Privacy Policy
Last updated: 2026-02-25 | Effective date: 2026-02-25
Webpodium ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and your rights regarding your personal data. By using our Service, you consent to the practices described in this policy.
1. Who We Are
Webpodium is a website discovery and promotion platform. For the purposes of applicable data protection law, the Company acts as the data controller for personal data collected through the Service. If you have questions about how we handle your data, please contact us.
2. Information We Collect
A. Information you provide directly:
- Account registration: Username, email address, and password (stored as a bcrypt hash — we never store your password in plain text).
- Profile information (optional): Display name, biographical text, personal website URL, and profile avatar image.
- Website submissions: Website name, URL, description, category, screenshots, and related metadata.
- Comments and interactions: Text comments, replies, and recommendation actions on website listings.
- Contact and support inquiries: Messages, email addresses, and any other information you include when contacting us.
- Payment information (future): When Paid Services are introduced, payment details (e.g., credit card number, billing address) will be processed by a third-party payment processor. We will not store your full payment card details on our servers.
B. Information collected automatically:
- Usage data: Pages visited, features used, time spent on the Service, and referring URLs.
- Click and view counts: Aggregated click and view statistics for each submitted website, associated with your account where applicable.
- Search queries: Search terms you enter on the platform, stored in anonymized or aggregated form for search suggestion features.
- Log data: IP address, browser type, operating system, and timestamp of requests, retained for security monitoring and abuse prevention.
- Device information: General device type (desktop, mobile) and screen resolution, used for optimizing the user interface.
C. Information from third-party services:
- Google OAuth: If you choose to sign in with Google, we receive your Google account email address, display name, and profile picture URL from Google. We do not receive your Google password.
- Advertising partners (future): When advertising is enabled, third-party advertising networks may collect and share with us aggregated, non-personally-identifiable information about ad impressions and clicks.
3. How We Collect Information
- Directly from you: When you register, submit content, fill in your profile, contact us, or make a purchase.
- Automatically: Through server logs, session management, and aggregated analytics as you interact with the Service.
- Cookies and similar technologies: As described in Section 5 below.
- Third-party integrations: Via OAuth providers or advertising networks as described in Section 2.
4. How We Use Your Information
We use collected information for the following purposes:
Service operation:
- Creating and managing your account.
- Displaying your profile, submitted websites, and activity to other users.
- Providing website discovery features (trending, recommended, search).
- Processing comments, recommendations, and follows.
- Displaying analytics dashboards for your submitted websites.
Communications:
- Sending transactional emails such as email verification and password reset messages.
- Sending notification emails about interactions with your content (comments, recommendations, follows) — only if you have enabled this in your notification settings.
- Sending important service announcements (e.g., changes to Terms or Privacy Policy).
- Sending promotional or marketing communications — only with your explicit consent, and you may opt out at any time.
Security and integrity:
- Detecting and preventing fraud, spam, abuse, and unauthorized access.
- Enforcing our Terms of Service and Content guidelines.
- Rate limiting to protect the Service from abuse.
Service improvement:
- Analyzing usage patterns to understand how the Service is used and identify areas for improvement.
- Troubleshooting technical issues and bugs.
Advertising and monetization (future):
- Serving relevant advertisements within the Service (using aggregate or anonymized interest categories).
- Processing and managing Paid Service subscriptions and purchases.
5. Cookies & Tracking Technologies
We use cookies and similar technologies to operate and improve the Service. Below is a description of the types of cookies used:
| Type | Purpose | Duration |
|---|---|---|
| Session cookie (essential) | Keeps you authenticated while you are logged in | Session / 30 days (if "remember me") |
| Language preference (functional) | Remembers your selected display language | 1 year |
| CSRF token (security) | Protects against cross-site request forgery attacks | Session |
| Analytics cookies (future) | Measures aggregate traffic and usage patterns | Up to 2 years |
| Advertising cookies (future) | Serves relevant ads and measures ad effectiveness | Up to 1 year |
Currently active: At this time, we use only essential, functional, and security cookies (the first three types above). Advertising and analytics cookies may be introduced in the future, at which time we will update this policy and request your consent where required by law.
Managing cookies: You can control or delete cookies through your browser settings. Disabling essential cookies will prevent you from staying logged in. Please refer to your browser's help documentation for instructions on managing cookies.
6. Information Sharing & Disclosure
We do not sell, rent, or trade your personal information to third parties for their own marketing purposes. We may share your information only in the following limited circumstances:
- Public profile data: Your username, display name, profile picture, bio, and public submissions are visible to all users of the Service by design.
- Service providers: We may share data with trusted third-party vendors who assist us in operating the Service (e.g., hosting providers, email delivery services, payment processors). These providers are contractually required to keep your data confidential and may only use it to provide services to us.
- Advertising partners (future): When advertising is enabled, we may share anonymized or aggregate user segments with advertising networks. We will not share personally identifiable information with advertisers without your explicit consent.
- Legal requirements: We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of the Company, its users, or the public.
- Business transfers: In the event of a merger, acquisition, or sale of all or part of our assets, your personal data may be transferred to the acquiring entity. We will notify you via email or a prominent notice on the Service before such a transfer occurs.
- With your consent: We may share your information for other purposes with your explicit consent.
When we share data with service providers, we ensure they provide at least the same level of data protection as described in this Privacy Policy.
7. Third-Party Services
The Service currently integrates with the following third-party services. These services have their own privacy policies, which we encourage you to review:
- Google OAuth: Used for optional "Sign in with Google" authentication. Governed by Google's Privacy Policy.
- Email delivery service: Used to send transactional emails such as email verification and password reset messages.
Future integrations may include:
- Payment processors (e.g., Stripe, PayPal) for handling Paid Service subscriptions and purchases.
- Advertising networks (e.g., Google AdSense) for serving relevant advertisements within the Service.
When new third-party integrations are introduced, this Privacy Policy will be updated accordingly.
8. Advertising & Monetization Data
Current status: The Service does not currently display third-party advertisements. This section describes how data will be handled when advertising is introduced in the future.
When advertising is enabled:
- Third-party advertising partners may collect data about your interactions with ads, including which ads you viewed and clicked.
- Advertising partners may use cookies, web beacons, or other technologies to deliver interest-based advertisements.
- We may share anonymized demographic and interest-category information with advertising partners to enable relevant ad targeting. This information will not directly identify you.
- You will have the ability to opt out of personalized advertising through a dedicated privacy dashboard or through industry opt-out mechanisms such as the NAI opt-out tool or Your Online Choices (EU).
Payment data: When Paid Services are introduced, your payment transactions will be processed by a PCI-DSS compliant third-party payment processor. We will only receive a transaction confirmation and the last four digits of your payment card (for reference purposes). We will not store full card numbers on our servers.
We will notify users and update this Privacy Policy at least 14 days before introducing advertising or payment systems.
9. Data Retention
- Active accounts: We retain your personal data for as long as your account is active and as needed to provide you with the Service.
- After account deletion: When you delete your account, your personally identifiable information (email, username, profile data, submitted websites) is permanently deleted within 30 days. Some anonymized data (e.g., aggregated view counts) may be retained for historical analytics.
- Security logs: IP address logs and security-related records are retained for up to 90 days for fraud and abuse prevention purposes.
- Backup data: Deleted data may remain in encrypted backups for up to 30 additional days before being permanently purged.
- Legal hold: We may retain data for longer periods if required by applicable law or for the establishment, exercise, or defense of legal claims.
- Contact inquiries: Support messages and contact threads are retained for up to 2 years for quality assurance and legal purposes.
10. Data Security
We implement the following security measures to protect your personal data:
- Password hashing: All passwords are stored using bcrypt with a cost factor ensuring they cannot be reversed to plain text, even in the event of a database breach.
- HTTPS encryption: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS.
- CSRF protection: All state-changing requests are protected by CSRF tokens to prevent cross-site request forgery attacks.
- Rate limiting: API and form submission endpoints are rate-limited to prevent brute-force attacks and abuse.
- Input sanitization: User-generated content is sanitized to prevent cross-site scripting (XSS) attacks.
- Access controls: Administrative functions are restricted to authorized staff only.
- Regular security updates: We keep all software dependencies up to date with the latest security patches.
Despite these measures, no system is 100% secure. We cannot guarantee absolute security of your data. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.
11. Your Rights
Depending on your location, you may have the following rights with respect to your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Correct inaccurate or incomplete personal data. You can update most information directly through your profile settings.
- Right to erasure ("right to be forgotten"): Request the deletion of your personal data. You can delete your account at any time from the settings page, which will trigger deletion of your personal data.
- Right to data portability: Request an export of your personal data in a structured, machine-readable format.
- Right to restrict processing: Request that we limit how we use your personal data in certain circumstances.
- Right to object: Object to the processing of your personal data for direct marketing purposes or where processing is based on our legitimate interests.
- Right to opt out of email notifications: Manage notification preferences in your account settings at any time.
- Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights (other than those available directly in settings), please contact us. We will respond to your request within 30 days. We may need to verify your identity before processing your request.
EU/EEA and UK residents (GDPR/UK GDPR): In addition to the rights above, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not handled your personal data in accordance with applicable law.
12. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:
- Contract performance: Processing necessary to provide you with the Service (account management, website submissions, comments).
- Legitimate interests: Processing for security monitoring, fraud prevention, service improvement, and analytics, where these interests are not overridden by your fundamental rights.
- Consent: Processing for marketing communications, personalized advertising (when introduced), and any other processing where we ask for your explicit consent.
- Legal obligation: Processing required to comply with applicable law or regulatory requirements.
13. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal data without parental consent, we will take steps to delete such data promptly.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.
14. International Data Transfers
Webpodium is accessible globally, and your information may be stored and processed in countries outside of your country of residence. These countries may have data protection laws that differ from those in your country.
Where required by applicable law (e.g., GDPR for transfers outside the EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission. By using the Service, you consent to the transfer of your information to countries that may not provide the same level of data protection as your home country.
15. Do Not Track
Some browsers include a "Do Not Track" (DNT) feature that signals websites not to track your browsing activity. Currently, our Service does not respond to DNT signals, as there is no universally accepted standard for how websites should respond to such signals. We will update this policy if and when a standard is established.
16. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make changes:
- The "Last updated" date at the top of this page will be revised.
- For material changes (such as introducing advertising, new data collection practices, or changes to data sharing), we will notify registered users by email and display a prominent notice on the Service at least 14 days before the changes take effect.
- Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.
If you do not agree to the revised Privacy Policy, please stop using the Service and delete your account.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through the contact page. We will do our best to respond to your inquiry within 30 days.
For users in the EU/EEA, if you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. A list of EU data protection authorities is available at edpb.europa.eu.