Privacy Policy
Last updated: March 19, 2026
1. Data Controller
This website is operated by:
Andrei Klemenchenok, operating as FolkUp
Largo José Afonso 19-20 RC, 2900-429 Setúbal, Portugal
NIF: 312596928
Email: [email protected]
2. Data We Collect
2.1 Analytics (Self-Hosted)
We use Umami, a privacy-focused, self-hosted analytics platform. Umami:
- Does not use cookies
- Does not collect personally identifiable information (PII)
- Does not track users across websites
- Collects only: page URL, referrer, browser type, operating system, device type, country (from IP, not stored)
- All data is aggregated and anonymous
2.2 Server Logs
Our web server may temporarily log:
- IP address (for security purposes)
- Request URL, timestamp, HTTP status code
- User agent string
Server logs are retained for a maximum of 30 days and are used exclusively for security monitoring and troubleshooting.
2.3 Newsletter Subscription
If you subscribe to our OSINT Digest newsletter, we collect:
- Email address — solely for sending the newsletter
- Consent proof — timestamp, hashed IP address (truncated, not stored in full), consent version, language preference
Newsletter data is processed by Brevo (Sendinblue SA, France) as our data processor under a Data Processing Agreement (DPA) compliant with Article 28 GDPR.
- Legal basis: Consent (Art. 6(1)(a) GDPR) — you actively opt in via double opt-in (DOI)
- Retention: Your email is stored until you unsubscribe. After unsubscription, your data is deleted within 30 days
- Right to withdraw: You can unsubscribe at any time via the one-click unsubscribe link in each newsletter (no login required) or by contacting [email protected]. Upon unsubscription, your contact record is deleted from our mailing list within 30 days
2.4 Data We Do NOT Collect
- We do not require user accounts or registration
- We do not use advertising or marketing cookies
- We do not use third-party tracking scripts
3. Data Protection Officer
We have not appointed a Data Protection Officer (DPO) as we do not meet the threshold under Article 37 GDPR (we do not engage in large-scale processing of personal data or special categories of data).
For data protection inquiries, contact: [email protected]
4. Legal Basis for Processing
Under Article 6 of the GDPR, we process data based on:
- Legitimate interest (Art. 6(1)(f)) — for anonymous analytics and security monitoring. We have conducted a balancing test and determined that our minimal, anonymous data collection does not override the rights and freedoms of data subjects, given that no PII is collected or stored.
- Consent (Art. 6(1)(a)) — for newsletter subscription and if you voluntarily contact us via email
5. OSINT Research — Processing of Third-Party Data
As part of our research activities, Lucerna may process publicly available information about individuals. This section explains how we handle such data.
5.1 What Data We Process
In the course of OSINT (open-source intelligence) investigations, we may collect and analyze:
- Publicly available professional profiles (GitHub, tech blogs, professional platforms)
- Published articles, comments, and public contributions
- Professional affiliations visible in public sources
We do not access private systems, hack accounts, use social engineering, or obtain data through deceptive means.
5.2 Legal Basis
We process this data under:
- Legitimate interest (Art. 6(1)(f) GDPR) — for research, fact-checking, and public interest journalism
- Sufficient anonymization — published investigations redact personal identifiers so that the data subject cannot be identified with reasonable effort, rendering the data anonymous (Recital 26 GDPR)
5.3 Protection Measures
- All personal identifiers are redacted before publication
- We apply a re-identification audit to ensure anonymization is sufficient
- Subjects are not named, and unique identifying combinations are generalized
- We never publish private communications, private data, or data obtained through unauthorized access
5.4 Rights of Data Subjects
If you believe you are the subject of one of our investigations, you have the right to:
- Access the data we have processed about you (Art. 15 GDPR)
- Object to processing (Art. 21 GDPR)
- Request erasure of your data (Art. 17 GDPR)
- Right of reply — we will publish your unedited response alongside our research
To exercise these rights, contact: [email protected]
We will respond within 30 days.
6. Automated Decision-Making
We do not engage in automated decision-making or profiling as defined in Article 22 GDPR. No decisions affecting you are made solely by automated means.
7. Cookies
This website does not use cookies. Our analytics solution (Umami) is cookie-free.
8. Third-Party Services
8.1 Brevo (Newsletter)
Newsletter subscriptions are processed by Brevo (Sendinblue SA), 106 boulevard Haussmann, 75008 Paris, France. Brevo acts as our data processor under Article 28 GDPR. Brevo’s privacy policy: https://www.brevo.com/legal/privacypolicy/. Brevo’s Data Processing Agreement: https://www.brevo.com/legal/termsofuse/#data-processing-agreement
8.2 Ko-fi (Donations)
If you choose to support us via Ko-fi, your data is processed by Ko-fi according to their Privacy Policy. We do not receive or store your payment information.
8.3 GitHub
Our source code is hosted on GitHub. If you interact with our repositories, GitHub’s Privacy Statement applies.
9. International Data Transfers
Our server is located in the European Union. We do not transfer personal data outside the EU/EEA, except:
- When you voluntarily use third-party services (Ko-fi, GitHub) that may process data in other jurisdictions
- These services operate under Standard Contractual Clauses (SCCs) or equivalent safeguards
10. Data Retention
| Data Type | Retention Period |
|---|---|
| Analytics (Umami) | Aggregated, no PII stored |
| Server logs | Maximum 30 days |
| Newsletter subscription | Until unsubscription, then deleted within 30 days |
| Email correspondence | Until purpose fulfilled, then deleted |
11. Your Rights
Under the GDPR (Articles 15–22), you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your data (“right to be forgotten”)
- Restrict processing
- Object to processing based on legitimate interest
- Data portability — receive your data in a structured format
- Withdraw consent at any time
To exercise these rights, contact us at: [email protected]
12. Right to Complaint
You have the right to lodge a complaint with a supervisory authority. For Portugal:
CNPD — Comissão Nacional de Proteção de Dados
- Website: https://www.cnpd.pt
- Email: [email protected]
- Address: Av. D. Carlos I, 134, 1200-651 Lisboa, Portugal
13. Security
We implement appropriate technical and organizational measures to protect your data, including:
- HTTPS/TLS encryption for all traffic
- Security headers (CSP, HSTS, X-Frame-Options)
- Regular software updates
- Access controls and monitoring
14. Children’s Privacy
This website is not directed at children under 16. We do not knowingly collect data from children.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last updated” date. We encourage you to review this page periodically.