Privacy for source-linked AI intelligence.
How AI on Radar collects, stores, and protects subscriber and operational data. Operators deploying this codebase must review this policy with local counsel before launch (GDPR / UK GDPR / KVKK / CCPA as applicable).
The AI on Radar operator is the data controller for digest subscriptions.
AI on Radar is an automated AI news radar. The entity operating this deployment is the data controller for any personal data processed through it. Public surfaces (articles, GitHub, models, papers, benchmarks, tools) do not require an account and do not collect personal data. Contact the operator at privacy@aionradar.example for any privacy matter.
Digest subscriber records and operational/security logs.
Digest subscribers: email address, subscription status (pending / confirmed / unsubscribed / bounced), verification and unsubscribe token hashes, signup source, double opt-in timestamps, last delivery timestamp, and per-issue delivery status.
Operational records: source collection metadata, raw item snapshots, article evidence, automation decisions, LLM run audit trails, pipeline events, and rate-limit / job-lock entries. These records are about the platform and its sources, not about visitors.
Server logs: request IP, user-agent, path, status, and timing. Logs are retained for up to 30 days for security, abuse prevention, and debugging.
Consent for the digest; legitimate interests for operational logs.
Digest emails are processed on the basis of explicit consent (Article 6(1)(a) GDPR; KVKK Art. 5(1), "açık rıza", i.e. explicit consent). Operational and security logs are processed on the basis of legitimate interest (Article 6(1)(f) GDPR) to keep the service running, prevent abuse, and meet basic audit requirements.
Digest delivery, source attribution, reliability, and abuse prevention.
Subscriber email addresses are used solely to confirm subscriptions, send digest emails when delivery is enabled, record delivery status, and process unsubscribe requests. AI on Radar does not sell or share subscriber email addresses, does not use them for advertising, and does not profile subscribers.
A small, transparent set of subprocessors.
Hosting: the operator's chosen infrastructure provider (VPS / managed PostgreSQL). Stores all subscriber and operational data at rest.
Resend (resend.com): transactional email delivery when DIGEST_EMAIL_ENABLED=true. Receives subscriber email address, digest content, and delivery metadata. Subject to Resend's own privacy policy and DPA.
Google (Gemini API): server-side language model used to enrich source-collected items. Input is source metadata and excerpts only; subscriber data is never sent to Gemini. Subject to Google's API terms and privacy notice.
X (twitter.com) API: only when the operator explicitly enables auto-posting. AI on Radar uses the official X API; subscriber data is never sent to X.
No third-party analytics, advertising, cross-site trackers, or session replay tools are loaded on public pages.
Strictly necessary cookies only.
Public pages do not set marketing or analytics cookies. The admin panel may set a session cookie scoped to HTTP Basic Authentication for the duration of the operator's browser session. No third-party cookies are set.
Transfers occur only via the subprocessors listed above.
Where a subprocessor (e.g., Resend, Google) processes data outside the European Economic Area, transfers rely on the subprocessor's Standard Contractual Clauses and additional safeguards. The operator does not independently transfer subscriber data outside the deployment region.
Kept only as long as necessary.
Confirmed subscribers are retained until unsubscribe. Pending (unconfirmed) subscriptions expire automatically after the double opt-in window (default 72 hours) and are purged. Unsubscribed records are retained for 90 days for audit / re-subscribe handling, then anonymized. Server access logs are retained for up to 30 days. LLM prompt / response audit records and pipeline events are retained for up to 30 days for operational troubleshooting and then purged by a scheduled job.
Access, rectification, erasure, restriction, portability, objection.
Under GDPR / UK GDPR / KVKK you have the right to access your data, request correction or erasure, restrict or object to processing, request data portability, and withdraw consent at any time without affecting prior lawful processing. Under CCPA you have the right to know, delete, and opt out of sale or sharing (we do not sell or share).
To exercise any right, email privacy@aionradar.example. We respond within 30 days. You may also lodge a complaint with your local supervisory authority (e.g., EU DPA, ICO, KVKK Kurumu).
Defense in depth, minimal exposure.
Secrets are stored server-side only and never returned in public responses. Admin endpoints require HTTP Basic Authentication with timing-safe comparison. Cron endpoints require a shared secret in a request header. Database traffic is internal to the deployment network. Backups are encrypted at rest. The operator is responsible for keeping infrastructure patched and rotating credentials regularly.
We will note material changes here.
This policy was last updated on 2026-05-21. Material changes will be reflected on this page along with the updated date. Continued use of AI on Radar after a change indicates acceptance of the revised policy.