Privacy Policy
Effective: May 12, 2026 · Last updated: May 12, 2026
We practice what we preach
Below is a Privacy Panel label for Privacy Panel itself, the same format we generate for every company on this site. Unlike our other labels, this one was handcrafted by us, not AI-extracted. It reflects our actual data practices, including disclosure of our hosting provider as a sub-processor.
Who we are
Privacy Panel is published as an independent, non-commercial project. We have no investors, advertisers, or commercial relationship with any company we analyze. The data controller is the natural person who operates this site; their identity and a postal address are available on written request to hello@privacypanel.org.
What we collect
Privacy Panel deliberately collects very little. There are four sources of data tied to your visit:
1. Aggregate analytics (Plausible)
We run a self-managed instance of Plausible CE at analytics.privacypanel.org. Plausible records:
- Page views and the referring URL
- A "View Company" event recording which company you looked up
- Country-level location derived from your IP (the IP itself is not stored by Plausible)
- Browser and operating system family (aggregated, never per-user)
No cookies. No fingerprinting. No cross-site tracking.
2. Server access logs (Railway)
Like every web service, the underlying web server records each request. Because Privacy Panel runs on Railway (see "Where your data goes" below), Railway captures access logs containing your IP address, user agent, request path, and response status. We do not query these logs for analytics. Their retention is governed by Railway's policies.
3. Rate-limit records
Our public REST API uses an in-memory rate limiter that records caller IP addresses for up to one hour to enforce request quotas. These records are never persisted to disk and are discarded when the server restarts.
4. Email you send us
If you email hello@privacypanel.org, we receive your email address, message, and any attachments. We keep correspondence for as long as needed to respond and to maintain a record of issues raised.
What we don't collect
- No user accounts, no login, no passwords
- No contact forms or newsletter signups
- No advertising or marketing pixels
- No payment data
- No precise location, biometric, health, or financial data
- No device identifiers or browser fingerprinting
- No data sold to anyone, ever
- No data used to train AI models
How we use your data
We use the data above for three purposes only:
- To operate the site (serving pages, returning API responses)
- To understand aggregate usage (which pages are popular, which companies visitors look up)
- To prevent abuse (rate limiting on public APIs)
Legal basis (EU/UK visitors): We rely on legitimate interests (Art. 6(1)(f) GDPR) for aggregate analytics and abuse prevention. No special-category data is processed. You may object at any time using the rights described below.
Where your data goes
Privacy Panel does not share data with advertisers, data brokers, or analytics partners. The only third parties involved are infrastructure providers ("sub-processors") who process data on our behalf:
| Sub-processor | Role | Location | Policy |
|---|---|---|---|
| Railway | Hosting (PaaS) for the website, API, database, and Plausible instance | United States | railway.com/legal/privacy |
| Porkbun | Domain registrar; forwards mail addressed to hello@privacypanel.org to a personal mailbox | United States | porkbun.com/policy/privacy |
| Google (Gmail) | Receives forwarded mail; used to read and reply to correspondence sent to hello@privacypanel.org. Replies are sent from a personal Gmail address. | United States | policies.google.com/privacy |
| GitHub | Hosts the open-source repository. Receives any data you voluntarily include in issues, pull requests, or comments. | United States | GitHub privacy |
International transfers. Visitors from outside the United States have their data transferred to and processed in the United States by the providers above. Where required (e.g. for EU/UK visitors), we rely on the providers' Standard Contractual Clauses or equivalent safeguards.
How long we keep it
- Aggregate analytics: indefinite (no individual records to retain)
- Server access logs: per Railway's retention policy (typically days to weeks)
- Rate-limit IP entries: up to 1 hour, in memory only, never persisted
- Email correspondence: as long as needed to respond and maintain an issue record
Your rights
Everyone
- Browser privacy signals (primary): Enable Global Privacy Control (GPC) or Do Not Track (DNT) in your browser. Plausible CE respects both by default. Analytics will not record visits where these signals are set. Most modern browsers offer GPC in their privacy settings.
- Content blocker (fallback): Install a content blocker (e.g. uBlock Origin) and our Plausible script will not load.
- Request access or deletion: email hello@privacypanel.org with your request.
EU / UK visitors (GDPR)
You have the right to access, rectify, erase, restrict, port, or object to processing of your personal data (Articles 15–22). To exercise any of these, email us. You also have the right to lodge a complaint with your local supervisory authority (a list is available at edpb.europa.eu).
California visitors (CCPA / CPRA)
You have the right to know, delete, and correct personal information we hold about you, and the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA, so there is nothing to opt out of. We do not use sensitive personal information for any purpose beyond providing the service. Submitting a request will not result in discriminatory treatment.
Children
Privacy Panel is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided us with personal information, contact us and we will delete it.
Security
All traffic to Privacy Panel is served over HTTPS/TLS. There are no user accounts, so there is no authentication surface to attack. Persistent data sits on Railway volumes that are encrypted at rest. We deploy via signed pull requests and continuous integration.
Breach notification. If we discover a security incident that materially affects visitor data, we will post a notice on this page and, where feasible, notify affected users by email within a reasonable period.
Changes to this policy
We may update this policy. The "Last updated" date at the top of the page will reflect the most recent change. Material changes will additionally be noted in a banner on the homepage for at least 30 days. The full revision history is visible in our public commit log.
Open source
The JSON schema and web application code are public. The extraction pipeline (AI prompts and policy fetching) is private.
github.com/nd4spd13/privacy-panel
Governing law
This policy is governed by the laws of the United States and the State of New York, without regard to conflict-of-laws principles, except that EU/UK visitors retain all rights conferred by their local data-protection laws.
Contact
Takedown / legal contact
For legal matters, copyright claims, factual disputes, or takedown notices, contact us at hello@privacypanel.org. Please include:
- Copyright / DMCA: your claim, the URL in question, and contact details
- Factual disputes: the specific claim, why it's incorrect, and supporting evidence
- Other legal matters: the nature of your request
We will respond within 5 business days. For data access, rectification, or deletion requests, use the "Your rights" section above.