PRIVACY POLICY · LAST UPDATED 2026-04-27

We collect the minimum information needed to operate the site.

1. Who we are

imadethisup.org (the “Site”) is operated by Global Cyber Institute, Inc. (“GCI”, “we”, “us”), a U.S. 501(c)(3) nonprofit (EIN 84-2148770). For all privacy questions and to exercise any rights described below, write info@imadethisup.org.

For the purposes of the EU/UK General Data Protection Regulation (GDPR), GCI is the controller of any personal data processed through the Site. We have not appointed a Data Protection Officer because the scale and nature of our processing do not require one under Article 37 GDPR. Our publication-related processing relies primarily on Article 6(1)(f) (legitimate interests) and Article 6(1)(a) (consent) where consent is the appropriate basis (e.g., the retain-an-expert form).

For the purposes of California law (CCPA/CPRA) and the parallel statutes of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA), GCI is the business / controller.

2. What we do not do

To save you reading further: we do not sell, rent, trade, or share for cross-context behavioural advertising any personal information about Site visitors. We do not use Google Analytics, Meta Pixel, TikTok Pixel, or any comparable behavioural-tracking service. We set no third-party cookies. We do not engage in profiling or automated decision-making with legal or similarly significant effects. We do not target advertising at anyone, anywhere, ever.

3. Categories of personal information we collect

The CCPA/CPRA "categories of personal information" framework is the most useful taxonomy. Mapped to our actual processing:

  • Identifiers — IP address (server logs); name and email if you submit the retain-an-expert form or email us directly.
  • Internet or electronic network activity — request time, requested URL, referring URL, response code, user-agent string (server logs).
  • Geolocation — coarse, derived from IP at country/region resolution only; we do not collect precise geolocation, do not request browser geolocation permission, and have no need for it.
  • Professional or employment-related information — only if you voluntarily provide it via the retain-an-expert form (organisation, role, jurisdiction).
  • Inferences — none. We do not build profiles.
  • Sensitive personal information (CPRA) — none collected. We do not request, infer, or process precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric data, health data, sex life or sexual orientation data, or government identifiers. The DEFIANCE-related content on the Site is general-audience educational material; we do not collect anything about you when you read it.

We have not sold, shared, or otherwise disclosed any of these categories for cross-context behavioural advertising in the preceding twelve months, and we have no plans to.

4. Sources, purposes, and legal bases

| Activity | Source | Purpose | GDPR basis | Retention |
| --- | --- | --- | --- | --- |
| Serving pages, security & abuse-prevention logging | Your browser request | Operate the Site, prevent attacks, debug | Art. 6(1)(f) — legitimate interest in keeping the Site running and secure | ≤ 30 days, then deleted |
| Retain-an-expert form submission | You voluntarily submit it | Route your inquiry to a vetted expert | Art. 6(1)(b) — pre-contractual steps at your request & Art. 6(1)(a) — your express consent (the form's required checkbox) | Until the matter is closed or 24 months, whichever is sooner; deletable on request at any time |
| Email correspondence | You email us | Respond, log corrections, maintain audit trail | Art. 6(1)(f) — legitimate interest in handling correspondence accurately | As long as needed for the matter and any legal-hold period |
| Functional, first-party cookie / localStorage flag (e.g., dismissed-privacy-notice) | Your browser, after you click "Got it" | Avoid re-showing a notice you have already dismissed | "Strictly necessary" under PECR / ePrivacy — no consent required because the only purpose is to deliver a feature you initiated | Until you clear your browser storage |

5. Cookies and similar technologies

The Site sets no third-party cookies. The only client-side persistence we use is a single first-party localStorage flag (imt-privacy-notice-dismissed-v1) whose sole purpose is to remember that you have already dismissed our informational privacy notice on this device. Under the EU ePrivacy Directive and UK PECR, this falls within the "strictly necessary" exception and does not require prior consent.

If we ever introduce non-essential cookies or analytics, we will present an opt-in consent dialog before any such cookie is set, and we will update this section first.

6. Sub-processors and third-party services

The Site relies on a small, named set of third parties:

  • Hosting.com — web hosting and email forwarding (United States). Receives the same server-log data described above and is contractually limited to processing it on our instructions.
  • Bunny Fonts (BunnyWay d.o.o.) — typeface delivery (European Union). We deliberately use Bunny Fonts rather than Google Fonts because Bunny Fonts is GDPR-compliant by design — it does not log requesting IP addresses, sets no cookies, and is hosted in the EU. See fonts.bunny.net/about.

We do not use any other third-party services on the Site — no advertising networks, no behavioural analytics, no social widgets, no chatbots, no embedded video players, no fingerprinting services, no cross-context profilers.

7. Disclosures of personal information

In the preceding twelve months, we may have disclosed limited personal information (specifically, the categories above) to:

  • Hosting.com, for the operational purposes described in §6.
  • Bunny Fonts, for the operational purpose of font delivery.
  • Law-enforcement or regulatory authorities only where required by valid legal process or where we reasonably believe disclosure is necessary to protect life, prevent serious harm, or protect our rights or property.
  • Successors in interest in the event of a merger, acquisition, or transfer of GCI's assets — in which case the successor would be bound to honor this Policy.

We have not disclosed personal information to a third party for cross-context behavioural advertising. We have not sold personal information. We have not "shared" personal information as that term is defined under the CPRA.

8. International data transfers

The Site is operated from the United States. If you access the Site from outside the United States, your interactions are transferred to and processed in the United States. Where personal information of EU/UK residents is transferred to us, we rely on the European Commission's Standard Contractual Clauses (Module Three, processor-to-controller, where applicable) and on appropriate supplementary measures (TLS 1.2+ in transit, HSTS preload, short retention periods, no advertising secondary uses). For UK residents we additionally rely on the UK International Data Transfer Addendum to the EU SCCs.

9. Data Subject / Consumer rights

Depending on where you live, you may have the following rights. We honor each of them — including for visitors not currently protected by a specific statute, as a baseline. There is no charge, and we will not retaliate against you for exercising any right.

Universal rights we honor:

  • Right to know what personal information we hold about you and how we use it.
  • Right of access — receive a copy of personal information we hold about you.
  • Right to rectification / correction of inaccurate or incomplete personal information.
  • Right to erasure ("right to be forgotten") — have your personal information deleted, subject to narrow legal exceptions.
  • Right to restrict processing in certain circumstances.
  • Right to data portability — receive your personal information in a structured, commonly used, machine-readable format.
  • Right to object to processing based on legitimate interests.
  • Right to withdraw consent at any time, where processing is based on your consent.
  • Right not to be subject to fully automated decisions with legal or similarly significant effects. We do not make any such decisions.

California (CCPA/CPRA) additions:

  • Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioural advertising. We honor the Global Privacy Control (GPC) browser signal as a valid opt-out request. See /privacy-choices.
  • Right to limit use of sensitive personal information. We collect no SPI, so there is nothing to limit; we surface the link anyway in our footer for transparency.
  • Right to non-discrimination for exercising any privacy right.
  • Right to designate an authorised agent to submit a request on your behalf — please attach reasonable proof of authorisation.

EU/UK additions:

  • Right to lodge a complaint with a supervisory authority if you believe our processing infringes the GDPR. EU residents may contact their national Data Protection Authority (a list is at edpb.europa.eu). UK residents may contact the Information Commissioner's Office.

To exercise any right, write info@imadethisup.org with the subject line “Privacy request,” from the email address you wish to be associated with the request. We will respond within the time frame required by applicable law (45 days under the CCPA/CPRA, extendable by 45 days; one month under the GDPR, extendable by two months for complex requests). We may need to verify your identity by asking for information that matches what we already hold; this is to protect against unauthorised disclosure.

10. Global Privacy Control (GPC)

We honor the GPC browser signal as a valid opt-out request under the CCPA/CPRA, the Colorado Privacy Act, the Connecticut Data Privacy Act, and other statutes that require it. Because we do not sell or share personal information in the first place, the practical effect of GPC on our Site is the same as for any other visitor: nothing changes about what we do or don't collect. We surface the GPC status on your device on the Privacy choices page.

11. Children's information

The Site is intended for a general adult audience. We do not knowingly collect personal information from children under the age of 13 in the United States, under 14 in some U.S. states, or under 16 in the European Economic Area. If you believe we have inadvertently collected information from a minor, write us at info@imadethisup.org so we can delete it.

12. Security

We use commercially reasonable technical, organizational, and physical safeguards to protect information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The Site is served over HTTPS with HSTS preload, modern TLS cipher suites, a strict Content Security Policy, X-Content-Type-Options nosniff, X-Frame-Options SAMEORIGIN, Referrer-Policy strict-origin-when-cross-origin, and a Permissions-Policy that forbids geolocation, camera, microphone, and interest-cohort access. No safeguards are absolute; we cannot guarantee security against all threats. In the event of a personal-data breach affecting EU/UK residents that is likely to result in a risk to their rights and freedoms, we will notify the relevant supervisory authority within 72 hours per Article 33 GDPR and notify affected individuals without undue delay where required by Article 34 GDPR.

13. Do Not Track and Do Not Sell or Share

Some browsers transmit a "Do Not Track" (DNT) header. There is no consensus standard for how a Site must respond to DNT, but for the avoidance of doubt: we do no tracking, with or without the DNT header. We honor the more recent and standardized Global Privacy Control signal as our opt-out mechanism for sale and sharing. We do not sell or share personal information; the Do Not Sell or Share My Personal Information link in our footer leads to the dedicated Privacy Choices page where you can confirm and exercise this right.

14. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of the page reflects the most recent revision. We will review the policy at least annually as required by the CCPA. Material changes will be flagged in the Site's blog where reasonably practicable; for the retain-an-expert form and any other consent-based processing, material changes will not apply retroactively to information collected before the change unless we ask for and receive your renewed consent.

15. How to contact us

info@imadethisup.org — for all privacy, data-rights, opt-out, and complaint communications. For practical step-by-step instructions on exercising your rights, see /privacy-choices.