Terms of Use & Privacy Policy
Acceptance of the current Terms of Use and Privacy Policy is required before you may use any feature of this site, including signing in, browsing the community, posting, commenting, or contacting support. Please read each document below in full and tick every required box to continue.
Read the full text ▾
1. Definitions
"Service" means the website operated under needmoretruth.com and any related sub-domains, applications, and features. "User", "you", or "your" means any natural person who accesses or uses the Service. "Operator", "we", "us", or "our" means the natural person who operates the Service in a personal, non-commercial capacity. "Member" means a User who has authenticated through a supported OAuth identity provider; "Guest" means a User who has not. "Guest Mode" means the convenience feature that lets a Member submit Content under the same processing rules as a Guest (defined in Section 7). "Content" means any text, link, file, image, code, or other material submitted to the Service. "Privacy Policy" means the document published at /privacy and incorporated into these Terms by reference. "Account" means an authenticated identity created when you sign in via a supported OAuth identity provider.
2. Acceptance and binding effect
These Terms become binding on you when you first access or use the Service, or when you click any control marked as acceptance of these Terms, whichever occurs first. Where the Service requires an explicit click-through acceptance — including the consent gate that precedes sign-in, browsing the community section, posting, commenting, reporting content, or contacting support — that click constitutes a binding electronic acceptance of these Terms and the Privacy Policy as of the version stated on the consent gate. If you do not accept, you may continue to read the home page, Terms of Use, and Privacy Policy, but you may not use any other feature of the Service.
3. Eligibility
You represent and warrant that (a) you are at least sixteen (16) years of age and otherwise of the legal age required to enter into a binding agreement under the laws of the jurisdiction in which you reside, (b) you are competent to enter into a binding agreement, and (c) you are not barred from receiving the Service under any law applicable to you, including export-control, sanctions, age, and professional-conduct rules. If you access the Service on behalf of an organisation, you represent and warrant that you have authority to bind that organisation to these Terms. The minimum age of sixteen is an operator policy set to align with the default age of consent for information-society services under EU/EEA GDPR Article 8; it sits above the fourteen-year floor permitted for personal-data processing under the Republic of Korea Personal Information Protection Act (PIPA), and where your local law sets a different age of digital consent that applies to you, the higher of that age or sixteen governs your eligibility. Authentication is delegated exclusively to third-party OAuth providers (GitHub, Google), which apply their own age-verification policies; the Operator does not perform independent age verification and relies on these providers and on your own representation to enforce minimum-age requirements. The Operator does not knowingly permit the Service to be used by anyone below the applicable minimum age and does not seek verifiable parental consent to enrol younger children, because the Service is not directed to children below that age. If you believe that a person below the minimum age has nevertheless accessed the Service, please contact the Operator at [email protected] or through the in-Service Bug & Operations Reports channel so that the relevant data may be deleted without undue delay.
4. Accounts and authentication
Authentication is provided exclusively through third-party OAuth identity providers, currently GitHub and Google. The Service does not collect, store, or process passwords. Only profile fields exposed by the identity provider — such as provider account ID, login name, public display name, avatar URL, and (where exposed) email address — are stored. You are solely responsible for the security of the third-party account you use to sign in and for all activity that occurs under your Account on the Service. When multiple Members would share the same display name, the later-joining Member receives a visible numeric suffix (for example, "name#2") shown in a distinct typographic style so that it cannot be confused with digits that happen to be part of the chosen name itself. The Operator may suspend or terminate your Account where you breach these Terms or where required by law, by giving you reasonable prior notice through the in-Service inbox or, where you have provided one, your sign-in email address. Notice may be omitted only where (i) you are causing material harm to the Service, other Users, or third parties, (ii) you have fundamentally breached these Terms, (iii) immediate action is required by law or to prevent a security incident, or (iv) prior notice would be impossible or impracticable. Termination without cause, where permitted by law for a free non-commercial service, will also be subject to reasonable prior notice except in the circumstances listed above.
5. User-submitted Content
You retain all ownership rights you may have in Content that you submit to the Service. By submitting Content, you grant the Operator a worldwide, non-exclusive, royalty-free, fully paid-up licence — sublicensable solely to subprocessors acting on the Operator's behalf for the purpose of operating the Service (for example, content-delivery, hosting, and backup providers), and transferable solely to a successor operator that continues to provide the Service in substantially the same form — to host, store, reproduce, display, transmit, distribute, cache, modify (including for formatting, translation, and moderation), create derivative works of, and publish your Content for the purpose of operating, providing, securing, and improving the Service. The licence does not authorise the Operator to use your Content for unrelated commercial purposes, for advertising, or for resale to third parties. This licence terminates when you or the Operator delete the relevant Content from the Service, except to the extent that the Operator must retain residual copies for technical reasons (such as backups, caches, or audit logs) or legal reasons. The Operator has no obligation to host, monitor, edit, or retain any specific Content.
6. Content rules
You must not submit Content that: (a) is unlawful or that promotes, facilitates, or encourages unlawful activity, including the sale of controlled substances, weapons, or unauthorised intrusion or denial-of-service tools; (b) infringes any patent, trademark, trade secret, copyright, right of publicity, or other right of any person; (c) is defamatory, harassing, hateful, threatening, or invasive of another's privacy; (d) is sexually explicit, sexually exploitative of any person, or depicts a minor in a sexual context; (e) depicts, glorifies, or encourages self-harm, suicide, or eating disorders; (f) plans, threatens, or encourages violence against any identified person or group; (g) contains malware, viruses, or any code intended to damage or disable any system; (h) is designed to harvest personal data or to phish credentials; or (i) violates any third party's intellectual-property or privacy rights. The Operator applies automated content filtering to the more serious categories above; as described in Section 10, the strictness of this filtering may be configured separately for each board, and matched Content may be refused, hidden pending the Operator's review, or flagged for review. The Operator may remove, hide, edit, refuse, or restrict access to any Content at the Operator's sole discretion, with or without notice. The Operator is not a publisher of User-submitted Content and does not endorse or warrant any User-submitted material.
7. Guest Mode for Members
A Member may, at the moment of submitting Content, toggle "submit as Guest". When this toggle is on, the Service processes the submission exactly as if it had originated from a logged-out Guest on the same connection: no link to your Account is stored, the public display name shown is the same daily Guest identifier that a logged-out visitor from your connection would receive, the Guest cooldown applies in place of the Member cooldown, and self-deletion requires the deletion password that you set at the time of submission. This is a convenience feature only. Because logging out and submitting as a Guest already produces an indistinguishable result, the toggle simply removes the need to log out and back in. Any attempt to manipulate the visible discourse by alternating between Member and Guest Mode — including operating multiple effective identities to inflate or suppress engagement signals — is your responsibility under Section 9; the absence of a database link does not absolve you of accountability under these Terms or under applicable law.
8. Reporting Content
Any visitor may report a post or comment that they believe violates these Terms via the in-Service report function attached to the Content. A high volume of reports against a single piece of Content raises the Operator's review priority but does not, on its own, hide or remove the Content; only the Operator's own review may do so. Coordinated or bad-faith reporting intended to suppress lawful Content is itself a violation of these Terms and may result in enforcement action against the reporting User or connection. Copyright owners and other rights holders may submit takedown requests through the Bug & Operations Reports channel; valid requests will be processed within a reasonable time.
9. Prohibited conduct
You must not, and you must not attempt to, and you must not permit any third party to: (a) circumvent, bypass, or interfere with rate limits, anti-spam controls, content fingerprinting, authentication, the human-verification challenge, or access controls of the Service; (b) probe, scan, or test the vulnerability of the Service or any related system, network, or infrastructure, except as expressly authorised in writing by the Operator; (c) submit automated traffic, scraping, crawling, or bulk requests to the Service, except as expressly authorised; (d) impersonate any person or misrepresent your affiliation; (e) interfere with any other User's use or enjoyment of the Service; (f) collect, store, transfer, or disclose personal data of other Users or visitors of the Service without their lawful consent; (g) reverse engineer, decompile, or disassemble any portion of the Service except as permitted by mandatory law; (h) use the Service in any manner that could overload, damage, or impair its operation; (i) operate multiple identities — whether through separate Accounts, alternation between Member and Guest Mode, or other means — to evade access restrictions, inflate engagement signals, or otherwise manipulate the visible discourse; or (j) use Guest Mode or any other feature of the Service to engage in any of the foregoing. Because the Operator processes only the minimum data necessary for safe operation, the Operator may, in some cases, be technically unable to identify the natural person responsible for a violation after the fact. This limitation is an intentional consequence of the data-minimisation design and does not transfer responsibility for your acts from you to the Operator. The Operator will cooperate in good faith with valid lawful requests from competent authorities, within the technical scope of the data actually retained at the time of the request, and will preserve the data it is required to preserve under applicable law.
10. Moderation and enforcement
The Service applies a combination of automated controls (rate limiting per daily IP hash and per Account, request deduplication, automated content filtering for the categories listed in Section 6, the strictness of which the Operator may configure separately for each board and which may refuse a submission, hide it pending review, or flag it for review, and a third-party human-verification challenge for write actions provided by Cloudflare Turnstile) and human review by the Operator. The Operator may apply the following enforcement actions, in any combination and at the Operator's sole discretion: warning, Content hiding, Content deletion, anonymisation of an Account's display in connection with specific Content, an access restriction keyed to the current day's IP hash ("IP ban") which auto-expires when the daily IP-hashing salt rotates (see Section 12 and the Privacy Policy), an Account-level write timeout for a stated duration, and Account suspension or termination, including permanently. All administrator actions are recorded in an internal audit log used only for moderation review. Affected Users may submit one appeal per access restriction through the in-Service form on the access-restriction notice page. This one-appeal limit is without prejudice to any mandatory legal right of review you may have under applicable law (such as the right to obtain human review of a significant automated decision under EU/EEA GDPR Article 22, equivalent rights under PIPA, or analogous protections in other jurisdictions). The Operator is not obligated to respond and may decline to provide reasoned responses where doing so would compromise the integrity of the moderation system, except to the extent applicable law requires the Operator to provide a reasoned response.
11. Content deletion and moderation authority
The Operator retains full authority to delete, hide, or modify any Content at any time, including for reasons of safety, legal compliance, or community standards. Moderation decisions are final as between the User and the Operator, subject only to mandatory legal rights of appeal or review that the User may have under applicable law. Members may delete their own posts and comments at any time from the Service interface. Deletion is permanent and irreversible; the Operator cannot recover deleted Content. Guests, and Members using Guest Mode, must set a deletion password at the time of submission. This password is the sole means of self-deletion and is stored as a one-way cryptographic hash that the Operator cannot reverse. If the password is forgotten, self-deletion is permanently impossible. The Operator does not provide any recovery mechanism for deletion passwords; this absence of recovery is an intentional consequence of the data-minimisation design described in the Privacy Policy, and the responsibility for retaining the password rests with the User. The Operator cannot verify the identity of a User who submitted as a Guest or in Guest Mode. Deletion requests submitted via the Bug & Operations Reports channel will be processed only if the Content violates these Terms or applicable law, as determined solely by the Operator, except where mandatory law (such as the GDPR right to erasure or the PIPA right of deletion) requires deletion regardless of these Terms. Requests to delete Content that does not violate these Terms and is not subject to a mandatory deletion right will be declined. Do not include personal data (real names, addresses, telephone numbers, national identification numbers, financial information, or other sensitive data) in Content submitted as a Guest or in Guest Mode. Such information cannot be guaranteed to be deleted if the deletion password is lost. The Operator is not liable for personal information voluntarily and unnecessarily included in User-submitted Content.
12. Access restrictions
The Operator may restrict access to the Service through the following tiered measures, applied in combination as needed: (a) an "IP ban" keyed to the current day's IP hash, which automatically expires at most twenty-four (24) hours after the most recent rotation of the daily IP-hashing salt; (b) an Account-level write timeout preventing a Member from posting, commenting, or otherwise writing for a stated duration; and (c) Account suspension or termination, which may be permanent. The first measure is short by design: because the Service stores no raw IP address and the daily salt is unrecoverable after rotation, an "IP ban" cannot meaningfully bind any address beyond the current day. This is an intentional consequence of the data-minimisation design described in the Privacy Policy, and the Operator acknowledges that determined attackers will rotate their network paths and so cannot in practice be excluded by IP-level restriction alone. A User affected by an IP ban will see a notice page explaining the approximate time until automatic expiry; that page contains a one-shot form that allows the User to send the Operator a written account of the situation. Because most IP bans expire automatically before they could be reviewed, that form exists to inform future moderation rather than to lift the current restriction. Account-level measures, by contrast, are not affected by salt rotation and may be permanent.
13. Intellectual property
All software, source code, design, branding, logos, layouts, graphics, original written content (other than User-submitted Content), and other materials forming part of the Service are owned by the Operator or licensed to the Operator and are protected by copyright, trademark, and other applicable intellectual-property laws. Subject to these Terms, the Operator grants you a limited, revocable, non-exclusive, non-transferable, non-sublicensable licence to access and use the Service for personal, non-commercial purposes. No other rights are granted by implication, estoppel, or otherwise. Trademarks, logos, and service marks displayed on the Service may not be used without the prior written consent of the Operator or, where applicable, the relevant third-party rights holder.
14. Third-party services
The Service relies on third-party providers including but not limited to GitHub and Google (authentication), Cloudflare (DNS, edge, TLS termination, tunnelling between the public internet and the origin server, and the Turnstile human-verification challenge presented for write actions), and the operating system, runtime, and database software running on the origin server. The Operator does not control these providers and is not responsible for their availability, policies, performance, or actions. Your interactions with these providers are governed by the providers' own terms of service and privacy policies.
15. Privacy
Your use of the Service is also governed by the Privacy Policy, which is incorporated into these Terms by reference. Reading the Privacy Policy is required before granting consent. Capitalised terms used in the Privacy Policy and not otherwise defined there have the meanings given to them in these Terms.
16. Disclaimer of warranties
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, AND THE OPERATOR EXPRESSLY DISCLAIMS ALL SUCH WARRANTIES AND CONDITIONS, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ACCURACY, AVAILABILITY, AND QUIET ENJOYMENT. THE OPERATOR DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, SECURE, ERROR-FREE, OR FREE FROM HARMFUL COMPONENTS, OR THAT ANY CONTENT WILL BE ACCURATE, TIMELY, OR RELIABLE.
17. Limitation of liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL THE OPERATOR BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, BUSINESS, DATA, GOODWILL, OR OTHER INTANGIBLE LOSSES, ARISING OUT OF OR IN CONNECTION WITH YOUR USE OF, OR INABILITY TO USE, THE SERVICE, REGARDLESS OF THE LEGAL THEORY (CONTRACT, TORT, STATUTE, OR OTHERWISE) ON WHICH THE CLAIM IS BASED AND REGARDLESS OF WHETHER THE OPERATOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SUBJECT TO THE FOLLOWING SENTENCE, THE OPERATOR'S TOTAL CUMULATIVE LIABILITY FOR DIRECT DAMAGES ARISING OUT OF OR IN CONNECTION WITH THESE TERMS OR THE SERVICE WILL NOT EXCEED ONE UNITED STATES DOLLAR (USD 1.00) OR THE EQUIVALENT IN YOUR LOCAL CURRENCY. NOTHING IN THESE TERMS EXCLUDES OR LIMITS THE OPERATOR'S LIABILITY FOR: (A) DEATH OR PERSONAL INJURY CAUSED BY THE OPERATOR'S NEGLIGENCE; (B) THE OPERATOR'S GROSS NEGLIGENCE OR WILFUL MISCONDUCT; (C) FRAUD OR FRAUDULENT MISREPRESENTATION; OR (D) ANY OTHER LIABILITY THAT APPLICABLE LAW DOES NOT PERMIT TO BE EXCLUDED OR LIMITED, INCLUDING MANDATORY CONSUMER-PROTECTION LIABILITY UNDER THE LAWS OF YOUR COUNTRY OF RESIDENCE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF CERTAIN WARRANTIES OR DAMAGES; IN THOSE JURISDICTIONS THE LIABILITY OF THE OPERATOR IS LIMITED TO THE GREATEST EXTENT PERMITTED BY LAW.
18. Indemnification
You agree to indemnify, defend, and hold harmless the Operator and any of the Operator's affiliates, contractors, and service providers from and against any and all claims, demands, liabilities, damages, losses, costs, and expenses (including reasonable legal fees) arising out of or in any way connected with: (a) your access to or use of the Service; (b) any Content you submit; (c) any violation of these Terms by you; or (d) any violation by you of any law or any right of any third party.
19. Suspension and termination
The Operator may suspend or terminate your access to the Service in accordance with Section 4 (Accounts and authentication) and Section 10 (Moderation and enforcement). You may stop using the Service at any time. Upon termination, all rights granted to you under these Terms cease immediately. Sections of these Terms which by their nature are intended to survive termination — including ownership, indemnification, disclaimers of warranties, limitation of liability, governing law, and dispute resolution — will so survive.
20. Changes to these Terms
The Operator may amend, modify, or replace these Terms at any time. The current version is identified by the version label and the "last updated" date displayed at the top of this page. When the version changes, you will be required to re-accept the updated Terms before using any feature that requires acceptance. Continued use of the Service after acceptance of an updated version constitutes acceptance of that version.
21. Governing law
These Terms and any dispute or claim arising out of or in connection with them (including non-contractual disputes or claims) are governed by and construed in accordance with the laws of the Republic of Korea, without regard to its conflict-of-laws provisions. Where a mandatory consumer-protection law of your country of residence grants you stronger rights or protection, that mandatory law will apply to that extent.
22. Dispute resolution
The parties will first attempt in good faith to resolve any dispute arising out of or in connection with these Terms by informal contact through the Support channel. If a dispute is not resolved within sixty (60) days of first contact, the dispute may be brought before the competent courts of the Republic of Korea, whose jurisdiction is non-exclusive: nothing in this section prevents you from bringing proceedings in the courts of your country of residence where mandatory consumer-protection rules of that jurisdiction grant you such a right, and nothing in this section limits any mandatory right you may have to refer the dispute to a competent supervisory authority (such as a data-protection regulator).
23. Severability and entire agreement
If any provision of these Terms is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, that provision will be modified to the minimum extent necessary to make it valid and enforceable while preserving its original intent, or, if such modification is not possible, severed from these Terms; in either case the remaining provisions will continue in full force and effect. These Terms, together with the Privacy Policy and any additional notices posted within the Service, constitute the entire agreement between you and the Operator regarding the Service and supersede all prior or contemporaneous agreements, communications, and understandings, whether written or oral, regarding the same subject matter.
24. Languages and controlling version
These Terms are originally drafted in the English language and the Operator may publish translations (including a Korean translation) for the convenience of readers. Each language version is intended to express the same substantive rights and obligations and is binding on a User who has accepted the Terms in that language. In the event of any genuine discrepancy, ambiguity, or conflict between the English version and any translation, the English version shall prevail and shall be used to interpret and enforce these Terms. The same rule applies to the Privacy Policy. Nothing in this section limits any mandatory consumer-protection law of your country of residence that requires the Operator to communicate with you, or to enforce certain provisions, in your local language; in such cases, that mandatory law continues to apply notwithstanding this section.
25. No waiver; assignment
Failure or delay by the Operator in enforcing any provision of these Terms is not a waiver of the right to enforce that provision later or to enforce any other provision. You may not assign or transfer any of your rights or obligations under these Terms without the prior written consent of the Operator. The Operator may assign these Terms without restriction. Any attempted assignment in violation of this section is void.
26. Contact
The Operator provides the Service from the Republic of Korea (대한민국). Questions or notices about these Terms can be sent by email to [email protected], or through the in-Service Support channel, or through the in-Service Bug & Operations Reports channel for technical or operational concerns. The in-Service forms are the preferred channels because they let your request be tracked and handled fairly; the email address above is provided as a direct alternative and as the contact point of the Operator for the purposes of applicable data-protection law. The Operator is a natural person operating the Service in a personal, non-commercial capacity and, consistent with the data-minimisation design of the Service, does not publish a personal legal name, postal address, or business-registration number; the country of establishment and the contact email above are the Operator's disclosed identifying and contact details.
Read the full text ▾
1. Summary
The Service collects the minimum personal data strictly necessary to operate a community board with anti-spam protection. The Service does not store raw IP addresses, does not sell personal data, does not display third-party advertising, and does not store passwords. Account data is sourced from your sign-in provider (GitHub or Google). IP-based anti-spam keys are not stored as conventional salted hashes but as one-way HMAC values computed with a daily-rotating random salt that is irrecoverably discarded at the end of each UTC day, so that the Operator cannot — even with full database access — derive yesterday's IP-based identifiers from today's. You may request deletion of your data at any time through the in-Service Bug & Operations Reports channel.
2. Data controller
The Operator is the data controller (and, where the equivalent role exists under your local data-protection law — such as the "personal information controller" under the Republic of Korea Personal Information Protection Act, or the "business" under the California Consumer Privacy Act as amended by the California Privacy Rights Act) for the personal data processed in connection with the Service. The Operator provides the Service from the Republic of Korea (대한민국) and is a natural person operating the Service in a personal, non-commercial capacity, not as a registered business entity; consistent with the data-minimisation design of the Service, the Operator does not publish a personal legal name, postal address, or business-registration number, and discloses instead the country of establishment together with the contact email below. You can contact the Operator about this Policy or to exercise your rights by email at [email protected], or through the in-Service Support or Bug & Operations Reports channels. There is no separate Data Protection Officer; given the scale and nature of the processing, the Operator is not required to appoint one and handles all data-subject requests personally. The Operator has not appointed a representative in the European Union or the United Kingdom under Article 27 of the EU/UK GDPR. Where that obligation applies to the Operator, the Operator will appoint a representative; in the meantime, EU/EEA and UK data subjects retain every right described in this Policy and may at any time contact the Operator directly at the email above and lodge a complaint with their local supervisory authority (Section 11).
3. Lawful basis for processing
The Service processes personal data on the following lawful bases under applicable law (including, where relevant, EU/EEA GDPR Article 6, UK GDPR, the Korean Personal Information Protection Act (PIPA), the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), and equivalent regimes elsewhere): (a) performance of the User-Operator agreement constituted by the Terms of Use; (b) the Operator's legitimate interest in preventing abuse, fraud, and security incidents and in operating the Service safely; (c) compliance with applicable legal obligations to which the Operator is subject; and (d) the User's explicit consent obtained via the consent gate before any processing for which consent is the appropriate legal basis.
4. Categories of personal data we store
(a) Account profile data received from your sign-in provider: provider name (GitHub or Google), provider account ID, login name, public display name, optional numeric display-name suffix, avatar URL, and email address where exposed by the provider. The OAuth access and refresh tokens issued by the sign-in provider are also stored so that your signed-in session can be maintained; they are not used for any purpose other than authentication. (b) Content you submit: post titles and bodies, comment bodies, reactions, content reports, support tickets, and bug & operations reports. (c) For Guest submissions and Member submissions made in Guest Mode only, an HMAC-SHA256 value of the request IP computed with the current day's random salt — used as a cooldown, deduplication, ban, and audit key. The salt is rotated at the end of each UTC day and the previous salt is irrecoverably discarded, so the value cannot be linked across day boundaries even with full database access. Member submissions do not have an IP-derived value stored against them at all; the Account identifier already serves the moderation purpose. (d) Raw IP addresses are not stored. (e) An opaque random viewer identifier cookie used to count unique post views. (f) The publicly displayed Guest identifier shown as "Guest #CODE"; the code is the first ten base-36 digits of the HMAC value in (c) and is therefore tied to the current day only. The Operator cannot reverse the code into an IP and cannot link a code observed on one day to a code observed on another day. (g) Audit-log entries describing automated and manual moderation actions, including the actor, the target, and — for entries that relate to a Guest action, to a Member action carried out in Guest Mode, or to an IP-level access restriction — the current day's IP HMAC. Audit entries that relate to a Member action made under the Member's Account do not include an IP HMAC; the Member identifier is sufficient for moderation review. (h) A record of your acceptance of the current Terms of Use and Privacy Policy versions, stored against your Account if you are signed in or in a first-party browser cookie if you are not. (i) For Guest submissions and Member submissions made in Guest Mode, a one-way bcrypt hash of the deletion password set at write time. The original password is never stored; the hash cannot be reversed. This data is deleted when the associated submission is deleted. (j) For Member sanctions, an internal record of any active access restriction (Account-level write timeout, suspension, or termination) including its stated reason and duration. (k) Ban-appeal submissions: when a User submits a ban-appeal form, the body of that submission and (if the User is signed in) their Account identifier are stored so the Operator can follow up. (l) In-app notification records: where a Member-visible notification is generated (for example, when a post on which the Member has commented is removed, or when the Operator replies to a Member's bug or operations report), a short notification message is stored and deleted once the Member marks it read or the Member's Account is deleted following a deletion request. (m) Software version-history entries (update log): the Operator records internal notes about software updates in a log visible only to the Operator. These entries do not contain personal data and are retained for as long as the Operator considers them useful. (n) Relationship data set by a Member: the block and follow relationships a Member creates between their Account and other Members' Accounts, stored so that the Service can apply the Member's blocking and following choices.
5. Categories of personal data we do NOT store
The Service does not store: raw IP addresses; passwords; payment information; precise geolocation data; advertising identifiers; biometric data; government-issued identifiers; or any data category designated "sensitive" or "special category" under applicable law. The Service does not perform behavioural profiling for advertising purposes. The Service does not retain any IP-derived value beyond the current UTC day.
6. Daily salt rotation and the data-minimisation design
Anti-spam, deduplication, ban, and audit keys derived from a User's request IP are computed using HMAC-SHA256 with a random 256-bit salt stored in an in-memory cache. At the end of each UTC day, the previous day's salt is discarded and replaced with a new random salt. Once a salt is discarded, neither the Operator nor any third party can recover it; the corresponding HMAC values become permanently unlinkable to the IP addresses that produced them and to any HMAC values produced under any other salt. This design is intentional. It means that: (a) an IP-level access restriction ("IP ban") cannot meaningfully bind beyond the current UTC day; (b) the Operator cannot, on request from a User, identify or recover that User's past Guest submissions across day boundaries, because no link exists in the database; and (c) the Operator cannot, on request from law enforcement or any other third party, provide a User's IP address or a value derivable from it, because the Service neither stores raw IP addresses nor retains the salt necessary to recompute prior-day HMAC values. The intent of this design is to comply with the minimisation principles of the Korean Personal Information Protection Act (PIPA) and the EU/EEA GDPR by limiting the Operator's ability to know more than is necessary for the safe operation of the Service. The trade-off is that determined attackers who rotate their network paths cannot be excluded by IP-level restriction alone; the Operator accepts that trade-off and relies on Account-level measures, narrow automated filtering, and the third-party human-verification challenge to maintain Service integrity.
7. Cookies and similar technologies
The Service uses a small number of strictly first-party cookies, all set as HttpOnly where technically possible: an authentication session cookie when you are signed in; a locale cookie remembering your language choice; an opaque viewer cookie (nmt_vid) used to count unique post views; a consent cookie (nmt_consent) recording your acceptance of the current Terms of Use and Privacy Policy versions; a functional cookie (nmt_mode), with a one-year lifetime, that records whether you have switched on the optional 'NMT mode' visual theme; a functional cookie (nmt_palette), with a one-year lifetime, that stores the ten-character code of a personal colour palette you have chosen for NMT mode, if you have saved one; and, only if you reach the Service through a known misspelling of its domain, a functional cookie (nmt_typo_hint) with a thirty-day lifetime that records that a one-time informational banner about the correct address should be shown; and a functional cookie (nmt_snapshot_mode) with a seven-day lifetime that records whether you have switched on 'snapshot mode' (an option that replaces displayed public posts with uniform example content — you can switch it on and off yourself, and no identifying information about your use of it is sent to the Operator). The nmt_mode, nmt_palette, nmt_typo_hint and nmt_snapshot_mode cookies carry only a non-identifying display preference and are intentionally not HttpOnly because they are read by a client-side script. Your light/dark-mode preference is not stored in a cookie at all; it is kept in your browser's local storage (localStorage) by the theme library and is never transmitted to the Operator. The Cloudflare Turnstile human-verification challenge displayed during write actions may set short-lived cookies on the cloudflare.com or challenges.cloudflare.com domains under Cloudflare's own privacy policy; those cookies are strictly necessary to complete the security challenge and are not under the Operator's control. The Service does not use any third-party advertising, marketing, or cross-site tracking cookies, and presents no consent banner because it sets no non-essential cookie that would require one. In addition to cookies, your browser also stores short-lived entries in session storage (sessionStorage) for two client-side conveniences: preserving the contents of a compose form across language switches (cleared after five minutes or when the tab closes), and recording that the one-time first-login welcome banner has been shown in the current session. Both are confined to your browser, are never transmitted to the Operator, and are emptied automatically when you close the tab. The Service uses a feature called 'Web Analytics' provided by Cloudflare, the company that operates the network gateway through which the Service is connected to the public internet. According to Cloudflare's official documentation, this feature does not use any client-side state — it sets no cookie and writes nothing to your browser's local or session storage — and it does not 'fingerprint' individual visitors by their IP address, User-Agent string, or any other signal for the purpose of producing analytics. It is therefore an aggregate, privacy-first statistics tool, and because it stores or accesses no information on your device it does not require a cookie-consent banner under EU/EEA ePrivacy rules. When you visit a page of the Service, Cloudflare, at its gateway layer (commonly called the 'edge'), inserts a small measurement JavaScript file (served from the static.cloudflareinsights.com domain) into the response it sends back to your browser. Your browser then runs that script, which sends aggregate, non-identifying information — the address of the page you visited, the approximate amount of time you spent there, the broad family of your browser and operating system, and a coarse geographic location at the country level (for example, 'Republic of Korea' or 'Japan', not a city or district) — to Cloudflare's own systems (cloudflareinsights.com). The Operator only views the aggregate statistics that Cloudflare compiles from the above information (for example, the total page-view count for today, or the most-viewed pages), uses them solely to understand overall usage of the Service, and never uses them for advertising, profiling, or any attempt to identify an individual. The Service does not separately collect or retain any information that would identify any individual visitor in connection with this feature, and neither the Operator nor Cloudflare sells this data. Information that Cloudflare collects and processes in connection with this feature is governed by Cloudflare's own privacy policy (https://www.cloudflare.com/privacypolicy/).
8. Third-party processors and recipients
The following third-party providers may process technical metadata or personal data in connection with the Service and act as their own controllers and/or processors under their respective privacy policies: GitHub and Google (authentication); Cloudflare (DNS, edge, TLS termination, tunnelling between the public internet and the origin server, and the Turnstile human-verification challenge). The Operator does not control these providers' practices; please consult their respective policies for further information.
9. International data transfers
The origin server is operated in the Republic of Korea. The Cloudflare network and the OAuth identity providers (GitHub, Google) operate globally, so using the Service from outside Korea will involve the transfer of technical metadata and account data to or through other jurisdictions, including the United States. By using the Service from outside Korea you acknowledge that your personal data may be processed in jurisdictions whose data-protection regimes may differ from your own. For transfers of personal data out of the EU/EEA or the United Kingdom, the relevant providers act as the exporting parties and rely on their own transfer mechanisms — principally the European Commission's Standard Contractual Clauses (and the UK Addendum) and, where applicable, an adequacy decision or the EU-U.S. Data Privacy Framework; details are set out in each provider's own privacy documentation (GitHub, Google, and Cloudflare). The Operator does not itself export personal data to any further third party beyond these providers.
10. Data retention
Account profile data is retained while your Account is active. The Service does not provide a self-service account-closure control; if you request deletion of your Account through the email contact, the Support channel, or the Bug & Operations Reports channel, the Operator deletes your Account profile data when processing that request, except for fields that the Operator must retain to satisfy a legal obligation or to resolve an open dispute. Posts and comments are retained until they are deleted by the User, by the Operator, or under any periodic retention policy that may be in force. IP-derived HMAC values stored against Guest submissions and audit entries become unlinkable at most twenty-four (24) hours after creation through salt rotation and are not separately deleted; older values become indistinguishable random strings. Database backups are written daily to a separate disk attached to the origin server, retained for seven (7) days, and then deleted; the Operator may, at the Operator's discretion, additionally store encrypted copies of backups off-host but does not represent that all backups are off-host or encrypted. Audit-log entries (other than the IP-HMAC component, which becomes unlinkable on the next salt rotation) and ban or sanction records are retained only for as long as necessary for security review and dispute resolution and in any event no longer than three (3) years from the date of the entry, unless a specific legal obligation or an unresolved dispute requires longer retention. Consent records (your accepted Terms/Privacy versions and the acceptance timestamp) are retained for as long as your Account exists, and after deletion for the limited period during which the Operator may need to evidence that consent was given, after which they are deleted.
11. Your rights
Subject to the law that applies in your jurisdiction, you may have the right to: access your personal data; correct inaccurate or incomplete data; request erasure (the "right to be forgotten"); restrict or object to processing; receive a portable copy of your data in a structured, commonly used, machine-readable format; withdraw consent (where processing is based on consent), without affecting the lawfulness of processing carried out before withdrawal; and lodge a complaint with the supervisory authority in your country of residence. To exercise any of these rights, contact the Operator through the Support channel. The Operator will respond within a reasonable time and at no charge for routine requests; manifestly unfounded or excessive requests may be refused or charged a reasonable fee in accordance with applicable law.
12. Automated decision-making
The Service applies automated controls for anti-spam and abuse-prevention purposes: rate limiting per daily IP HMAC and per Account, request deduplication, automated content filtering for the categories listed in Section 6 of the Terms of Use (the "severe-content filter"), the strictness of which the Operator configures separately for each board, and a Cloudflare Turnstile human-verification challenge for write actions. Depending on the board's configured strictness, the severe-content filter may refuse a submission, hide it pending human review by the Operator, or flag it for review while leaving it visible; all other automated controls only delay or block a single write attempt and do not produce legal effects on you and do not significantly affect you in any other way comparable to a legal effect. If you believe an automated action against you was incorrect, you may request human review by the Operator through the in-Service Bug & Operations Reports channel.
13. No sale or share for advertising purposes
The Operator does not sell, rent, or share personal data with third parties for monetary or other valuable consideration, and does not "share" personal data for purposes of cross-context behavioural advertising, as those terms are defined under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA). Because there is no sale or share, the Service does not provide a "Do Not Sell or Share My Personal Information" link; there is nothing to opt out of. For California residents, the categories of personal information the Service collects are limited to identifiers (such as a sign-in provider account ID, login name, display name, avatar URL, and — where exposed by the provider — email address), internet or other electronic network activity information (such as content you submit and aggregate page-view statistics), and the day-bound IP-derived HMAC value described in Section 4; the sources are you and your sign-in provider; the business or commercial purpose is operating, securing, and providing the Service and preventing abuse; and the only recipients are the processors and providers listed in Section 8. The Operator does not collect or process any category of "sensitive personal information" for the purpose of inferring characteristics, and does not use personal information for profiling that produces legal or similarly significant effects. California residents have the right to know, to delete, to correct, and to be free from discrimination for exercising these rights; the Service treats all visitors the same regardless of whether they exercise any privacy right, and you may exercise these rights as described in Section 11.
14. Minors
The Service is not directed to children, and the Operator does not knowingly collect personal data from anyone below the minimum age of sixteen (16) set out in the Terms of Use. That sixteen-year threshold is an operator policy aligned with the default age of consent for information-society services under the EU/EEA GDPR; it is higher than the fourteen-year floor permitted for personal-data processing under the Republic of Korea Personal Information Protection Act, and where your local law sets a different age of digital consent the higher of that age or sixteen applies. The Operator does not seek verifiable parental consent to enrol younger children, because the Service is not directed to them. If you believe that a person below the applicable minimum age has provided personal data to the Service, please contact the Operator at [email protected] or through the in-Service Bug & Operations Reports channel and the data will be deleted without undue delay.
15. Security
The Operator implements reasonable technical and organisational measures to protect personal data, including: TLS termination at the network edge with no public origin port; IP-derived anti-spam values computed under a daily-rotating random salt that is held only in volatile memory and irrecoverably discarded at the end of each UTC day (see Section 6), so that a database compromise alone cannot recover prior-day IP-based identifiers; in the rare event that the in-memory salt store is unavailable, a deterministic day-bound fallback is used so that the abuse-prevention pipeline stays operational without weakening the day-boundary unlinkability described in Section 6; least-privilege database access by the application; daily database backups written to a separate disk attached to the origin server and rotated after seven days; audit logging of all administrative actions; and server-side operational logs (performance and error logs) that record response times and software errors — these logs contain no personal data (no IP addresses, no user content) and are stored only on the origin server with rotation at 10 MB / 5 MB respectively. Raw IP addresses are not stored, so a database compromise cannot expose IP addresses of Users. No internet-facing system can be guaranteed perfectly secure. In the event of a personal-data breach affecting your data, the Operator will notify affected Users and any required supervisory authorities within the time limits applicable in the relevant jurisdiction.
16. Changes to this Policy
This Privacy Policy may be updated at any time. The current version is identified by the version label and the "last updated" date displayed at the top of this page. When the version changes, you will be required to re-accept the updated Policy before using any feature that requires acceptance.
17. Contact
Privacy questions and data-subject requests can be sent by email to [email protected], or through the in-Service Support channel, or through the in-Service Bug & Operations Reports channel. The in-Service forms are the preferred channels because they let your request be tracked and handled fairly; the email address above is the direct alternative and is the contact point of the Operator (the data controller) for the purposes of applicable data-protection law. The Operator provides the Service from the Republic of Korea (대한민국). You also have the right to lodge a complaint with the data-protection supervisory authority of your country of residence (for example, in the Republic of Korea, the Personal Information Protection Commission; in the EU/EEA, your national supervisory authority; in the United Kingdom, the Information Commissioner's Office).
If you choose Not now, you can keep reading public pages such as the home, Terms of Use, and Privacy Policy, but every interactive feature — including the sign-in and community navigation — remains gated until you accept.