Privacy Policy

1. Who We Are

Warrant is operated by Inspiry Labs LLC. This Privacy Policy explains what data we collect, how we use it, and your rights. It applies to all users: readers, subscribers, and journalist contributors.

2. Data We Collect

Account data

• Email address — used for magic link authentication and account notifications
• Display name / pseudonym — chosen by journalists for public bylines
• Session tokens — stored as secure HTTP-only cookies for authentication

Journalist-specific data

• Identity verification — processed by Stripe Identity. We store verification status and Stripe reference IDs, not raw identity documents (passports, IDs).
• Payout information — managed via Stripe Connect. We store Stripe account IDs; bank details are held by Stripe.
• Reputation score and history — calculated from public moderation events (corrections, disputes, flags)

Subscriber data

• Subscription status — managed via Stripe Billing. We store Stripe customer and subscription IDs.
• Read tracking — we log article reads (article ID, reader ID, timestamp) for revenue distribution calculations. This data is anonymized after monthly revenue calculations.

Automatically collected data

• IP address — logged for rate limiting and security audit trails
• Audit logs — all state-changing actions (publish, flag, dispute, moderation) are logged with actor, action, timestamp, and IP address

3. How We Use Your Data

• Authenticate you and maintain your session
• Process subscription payments and journalist payouts
• Calculate reputation scores and revenue distribution based on read share
• Enforce rate limits, prevent abuse, and maintain platform security
• Send transactional emails (magic links, moderation notifications)
• Maintain audit trails for integrity and moderation transparency

We do not sell your personal data. We do not run third-party advertising. We do not use your data for AI model training.

4. Third-Party Services

5. Data Retention

• Sessions — expire after 30 days of inactivity; deleted on logout
• Magic links — expire after 15 minutes; used tokens are invalidated
• Audit logs — retained indefinitely for transparency and accountability
• Read tracking data — anonymized after monthly revenue calculation
• Account data — retained until account deletion is requested

6. Your Rights

All users

• Access — request a copy of your personal data
• Correction — update inaccurate personal information
• Deletion — request deletion of your account and associated data
• Portability — receive your data in a structured, machine-readable format

GDPR (EU/EEA residents)

Our legal basis for processing is: contract performance (account operation, payments), legitimate interest (security, abuse prevention), and consent (where explicitly given). You may withdraw consent at any time. You have the right to lodge a complaint with your local data protection authority.

CCPA (California residents)

You have the right to know what personal information we collect, to request deletion, and to opt out of the sale of personal information. We do not sell personal information.

7. Security

All data is encrypted in transit (TLS) and at rest (database-level encryption via Neon). Authentication uses secure, HTTP-only session cookies. We do not store passwords — authentication is via time-limited magic links.

8. Children

Warrant is not directed at children under 18. We do not knowingly collect data from minors. If we learn that a minor has created an account, we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy. Material changes will be communicated via email at least 30 days before taking effect.

10. Contact

For privacy inquiries or data requests: privacy@warrant.ink