted and hashed (SHA-256, practically irreversible) 30 days maximum Spam prevention only
User agent Salted and hashed (SHA-256, practically irreversible) 30 days maximum Spam prevention only
Submission timestamp Timestamp Indefinite Record keeping
Tracking ID Random string Indefinite So you can check submission status

What we do NOT collect from anonymous submissions:

  • Your name or contact information
  • Your real IP address (we hash it immediately)
  • Browser fingerprints or device IDs
  • Location data beyond what you include in the submission itself
  • Cookies or tracking pixels

Your tracking ID (like "CS1729845abc") is a random string that contains no identifying information. It's provided so you can check your submission's status, not to identify you.

2.2 Registered User Accounts

When a Chronicle Administrator creates an account for you (as a reviewer, curator, or administrator), we collect:

Data Type Required Who Can See It
Email address Yes Chronicle Admin, OCS
First name Yes Chronicle Admin, OCS
Last name Yes Chronicle Admin, OCS
Username (login) Yes Chronicle Admin, OCS
Public display name Yes (user-controlled) Depends on Chronicle settings (see Section 4)
Password Yes (hashed) No one (stored as irreversible hash)

Your public display name is controlled by you. You may use:

  • A pseudonym (recommended for sensitive topics)
  • Your real name (if you prefer transparency)
  • "Anonymous" (though this doesn't prevent Chronicle Admins from knowing your identity)

Multi-Chronicle accounts: If you participate in multiple Chronicles, you will have a separate account for each. Your activity in one Chronicle is not automatically visible to administrators of other Chronicles.

2.3 Automatically Collected Information

When you access the Service, our servers automatically collect:

Data Type How Stored Retention Purpose
IP address (access logs) Masked (e.g., 12.34.56.0) 30 days Analytics, service operation
IP address (security logs) Full IP, only on errors/blocked requests 48 hours Immediate threat response
Pages visited Log files 30 days Analytics
Browser type Log files 30 days Service optimization
Timestamp Log files 30 days Analytics

Cookies:

Cookie Type Purpose Duration
session_id Essential Maintains your login session Session
csrf_token Essential Security (prevents cross-site request forgery) Session
preferences Functional Stores your display preferences 1 year

We do NOT use third-party tracking cookies, advertising cookies, or analytics services like Google Analytics.

3. How We Use Your Information

3.1 To Provide and Operate the Service

  • Process and display submissions
  • Manage your account and permissions
  • Enable Chronicle administration functions
  • Provide customer support
  • Maintain and improve the Service

3.2 To Protect the Service

  • Prevent spam and automated abuse (using hashed IP/user agent)
  • Detect and respond to security threats
  • Investigate Code of Conduct violations
  • Maintain audit logs for accountability

3.3 To Communicate With You

  • Service announcements and updates (registered users only)
  • Responses to your inquiries
  • Policy updates and legal notices

We will never sell your information or use it for advertising.

4. Information Visibility and Sharing

4.1 Your Public Display Name

Your public display name may be visible to the public if your Chronicle enables contributor attribution. This is controlled by:

  1. Chronicle settings: Each Chronicle decides whether to display contributor names on public events
  2. Your choice: You control what your public display name says

If your Chronicle displays attribution, the public may see:

  • Your public display name
  • Contribution counts or history (depending on Chronicle settings)

The public will NOT see your real name, email, username, or other account details (unless you choose to make your public display name match your real name).

4.2 What Chronicle Users See

Other registered users in your Chronicle may see:

  • Your public display name
  • Your contributions to shared work

If we implement collaboration features (such as discussion pages), Chronicle users may see your public display name in those contexts as well.

4.3 What Chronicle Administrators See

Chronicle Administrators can see all information about users in their Chronicle:

  • Your full account details (name, email, username)
  • Your public display name
  • Your contribution history and activity
  • Audit logs of your actions

This visibility is necessary for Chronicle Administrators to manage their teams and maintain accountability.

4.4 What OCS Sees

OCS staff can access all information across all Chronicles when necessary for:

  • Platform operation and support
  • Dispute resolution
  • Legal compliance
  • Security investigations

OCS does not routinely monitor individual user activity but may access records when required.

4.5 Third-Party Service Providers

We share information with service providers who help us operate the Service:

Provider Type Purpose Data Shared
Cloud hosting (AWS) Infrastructure All data (encrypted in transit and at rest)
Email service Account notifications Email address, name
AI providers Document analysis (when you use AI features) Document content only (not personal info)

Service providers are contractually required to protect your information and use it only for the services they provide to us.

4.6 Legal Requirements

We may disclose information if required by law or if we believe in good faith that disclosure is necessary to:

  • Comply with legal process
  • Protect our rights or property
  • Protect the safety of users or the public
  • Investigate fraud or security issues

For anonymous submissions: Because we hash IP addresses immediately and irreversibly, we cannot identify anonymous submitters even if legally compelled to do so. We do not have that information.

5. Anonymous Submission Protections

We take special care to protect the anonymity of people who submit events through our public submission form. This section explains our technical and operational protections.

5.1 How We Protect Your Identity

  1. No personal information required: We don't ask for your name, email, or any identifying details
  2. Immediate IP hashing: Your IP address is converted to an irreversible hash (SHA-256) before storage
  3. Short retention: Even the hashed data is deleted after 30 days
  4. Minimal logging: Server logs use masked IPs; full IPs are only captured for security errors and deleted within 48 hours

5.2 What This Means

We cannot identify you from a submission, even if legally compelled. The one-way hash means there is no mathematical way to recover your IP address from what we store.

Your tracking ID is a random string — it contains no information about you and cannot be used to identify you.

5.3 Limitations You Should Understand

While we cannot identify you, others might be able to:

  • Your ISP: Your internet provider knows you visited this site (use Tor to hide this)
  • Your network: Your workplace or school network may log your activity
  • Submission content: Details you include could identify you if they're unique enough
  • Correlation: If you're the only person who knew about an event, submitting it could reveal you're the source

5.4 Best Practices for Maximum Anonymity

If you're submitting sensitive information:

  1. Use Tor Browser: Routes traffic through multiple servers, hiding your IP even from your ISP
  2. Use public WiFi: A coffee shop or library adds another layer of separation
  3. Don't include unique details: Avoid information only you would know
  4. Wait before submitting: Avoid submitting immediately after an event (temporal correlation)
  5. Clear your browser: Delete history and cookies after submitting

We welcome submissions via Tor and will never block Tor users.

5.5 If You're a Whistleblower

If you're submitting information that could put you at legal or professional risk, please take extra precautions. Consider consulting with a lawyer or press freedom organization. For highly sensitive material, dedicated platforms like SecureDrop may be more appropriate.

6. AI Features and Data Processing

6.1 How AI Features Work

When you use AI-powered document analysis:

  • Document content is sent to third-party AI providers (such as Anthropic, Google, or OpenAI)
  • AI providers process the content and return analysis results
  • We do not share your personal account information with AI providers

6.2 AI Provider Practices

We utilize enterprise/API settings that are designed to prevent your data from being used for model training, subject to the provider's terms.

Refer to each provider's privacy policy for their specific practices.

6.3 Your Choices

  • AI features are optional; you can contribute without using them
  • You may use "DIY Mode" to process documents through your own AI accounts (if available)
  • Chronicle Administrators may enable or disable AI features for their Chronicle
  • All AI outputs require human review before publication

7. Data Retention

7.1 Server Logs

Log Type Retention
Access logs (masked IPs) 30 days
Security logs (full IPs on errors only) 48 hours
Hashed submission data (IP, user agent) 30 days

7.2 Account Information

  • Active accounts: Retained for the life of the account
  • After deletion request: Personal information removed within 30 days; user ID retained for referential integrity (see Section 8)

7.3 Chronicle Content

Chronicle Content (events, sources, people records) is retained as part of the historical record, potentially indefinitely. This is fundamental to the archival purpose of the Service.

7.4 Backups

Backup copies may retain deleted data for up to 90 days.

8. Your Rights and Choices

8.1 Access Your Information

You may:

8.2 Correct Your Information

You may:

  • Update your account information through account settings
  • Change your public display name at any time
  • Request corrections by contacting your Chronicle Administrator or OCS

8.3 Delete Your Account

You may request deletion of your account at any time by contacting your Chronicle Administrator or emailing privacy@opencivicsystems.org.

Upon deletion:

  • Your personal information (name, email, display name) will be removed
  • Your internal user ID will be retained for database integrity, but will no longer be linked to identifying information
  • Chronicle Content you helped create will remain part of the historical record (see Terms of Service, Section 4.6)
  • Your contributions will appear as an anonymized user ID in audit logs

8.4 Anonymous Submissions

Anonymous submissions contain no personal information to access, correct, or delete. Your tracking ID cannot be used to remove submissions that have been processed into Chronicle Content.

8.5 Communication Preferences

Registered users may:

  • Update notification preferences in account settings
  • Unsubscribe from non-essential emails via unsubscribe links

You cannot opt out of essential service communications (security alerts, legal notices, account-related messages).

8.6 Cookies

Most browsers allow you to refuse cookies or alert you when cookies are being sent. Note that if you disable essential cookies, you may not be able to log in or use certain features.

9. Data Security

9.1 Security Measures

We implement reasonable security measures including:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of sensitive data at rest
  • Secure password hashing (bcrypt)
  • IP address hashing for submissions (SHA-256)
  • Access controls limiting who can access your data
  • Audit logging of administrative actions
  • Regular security assessments

9.2 No Guarantee

No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9.3 Breach Notification

In the event of a data breach affecting your personal information, we will notify you as required by applicable law, typically within 72 hours of discovery.

10. Children's Privacy

The Service is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn we have collected such information, we will delete it promptly.

If you believe a child under 16 has been given an account, please contact us at privacy@opencivicsystems.org.

11. International Users

11.1 Data Location

The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.

11.2 EU/EEA Users (GDPR)

If you are located in the European Union or European Economic Area:

  • Legal basis for processing: Consent (by using the Service) or legitimate interests (operating the Service, preventing abuse)
  • Your rights: Access, rectification, erasure, restriction, portability, objection
  • Right to complain: You may lodge a complaint with your local supervisory authority

To exercise your GDPR rights, contact privacy@opencivicsystems.org.

11.3 California Users (CCPA)

If you are a California resident:

  • Right to know: What personal information we collect and how we use it
  • Right to delete: Request deletion of your personal information
  • Right to opt out: We do not sell personal information
  • Right to non-discrimination: We will not discriminate against you for exercising your rights

To exercise your CCPA rights, contact privacy@opencivicsystems.org.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy with a new effective date
  • Sending email notification to registered users (for significant changes)
  • Displaying a notice on the Service

Your continued use after changes take effect constitutes acceptance of the updated policy.

13. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal information:

Open Civic Systems Email: privacy@opencivicsystems.org Website: opencivicsystems.org

For general support: Email: support@opencivicsystems.org

Appendix A: Complete Data Collection Summary

From Anonymous Submissions

Data Type How Stored Retention Can Identify You?
Submission content Plaintext Indefinite Only if you include identifying details
IP address SHA-256 hash 30 days max No
User agent SHA-256 hash 30 days max No
Timestamp Plaintext Indefinite No
Tracking ID Random string Indefinite No

From Registered Users

Data Type How Stored Retention Who Sees It
Email Encrypted at rest Life of account Chronicle Admin, OCS
Real name Encrypted at rest Life of account Chronicle Admin, OCS
Username Plaintext Life of account Chronicle Admin, OCS
Public display name Plaintext Life of account Potentially public (Chronicle setting)
Password Bcrypt hash Life of account No one
Contribution history Plaintext Indefinite Chronicle Admin, OCS; public if Chronicle enables

From All Visitors

Data Type How Stored Retention Purpose
IP (access logs) Masked 30 days Analytics
IP (security logs) Full (errors only) 48 hours Threat response
Pages visited Log files 30 days Analytics
Browser type Log files 30 days Optimization

Appendix B: Version History

Version Date Summary of Changes
1.0 [January 2026] Initial adoption

Effective Date: [January 2026]

Other Policy Documents:

Terms of Service Privacy Policy Code of Conduct
Return to Factkeeper