Privacy Policy
Last updated: April 14, 2026
1. Controller
Robert Lauko
c/o F2BII E-Commerce#660
Hintergoldingerstrasse 30
8638 Goldingen, Switzerland
Email: robert@kurate.org
This privacy policy explains how Kurate.org ("we", "us", "the Service") collects, uses, and protects personal data in accordance with the Swiss Federal Act on Data Protection (nDSG/DSG, in force since 1 September 2023) and, where applicable, the EU General Data Protection Regulation (GDPR).
2. What Data We Collect
2.1 Account Data (via Google Sign-In)
When you sign in using Google OAuth 2.0, we receive and store your name, email address, and Google account identifier. We do not receive or store your Google password. This data is used solely to authenticate your identity and personalize your experience (e.g., bookmarks, reading lists).
2.2 Usage Data (Google Analytics)
We use Google Analytics 4 (GA4) to understand how visitors use the Service. GA4 collects:
- IP address (anonymized by default in GA4)
- Browser type and version, operating system, screen resolution
- Pages visited, time spent, referral source
- Device type and approximate geographic location (country/region level)
This data is transmitted to Google LLC servers in the United States. Google processes this data on our behalf under a data processing agreement. We have enabled IP anonymization and do not use GA4 for cross-site tracking or advertising.
2.3 Server Logs
Our hosting infrastructure automatically logs HTTP requests, including IP addresses, request paths, timestamps, and user-agent strings. These logs are retained for up to 30 days for security and debugging purposes.
2.4 Cookies and Local Storage
We use essential cookies and browser local storage for authentication session management. Google Analytics sets its own cookies (_ga, _ga_*) for visitor identification across sessions. Reddit's advertising pixel sets a limited number of cookies (e.g. _rdt_uuid) used to measure advertising effectiveness (see section 2.5).
2.5 Reddit Advertising Pixel
We use the Reddit Pixel to measure the effectiveness of advertising campaigns we may run on reddit.com. The pixel fires a single PageVisit event when you load the site and transmits to Reddit Inc. (United States):
- Page URL and referrer
- IP address, browser user-agent, and a pseudonymous cookie identifier (
_rdt_uuid) - Approximate geographic location derived from IP
Reddit's "auto-advanced matching" feature, which would additionally collect email addresses and phone numbers shown in the DOM (hashed with SHA-256 client-side) to improve cross-device attribution, is disabled on our account. We do not transmit any hashed personal identifiers to Reddit.
Reddit processes this data as an independent controller for its own analytics and advertising purposes. See Reddit's Privacy Policy for details. You can opt out of Reddit's advertising cookies via your browser's tracking-protection settings or Reddit's ad preferences.
3. Purpose and Legal Basis
| Purpose | Legal Basis (nDSG/GDPR) |
|---|---|
| User authentication (Google Sign-In) | Consent / Contract performance |
| Personalization (bookmarks, reading lists) | Contract performance |
| Website analytics (Google Analytics) | Legitimate interest / Consent |
| Advertising measurement (Reddit Pixel) | Legitimate interest / Consent |
| Security and abuse prevention | Legitimate interest |
| Email notifications (if opted in) | Consent |
4. Data Transfers Abroad
Personal data may be transferred to the United States through our use of:
- Google Analytics 4 — analytics data processed by Google LLC, USA
- Google OAuth — authentication data processed by Google LLC, USA
- Reddit Pixel — advertising measurement data processed by Reddit Inc., USA
- Cloudflare — CDN and security services, data may transit through global servers
The United States does not provide an equivalent level of data protection under Swiss law. These transfers are based on standard contractual clauses (SCCs) and the providers' compliance with applicable data protection frameworks. By using the Service, you acknowledge this transfer.
5. Data Retention
- Account data: retained as long as your account is active. Deleted within 30 days of account deletion request.
- Analytics data: retained for 14 months (GA4 default), then automatically deleted.
- Server logs: retained for up to 30 days.
6. Your Rights
Under the nDSG (and GDPR where applicable), you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data
- Deletion — request deletion of your data ("right to be forgotten")
- Data portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at privacy@kurate.org. We will respond within 30 days.
7. Data Security
We implement appropriate technical and organizational measures to protect personal data, including encrypted data transmission (TLS/HTTPS), access controls, and regular security reviews. However, no method of transmission over the Internet is 100% secure.
8. Third-Party Services
- Google LLC (Google Sign-In, Google Analytics) — Privacy Policy
- Cloudflare Inc. (CDN, DDoS protection) — Privacy Policy
- MongoDB Inc. (database hosting) — Privacy Policy
9. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us.
10. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the:
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
3003 Bern, Switzerland
www.edoeb.admin.ch
11. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically.