Privacy Policy — NewsFriend

Privacy Policy

Last updated: April 2025

1. Introduction

We take the protection of your personal data very seriously. This Privacy Policy explains what personal data we collect, how we use it, and what rights you have under the General Data Protection Regulation (GDPR) and applicable data protection laws.

2. Data Controller

The data controller responsible for data processing on this website is identified on our Impressum (Legal Notice) page. Please refer to that page for full contact details.

3. Data We Collect

We collect and process the following categories of personal data:

3.1 Account Registration

• Email address: Required for account creation, login, and communication.
• Display name: A mandatory user-chosen name displayed within the platform.
• Password: Stored in encrypted (hashed) form. We never store passwords in plain text. Passwords are checked against the "Have I Been Pwned" database to protect you from using known compromised passwords.
• Language preference: Your chosen interface language (English or German).

3.2 User-Generated Content

• Comments and questions: Text you submit through the Comments feature, along with any AI-generated responses and administrator replies.

3.3 Notification Preferences

• Email notification settings: Your choices regarding receiving announcement notifications and daily report notifications.

3.4 Technical Data

• Authentication tokens: Session data necessary to keep you logged in securely.
• Cookie consent status: Your acceptance or rejection of cookies, stored locally in your browser.

4. Legal Basis for Processing (Art. 6 GDPR)

We process your personal data on the following legal bases:

• Consent (Art. 6(1)(a)): You provide explicit consent during registration by accepting our privacy policy. You may withdraw consent at any time.
• Contract performance (Art. 6(1)(b)): Processing is necessary to provide you with account access and platform features.
• Legitimate interest (Art. 6(1)(f)): We may process data for security purposes, such as preventing abuse and ensuring platform integrity.

5. How We Use Your Data

• Account management: To create, maintain, and secure your user account.
• Communication: To send email notifications about announcements and daily news reports (based on your preferences).
• Content delivery: To display AI-generated news reports and ethical perspectives.
• AI processing: User-submitted comments may be processed by AI models to generate helpful responses. This processing is done in real time and the input is not used for model training.
• Security: To verify email addresses, enforce password security, and detect potential abuse.

6. AI-Generated Content

This platform uses artificial intelligence to generate news reports, ethical reflections, and responses to user comments. The AI processes publicly available news articles and user-submitted questions. No personal data beyond the content of your submitted comment is sent to AI services.

7. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data to third parties. Data may be shared with:

• Infrastructure providers: Our backend services are hosted on secure cloud infrastructure. These providers act as data processors under GDPR-compliant agreements.
• Email delivery services: Transactional emails (verification, notifications) are sent through a managed email service.
• Payment processors: If you make a donation, payment data is handled directly by the payment processor (Stripe). We do not store your payment card details.
• AI service providers: AI-generated content is produced using external AI APIs. Only the content of news articles and user questions is transmitted — no personal identifiers.

8. Data Retention

• Account data: Retained for as long as your account is active. Upon account deletion, all personal data (profile, comments, notification preferences, and roles) is permanently removed.
• Comments: Retained until you or an administrator deletes them, or until your account is deleted.
• Email logs: Transactional email send logs are retained for operational and debugging purposes and do not contain message content.

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Right of access (Art. 15): You can request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): You can update your display name, password, and notification preferences at any time through your Account settings.
• Right to erasure (Art. 17): You can delete your account at any time through the Account page. This permanently removes all associated data including your profile, comments, notification preferences, and any assigned roles.
• Right to restrict processing (Art. 18): You may request restriction of processing under certain circumstances.
• Right to data portability (Art. 20): You may request your data in a structured, machine-readable format.
• Right to object (Art. 21): You may object to processing based on legitimate interests.
• Right to withdraw consent: You may withdraw your consent at any time without affecting the lawfulness of prior processing.

10. Email Communications

We send the following types of emails:

• Verification emails: Sent upon registration to confirm your email address.
• Notification emails: Announcements and daily report digests, based on your notification preferences.
• Admin replies: Responses to your submitted comments.

You can manage your notification preferences in your Account settings or unsubscribe via the link provided in every notification email.

11. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

• Encrypted data transmission (HTTPS/TLS)
• Secure password hashing
• Leaked password detection (Have I Been Pwned integration)
• Row-level security policies ensuring users can only access their own data
• Email verification requirement before account activation
• CAPTCHA protection during registration

12. International Data Transfers

Your data may be processed on servers located outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.

13. Children's Privacy

This service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the platform after changes constitutes acceptance of the revised policy.

15. Contact & Complaints

For questions about this policy or to exercise your rights, please visit our Impressum page for contact details. You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

German version: Datenschutzerklärung · Cookie Declaration · Imprint · Interactive version: /page/privacy-policy