This Privacy Policy describes the personal data processed by ArchiveBay in connection with its platform, the purposes and lawful bases of such processing, the recipients of personal data, the retention periods applied, and the rights available to data subjects. Capitalised terms not defined in this Policy bear the meanings ascribed to them in the Terms of Service available at /terms.
1.Identity and contact details of the controller
The data controller in respect of the personal data processed through the ArchiveBay platform is ArchiveBay (the "Controller", "we", "us", "our"), the operator of the platform at archivebay.io.
General correspondence may be addressed to hello@archivebay.io. Privacy-specific correspondence, including requests by data subjects under Section 8 below, should be addressed to privacy@archivebay.io.
The Controller has not appointed a Data Protection Officer on the basis that its processing operations do not, in their current form, meet the thresholds set out in Article 37(1) of the UK GDPR. This position is reviewed periodically.
2.Categories of personal data processed
The Controller processes the categories of personal data identified in the table below. Each category is specified with its source, the purpose of processing, and the lawful basis upon which it is processed.
Account identification data
- Source
- Provided by the data subject on registration or in account settings.
- Particulars
- Email address, display name, role indicator (creator/publisher/buyer), optional company name, optional jurisdiction, optional website, optional social handles.
- Purpose
- Establishment and administration of the contractual relationship between the data subject and the Controller; identification and authentication of users; communication regarding the service.
- Lawful basis
- Article 6(1)(b) UK GDPR — processing necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract.
Authentication credentials
- Source
- Provided by the data subject; in the case of federated sign-in, received from the identity provider.
- Particulars
- Password (stored as a salted hash), Solana wallet public address (where wallet authentication is used), federated-identity-provider subject identifier.
- Purpose
- Verification of identity at sign-in; protection of the data subject's account against unauthorised access.
- Lawful basis
- Article 6(1)(b) UK GDPR (performance of contract); Article 6(1)(f) UK GDPR — legitimate interests in maintaining the security of the platform.
Archive metadata
- Source
- Generated by the data subject or by the publication channels with which the data subject has authenticated.
- Particulars
- Source platform identifier, public uniform resource locators, item titles, publication dates, aggregate word and item counts, item-level cryptographic fingerprints (SHA-256). The full content of the underlying works is not stored.
- Purpose
- Listing of archives on the platform; generation of the licensing manifest annexed to each License Agreement.
- Lawful basis
- Article 6(1)(b) UK GDPR (performance of contract).
Verification credentials
- Source
- Provided by the data subject in the course of the ownership-verification procedure.
- Particulars
- Application programming interface (API) keys for third-party publication platforms (where applicable); OAuth access tokens (where federated verification is used). Where API keys are used for verification, they are processed in volatile memory only and are not persisted. OAuth tokens are retained only for so long as is necessary to complete the verification check, and are thereafter discarded.
- Purpose
- Verification that the data subject controls the publication channel associated with the archive being listed.
- Lawful basis
- Article 6(1)(b) UK GDPR (performance of contract).
Licence records
- Source
- Generated by the platform upon the consummation of a transaction.
- Particulars
- Identifiers of the parties (licensor and licensee), archive identifier and manifest hash, consideration paid, fee split, licence term, expiry date, status, and the signature of the on-chain transaction recording the licence.
- Purpose
- Maintenance of the canonical record of transactions consummated on the platform; production of licence documentation for the parties; anchoring of the licence to a public, immutable register.
- Lawful basis
- Article 6(1)(b) UK GDPR (performance of contract); Article 6(1)(f) UK GDPR — legitimate interests in producing an enforceable and auditable record of the transaction.
API access credentials (licensee)
- Source
- Generated by the platform at the request of the data subject.
- Particulars
- Cryptographic hashes of API keys issued to licensees; metadata regarding key creation, last use, and revocation. The plaintext of the key is presented to the data subject once at creation and is not retained by the Controller.
- Purpose
- Authentication of programmatic access to licensed content.
- Lawful basis
- Article 6(1)(b) UK GDPR (performance of contract).
Operational telemetry
- Source
- Generated automatically in the course of the data subject's interaction with the platform.
- Particulars
- Request timestamps, salted and daily-rotated hashes of internet protocol addresses (the raw addresses are not retained), user-agent strings, error traces, and rate-limiting counters.
- Purpose
- Detection and prevention of abuse and security incidents; diagnostic investigation of errors; enforcement of rate limits.
- Lawful basis
- Article 6(1)(f) UK GDPR — legitimate interests in maintaining the security, availability, and integrity of the platform.
3.Categories of personal data not processed
In addition to disclosing what is processed, the Controller records the following matters by way of confirmation:
- The Controller does not engage in cross-site tracking of data subjects. No tracking pixels, cross-domain identifiers, or advertising cookies are deployed by the Controller on the platform.
- The Controller does not sell personal data within the meaning of section 1798.140(t) of the California Consumer Privacy Act, nor does it share personal data for cross-context behavioural advertising within the meaning of section 1798.140(ah).
- The Controller does not perform device or browser fingerprinting.
- The Controller deploys only such cookies as are strictly necessary for the operation of the platform (in particular, the session cookie that maintains the data subject's authenticated session). No further consent is requested for cookie usage because the cookies in use qualify as strictly necessary within the meaning of regulation 6(4) of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
4.Recipients of personal data
Personal data is disclosed only to the categories of recipient identified below, and only to the extent necessary for the purposes described in Section 2.
- Processors engaged by the Controller, in each case under a written processing agreement complying with the requirements of Article 28 UK GDPR:
- Supabase Inc. — provision of the managed database and authentication infrastructure. Data is hosted in the Amazon Web Services region ap-southeast-2 (Sydney, Australia).
- Netlify, Inc. — provision of application hosting, transport-layer security termination, and edge caching.
- Resend Inc. — provision of transactional email services. Processes recipient email address and message contents for the duration of delivery.
- Independent controllers, where the data subject's interaction is governed by that party's own privacy notice:
- Google LLC — where the data subject elects to authenticate by means of Google OAuth, the Controller receives the email address and display name returned by Google in respect of the authenticated identity.
- Public registers — the Solana blockchain. Licence records are written to the chain as part of the transaction-settlement workflow described in the Terms of Service. The chain is operated by a decentralised network of independent participants; no single party (including the Controller) controls the data once it is committed.
- Competent authorities, where disclosure is required by applicable law, regulatory request, or order of a court of competent jurisdiction.
- Professional advisors of the Controller (including legal counsel, accountants, and auditors), where disclosure is necessary for the operation or protection of the Controller's business.
- Acquirers or successors, in the event of a merger, acquisition, restructuring, or sale of the business or assets of the Controller, to the extent necessary for the evaluation or consummation of such transaction.
5.International transfers of personal data
The infrastructure of the platform involves the processing of personal data outside the United Kingdom and the European Economic Area. In particular, the managed database is hosted in Australia and certain processors maintain operations in the United States.
Transfers of personal data to recipients outside the United Kingdom and the European Economic Area are made on the basis of the International Data Transfer Agreement and the United Kingdom Addendum to the European Commission Standard Contractual Clauses, or, in respect of transfers governed by EU law, the European Commission Standard Contractual Clauses adopted pursuant to Article 46(2)(c) UK GDPR / GDPR. Copies of the relevant transfer instruments may be requested from the address in Section 1.
6.Retention
The Controller retains personal data for no longer than is necessary for the purposes for which it is processed, in accordance with the following retention periods.
- Account data — for the duration of the account's existence. Following account closure, the account is soft-deleted (rendered inaccessible to the data subject and removed from public surfaces) for a period of thirty (30) days, after which it is hard-deleted save in respect of fields that are required to be retained for the continued performance of subsisting License Agreements or for the discharge of a legal or regulatory obligation.
- Licence records — for the duration of the relevant licence term and for a period of six (6) years thereafter, to enable the Controller to discharge tax, accounting, and limitation-period obligations.
- Operational telemetry — ninety (90) days from the date of generation, after which records are automatically purged.
- Email correspondence — for so long as is necessary to handle the matter to which the correspondence relates, and thereafter for so long as is necessary to comply with any applicable limitation period.
- On-chain records — permanently. The Controller is unable to procure the erasure of information committed to a public blockchain. This limitation is explained to data subjects prior to the consummation of any transaction.
7.Source of data not collected from the data subject
Where the Controller obtains personal data otherwise than from the data subject, the source is identified to the data subject at the first reasonable opportunity, in accordance with Article 14 UK GDPR. The principal categories of indirect source are:
- identity providers (e.g. Google LLC), in respect of data subjects who elect to authenticate by means of federated sign-in;
- publication platforms with which the data subject has independently authenticated (e.g. for the purpose of ownership verification), in respect of public-channel metadata associated with the data subject's account on that platform.
8.Rights of data subjects
Data subjects in the United Kingdom and the European Economic Area have the following rights under the UK GDPR and the EU GDPR. The Controller extends the same rights, as a matter of policy, to all data subjects regardless of residence.
- Right of access (Article 15) — to obtain confirmation as to whether personal data concerning the data subject is being processed and, where that is the case, access to that personal data.
- Right to rectification (Article 16) — to obtain the rectification of inaccurate personal data and the completion of incomplete personal data.
- Right to erasure (Article 17) — to obtain the erasure of personal data without undue delay in the circumstances specified by that Article. The Controller's inability to procure the erasure of personal data committed to a public blockchain is noted at Section 6 above.
- Right to restriction of processing(Article 18) — to obtain the restriction of processing in the circumstances specified by that Article.
- Right to data portability (Article 20) — to receive personal data provided to the Controller in a structured, commonly used, and machine-readable format, and to transmit such data to another controller.
- Right to object (Article 21) — to object, on grounds relating to the data subject's particular situation, to processing based on Article 6(1)(e) or Article 6(1)(f) UK GDPR.
- Right to withdraw consent (Article 7(3)) — where processing is based on consent, to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint (Article 77) — with a supervisory authority, in particular in the Member State of the data subject's habitual residence, place of work, or place of the alleged infringement. In the United Kingdom, the supervisory authority is the Information Commissioner's Office (ico.org.uk).
Exercise of rights. Requests under this Section 8 should be addressed to privacy@archivebay.io from the email address registered with the data subject's account, or, where that is not possible, accompanied by such information as is reasonably necessary to verify the identity of the data subject. The Controller will respond to a substantiated request within one (1) month of receipt, extendable by a further two (2) months where necessary taking into account the complexity and number of the requests, in accordance with Article 12(3) UK GDPR.
Residents of California. California residents enjoy substantially the same rights under the CCPA, including the right to know the categories and specific pieces of personal information collected, the right to deletion, the right to correction, the right to limit the use of sensitive personal information, and the right not to be subject to retaliation for the exercise of any such right. The Controller does not sell personal information within the meaning of the CCPA.
9.Automated decision-making and profiling
The Controller does not engage in solely automated decision-making producing legal or similarly significant effects concerning data subjects within the meaning of Article 22 UK GDPR. The admission of licensee accounts to the platform involves human review.
10.Security
The Controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risks posed by processing, in accordance with Article 32 UK GDPR. Without limiting the foregoing, passwords are stored as salted hashes (bcrypt); API keys are stored as SHA-256 hashes; all transport is secured by transport-layer security; row-level security is enabled on the database; access to service-role database credentials is restricted to server-side processes; and wallet signatures are verified by reference to standard Ed25519 cryptography.
In the event of a personal-data breach within the meaning of Article 4(12) UK GDPR, the Controller will, where required, notify the Information Commissioner's Office not later than seventy-two (72) hours after becoming aware of the breach, and will communicate the breach to affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Articles 33 and 34 UK GDPR.
11.Children
The platform is not directed to persons under the age of eighteen (18) years. The Controller does not knowingly process the personal data of children. If the Controller becomes aware that it has, inadvertently, collected the personal data of a child, the data will be erased.
12.Amendments
The Controller may amend this Privacy Policy from time to time. The current version is identified by the effective date appearing at the head of this notice. Material amendments will be notified to active data subjects by email or in-product notice not less than thirty (30) days prior to the effective date of the amendment, save where the amendment is required by applicable law or to address a security or operational emergency.