Data minimization and source safety

Privacy

The archive measures public usefulness without building visitor profiles. Information supplied for records, corrections, replies, inquiries, or updates is collected only through an explicit visitor action and used for the stated purpose.

No live analytics script, source-submission endpoint, upload service, newsletter form, or Ask the Archive query logger is included in the current public-site files.

Core notice: This archive collects only the information visitors choose to provide, plus basic privacy-respecting analytics. Confidential-source submissions are handled separately from public evidence canon. Do not submit illegal recordings, hacked materials, or documents you are not authorized to share.

Current implementation

As currently implemented, the site is static and does not set analytics cookies, run browser fingerprinting, replay sessions, load advertising pixels, accept form submissions, or upload files. The hosting and security infrastructure may process ordinary request data, such as IP address, requested path, timestamp, user agent, and security signals, to deliver and protect the site. Those operational logs should not be combined with source-intake records or used to identify readers.

Information the archive may collect after approval

CategoryLimited dataPurpose and controls
Anonymous site analyticsPage path, date/time, coarse device/browser category, country or region at a coarse level, and aggregate visit counts.Understand which public pages are useful. No persistent visitor profile, cross-site tracking, or collection on sensitive intake pages.
Search and referral analyticsReferring domain, landing page, campaign label, and aggregate search terms made available by a search provider.Understand discovery routes. Strip query strings and fragments; do not retain identifiers or sensitive terms in URLs.
Voluntary source submissionsThe fields a visitor chooses to provide, requested source status, consent, follow-up preference, and authorized files through a future secure channel.Evaluate leads and records. Confidential submissions remain segregated from analytics and public evidence canon.
Right-of-reply submissionsResponse, page or claim addressed, supporting record, attribution preference, contact details if provided, and consent.Review and fairly represent a materially affected party’s response.
Correction requestsPage or metadata at issue, proposed correction, supporting record, urgency, contact details if provided, and consent.Verify accuracy, context, procedural posture, and privacy concerns.
Journalist inquiriesQuestion, deadline, optional name, contact details, affiliation, topic, and requested records or comment.Respond to public-interest research and methodology inquiries.
Ask the Archive query logsQuestion text, page context, timestamp, answer route, and optional feedback.Improve evidence-bounded answers. Identity is not logged unless the visitor separately opts in.
Newsletter or update signupsEmail address, signup time, consent record, preferences, and unsubscribe status.Send requested archive updates using double opt-in. Do not add tracking pixels to messages.

Information the archive does not collect or use

Sensitive-page exclusions

Analytics and session replay must be excluded from the confidential-source submission form, right-of-reply form, correction form, and document upload form. The exclusion must be enforced in page code and vendor configuration, then verified in a browser network inspection before release. Session replay should remain disabled site-wide unless a future, non-sensitive product need passes a separate review.

Ask the Archive

If query logging is implemented, the archive should log only question text, page context, timestamp, answer route, and optional feedback. It should not log a private identity unless the visitor opts in. The interface should warn visitors not to place confidential-source material, private contact details, or unnecessary personal information in a question.

Source intake and publication boundaries

Ordinary submissions, corrections, replies, and journalist inquiries should be stored separately from confidential-source intake. Access should be limited by role. Files should be quarantined for malware, provenance, authorization, and privacy review. A submission does not enter public evidence canon on receipt, and no raw document should be published automatically.

The archive should remove private addresses, phone numbers, personal email addresses, credentials, signatures, account data, and confidential-source identities from public material unless publication is necessary, lawful, proportionate, and separately approved.

Retention and access

Before any collection begins, the archive should publish a retention schedule and a working privacy contact. The operating target is to retain anonymous aggregate analytics for no more than 12 months; keep rejected or abandoned ordinary intake only as long as needed for review and security; and review retained editorial or confidential-source material on a case-specific schedule. Legal holds, safety needs, and the integrity of a correction or reply record may require longer retention.

Access to voluntary submissions should be limited to people who need it for editorial, security, or legal review. Vendors should receive only the minimum data required to provide the approved service and should not use it for advertising, model training, or independent profiling.

Visitor choices

Name and affiliation should remain optional. Email should be required only when a visitor requests a response. Newsletter signup should require separate consent and provide a one-step unsubscribe method. A process for access, correction, deletion, and consent withdrawal requests must be published before intake or signup is enabled; some editorial records may be retained where necessary for accuracy, legal obligations, or safety.

Changes to this notice

Material changes should be dated on this page before new collection begins. Adding analytics, an intake provider, an upload service, Ask the Archive logging, or a newsletter provider requires an updated data map, vendor review, sensitive-route test, and public notice.