Data minimization and source safety
Privacy
The archive measures public usefulness without building visitor profiles. Information supplied for records, corrections, replies, inquiries, or updates is collected only through an explicit visitor action and used for the stated purpose.
No live analytics script, source-submission endpoint, upload service, newsletter form, or Ask the Archive query logger is included in the current public-site files.
Core notice: This archive collects only the information visitors choose to provide, plus basic privacy-respecting analytics. Confidential-source submissions are handled separately from public evidence canon. Do not submit illegal recordings, hacked materials, or documents you are not authorized to share.
Current implementation
As currently implemented, the site is static and does not set analytics cookies, run browser fingerprinting, replay sessions, load advertising pixels, accept form submissions, or upload files. The hosting and security infrastructure may process ordinary request data, such as IP address, requested path, timestamp, user agent, and security signals, to deliver and protect the site. Those operational logs should not be combined with source-intake records or used to identify readers.
Information the archive may collect after approval
| Category | Limited data | Purpose and controls |
|---|---|---|
| Anonymous site analytics | Page path, date/time, coarse device/browser category, country or region at a coarse level, and aggregate visit counts. | Understand which public pages are useful. No persistent visitor profile, cross-site tracking, or collection on sensitive intake pages. |
| Search and referral analytics | Referring domain, landing page, campaign label, and aggregate search terms made available by a search provider. | Understand discovery routes. Strip query strings and fragments; do not retain identifiers or sensitive terms in URLs. |
| Voluntary source submissions | The fields a visitor chooses to provide, requested source status, consent, follow-up preference, and authorized files through a future secure channel. | Evaluate leads and records. Confidential submissions remain segregated from analytics and public evidence canon. |
| Right-of-reply submissions | Response, page or claim addressed, supporting record, attribution preference, contact details if provided, and consent. | Review and fairly represent a materially affected party’s response. |
| Correction requests | Page or metadata at issue, proposed correction, supporting record, urgency, contact details if provided, and consent. | Verify accuracy, context, procedural posture, and privacy concerns. |
| Journalist inquiries | Question, deadline, optional name, contact details, affiliation, topic, and requested records or comment. | Respond to public-interest research and methodology inquiries. |
| Ask the Archive query logs | Question text, page context, timestamp, answer route, and optional feedback. | Improve evidence-bounded answers. Identity is not logged unless the visitor separately opts in. |
| Newsletter or update signups | Email address, signup time, consent record, preferences, and unsubscribe status. | Send requested archive updates using double opt-in. Do not add tracking pixels to messages. |
Information the archive does not collect or use
- Browser fingerprints or persistent shadow identifiers.
- Covert tracking, hidden deanonymization, or cross-site behavioral profiles.
- Session replay or keystroke capture on any sensitive form.
- Advertising-technology pixels, data-broker enrichment, or visitor scoring for advertising.
- Private information without an informed, affirmative visitor action.
- Precise location, contact lists, browsing history, or unnecessary URL query strings.
- Visitor data for sale. The archive does not sell visitor or source information.
Sensitive-page exclusions
Analytics and session replay must be excluded from the confidential-source submission form, right-of-reply form, correction form, and document upload form. The exclusion must be enforced in page code and vendor configuration, then verified in a browser network inspection before release. Session replay should remain disabled site-wide unless a future, non-sensitive product need passes a separate review.
Ask the Archive
If query logging is implemented, the archive should log only question text, page context, timestamp, answer route, and optional feedback. It should not log a private identity unless the visitor opts in. The interface should warn visitors not to place confidential-source material, private contact details, or unnecessary personal information in a question.
Source intake and publication boundaries
Ordinary submissions, corrections, replies, and journalist inquiries should be stored separately from confidential-source intake. Access should be limited by role. Files should be quarantined for malware, provenance, authorization, and privacy review. A submission does not enter public evidence canon on receipt, and no raw document should be published automatically.
The archive should remove private addresses, phone numbers, personal email addresses, credentials, signatures, account data, and confidential-source identities from public material unless publication is necessary, lawful, proportionate, and separately approved.
Retention and access
Before any collection begins, the archive should publish a retention schedule and a working privacy contact. The operating target is to retain anonymous aggregate analytics for no more than 12 months; keep rejected or abandoned ordinary intake only as long as needed for review and security; and review retained editorial or confidential-source material on a case-specific schedule. Legal holds, safety needs, and the integrity of a correction or reply record may require longer retention.
Access to voluntary submissions should be limited to people who need it for editorial, security, or legal review. Vendors should receive only the minimum data required to provide the approved service and should not use it for advertising, model training, or independent profiling.
Visitor choices
Name and affiliation should remain optional. Email should be required only when a visitor requests a response. Newsletter signup should require separate consent and provide a one-step unsubscribe method. A process for access, correction, deletion, and consent withdrawal requests must be published before intake or signup is enabled; some editorial records may be retained where necessary for accuracy, legal obligations, or safety.
Changes to this notice
Material changes should be dated on this page before new collection begins. Adding analytics, an intake provider, an upload service, Ask the Archive logging, or a newsletter provider requires an updated data map, vendor review, sensitive-route test, and public notice.