Privacy policy

Last updated May 18, 2026
Attorney-review-ready draft — not yet attorney-approved

Structured against CCPA/CPRA + GDPR + FADP-aware templates. Must be reviewed by qualified counsel before public launch. Remove this banner once your attorney has signed off. Update §13 with your registered agent postal address.

AI Incident Tracker, LLC ("we," "us," "our") operates the AIIncidentTracker website at aiincidenttracker.com (the "Service"). This Privacy Policy explains what personal information we collect, why we collect it, how we use it, and the choices you have. Our editorial coverage of named parties — i.e., the incident records themselves — is governed by our Editorial standards and is distinct from the operational data described here.

1. Information we collect

Information you provide

  • Newsletter subscription: email address; the page or campaign you subscribed from (the "source"); the timestamp.
  • Removal & correction requests: name, role, email, the URL of the entry, your description of the issue. See /removal-request.
  • Account (when paid plans launch): name, email, billing details processed by Stripe — we do not store full payment-card numbers.
  • Submissions: any incident tip, correction, or response you send us via form or email.

Information collected automatically

  • Server logs: IP address, user-agent, request URL, response status, timestamp. Retained for 30 days for security and abuse-prevention purposes, then deleted or aggregated.
  • Analytics: we do not currently run any third-party analytics. If we add one in the future it will be a cookieless, privacy-respecting provider (such as Plausible or Fathom) that does not use persistent identifiers, and we will update this page before the script goes live.
  • Newsletter delivery: for emails we send you, we record delivery, open, and click events for that send, used to measure list health, suppress bounces, and improve future content.

Information we do not collect

  • We do not use Google Analytics, Facebook Pixel, or any cross-site advertising tracker.
  • We do not sell, rent, or trade your personal information to third parties for marketing.
  • We do not collect or process biometric data, precise location data, or special-category data within the meaning of GDPR Article 9.

2. How we use information

  • To operate, maintain, and improve the Service.
  • To send transactional emails — confirmations, removal-request acknowledgments, billing notices — and the newsletter you subscribed to.
  • To respond to your requests and inquiries.
  • To detect, prevent, and respond to fraud, abuse, or security incidents.
  • To comply with legal obligations and to enforce our Terms.

3. Cookies and similar technologies

The Service uses a small number of cookies, all strictly necessary for operation:

  • Theme preference (theme) — remembers your light/dark mode choice. Stored in local storage, not as a cookie.
  • Session — required only on authenticated routes (admin and, in the future, paid subscriber pages).

We do not set advertising cookies and we do not embed third-party tracking scripts on public pages.

4. Sharing of information

We share personal information only with:

  • Service providers that process data on our behalf under contract — including Neon (database hosting), Vercel (application hosting), Resend (transactional email), Stripe (payment processing when paid plans launch), Sentry (error monitoring), and Cloudflare (DNS & security). These providers are bound by data-protection terms equivalent to those in this policy.
  • Legal authorities when required by valid legal process, court order, or to protect the rights, property, or safety of AI Incident Tracker, LLC, our users, or the public.
  • Successors in connection with a merger, acquisition, financing, reorganization, or sale of assets, in which case notice will be provided as required by law.

We do not sell or "share" personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

5. Data retention

  • Newsletter subscribers: retained while subscribed plus 12 months after unsubscribe, to honor the unsubscribe and prevent re-add by bulk imports.
  • Server logs: 30 days.
  • Editorial source archive (used to defend the accuracy of our entries): 7 years.
  • Removal-request records: 7 years, to maintain the public corrections audit trail.
  • Account & billing records: as required by applicable tax and accounting law.

6. Your rights (California — CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, disclose, and sell or share (we do not sell or share for advertising).
  • Access a copy of the personal information we hold about you.
  • Request correction of inaccurate personal information.
  • Request deletion of your personal information, subject to legal exceptions.
  • Limit the use of sensitive personal information (we do not collect sensitive PI as defined by CPRA in the operation of the Service).
  • Be free from retaliation for exercising any of these rights.

To exercise these rights, email editorial@aiincidenttracker.com with the subject line "California Privacy Request." We will respond within 45 days.

7. Your rights (EEA, UK, Switzerland — GDPR/UK-GDPR/FADP)

If you are in the EEA, UK, or Switzerland, you have the right to:

  • Access, rectify, or erase your personal information.
  • Restrict or object to processing, including direct marketing (newsletter).
  • Data portability — receive your data in a structured, commonly used format.
  • Lodge a complaint with your local supervisory authority.

Our legal bases for processing are: contract (delivering the Service you request), legitimate interests (operating, securing, and improving the Service; pursuing the public-interest journalism the editorial database represents), consent (newsletter; you may withdraw at any time), and legal obligation (responding to lawful requests; tax and record-keeping).

To exercise these rights, email editorial@aiincidenttracker.com.

8. Editorial coverage of named parties

The Service publishes editorial coverage of incidents involving named companies and, in limited circumstances, named individuals. This coverage is governed by our Editorial standards — primary sources, hedge language, named-individual policy. It is not subject to data-subject "right of erasure" requests in the same way as operational personal information; however, named parties may always request review through our removal & correction process. We evaluate each request on its editorial merits and publicly log all material outcomes at /corrections.

9. International data transfers

Our servers and service providers are located primarily in the United States. By using the Service, you understand that your personal information may be processed in countries with data-protection laws different from those of your country of residence. Where required, transfers from the EEA, UK, or Switzerland are made under the European Commission's Standard Contractual Clauses or equivalent safeguards.

10. Children

The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact editorial@aiincidenttracker.com and we will delete it.

11. Security

We use industry-standard technical and organizational measures to protect personal information: TLS in transit, encryption at rest for sensitive data, principle-of-least-privilege access controls, and security monitoring via Sentry. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

12. Changes

We may update this policy from time to time. Material changes will be communicated by updating the "Last updated" date and, where appropriate, by notice on the Service or by email to subscribers.

13. Contact

Privacy questions or requests: editorial@aiincidenttracker.com
Postal: AI Incident Tracker, LLC, c/o registered agent (Delaware). Update with full address before launch.