Legal

Privacy Policy

Last updated: May 1, 2026

1. Data Controller

Anarki Corporation
6 rue d'Armaillé — 75017 Paris, France
SIREN: 977 870 799
Contact: contact@project-nebula.anarki-corporation.com

2. What We Collect

This site collects only the personal data strictly necessary for the features you choose to use. We never collect data passively from casual visitors beyond standard server logs.

Newsletter signup (optional):

  • Your email address — encrypted at rest with AES-256-GCM
  • Signup source (which page you signed up from)
  • Confirmation timestamp (when you completed double opt-in)

Moderator agreement (only if you are invited as a moderator candidate):

  • Discord username and Discord user ID — encrypted at rest with AES-256-GCM
  • Your typed signature text — encrypted at rest with AES-256-GCM
  • Acceptance date you provide
  • Submitter IP address — retained as a forensic record of the agreement origin

Administrator authentication (operators only):

  • Discord user ID and username (via Discord OAuth) — used to authorize admin access
  • Login timestamp — recorded in an internal audit log

Standard server logs (every visitor):

  • IP address, timestamp, page requested, response status
  • Retained for 30 days for security and technical diagnostic purposes only

Analytics (only if you give consent — currently disabled):

  • Anonymized navigation data (pages visited, duration, interactions)
  • Approximate country and city — not precise location
  • Device type and browser
  • Traffic source (direct link, Discord, search engine, etc.)
  • IP addresses are systematically anonymized before any processing

3. Purpose of Processing

  • Newsletter: send you development updates and milestone announcements about Project Nebula, no more
  • Moderator agreement: document, verify and retain a signed agreement with each community moderator, as required to administer the moderator program
  • Administrator authentication: grant authorized operators access to the admin panel for site management
  • Server logs: detect abuse, debug technical issues, secure the service
  • Analytics (when enabled): understand which sections interest visitors and adapt development priorities accordingly

We never sell your data to third parties. We have no advertising partners. No data is transmitted to third parties for commercial purposes.

4. Legal Basis

  • Newsletter: your explicit consent (Article 6(1)(a) GDPR), confirmed by double opt-in. Withdrawable at any time.
  • Moderator agreement: performance of the moderator agreement (Article 6(1)(b) GDPR). Submitter IP retention is based on legitimate interest (Article 6(1)(f) GDPR) for forensic verification of agreement origin.
  • Administrator authentication: legitimate interest (Article 6(1)(f) GDPR) — securing administrative access to the platform.
  • Server logs: legitimate interest (Article 6(1)(f) GDPR) for system security and operational integrity.
  • Analytics: your consent (Article 6(1)(a) GDPR), withdrawable at any time using the button at the bottom of this page.

5. Encryption & Security

All sensitive personal data — newsletter email addresses, moderator Discord identifiers, signature text — is encrypted at rest with AES-256-GCM using server-side keys held outside the database. Lookup of email addresses uses HMAC-SHA256 deterministic hashing so the system can find a record without ever decrypting it.

The database is backed up regularly. Backups inherit the same encryption — they are useless without the encryption keys, which are stored separately from the backup files.

6. Hosting & Data Transfers

This site and its database are hosted on a VPS server operated by Ionos SE (Germany), with the server itself physically located in France. All personal data remains within the European Union under EU/EEA jurisdiction.

Email delivery for newsletter confirmation, unsubscribe confirmation, and moderator agreement notifications is handled through our own SMTP server hosted at Ionos (France). No third-party email delivery service is used.

Discord OAuth (administrators only): when an administrator logs in to the admin panel, authentication is performed via Discord (Discord Inc., United States). This involves a one-time data exchange with Discord limited to identifying the operator. Standard Contractual Clauses approved by the European Commission govern this transfer. Regular site visitors are never subject to this transfer.

Analytics (when enabled): Google Analytics is a service of Google LLC (United States). Data transfers to Google servers are governed by Standard Contractual Clauses, in compliance with GDPR Chapter V. Currently disabled.

7. Data Retention

  • Newsletter signups: retained until you unsubscribe. Three unsubscribe paths are available: the link at the bottom of every email, the RFC 8058 List-Unsubscribe header in your email client, and a public unsubscribe form on this site.
  • Pending newsletter signups (not yet confirmed): automatically deleted after 48 hours if double opt-in is not completed.
  • Moderator agreements: 24 months from finalization, then automatically purged. This duration matches the post-departure confidentiality clause in the agreement itself. Manual purge is available immediately upon request.
  • Submitter IP (moderator agreements): cleared at the same time as the rest of the moderator agreement record (24 months or earlier upon manual purge or void).
  • Administrator session cookie: 7 days (re-authentication required after expiry).
  • Administrator login audit log: retained for the lifetime of the project for security accountability.
  • Server logs: 30 days.
  • Analytics data (when enabled): 14 months (GA4 default setting).
  • Consent preference: 12 months (stored locally in your browser).

8. Your Rights

Under GDPR, you have the following rights:

  • Right of access to your data
  • Right to rectification
  • Right to erasure (right to be forgotten)
  • Right to object to processing
  • Right to data portability
  • Right to withdraw consent at any time
  • Right to restrict processing

To exercise these rights, contact us at: contact@project-nebula.anarki-corporation.com

You may also contact the French data protection authority:
Commission Nationale de l'Informatique et des Libertés (CNIL)
www.cnil.fr

9. Cookies

This site uses:

  • One functional cookie (administrator session) — exempt from consent requirement under the ePrivacy Directive, used only for authenticated administrator access. Stores only an opaque session identifier.
  • Google Analytics cookies — subject to your consent only. These are never loaded if you decline or have not yet made a choice. Currently disabled site-wide.

No advertising cookies. No social media tracking pixels. No third-party data sharing for marketing purposes.

Consent Management

You can withdraw your analytics consent at any time. The page will reload and Google Analytics will no longer be loaded.