This Privacy Policy explains how AGORÀ may collect, use, store, and protect personal data.

1. Service operator / controller

The data controller of AGORÀ is:

Mehdi Benkaouz
Bologna, Italy
Contact: privacy@agorapolis.org

AGORÀ is an independent project operated as a personal initiative. It is not currently operated by a registered company. If the organizational structure changes, this section will be updated accordingly.

2. Scope of this policy

This Privacy Policy describes how AGORÀ may process personal data when users visit the website, create an account, sign in, publish posts, interact with other users, use platform tools, contact support, submit reports, or otherwise use the service.

This policy applies to personal data processed through the AGORÀ website and related platform functions. It should be read together with the Terms of Service and the Cookies & Storage Notice.

3. Data we may collect

Depending on how AGORÀ is used, the platform may process categories of data such as:

• Account and identity data — email address, display name, profile picture URL, and authentication-related records. If you sign in via Google OAuth, AGORÀ receives your email address, name, and profile picture from Google. AGORÀ does not receive or store your Google password.
• User-generated content — posts, comments, replies, profile text, saved items, uploaded images and videos, bug reports, moderation appeals, map session data, game session states, or other content submitted by users.
• Technical and device data — IP address, browser type, operating system, session tokens, timestamps, request logs, and security events. Cloudflare, which serves as our infrastructure provider, may also collect connection metadata as part of its standard service.
• Usage data — pages visited, features used, interactions, account actions, navigation events, saved preferences, and platform activity patterns.
• Authentication data — one-time password (OTP) codes sent to your email for login verification, session cookies, and login timestamps. OTP codes are stored temporarily and deleted after use or expiration.
• Support and communication data — messages sent to support, legal notices, abuse reports, or correspondence with AGORÀ.
• Moderation and trust & safety data — reports, enforcement records, restriction history, spam detection signals (including action timestamps and periodicity analysis), and investigation notes reasonably necessary to protect the platform and users.
• Local storage and browser-side data — theme preferences, terms acceptance records, login state indicators, and other device-side data described in the Cookies & Storage Notice.

4. Public content and visibility

AGORÀ is designed as a public or semi-public discussion platform. This means that some profile information, posts, comments, reactions, or other user activity may be visible to other users or, depending on platform design, to the wider public.

Users should assume that content intentionally published to the platform may be viewed, copied, quoted, screenshotted, archived, or discussed by others, even if AGORÀ later limits or removes access. AGORÀ cannot guarantee that third parties will not reproduce or retain content they have already seen.

5. Why data may be processed

AGORÀ may process personal data for purposes including:

• creating and maintaining user accounts;
• authenticating users and keeping sessions secure;
• publishing, displaying, storing, and delivering user content and profile information;
• operating features such as posts, comments, saved items, maps, games, discovery, or future modules;
• detecting, preventing, and investigating spam, abuse, fraud, platform misuse, or security incidents;
• reviewing reports, moderating content, and enforcing the Terms of Service;
• communicating with users about the service, updates, security matters, or policy changes;
• fulfilling legal obligations, defending rights, responding to lawful requests, or preserving evidence where necessary;
• improving reliability, performance, accessibility, and user experience;
• maintaining internal logs, backups, business continuity, and administrative records.

6. Legal bases

Where data protection law such as the GDPR applies, AGORÀ may rely on one or more legal bases depending on the context of processing. These may include:

• Performance of a contract — when processing is necessary to provide the service requested by the user;
• Legitimate interests — when reasonably necessary to protect platform security, prevent abuse, improve the service, operate moderation systems, or defend legal rights, provided such interests are not overridden by the user’s rights where the law requires balancing;
• Consent — where the law requires consent, including for some non-essential cookies, storage, or comparable technologies;
• Legal obligation — when AGORÀ must retain, disclose, or process data to comply with applicable law;
• Protection of vital interests or public-interest grounds — only where applicable and legally justified.

AGORÀ identifies the correct legal basis for each processing activity and does not rely on consent where another legal basis is the proper one.

7. Cookies and local storage

AGORÀ uses the following cookies and browser storage mechanisms:

• agora_session (cookie) — a strictly necessary HttpOnly, Secure session cookie used to authenticate logged-in users. This cookie is set at login and cleared at logout. It cannot be read by JavaScript and is transmitted only over HTTPS. No consent is required for this cookie under the GDPR and the ePrivacy Directive, as it is essential for the service to function.
• agora_logged_in (localStorage) — a flag that indicates whether the user is currently logged in, used to adjust the user interface. It does not contain any personal data or session credentials.
• agora_terms_accepted_v3 (localStorage) — records that the user has accepted the current version of the Terms of Service.
• agora_theme (localStorage) — stores the user's light/dark theme preference.

AGORÀ does not use advertising cookies, tracking cookies, analytics cookies, or any third-party marketing cookies. For more details, see the Cookies & Storage Notice.

8. Automated content moderation

AGORÀ uses automated systems to moderate user-uploaded images and video frames before they are published. This processing is performed to detect and prevent the publication of sexually explicit, pornographic, or graphically violent content.

The moderation system works in two tiers:

• Tier 1 — Image classification: uploaded images are analyzed by a ResNet-50 image classification model (run on Cloudflare Workers AI) to detect certain categories of visual content.
• Tier 2 — Vision language model: if the first tier does not flag the image, a Meta Llama 3.2 Vision model (also run on Cloudflare Workers AI) is asked to determine whether the image is sexually explicit, pornographic, or graphically violent. The model responds with a yes/no determination.

Image data is processed transiently for moderation purposes and is not stored separately by the AI models. The AI systems do not build profiles of users and do not use uploaded content for training.

Additionally, AGORÀ employs automated spam detection that analyzes the timing patterns of user actions (such as posting frequency and interval regularity) to identify bot-like behavior. This system may temporarily restrict accounts that exhibit automated patterns. No content analysis is performed by the spam detection system — only action timestamps are evaluated.

Under Article 22 of the GDPR, users have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. If you believe an automated moderation decision was made in error, you may contact us at privacy@agorapolis.org to request a manual review.

9. Sub-processors and third-party services

AGORÀ relies on the following third-party service providers to operate the platform. Each provider processes data only as necessary to deliver its specific function:

• Cloudflare, Inc. (United States) — web hosting (Cloudflare Pages), serverless compute (Cloudflare Workers), database (Cloudflare D1), object storage for media (Cloudflare R2), AI inference (Cloudflare Workers AI), DDoS protection, CDN, DNS, and bot verification (Cloudflare Turnstile). Cloudflare acts as a data processor. Cloudflare participates in the EU-U.S. Data Privacy Framework.
• Google LLC (United States) — authentication via Google OAuth 2.0 (Google Sign-In). When you log in with Google, AGORÀ receives your email, name, and profile picture. Google's own privacy policy governs Google's handling of your data. Google participates in the EU-U.S. Data Privacy Framework.
• Resend, Inc. (United States) — transactional email delivery for one-time password (OTP) login codes. Resend processes only the recipient email address and the email content for delivery purposes.
• MapTiler AG (Switzerland) — map tiles and geocoding for the AGORÀ Study Map feature. MapTiler may receive IP addresses and location queries when the map is used.
• Google Fonts (Google LLC, United States) — web font delivery. Loading fonts from Google's servers may transmit the user's IP address to Google.

AGORÀ does not sell, rent, or share personal data with third parties for advertising or marketing purposes.

10. Retention periods

AGORÀ may retain personal data only for as long as reasonably necessary for the purposes for which it was collected, including operation of the service, account continuity, moderation, fraud prevention, backup integrity, dispute handling, legal compliance, and evidentiary preservation.

Retention periods may vary by category. For example:

• account data may be retained while the account remains active and for a limited period afterwards where reasonably necessary;
• public content may remain visible until deleted by the user, removed by AGORÀ, or otherwise archived under platform rules;
• security logs and moderation records may be retained longer where abuse prevention, investigations, or legal preservation require it;
• backup copies may persist temporarily even after deletion from active systems.

11. Sharing and disclosure

AGORÀ may disclose data only where reasonably necessary, such as:

• to infrastructure, hosting, authentication, security, analytics, or support providers acting on AGORÀ’s behalf;
• to moderators, administrators, or trusted operational personnel who need access to perform their roles;
• to other users or the public where the user intentionally publishes content or profile information;
• to legal, regulatory, or enforcement authorities where required by law or lawful process;
• to advisors, auditors, insurers, or acquirers where reasonably necessary and lawfully permitted;
• to protect the rights, safety, property, or integrity of AGORÀ, its users, or third parties.

AGORÀ does not sell personal data to third parties.

12. International transfers

AGORÀ's infrastructure is primarily provided by Cloudflare, Google, and Resend, all of which are headquartered in the United States. MapTiler is based in Switzerland. As a result, personal data may be transferred to and processed in the United States and Switzerland.

For transfers from the European Economic Area (EEA) to the United States, AGORÀ relies on the EU-U.S. Data Privacy Framework, to which Cloudflare and Google are certified participants. Switzerland is recognized by the European Commission as providing an adequate level of data protection.

Where applicable law requires additional safeguards for international data transfers, AGORÀ uses appropriate legal mechanisms such as Standard Contractual Clauses (SCCs) or adequacy decisions before transferring protected personal data across borders.

13. Security and safeguards

AGORÀ uses technical and organizational measures designed to protect personal data against unauthorized access, unlawful disclosure, misuse, destruction, or accidental loss. These include:

• session authentication via HttpOnly, Secure cookies with SameSite=Lax, preventing JavaScript access to session tokens;
• HTTPS-only transport enforced via HSTS (HTTP Strict Transport Security);
• Content Security Policy (CSP) headers restricting script and resource origins;
• Cloudflare Turnstile bot verification on authentication endpoints;
• rate limiting on login attempts (maximum 3 OTP requests per 15 minutes, maximum 5 verification attempts per code);
• automated spam detection based on action timing patterns;
• X-Frame-Options: DENY to prevent clickjacking;
• Permissions-Policy headers restricting access to device APIs;
• CORS controls restricting API access to authorized origins;
• server-side input validation and parameterized database queries to prevent injection attacks.

No online system can guarantee absolute security. Users should also protect their accounts, devices, and credentials appropriately.

14. User rights

Under the GDPR and applicable data protection law, users in the European Economic Area have the following rights:

• Right of access (Art. 15 GDPR) — you may request a copy of the personal data AGORÀ holds about you.
• Right to rectification (Art. 16 GDPR) — you may request correction of inaccurate or incomplete data. You can also update your display name and profile picture directly in the platform settings.
• Right to erasure (Art. 17 GDPR) — you may request deletion of your personal data. AGORÀ provides a self-service account deletion feature that removes your account, posts, comments, media, and associated data.
• Right to restriction (Art. 18 GDPR) — you may request that AGORÀ restrict the processing of your data in certain circumstances.
• Right to object (Art. 21 GDPR) — you may object to processing based on legitimate interests.
• Right to data portability (Art. 20 GDPR) — you may request your data in a structured, commonly used, machine-readable format.
• Right to withdraw consent (Art. 7(3) GDPR) — where processing relies on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint — you may file a complaint with your local data protection supervisory authority. In Italy, this is the Garante per la protezione dei dati personali (www.garanteprivacy.it).

To exercise any of these rights, contact privacy@agorapolis.org. AGORÀ may need to verify your identity before acting on certain requests and will respond within 30 days as required by law.

15. Children and minimum age

AGORÀ is not intended for users under the age of 16. The platform's own rules require users to be at least 16. By creating an account, users confirm they meet this age requirement. If AGORÀ becomes aware that it has collected personal data from a person below the permitted minimum age, AGORÀ will restrict or remove the account and take reasonable steps to delete the related data.

16. Policy updates

AGORÀ may update this Privacy Policy from time to time to reflect legal, operational, technical, or product changes. The most recent version will always be available on this page, together with the updated effective date.

Where required by law or appropriate for the significance of the change, AGORÀ will provide additional notice or request renewed acknowledgment.

17. Contact for privacy matters

For any privacy-related requests, questions, or to exercise your data protection rights, contact:

privacy@agorapolis.org

AGORÀ will respond to all privacy inquiries within 30 days of receipt.