Privacy Policy
Last updated: May 5, 2026
Identity at the Core ("we", "us", or "the Publication") takes your privacy seriously. This Privacy Policy explains what personal information we collect, how we use it, and the rights you have over your data. We follow the principles of the EU General Data Protection Regulation (GDPR), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and the California Consumer Privacy Act (CCPA).
1. Who We Are
Identity at the Core is an independent publication covering Identity and Access Management (IAM) news, breach intelligence, and expert commentary. The site is operated by Paulo Valadares (about the author).
2. Information We Collect
Information you provide directly
- Account information when you register: name, email address, optional profile information (bio, title, company, links).
- Authentication credentials: passwords are stored as Argon2id hashes (OWASP-recommended); we never store plain-text passwords. We also support OAuth sign-in via Google and GitHub.
- Newsletter subscriptions: email address only.
- Submitted content: questions, votes, guest column drafts, and partnership applications.
- Donations: payment information is collected and processed by Stripe; we never see or store your card details.
Information collected automatically
- Usage analytics: aggregated, anonymous metrics from Vercel Web Analytics and Speed Insights. We do not use cookies for tracking.
- Security logs: IP address, user agent, and timestamps for authentication events and significant actions, used for fraud prevention and incident response.
3. How We Use Your Information
- To provide and maintain your account and our services.
- To send you the newsletter or transactional emails you request.
- To detect, prevent, and respond to security incidents.
- To comply with legal obligations and enforce our Terms of Service.
We do not sell your personal information. We do not use it for advertising or share it with advertisers.
4. Legal Bases for Processing (GDPR)
We process personal data under the following legal bases: your consent (newsletter, optional profile fields), performance of a contract (account services), legitimate interests (security, fraud prevention), and legal obligation (compliance with applicable law).
5. Data Retention
- Account data: retained until you delete your account.
- Audit and security logs: retained for 12 months.
- Newsletter subscriptions: retained until you unsubscribe.
- Donation records: retained for 7 years to comply with tax and accounting requirements.
6. Sharing With Third Parties
We share data only with vendors who help us operate the service, under contracts that bind them to confidentiality and data-protection standards equivalent to ours:
- Vercel — hosting and analytics
- Neon — managed PostgreSQL database
- Stripe — payment processing
- SMTP provider — transactional email delivery
- OAuth providers (Google, GitHub) — only if you choose to sign in via OAuth
7. International Data Transfers
Our infrastructure is based in North America. If you access the site from outside this region, your information will be transferred to and processed in jurisdictions whose data-protection laws may differ from your own. We rely on Standard Contractual Clauses where applicable.
8. Your Rights
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and associated data.
- Export your data in a machine-readable format.
- Withdraw consent at any time (where consent is the legal basis).
- Object to processing or request restriction.
- Lodge a complaint with your local data-protection authority (e.g., the Office of the Privacy Commissioner of Canada, the European Data Protection Board, or your state's attorney general).
To exercise any of these rights, email privacy@identityatcore.org. We will respond within 30 days.
9. Security
We protect your data with measures including: TLS 1.3 in transit, encryption at rest, Argon2id password hashing, role-based access control, per-endpoint rate limiting, audit logging of every significant action, and a strict Content Security Policy. No system is perfectly secure, but we work continuously to reduce risk.
10. Children
This service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have, please contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced via the newsletter and a banner on this page. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact
Questions about this policy or our data practices? Email privacy@identityatcore.org.