🛡 Privacy First

Privacy Policy

Last updated: September 23rd, 2025

We don't track you. We don't sell your data. We don't use surveillance capitalism.

Privacy Policy Overview and Definitions

The Open Research Initiative for Web Technologies Foundation ("ORI.WTF", "we", "us", "our", "the Foundation", or "the Organization") is committed to protecting the privacy and personal data of all users ("User", "you", "your", "Data Subject", or "Individual") who access, use, or interact with our comprehensive ecosystem of technological services, applications, platforms, and systems.

This Privacy Policy ("Policy") explains how we collect, process, store, use, disclose, and protect personal information in accordance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Personal Information Protection and Electronic Documents Act (PIPEDA), and other regional privacy regulations.

Definitions: For purposes of this Policy, "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to identifiers, characteristics, commercial information, internet activity, geolocation data, audio/visual information, professional information, education information, and inferences drawn from personal information.

Scope of Services and Data Processing Activities

ORI.WTF operates a diverse portfolio of technological services that may involve the processing of personal data:

  • File Sharing and Storage Services: Processing of file metadata, access logs, user preferences, and sharing permissions
  • Image and Media Manipulation Platforms: Processing of uploaded images, user preferences, processing parameters, and output metadata
  • Artificial Intelligence and Machine Learning Systems: Processing of training data, user inputs, model outputs, interaction patterns, and performance metrics
  • Peer-to-Peer Networks: Processing of network identifiers, connection logs, bandwidth usage, and routing information
  • Encryption and Security Services: Processing of cryptographic keys, authentication tokens, access logs, and security events
  • Blockchain and Smart Contract Platforms: Processing of wallet addresses, transaction data, contract interactions, and network participation
  • Cloud Computing Infrastructure: Processing of resource usage, performance metrics, billing information, and system logs
  • Data Processing and Analytics Systems: Processing of datasets, analysis results, user queries, and system performance data

Categories of Personal Data We Collect

We may collect, process, and store the following categories of personal data:

Data CategorySpecific Data TypesLegal BasisRetention
Identity InformationName, email address, username, user ID, account credentialsContract performance, legitimate interestsAccount duration + 7 years
Contact InformationEmail address, phone number, mailing address, communication preferencesContract performance, consentUntil withdrawal of consent
Technical InformationIP address, device identifiers, browser type, operating system, user agentLegitimate interests, legal obligation2 years maximum
Usage InformationAccess logs, clickstream data, feature usage, session duration, error logsLegitimate interests, contract performance1 year maximum
Content DataUploaded files, generated content, user inputs, processing resultsContract performance, consentAs specified in service terms
Location DataIP geolocation, approximate location, time zoneLegitimate interests, legal obligation6 months maximum
Financial InformationPayment methods, billing addresses, transaction history, subscription detailsContract performance, legal obligation7 years for tax compliance
Communication DataSupport tickets, feedback, survey responses, correspondenceContract performance, legitimate interests3 years maximum

Legal Basis for Processing Personal Data

We process personal data based on the following legal grounds under applicable data protection laws:

  • Contract Performance: Processing necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract
  • Legitimate Interests: Processing necessary for our legitimate interests or those of third parties, including service improvement, security, fraud prevention, and business operations
  • Consent: Processing based on explicit, informed, and freely given consent that can be withdrawn at any time
  • Legal Obligation: Processing necessary to comply with legal obligations, including tax, accounting, and regulatory requirements
  • Vital Interests: Processing necessary to protect the vital interests of the data subject or another natural person
  • Public Task: Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority

Purposes of Data Processing

We process personal data for the following specific purposes:

  • Service Provision: Delivering, maintaining, and improving our technological services and platforms
  • User Authentication: Verifying user identity, managing accounts, and ensuring secure access
  • Communication: Responding to inquiries, providing support, and sending important service updates
  • Security and Fraud Prevention: Detecting and preventing unauthorized access, abuse, and fraudulent activities
  • Legal Compliance: Meeting regulatory requirements, responding to legal requests, and maintaining compliance records
  • Research and Development: Improving services, developing new features, and conducting research in web technologies
  • Analytics and Performance: Understanding usage patterns, optimizing performance, and improving user experience
  • Business Operations: Managing relationships, processing payments, and conducting business activities

Data Collection Methods and Sources

We collect personal data through various methods and sources:

  • Direct Collection: Information provided directly by users through registration, forms, uploads, and communications
  • Automatic Collection: Data collected automatically through cookies, log files, analytics tools, and system monitoring
  • Third-Party Sources: Information received from partners, service providers, and publicly available sources
  • User-Generated Content: Content created, uploaded, or generated by users through our services
  • Device Information: Technical data collected from devices, browsers, and applications
  • Network Information: Data collected from network communications, protocols, and infrastructure

Data Sharing and Disclosure

We may share personal data with the following categories of recipients:

  • Service Providers: Third-party vendors who assist in providing services, including hosting, analytics, payment processing, and customer support
  • Business Partners: Strategic partners and collaborators who provide complementary services or technologies
  • Legal Authorities: Government agencies, law enforcement, and regulatory bodies when required by law or to protect rights
  • Affiliates: Related companies, subsidiaries, and entities under common control
  • Acquirers: Entities involved in mergers, acquisitions, or other business transactions
  • Public Information: Information that users choose to make public through our services

Data Sharing Restrictions: We do not sell, rent, or trade personal data to third parties for marketing purposes. All data sharing is subject to appropriate safeguards and contractual protections.

International Data Transfers

Personal data may be transferred to and processed in countries outside your jurisdiction. We ensure appropriate safeguards are in place for such transfers:

  • Adequacy Decisions: Transfers to countries with adequate data protection laws
  • Standard Contractual Clauses: EU-approved contractual clauses for data transfers
  • Binding Corporate Rules: Internal policies and procedures for data protection
  • Certification Schemes: Participation in recognized privacy certification programs
  • Consent: Explicit consent for transfers to countries without adequate protection

Transfer Impact Assessments: We conduct assessments to evaluate risks associated with international transfers and implement additional safeguards when necessary.

Data Security and Protection Measures

We implement comprehensive security measures to protect personal data:

  • Technical Safeguards: Encryption in transit and at rest, access controls, firewalls, intrusion detection, and security monitoring
  • Administrative Safeguards: Privacy by design, data minimization, regular security training, and incident response procedures
  • Physical Safeguards: Secure data centers, environmental controls, and restricted access to facilities
  • Organizational Safeguards: Data protection policies, privacy impact assessments, and regular security audits
  • Operational Safeguards: Backup and recovery procedures, business continuity planning, and disaster recovery protocols

Security Incident Response: We maintain procedures for detecting, reporting, and responding to security incidents, including data breaches, and will notify affected individuals and authorities as required by law.

Data Retention and Deletion

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy:

  • Account Data: Retained for the duration of the account plus applicable legal retention periods
  • Usage Data: Retained for up to 2 years for analytics and service improvement
  • Communication Data: Retained for up to 3 years for support and legal purposes
  • Financial Data: Retained for 7 years for tax and accounting compliance
  • Legal Data: Retained as required by applicable laws and regulations

Data Deletion: Upon expiration of retention periods or upon request, personal data is securely deleted using industry-standard methods that prevent recovery.

Your Privacy Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right of Access: Request information about the personal data we process about you
  • Right of Rectification: Request correction of inaccurate or incomplete personal data
  • Right of Erasure: Request deletion of your personal data under certain circumstances
  • Right of Portability: Request a copy of your data in a structured, machine-readable format
  • Right to Restrict Processing: Request limitation of how we process your personal data
  • Right to Object: Object to processing based on legitimate interests or for direct marketing
  • Right to Withdraw Consent: Withdraw consent for processing based on consent
  • Right to Non-Discrimination: Exercise privacy rights without discrimination

Exercising Your Rights: To exercise these rights, contact us at [email protected]. We will respond to requests within the timeframes required by applicable law.

Cookies and Tracking Technologies

Cookie Policy and Tracking Technologies:

  • Essential Cookies: Necessary for basic website functionality and security
  • Analytics Cookies: Used to understand usage patterns and improve services (anonymized)
  • Preference Cookies: Remember user settings and preferences
  • Session Cookies: Temporary cookies that expire when the browser is closed
  • Persistent Cookies: Cookies that remain on your device for a specified period

Cookie Management: You can control cookies through your browser settings, but disabling certain cookies may affect service functionality.

Third-Party Tracking: We do not use third-party tracking cookies or engage in cross-site tracking for advertising purposes.

Artificial Intelligence and Machine Learning

Our AI and ML services involve specific privacy considerations:

  • Training Data: AI models may be trained on datasets that include personal data, subject to appropriate safeguards
  • Automated Decision-Making: Some services may use automated decision-making processes with human oversight
  • Data Minimization: We minimize the use of personal data in AI training and processing
  • Bias and Fairness: We implement measures to detect and mitigate bias in AI systems
  • Transparency: We provide information about how AI systems process personal data
  • Human Review: Automated decisions affecting individuals are subject to human review when appropriate

Blockchain and Cryptocurrency Services

Services involving blockchain technology have unique privacy characteristics:

  • Public Ledgers: Blockchain transactions are generally public and permanent
  • Pseudonymity: Blockchain addresses provide pseudonymity but may be linked to identity
  • Immutable Records: Data recorded on blockchain cannot be easily modified or deleted
  • Network Analysis: Blockchain analysis may reveal transaction patterns and relationships
  • Regulatory Compliance: Cryptocurrency services may require additional identity verification
  • Privacy Coins: Some cryptocurrencies offer enhanced privacy features

Children's Privacy and Age Restrictions

Our services are not directed to children under 13 (or 16 in the EU). We do not knowingly collect personal information from children without parental consent:

  • Age Verification: We implement age verification measures where appropriate
  • Parental Consent: We obtain parental consent before collecting data from children
  • Limited Collection: We minimize data collection from children to what is necessary
  • Parental Rights: Parents can request access, correction, or deletion of their child's data
  • Educational Services: Special provisions apply to educational use of our services

Data Protection Officer and Contact Information

Data Protection Officer: ORI.WTF has designated a Data Protection Officer (DPO) to oversee privacy compliance and serve as a point of contact for data protection matters.

Contact Information: For privacy-related inquiries, requests, or complaints, contact us at:

  • Email: [email protected]
  • Subject Line: "Privacy Inquiry" or "Data Protection Request"
  • Response Time: We will respond within 30 days (or as required by applicable law)

Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority if you believe your privacy rights have been violated.

Privacy Policy Updates and Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements:

  • Material Changes: Significant changes will be communicated through email, website notice, or in-app notification
  • Minor Updates: Non-material changes will be posted on our website with updated effective dates
  • Consent Requirements: Some changes may require renewed consent under applicable law
  • Historical Versions: Previous versions of this Policy are available upon request
  • Effective Date: Changes become effective immediately upon posting unless otherwise specified

Continued Use: Continued use of our services after changes constitutes acceptance of the updated Policy.

Compliance and Regulatory Framework

This Privacy Policy is designed to comply with applicable data protection laws and regulations:

  • GDPR (EU): General Data Protection Regulation compliance for EU residents
  • CCPA (California): California Consumer Privacy Act compliance for California residents
  • PIPEDA (Canada): Personal Information Protection and Electronic Documents Act compliance
  • LGPD (Brazil): Lei Geral de Proteção de Dados compliance
  • PDPA (Singapore): Personal Data Protection Act compliance
  • Other Jurisdictions: Compliance with applicable privacy laws in other regions

Industry Standards: We also adhere to industry best practices and standards for data protection and privacy.

Questions About Privacy?

If you have any questions about this Privacy Policy, please contact us:

[email protected]