Sign in

Privacy Policy

This Privacy Policy explains what personal data the Service collects, on what legal basis it is processed, how it is used, where it is stored, with whom it is shared, how long it is retained, and what controls you have. It applies to all visitors of needmoretruth.com regardless of location. Two design choices shape the rest of this document: the Service stores no raw IP addresses, and the values it does store for anti-spam purposes are computed under a daily-rotating random salt that is irrecoverably discarded each UTC day, so that the Operator cannot link those values across day boundaries. Capitalised terms used but not defined in this Policy have the meaning given to them in the Terms of Use.

Last updated: 2026-05-29 · Version: 2026-05-29-v17

1. Summary

The Service collects the minimum personal data strictly necessary to operate a community board with anti-spam protection. The Service does not store raw IP addresses, does not sell personal data, does not display third-party advertising, and does not store passwords. Account data is sourced from your sign-in provider (GitHub or Google). IP-based anti-spam keys are not stored as conventional salted hashes but as one-way HMAC values computed with a daily-rotating random salt that is irrecoverably discarded at the end of each UTC day, so that the Operator cannot — even with full database access — derive yesterday's IP-based identifiers from today's. You may request deletion of your data at any time through the in-Service Bug & Operations Reports channel.

2. Data controller

The Operator is the data controller (and, where the equivalent role exists under your local data-protection law — such as the "personal information controller" under the Republic of Korea Personal Information Protection Act, or the "business" under the California Consumer Privacy Act as amended by the California Privacy Rights Act) for the personal data processed in connection with the Service. The Operator provides the Service from the Republic of Korea (대한민국) and is a natural person operating the Service in a personal, non-commercial capacity, not as a registered business entity; consistent with the data-minimisation design of the Service, the Operator does not publish a personal legal name, postal address, or business-registration number, and discloses instead the country of establishment together with the contact email below. You can contact the Operator about this Policy or to exercise your rights by email at [email protected], or through the in-Service Support or Bug & Operations Reports channels. There is no separate Data Protection Officer; given the scale and nature of the processing, the Operator is not required to appoint one and handles all data-subject requests personally. The Operator has not appointed a representative in the European Union or the United Kingdom under Article 27 of the EU/UK GDPR. Where that obligation applies to the Operator, the Operator will appoint a representative; in the meantime, EU/EEA and UK data subjects retain every right described in this Policy and may at any time contact the Operator directly at the email above and lodge a complaint with their local supervisory authority (Section 11).

3. Lawful basis for processing

The Service processes personal data on the following lawful bases under applicable law (including, where relevant, EU/EEA GDPR Article 6, UK GDPR, the Korean Personal Information Protection Act (PIPA), the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), and equivalent regimes elsewhere): (a) performance of the User-Operator agreement constituted by the Terms of Use; (b) the Operator's legitimate interest in preventing abuse, fraud, and security incidents and in operating the Service safely; (c) compliance with applicable legal obligations to which the Operator is subject; and (d) the User's explicit consent obtained via the consent gate before any processing for which consent is the appropriate legal basis.

4. Categories of personal data we store

(a) Account profile data received from your sign-in provider: provider name (GitHub or Google), provider account ID, login name, public display name, optional numeric display-name suffix, avatar URL, and email address where exposed by the provider. The OAuth access and refresh tokens issued by the sign-in provider are also stored so that your signed-in session can be maintained; they are not used for any purpose other than authentication. (b) Content you submit: post titles and bodies, comment bodies, reactions, content reports, support tickets, and bug & operations reports. (c) For Guest submissions and Member submissions made in Guest Mode only, an HMAC-SHA256 value of the request IP computed with the current day's random salt — used as a cooldown, deduplication, ban, and audit key. The salt is rotated at the end of each UTC day and the previous salt is irrecoverably discarded, so the value cannot be linked across day boundaries even with full database access. Member submissions do not have an IP-derived value stored against them at all; the Account identifier already serves the moderation purpose. (d) Raw IP addresses are not stored. (e) An opaque random viewer identifier cookie used to count unique post views. (f) The publicly displayed Guest identifier shown as "Guest #CODE"; the code is the first ten base-36 digits of the HMAC value in (c) and is therefore tied to the current day only. The Operator cannot reverse the code into an IP and cannot link a code observed on one day to a code observed on another day. (g) Audit-log entries describing automated and manual moderation actions, including the actor, the target, and — for entries that relate to a Guest action, to a Member action carried out in Guest Mode, or to an IP-level access restriction — the current day's IP HMAC. Audit entries that relate to a Member action made under the Member's Account do not include an IP HMAC; the Member identifier is sufficient for moderation review. (h) A record of your acceptance of the current Terms of Use and Privacy Policy versions, stored against your Account if you are signed in or in a first-party browser cookie if you are not. (i) For Guest submissions and Member submissions made in Guest Mode, a one-way bcrypt hash of the deletion password set at write time. The original password is never stored; the hash cannot be reversed. This data is deleted when the associated submission is deleted. (j) For Member sanctions, an internal record of any active access restriction (Account-level write timeout, suspension, or termination) including its stated reason and duration. (k) Ban-appeal submissions: when a User submits a ban-appeal form, the body of that submission and (if the User is signed in) their Account identifier are stored so the Operator can follow up. (l) In-app notification records: where a Member-visible notification is generated (for example, when a post on which the Member has commented is removed, or when the Operator replies to a Member's bug or operations report), a short notification message is stored and deleted once the Member marks it read or the Member's Account is deleted following a deletion request. (m) Software version-history entries (update log): the Operator records internal notes about software updates in a log visible only to the Operator. These entries do not contain personal data and are retained for as long as the Operator considers them useful. (n) Relationship data set by a Member: the block and follow relationships a Member creates between their Account and other Members' Accounts, stored so that the Service can apply the Member's blocking and following choices.

5. Categories of personal data we do NOT store

The Service does not store: raw IP addresses; passwords; payment information; precise geolocation data; advertising identifiers; biometric data; government-issued identifiers; or any data category designated "sensitive" or "special category" under applicable law. The Service does not perform behavioural profiling for advertising purposes. The Service does not retain any IP-derived value beyond the current UTC day.

6. Daily salt rotation and the data-minimisation design

Anti-spam, deduplication, ban, and audit keys derived from a User's request IP are computed using HMAC-SHA256 with a random 256-bit salt stored in an in-memory cache. At the end of each UTC day, the previous day's salt is discarded and replaced with a new random salt. Once a salt is discarded, neither the Operator nor any third party can recover it; the corresponding HMAC values become permanently unlinkable to the IP addresses that produced them and to any HMAC values produced under any other salt. This design is intentional. It means that: (a) an IP-level access restriction ("IP ban") cannot meaningfully bind beyond the current UTC day; (b) the Operator cannot, on request from a User, identify or recover that User's past Guest submissions across day boundaries, because no link exists in the database; and (c) the Operator cannot, on request from law enforcement or any other third party, provide a User's IP address or a value derivable from it, because the Service neither stores raw IP addresses nor retains the salt necessary to recompute prior-day HMAC values. The intent of this design is to comply with the minimisation principles of the Korean Personal Information Protection Act (PIPA) and the EU/EEA GDPR by limiting the Operator's ability to know more than is necessary for the safe operation of the Service. The trade-off is that determined attackers who rotate their network paths cannot be excluded by IP-level restriction alone; the Operator accepts that trade-off and relies on Account-level measures, narrow automated filtering, and the third-party human-verification challenge to maintain Service integrity.

7. Cookies and similar technologies

The Service uses a small number of strictly first-party cookies, all set as HttpOnly where technically possible: an authentication session cookie when you are signed in; a locale cookie remembering your language choice; an opaque viewer cookie (nmt_vid) used to count unique post views; a consent cookie (nmt_consent) recording your acceptance of the current Terms of Use and Privacy Policy versions; a functional cookie (nmt_mode), with a one-year lifetime, that records whether you have switched on the optional 'NMT mode' visual theme; a functional cookie (nmt_palette), with a one-year lifetime, that stores the ten-character code of a personal colour palette you have chosen for NMT mode, if you have saved one; and, only if you reach the Service through a known misspelling of its domain, a functional cookie (nmt_typo_hint) with a thirty-day lifetime that records that a one-time informational banner about the correct address should be shown; and a functional cookie (nmt_snapshot_mode) with a seven-day lifetime that records whether you have switched on 'snapshot mode' (an option that replaces displayed public posts with uniform example content — you can switch it on and off yourself, and no identifying information about your use of it is sent to the Operator). The nmt_mode, nmt_palette, nmt_typo_hint and nmt_snapshot_mode cookies carry only a non-identifying display preference and are intentionally not HttpOnly because they are read by a client-side script. Your light/dark-mode preference is not stored in a cookie at all; it is kept in your browser's local storage (localStorage) by the theme library and is never transmitted to the Operator. The Cloudflare Turnstile human-verification challenge displayed during write actions may set short-lived cookies on the cloudflare.com or challenges.cloudflare.com domains under Cloudflare's own privacy policy; those cookies are strictly necessary to complete the security challenge and are not under the Operator's control. The Service does not use any third-party advertising, marketing, or cross-site tracking cookies, and presents no consent banner because it sets no non-essential cookie that would require one. In addition to cookies, your browser also stores short-lived entries in session storage (sessionStorage) for two client-side conveniences: preserving the contents of a compose form across language switches (cleared after five minutes or when the tab closes), and recording that the one-time first-login welcome banner has been shown in the current session. Both are confined to your browser, are never transmitted to the Operator, and are emptied automatically when you close the tab. The Service uses a feature called 'Web Analytics' provided by Cloudflare, the company that operates the network gateway through which the Service is connected to the public internet. According to Cloudflare's official documentation, this feature does not use any client-side state — it sets no cookie and writes nothing to your browser's local or session storage — and it does not 'fingerprint' individual visitors by their IP address, User-Agent string, or any other signal for the purpose of producing analytics. It is therefore an aggregate, privacy-first statistics tool, and because it stores or accesses no information on your device it does not require a cookie-consent banner under EU/EEA ePrivacy rules. When you visit a page of the Service, Cloudflare, at its gateway layer (commonly called the 'edge'), inserts a small measurement JavaScript file (served from the static.cloudflareinsights.com domain) into the response it sends back to your browser. Your browser then runs that script, which sends aggregate, non-identifying information — the address of the page you visited, the approximate amount of time you spent there, the broad family of your browser and operating system, and a coarse geographic location at the country level (for example, 'Republic of Korea' or 'Japan', not a city or district) — to Cloudflare's own systems (cloudflareinsights.com). The Operator only views the aggregate statistics that Cloudflare compiles from the above information (for example, the total page-view count for today, or the most-viewed pages), uses them solely to understand overall usage of the Service, and never uses them for advertising, profiling, or any attempt to identify an individual. The Service does not separately collect or retain any information that would identify any individual visitor in connection with this feature, and neither the Operator nor Cloudflare sells this data. Information that Cloudflare collects and processes in connection with this feature is governed by Cloudflare's own privacy policy (https://www.cloudflare.com/privacypolicy/).

8. Third-party processors and recipients

The following third-party providers may process technical metadata or personal data in connection with the Service and act as their own controllers and/or processors under their respective privacy policies: GitHub and Google (authentication); Cloudflare (DNS, edge, TLS termination, tunnelling between the public internet and the origin server, and the Turnstile human-verification challenge). The Operator does not control these providers' practices; please consult their respective policies for further information.

9. International data transfers

The origin server is operated in the Republic of Korea. The Cloudflare network and the OAuth identity providers (GitHub, Google) operate globally, so using the Service from outside Korea will involve the transfer of technical metadata and account data to or through other jurisdictions, including the United States. By using the Service from outside Korea you acknowledge that your personal data may be processed in jurisdictions whose data-protection regimes may differ from your own. For transfers of personal data out of the EU/EEA or the United Kingdom, the relevant providers act as the exporting parties and rely on their own transfer mechanisms — principally the European Commission's Standard Contractual Clauses (and the UK Addendum) and, where applicable, an adequacy decision or the EU-U.S. Data Privacy Framework; details are set out in each provider's own privacy documentation (GitHub, Google, and Cloudflare). The Operator does not itself export personal data to any further third party beyond these providers.

10. Data retention

Account profile data is retained while your Account is active. The Service does not provide a self-service account-closure control; if you request deletion of your Account through the email contact, the Support channel, or the Bug & Operations Reports channel, the Operator deletes your Account profile data when processing that request, except for fields that the Operator must retain to satisfy a legal obligation or to resolve an open dispute. Posts and comments are retained until they are deleted by the User, by the Operator, or under any periodic retention policy that may be in force. IP-derived HMAC values stored against Guest submissions and audit entries become unlinkable at most twenty-four (24) hours after creation through salt rotation and are not separately deleted; older values become indistinguishable random strings. Database backups are written daily to a separate disk attached to the origin server, retained for seven (7) days, and then deleted; the Operator may, at the Operator's discretion, additionally store encrypted copies of backups off-host but does not represent that all backups are off-host or encrypted. Audit-log entries (other than the IP-HMAC component, which becomes unlinkable on the next salt rotation) and ban or sanction records are retained only for as long as necessary for security review and dispute resolution and in any event no longer than three (3) years from the date of the entry, unless a specific legal obligation or an unresolved dispute requires longer retention. Consent records (your accepted Terms/Privacy versions and the acceptance timestamp) are retained for as long as your Account exists, and after deletion for the limited period during which the Operator may need to evidence that consent was given, after which they are deleted.

11. Your rights

Subject to the law that applies in your jurisdiction, you may have the right to: access your personal data; correct inaccurate or incomplete data; request erasure (the "right to be forgotten"); restrict or object to processing; receive a portable copy of your data in a structured, commonly used, machine-readable format; withdraw consent (where processing is based on consent), without affecting the lawfulness of processing carried out before withdrawal; and lodge a complaint with the supervisory authority in your country of residence. To exercise any of these rights, contact the Operator through the Support channel. The Operator will respond within a reasonable time and at no charge for routine requests; manifestly unfounded or excessive requests may be refused or charged a reasonable fee in accordance with applicable law.

12. Automated decision-making

The Service applies automated controls for anti-spam and abuse-prevention purposes: rate limiting per daily IP HMAC and per Account, request deduplication, automated content filtering for the categories listed in Section 6 of the Terms of Use (the "severe-content filter"), the strictness of which the Operator configures separately for each board, and a Cloudflare Turnstile human-verification challenge for write actions. Depending on the board's configured strictness, the severe-content filter may refuse a submission, hide it pending human review by the Operator, or flag it for review while leaving it visible; all other automated controls only delay or block a single write attempt and do not produce legal effects on you and do not significantly affect you in any other way comparable to a legal effect. If you believe an automated action against you was incorrect, you may request human review by the Operator through the in-Service Bug & Operations Reports channel.

13. No sale or share for advertising purposes

The Operator does not sell, rent, or share personal data with third parties for monetary or other valuable consideration, and does not "share" personal data for purposes of cross-context behavioural advertising, as those terms are defined under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA). Because there is no sale or share, the Service does not provide a "Do Not Sell or Share My Personal Information" link; there is nothing to opt out of. For California residents, the categories of personal information the Service collects are limited to identifiers (such as a sign-in provider account ID, login name, display name, avatar URL, and — where exposed by the provider — email address), internet or other electronic network activity information (such as content you submit and aggregate page-view statistics), and the day-bound IP-derived HMAC value described in Section 4; the sources are you and your sign-in provider; the business or commercial purpose is operating, securing, and providing the Service and preventing abuse; and the only recipients are the processors and providers listed in Section 8. The Operator does not collect or process any category of "sensitive personal information" for the purpose of inferring characteristics, and does not use personal information for profiling that produces legal or similarly significant effects. California residents have the right to know, to delete, to correct, and to be free from discrimination for exercising these rights; the Service treats all visitors the same regardless of whether they exercise any privacy right, and you may exercise these rights as described in Section 11.

14. Minors

The Service is not directed to children, and the Operator does not knowingly collect personal data from anyone below the minimum age of sixteen (16) set out in the Terms of Use. That sixteen-year threshold is an operator policy aligned with the default age of consent for information-society services under the EU/EEA GDPR; it is higher than the fourteen-year floor permitted for personal-data processing under the Republic of Korea Personal Information Protection Act, and where your local law sets a different age of digital consent the higher of that age or sixteen applies. The Operator does not seek verifiable parental consent to enrol younger children, because the Service is not directed to them. If you believe that a person below the applicable minimum age has provided personal data to the Service, please contact the Operator at [email protected] or through the in-Service Bug & Operations Reports channel and the data will be deleted without undue delay.

15. Security

The Operator implements reasonable technical and organisational measures to protect personal data, including: TLS termination at the network edge with no public origin port; IP-derived anti-spam values computed under a daily-rotating random salt that is held only in volatile memory and irrecoverably discarded at the end of each UTC day (see Section 6), so that a database compromise alone cannot recover prior-day IP-based identifiers; in the rare event that the in-memory salt store is unavailable, a deterministic day-bound fallback is used so that the abuse-prevention pipeline stays operational without weakening the day-boundary unlinkability described in Section 6; least-privilege database access by the application; daily database backups written to a separate disk attached to the origin server and rotated after seven days; audit logging of all administrative actions; and server-side operational logs (performance and error logs) that record response times and software errors — these logs contain no personal data (no IP addresses, no user content) and are stored only on the origin server with rotation at 10 MB / 5 MB respectively. Raw IP addresses are not stored, so a database compromise cannot expose IP addresses of Users. No internet-facing system can be guaranteed perfectly secure. In the event of a personal-data breach affecting your data, the Operator will notify affected Users and any required supervisory authorities within the time limits applicable in the relevant jurisdiction.

16. Changes to this Policy

This Privacy Policy may be updated at any time. The current version is identified by the version label and the "last updated" date displayed at the top of this page. When the version changes, you will be required to re-accept the updated Policy before using any feature that requires acceptance.

17. Contact

Privacy questions and data-subject requests can be sent by email to [email protected], or through the in-Service Support channel, or through the in-Service Bug & Operations Reports channel. The in-Service forms are the preferred channels because they let your request be tracked and handled fairly; the email address above is the direct alternative and is the contact point of the Operator (the data controller) for the purposes of applicable data-protection law. The Operator provides the Service from the Republic of Korea (대한민국). You also have the right to lodge a complaint with the data-protection supervisory authority of your country of residence (for example, in the Republic of Korea, the Personal Information Protection Commission; in the EU/EEA, your national supervisory authority; in the United Kingdom, the Information Commissioner's Office).