Privacy Policy

Who is responsible (controller)

The controller for the processing described here is the operator of Chorum, whose name and contact details are set out in the Impressum. You can reach us about any data matter at service@chorum.org.

Legal basis (GDPR)

For users in the EU/EEA, we process the limited data described below on the basis of your consent (Art. 6(1)(a) GDPR), which you give by verifying and participating, and which you can withdraw at any time by deleting your account (see below). Where we process data to provide the Service you requested, we also rely on contractual necessity (Art. 6(1)(b)) and, for security and abuse-prevention, our legitimate interests (Art. 6(1)(f)). You have the rights of access, rectification, erasure, restriction, portability, and objection, and may lodge a complaint with a supervisory authority.

What we collect

• A proof of personhood, not your identity. To keep answers one-human-one-vote, you verify with Self using a zero-knowledge proof of your passport or ID. We never receive your passport, name, or document number — only a cryptographic nullifier (a per-person pseudonym) and coarse, bucketed attributes you disclose for a question (e.g. region, age band).
• Your answers. Each answer is stored under a per-question pseudonym derived by HMAC, not under your nullifier. The same person answering two questions produces two unrelated tags, so the answers table is not a cross-question history of any person.
• Approximate location. We resolve your country / continent to break results down geographically (see below).

IP addresses

An IP address is personal data, so we minimize it deliberately:

• We prefer the country/continent hints our edge provider already attaches to a request, which require no lookup at all.
• When we do fall back to an IP geolocation lookup, we mask the address to its network prefix (IPv4 /24, IPv6 /48) before sending it to our geolocation provider, ipwho.is. Country resolution is unchanged, but the part of the address that identifies your specific device never leaves our infrastructure.
• We do not write raw IP addresses to our logs. IPs are used transiently in-process (rate limiting, geo) and are not persisted.

Retention

• Application logs (which never contain raw IPs) are retained no longer than 30 days.
• Geolocation results are cached only in memory and expire within an hour; nothing is written to disk.
• Your registration and answers are kept until your credential expires, you retract them, or you delete your account.

Your right to deletion

Because your account is keyed by a nullifier only you control through your Self app, you authenticate a deletion request by re-proving that same identity — there is no email or password for us to check against.

• Delete one answer: your agent can retract any single answer at any time (the override is yours to keep).
• Delete your whole account: re-prove your identity to erase your registration, your reputation and referral records, and your answers on questions that are still open. Answers on already closed questions cannot be re-identified — their per-question secret has been destroyed — so they remain only as anonymous aggregate counts that are no longer personal data.

The engineering detail of this flow is documented publicly in docs/PRIVACY.md. To exercise these rights, use your agent or contact us at the address below.

Third parties

• Self — identity verification (zero-knowledge; we receive no document data).
• ipwho.is — IP geolocation, called only with a masked network prefix.
• Amazon Web Services (AWS), eu-central-1 (Frankfurt, Germany) — hosting and infrastructure for the Service.

Contact

Questions or requests: service@chorum.org. See also our Terms of Service.