Consumer Rights Wiki:Privacy policy
Contents
- Consumer Rights Wiki Privacy Policy
- 1. Data Controller
- 2. Legal Basis for Processing
- 2.1 Data Minimization
- 2.2 Special Categories of Data
- 3. PII and other data We Collect
- 3.1 Account Information
- 3.2 Contribution Data
- 3.3 Technical Data
- 3.4 Analytics Data (via Plausible Analytics)
- 3.5 Security Services
- 4. Data Retention and Backup Schedule
- 4.1 Primary Data Retention
- 4.2 Backup and Recovery Schedule
- 5. International Data Transfers
- 6. Your Rights Under GDPR
- 6.1 Right of Access (Article 15)
- 6.2 Right to Rectification (Article 16)
- 6.3 Right to Erasure (Article 17)
- 6.4 Right to Restriction (Article 18)
- 6.5 Right to Object (Article 21)
- 6.6 Right to Data Portability (Article 20)
- 6.7 Right to Lodge a Complaint
- 7. Data Sharing and Third Parties
- 7.1 Service Providers (Data Processors)
- 7.2 Legal Requirements
- 8. Data Security
- 8.1 Data Breach Notification
- 9. Automated Decision-Making
- 10. Children's Privacy
- 11. Cookies
- 12. Changes to This Policy
- 13. Data Protection Queries
- 14. Complaint Rights
Consumer Rights Wiki Privacy Policy
Last Updated: January 20, 2026
This Privacy Policy explains how the Consumer Rights Wiki ("CRW," "we," "us," or "our"), our service providers, and our partners, collect, use, share, and protect Personally Identifying Information (PII), and other data, in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data Controller
The data controller responsible for your personal data is:
FULU Foundation
Fulu Foundation, Austin, Texas 78705
Email: data@consumerrights.wiki
2. Legal Basis for Processing
We process personal data based on the following legal grounds under Article 6 of the GDPR:
Contract (Article 6(1)(b)) Data used for:
- Account registration and management
- User authentication and login
- Enabling wiki contributions and editing
Legitimate Interests (Article 6(1)(f)) Data used for:
- IP address processing for security and anti-spam protection
- Privacy-preserving analytics through Plausible Analytics
- Maintaining the integrity and security of the wiki
- Prevention of abuse and vandalism
2.1 Data Minimization
We adhere to the principle of data minimization, collecting only the personal data that is necessary for the specific purposes outlined in this policy. We do not collect excessive or irrelevant data.
2.2 Special Categories of Data
We do not intentionally collect special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation). If such data is inadvertently collected through user-generated content, it is not processed by us for any purpose.
3. PII and other data We Collect
3.1 Account Information
When you create an account, we collect:
- Username - Stored indefinitely, or until account deletion request
- Email address - Stored indefinitely, or until account deletion request
- Hashed and salted password - Stored indefinitely, or until account deletion request
3.2 Contribution Data
- Edit history and contributions - Stored indefinitely as necessary for wiki functionality and attribution under legitimate interest
- Timestamps of edits - Stored indefinitely as part of contribution history
- Discussion posts and comments - Stored indefinitely as part of wiki content
3.3 Technical Data
- IP addresses - Stored in server logs and backups for 90 days for security purposes, and indefinitely in edit history for attribution and anti-vandalism purposes
- Browser type and version - Processed temporarily for technical compatibility and for generation of anonymized analytics
- Device information - Processed temporarily for technical compatibility and for generation of anonymized analytics
3.4 Analytics Data (via Plausible Analytics)
Our self-hosted Plausible Analytics instance collects:
- Page views and navigation patterns
- Referrer information
- Country of origin (derived from IP addresses, which are immediately discarded)
- Device type and browser information
Important: Plausible does not use cookies or persistent identifiers, or create profiles. All data is aggregated and anonymous.
3.5 Security Services
hCaptcha processes the following when you interact with protected forms:
- Technical connection data (IP address, timestamp)
- Interaction data with the captcha interface
Cloudflare processes the following when you connect to the site:
- Technical connection data (Traffic routing data, HTTP request metadata)
4. Data Retention and Backup Schedule
4.1 Primary Data Retention
| Data Type | Retention Period | Justification |
|---|---|---|
| Account data (username, email, hashed and salted password) | Indefinitely until deletion request | Necessary to perform contract |
| Contribution history | Indefinitely | Legitimate interest in maintaining wiki integrity and attribution |
| IP addresses in server logs | 30 days | Security and anti-abuse purposes |
| IP addresses in edit history | Indefinitely until deletion request | Attribution and anti-vandalism |
| Analytics data (aggregated) | Indefinitely | Legitimate interest in service improvement |
4.2 Backup and Recovery Schedule
| Backup Type | Frequency | Retention Period | Data Included |
|---|---|---|---|
| Daily backups | Every 24 hours | 7 days | Full database, user accounts, contribution history, configuration |
| Monthly backups | 1st of each month | 6 months | Full database, user accounts, contribution history, configuration |
| Server logs | Continuous | 30 days rolling | Access logs, error logs, security logs |
Important Notes on Backups:
- All backups are fully encrypted
- Deleted data may persist in backups until the backup retention period expires
- Maximum possible retention through backups: 6 months for monthly backups
- After backup expiration, data is permanently deleted unless specifically retained under section 4.1
5. International Data Transfers
Our servers are hosted by Hetzner in the United States. This constitutes an international data transfer from the EU/EEA. We ensure appropriate safeguards through:
- EU-US Data Privacy Framework: Our hosting providers participate in the EU-US Data Privacy Framework, ensuring adequate protection for your personal data
- hCaptcha transfers: Data may be transferred to Intuition Machines, Inc. in the USA under the EU-US Data Privacy Framework (European Commission adequacy decision C(2023) 4745)
6. Your Rights Under GDPR
You have the following rights regarding your personal data:
6.1 Right of Access (Article 15)
You can request a copy of your personal data we hold.
6.2 Right to Rectification (Article 16)
You can request correction of inaccurate personal data.
6.3 Right to Erasure (Article 17)
You can request deletion of your personal data, subject to legal obligations and legitimate interests (e.g., contribution history may be retained for attribution).
6.4 Right to Restriction (Article 18)
You can request restriction of processing in certain circumstances.
6.5 Right to Object (Article 21)
You can object to processing based on legitimate interests.
6.6 Right to Data Portability (Article 20)
You can request your data in a structured, machine-readable format.
6.7 Right to Lodge a Complaint
You have the right to lodge a complaint with your local supervisory authority.
To exercise any of these rights, contact us at: data@consumerrights.wiki
7. Data Sharing and Third Parties
We do not sell or rent your personal data. We share data only with:
7.1 Service Providers (Data Processors)
| Service Provider | Data Types Processed | Location | Purpose |
|---|---|---|---|
| Hetzner | Server infrastructure, web application data, user data, backups | US/EU | Primary hosting infrastructure |
| Cloudflare | Analytics data, traffic patterns, security logs, attack mitigation data | USA | DDoS protection, CDN, security analytics |
| hCaptcha | IP addresses, interaction data | USA | Spam prevention |
7.1.1 Privacy statement for the service hCaptcha
When accessing some sub-services of our website, additional information is processed.
Processed data categories: technical connection data of the server access (IP address, date, time, requested page, browser information), data about the use of the website, and the logging of clicks on individual elements.
Purpose of processing: avoid non-human and automated input.
The legal basis for processing: a legitimate interest that overrides the rights and freedoms of the data subject (Art. 6 (1) f GDPR).
Legitimate interests: strong economic interest in safe and functioning operation of the technical systems.
Data are transmitted: to the data processor Intuition Machines, Inc., 1065 SW 8th St #704, Miami FL 33130, USA (https://www.hcaptcha.com).
This may also mean a transfer of personal data to a country outside the European Union. The data are transferred to the USA on the basis of Art. 45 GDPR in conjunction with the European Commission's adequacy decision C(2023) 4745, since the data recipient has committed to comply with the data processing principles of the Data Privacy Framework (DPF).
Please read hCaptcha's full privacy policy for more information.
7.1.2 Privacy statement for the service Hetzner
Our website infrastructure and web application are hosted on servers provided by Hetzner.
Processed data categories: Web application data, server infrastructure data, technical connection data (IP address, date, time, requested page, browser information), server configuration and usage metrics, network traffic data.
Purpose of processing: provision of hosting infrastructure for the web application, ensuring system availability and performance.
The legal basis for processing: a legitimate interest that overrides the rights and freedoms of the data subject (Art. 6 (1) f GDPR).
Legitimate interests: strong economic interest in reliable and functioning operation of the technical systems and infrastructure.
Data are transmitted: to the data processor Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (https://www.hetzner.com).
Hetzner operates servers in both the European Union and the United States. When US servers are used, data transfers are covered under standard contractual clauses.
Please read Hetzner's full privacy policy for more information.
7.1.3 Privacy statement for the service Cloudflare
Our website uses Cloudflare services for content delivery, security, and performance optimization. Cloudflare processes analytics and security-related data, but does not have access to user account data or personal information stored in our databases.
Processed data categories: Traffic routing data, HTTP request metadata (HTTP headers, user agent, query-string, path, host, HTTP method, HTTP version, TLS cipher version), request and error rates, DDoS attack patterns and mitigation data, aggregated analytics data about website usage, security threat intelligence data.
Purpose of processing: content delivery network (CDN) services, DDoS attack protection and mitigation, traffic routing and optimization, security monitoring and threat detection, performance analytics to improve website speed and user experience.
The legal basis for processing: a legitimate interest that overrides the rights and freedoms of the data subject (Art. 6 (1) f GDPR).
Legitimate interests: strong economic interest in secure, reliable, and functioning operation of the website, protection against cyber attacks, and optimization of service performance.
Data are transmitted: to the data processor Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA (https://www.cloudflare.com).
This may also mean a transfer of personal data to a country outside the European Union. The data are transferred to the USA on the basis of Art. 45 GDPR in conjunction with the European Commission's adequacy decision C(2023) 4745, since the data recipient has committed to comply with the data processing principles of the Data Privacy Framework (DPF).
Please read Cloudflare's full privacy policy for more information.
7.2 Legal Requirements
We may disclose data when required by law or to protect the rights and safety of users.
8. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Hashing and salting of passwords
- Regular security updates
- Access controls and authentication
- The full encryption of all backups made
8.1 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- Document all breaches in accordance with GDPR requirements
9. Automated Decision-Making
We do not engage in automated decision-making that produces legal or similarly significant effects. Our anti-spam tools (hCaptcha) involve automated processing but:
- Do not produce significant effects on users
- Allow for easy appeals via email or Discord
We do not engage in profiling activities as defined under GDPR.
10. Children's Privacy
The CRW is not intended for children under 16. We do not knowingly collect personal data from children. If we become aware of such collection, we will promptly delete the data.
11. Cookies
We do not use tracking cookies. The wiki may use strictly necessary session cookies for authentication, which are deleted when you close your browser.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. The "Last Updated" date will always reflect the most recent version.
Previous versions of the policy can be seen by viewing the Privacy Policy page history.
13. Data Protection Queries
For any questions about this Privacy Policy or our data practices, please contact:
Data Protection Contact
Email: data@consumerrights.wiki
FULU Foundation
FULU Foundation, Austin, Texas 78705
14. Complaint Rights
If you are unsatisfied with our response to your data protection query, you have the right to lodge a complaint with your local data protection authority. For EU residents, you can find your local authority at: https://edpb.europa.eu/about-edpb/board/members_en
---
By using the Consumer Rights Wiki, you acknowledge that you have read and understood this Privacy Policy.