Privacy policy
This page explains what data the Conspiracy Generator processes when you use it, why, how long we keep it, and what rights you have under the GDPR. The site has no user accounts, no analytics, no advertising, and no third-party tracking.
1. Controller
Marco Meyer
Tegeler Str. 2, 13467 Berlin, Germany
Email: marco.meyer@jpberlin.de
2. Data we process
Server access logs
Our reverse proxy (Caddy 2, running on our own server) writes a log line for each HTTP request. The log line includes: the visitor's IP address, the request method and path, the HTTP status code, the response size, the user-agent string, and a timestamp. We process these logs on the legal basis of Art. 6 (1) lit. f GDPR (legitimate interest) for the purposes of debugging, security, and protection against abuse.
Session cookie (cgen_sid)
When you first interact with the generator we set a strictly necessary, first-party, HTTP-only cookie named cgen_sid. It contains a 24-character pseudonymous identifier (a server-side hash, see below). The cookie is used to attribute your ratings to your own session and to deduplicate ratings. It is not used for advertising, analytics, or cross-site tracking. Because the cookie is strictly necessary for the service requested by you, no consent is required (§25 (2) Nr. 2 TTDSG; Art. 6 (1) lit. b GDPR).
Pseudonymous session hash
On the first request that needs a session we compute a salted SHA-256 hash of three inputs and keep only the first 24 hex characters: (i) a coarsened version of your IP address — for IPv4 we keep only the first three octets (the /24 block), for IPv6 we keep only the /64 prefix; (ii) your browser's user-agent string; and (iii) today's date. The salt is a random server secret that never leaves the server. The resulting hash is stored alongside generations and ratings. It cannot be reversed to your IP address, but it is still personal data within the meaning of Art. 4 (1) GDPR.
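The derivation described above can be sketched as follows. This is an added example, not the site's own code: the function names, the field order, the length-prefixed encoding, and the demo salt are assumptions, since the policy only states the three inputs, the salt, SHA-256, and the 24-character truncation.

```python
import hashlib
import ipaddress
from datetime import date

HEX_LEN = 24  # the policy keeps the first 24 hex characters (96 bits)
DEMO_SALT = b"constructed-demo-salt"  # constructed; the real salt is a random server secret


def coarsen_ip(ip: str) -> str:
    """Reduce an address to its /24 (IPv4) or /64 (IPv6) network."""
    addr = ipaddress.ip_address(ip)
    # Assumption: IPv4-mapped IPv6 (::ffff:a.b.c.d) is treated as IPv4 so one
    # client does not get two prefixes depending on the listening socket.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def session_hash(salt: bytes, ip: str, user_agent: str, day: date) -> str:
    """Salted SHA-256 over (coarse IP, user agent, date), truncated."""
    h = hashlib.sha256()
    h.update(salt)
    # Assumed encoding: each field is length-prefixed so that field
    # boundaries are unambiguous ("ab"+"c" never hashes like "a"+"bc").
    for field in (coarsen_ip(ip), user_agent, day.isoformat()):
        raw = field.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big"))
        h.update(raw)
    return h.hexdigest()[:HEX_LEN]


if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed sample)"
    d1, d2 = date(2024, 5, 1), date(2024, 5, 2)
    # Two hosts in the same /24 with the same user agent share one identifier.
    print(session_hash(DEMO_SALT, "203.0.113.57", ua, d1))
    print(session_hash(DEMO_SALT, "203.0.113.200", ua, d1))
    # The date input rotates the identifier every day.
    print(session_hash(DEMO_SALT, "203.0.113.57", ua, d2))
    # Without the salt, the same inputs give a different value.
    print(session_hash(b"", "203.0.113.57", ua, d1))
```
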
Generations and ratings
When you build a fake conspiracy theory we store: the news event, culprit, and motive you picked; the AI-generated paragraphs and debunks; the model and recipe version used; and the session hash described above. When you rate a generation we additionally store your rating (1–5) and an optional free-text comment. Legal basis: Art. 6 (1) lit. b GDPR (performance of the service you requested) and Art. 6 (1) lit. f GDPR (legitimate interest in maintaining permanent, shareable links to the theories users have built).
No analytics, fingerprinting, or third-party tracking
We do not use Google Analytics, Plausible, Matomo, or any other analytics tool. We do not embed advertising. We do not load fonts, scripts, or images from third-party CDNs at runtime.
3. Recipients and processors
OpenAI (USA)
To generate the news intros, brainstorm ideas, and conspiracy paragraphs we call the OpenAI API operated by OpenAI Ireland Limited (Dublin) and OpenAI, L.L.C. (San Francisco, USA). The data sent in each request consists of the news event you selected, the culprit and motive you picked, the brainstorm idea you chose, and short instructions to the model. Your IP address is not forwarded; OpenAI sees only the IP address of our server. Transfers to the United States rely on the EU–US Data Privacy Framework (Adequacy Decision of the European Commission of 10 July 2023); additionally, OpenAI's Standard Contractual Clauses (Art. 46 GDPR) apply. OpenAI has committed not to use API content to train its models by default. See openai.com/policies/privacy-policy.
Hetzner Online GmbH (Germany)
The site is hosted on a virtual server operated by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. A data processing agreement (Auftragsverarbeitung) under Art. 28 GDPR is in place. See hetzner.com/legal/privacy-policy.
DuckDNS
The domain conspiracy-generator.duckdns.org is served via DuckDNS. DuckDNS only resolves the domain name and does not see your traffic.
Let's Encrypt
TLS certificates for the site are issued automatically by Let's Encrypt (Internet Security Research Group, USA). The interaction is server-to-server and does not involve user data.
4. Retention
- Server access logs: kept on the server until manually rotated or deleted. We do not currently apply an automated retention period; we will introduce one if the volume of logs grows materially. You may request deletion of log entries that contain your IP address.
- Session cookie: up to 12 months in your browser. You can delete it at any time through your browser's privacy settings.
- Generations and ratings: stored indefinitely so that the permanent shareable links remain valid. You can request deletion of any generation you created (see §5).
- Database backups: encrypted, stored in our own infrastructure, rotated on a 30-day window.
5. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you (Art. 15);
- request rectification of inaccurate data (Art. 16);
- request erasure of your data (Art. 17);
- request restriction of processing (Art. 18);
- data portability (Art. 20);
- object to processing based on legitimate interest (Art. 21) — including the creation of the session hash described in §2;
- withdraw consent at any time, where processing is based on consent (Art. 7).
To exercise any of these rights, write to marco.meyer@jpberlin.de. Because we do not link generations to email addresses, requests to delete a specific generation should include the permalink (/g/<id>).
6. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. The competent authority for this site is the Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59–61, 10555 Berlin (datenschutz-berlin.de).
7. Updates to this notice
We may update this notice when the underlying processing changes (for example, if we switch AI providers). The current version is always available at this URL.