Privacy Policy - discuss² (Open-Source Forum Engine)

Effective date: 2025-09-22

License of software: MIT (this Privacy Policy covers deployments of the software; it is not a license for the code)

This Privacy Policy describes how deployments of the discuss² forum engine (the "Software") may collect, use, and share personal data. Because the Software is open-source and can be self-hosted or offered by a third party, the data controller is the party who operates the specific deployment (the "Operator").

If you run your own instance: Replace the placeholders in square brackets below with your information. If you use a hosted instance provided by someone else: Contact the host for the version that applies to their deployment.

0) Open-source disclaimer (no responsibility for Operator actions)

The Software is provided "as is" under the MIT License. We (the original authors/maintainers of discuss²) do not operate your instance and are not the data controller for your deployment. We are not responsible or liable for any Operator or administrator actions, configurations, misuse, or violations of law, nor for any user behavior on deployments, forks, copies, or derivatives of this Software. Each Operator is solely responsible for complying with applicable laws, providing accurate notices and consents, honoring user rights, implementing security, and responding to legal requests for their instance.

1) Who is the data controller?

Operator: atEnbi Sp. z.o.o.

Address: ul. Rondo Ignacego Daszynskiego 2b, 00-843 Warsaw, Poland

Contact: [email protected]

Website: https://discuss2.com

2) What personal data we process

Depending on configuration and use:

  • Account data: display name, username/handle, email address, password hash (never the raw password), role/permissions (Admin/Moderator/User).
  • OAuth data (optional): basic profile and email from an identity provider (e.g., Google) when you sign in with OAuth (actual fields depend on provider scopes and your consent).
  • Profile data (optional): avatar, bio, links, any info you add.
  • Forum content: topics, posts, replies, reactions, uploaded media, timestamps, edit history.
  • Device & usage data: IP address, user-agent, log files, pages viewed, referring URLs, interaction events, error logs.
  • Email notifications (optional): delivery status, opens/clicks if the email service used by the Operator tracks them.
  • Anti-spam & security data (optional): invisible captcha tokens and risk signals, rate-limit counters, moderation flags.
  • Cookies/local storage: session/auth cookies, CSRF/security cookies, preferences (e.g., theme).

Special category data: Not required by the Software. Users should not submit sensitive data. Operators should moderate and remove sensitive data that is not appropriate for the forum's purpose.

3) Purposes and legal bases (GDPR/UK GDPR)

The Software may process personal data for the following purposes and legal bases:

  • Account registration & authentication: sign up/sign in, profile management. Legal basis: performance of a contract (Terms) or legitimate interests; consent for OAuth where required.
  • Core forum functionality: posting, discussions, search, tags, notifications. Legal basis: performance of a contract or legitimate interests.
  • Moderation & safety: enforcing community rules, detecting spam/abuse, securing the service. Legal basis: legitimate interests; legal obligation where applicable.
  • Service operations: debugging, error fixing, availability, performance. Legal basis: legitimate interests.
  • Communications: transactional emails (verification, password reset). Legal basis: performance of a contract; legitimate interests. Optional marketing emails require consent (if enabled by the Operator). Where local law requires consent for certain cookies/analytics, the Operator will obtain it via a banner or settings.

4) Sources of data

Data may come from:

  • Directly from you (registration, profile, posts).
  • Identity providers (if you use OAuth, e.g., Google).
  • Your device (server logs, cookies, similar technologies).
  • Moderators/admins (annotations/flags for safety and compliance).

5) Sharing and disclosures

Depending on configuration, data may be shared with:

  • Service providers (processors): cloud hosting, email delivery, file/object storage/CDN, error tracking, anti-spam/captcha—acting under the Operator's instructions.
  • Moderators/admins: designated by the Operator; may access content and metadata to enforce rules.
  • Public audience: content you publish can be public, indexed by search engines, and accessible via APIs (if enabled).
  • Legal/compliance: to comply with law, protect rights/safety, or respond to lawful requests.

Operator action required — list processors/sub-processors:

  • Hosting: [Provider, region]
  • Email: [Provider]
  • Object storage/CDN: [Provider]
  • Error monitoring (optional): [Provider]
  • Anti-spam/captcha (optional): [Provider]

6) International data transfers

If data is transferred outside your jurisdiction (e.g., from the EEA/UK to another country), the Operator will use appropriate safeguards (adequacy decisions, Standard Contractual Clauses) and assess recipient-country legal requirements.

7) Data retention

Typical retention examples (Operators should set concrete periods to match law):

  • Account data: kept while your account is active; deleted or anonymized within [X days/months] after closure.
  • Forum content: retained to preserve discussion history; Operators may allow deletion/anonymization subject to forum rules and legal holds.
  • Logs: typically [e.g., 30-180 days] for security/operations.
  • Backups: kept for disaster recovery for up to [e.g., 90 days] before rotation.

8) Your rights

Depending on your location, you may have the right to access, correct, delete, port, restrict/object, withdraw consent (where applicable), and lodge a complaint with a supervisory authority.

How to exercise rights: Contact [privacy email]. We may need to verify identity and account control.

California (CCPA/CPRA): We honor rights to access, deletion, correction, opt-out of sale/share, and limit use of sensitive personal information. We do not sell personal information.

9) Cookies and similar technologies

The Software uses essential cookies (session, CSRF). Optional cookies may include preferences, analytics (if enabled), and captcha/anti-spam (if enabled). Where required, consent will be collected and preferences offered.

10) Security

We employ administrative, technical, and organizational measures appropriate to the risk, including password hashing, HTTPS, role-based access controls, rate limiting, and regular updates. No system is perfectly secure; use strong, unique passwords and enable MFA if offered.

Operator note: Review deployment hardening (reverse proxy/TLS, secrets, backups, log retention, monitoring). Keep the Software and dependencies up to date.

11) Children's privacy

Not intended for children under [minimum age, e.g., 13 or 16]. We do not knowingly collect data from children below the applicable threshold. If you believe a child has provided data, contact us to remove it.

13) Open-source transparency

The Software is open source (MIT) and its code is public. This transparency enables review but does not make your personal data public. Only information you choose to publish (e.g., posts) is public by design.

14) Operator-specific options & toggles

State what's enabled:

  • Authentication: Devise (email/password) [Enabled/Disabled]; OAuth (Google) [Enabled/Disabled].
  • Email delivery: [Provider]; opens/clicks tracking [On/Off].
  • Anti-spam: Invisible captcha [Enabled/Disabled].
  • Error tracking: [Provider] [Enabled/Disabled].
  • Analytics: [Tool] [Enabled/Disabled]; IP anonymization [On/Off].
  • CDN/object storage: [Provider]; region [Region].
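The "IP anonymization" toggle above is the one item in this list that Operators commonly implement themselves rather than buy from a provider. The following is an added example, not code from discuss² or from this policy, showing one way to truncate client addresses before they reach logs or analytics. It assumes the Operator is willing to keep only the /24 of an IPv4 address and the /48 of an IPv6 address (both are assumptions; pick the widest mask your analytics can tolerate), and it uses constructed sample log lines in nginx/Apache combined format.

```ruby
require "ipaddr"

# Added example (not part of discuss² or this policy): truncate client IPs
# before they are written to logs or passed to analytics, so the stored
# value identifies a network rather than a single subscriber.
# Assumed masks: IPv4 keeps the first 24 bits, IPv6 keeps the first 48 bits.
IPV4_PREFIX = 24
IPV6_PREFIX = 48

# Returns the masked address as a string, or "invalid" for input that is not
# an IP address (e.g. a spoofed X-Forwarded-For header), so a malformed
# header can never break request logging or leak the raw value.
def anonymize_ip(raw)
  addr = IPAddr.new(raw.to_s.strip)
  masked = addr.mask(addr.ipv4? ? IPV4_PREFIX : IPV6_PREFIX)
  masked.to_s
rescue IPAddr::InvalidAddressError
  "invalid"
end

# Rewrites the leading client-address field of a combined-log-format line
# and leaves every other field untouched.
def anonymize_log_line(line)
  line.sub(/\A(\S+)/) { |ip| anonymize_ip(ip) }
end

# Constructed sample lines (not real traffic); addresses are from the
# documentation ranges 203.0.113.0/24 and 2001:db8::/32.
SAMPLE_LOG = <<~LOG
  203.0.113.57 - - [22/Sep/2025:10:15:32 +0000] "GET /t/welcome HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
  2001:db8:abcd:1234:5678:9abc:def0:1 - - [22/Sep/2025:10:15:33 +0000] "POST /posts HTTP/1.1" 302 0 "-" "curl/8.4"
  not-an-ip - - [22/Sep/2025:10:15:34 +0000] "GET / HTTP/1.1" 400 0 "-" "-"
LOG

if __FILE__ == $0
  SAMPLE_LOG.each_line { |l| puts anonymize_log_line(l) }
end
```

Run this at the point where the application or reverse proxy emits its access log, not as a later batch job: the retention window in section 7 only helps if the un-truncated address was never persisted in the first place.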

15) Contact us

For privacy questions or requests, contact:[privacy email]. If we cannot resolve your concern, you may contact your local data protection authority.

16) Changes to this policy

We may update this Privacy Policy from time to time. We will post the new version with an updated Effective date and, if changes are material, provide additional notice.

17) Jurisdiction-specific addenda (optional)

Add region-specific disclosures (e.g., EEA/UK, California, Brazil, Canada).

Appendix A - Data map (example for Operators)

Example mapping of data categories, sources, purposes and retention.

Data Category | Examples                               | Source                         | Purpose                            | Legal Basis                   | Retention
Account       | email, username, password hash, roles  | User sign-in, profile          | account management, authentication | contract/legitimate interests | account lifetime + [X]
OAuth         | profile name, email                    | IdP sign-in (consent/contract) | account management                 | contract/consent              | account lifetime
Content       | posts, replies, uploads                | User forum activity            | forum functionality                | contract/legitimate interests | per forum policy
Logs          | IP, UA, timestamps                     | device/server                  | security, ops                      | legitimate interests          | 30-180 days
Notifications | email, delivery status                 | Email provider                 | transactional emails               | contract/legitimate interests | per provider
Anti-spam     | captcha token, risk score              | Captcha provider               | abuse prevention                   | legitimate interests          | minimal, short-term