Privacy Policy

Last updated: September 17, 2025

This Privacy Policy explains how Stichting De Lokale (Netherlands) (“we”) processes personal data in connection with the Informational Defence platform (the “Service”). We act as a data controller for account/billing/marketing data and as a data processor when processing Customer Data under a DPA. We are committed to GDPR and applicable privacy laws.

1) Scope & Audience

This Policy covers: (a) website visitors; (b) users with accounts; and (c) processing of public YouTube content selected by customers for analysis.

2) Categories of Data We Process

• Account & Organization Data — name, email, organization, role, authentication identifiers.
• Billing — subscription plan, transaction identifiers, invoicing contact, tax information (processed by our payment processor).
• Support — messages, attachments, and metadata you send us.
• Product Telemetry — pages and features used, event timestamps, device/browser info, approximate location (city/country) derived from IP.
• Public Source Data (YouTube) — video metadata, captions, public comments, commenter handles/usernames, timestamps, and derived analytics (embeddings, clusters, topic matches, confidence scores).
• Marketing — opt-in newsletter preferences, campaign performance.
• Cookies — essential cookies for login/session; optional analytics cookies with consent.

3) Sources

• Information you provide directly (forms, admin panel, support).
• Public Source Data retrieved via official APIs (e.g., YouTube Data API) in compliance with YouTube’s Terms of Service.
• Service telemetry and cookies.

4) Personal Data Storage

We store user data in the EU. Full list of stored data:

• Account & Organization Data — name, email, organization, role, authentication identifiers.
• Billing — subscription plan, transaction identifiers, invoicing contact, tax information (processed by our payment processor).
• Support — messages, attachments, and metadata you send us.

4) Purposes & Legal Bases (GDPR)

• Provide and improve the Service (Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interests).
• Security, abuse prevention, and rate-limit compliance (Art. 6(1)(f)).
• Billing and compliance (Art. 6(1)(c) legal obligation; Art. 6(1)(b)).
• Research & product analytics on de-identified/aggregated data (Art. 6(1)(f)).
• Marketing communications with your consent (Art. 6(1)(a)); you can withdraw at any time.

5) Retention

We retain personal data only as long as necessary for the purposes above but not more than 24 months. You may request earlier deletion. Some records (e.g., invoices) may be kept to satisfy legal obligations.

6) Sharing & Sub-processors

We share personal data with sub-processor company Stripe to handle billing & invoicing. We will provide notice before adding or replacing any sub-processor for personal data in future in it will be required. We do not sell personal data.

7) International Transfers

When transferring personal data outside the EEA/UK, we use appropriate safeguards such as the EU Standard Contractual Clauses. Data residency options (e.g., EU-only) are available on certain plans.

8) Security Measures

• Encryption in transit (TLS), network isolation, access controls with least privilege.
• Regular backups, vulnerability patching, and monitoring.
• Staff confidentiality commitments and security training.

9) Your Rights (EEA/UK & similar regimes)

Subject to law, you have rights to access, rectification, erasure, restriction, portability, and to object to processing based on our legitimate interests. You may withdraw consent at any time for processing that relies on consent. You may lodge complaints with your local authority.

10) Children

The Service is not directed to children under 16. We do not knowingly process children’s personal data. If you believe we have such data, contact us for deletion.

11) Public Source Data & Research Ethics

• We analyze publicly available content selected by customers. Even when data is public, we design features to avoid harmful use (e.g., no bulk export of sensitive attributes; rate-limit compliance; auditable evidence links).
• Customers must not use the Service to target, harass, or unlawfully profile individuals.

12) Cookies

• Essential (required): authentication session, CSRF, load balancing.
• Analytics (optional): we use privacy-respecting analytics with IP truncation; disabled unless you consent.

13) Automated Processing & Profiling

We use machine learning to cluster comments and match narratives. Outputs are probabilistic and should be reviewed by human analysts. We do not make decisions producing legal or similarly significant effects on individuals without human involvement.

14) Law Enforcement & Requests

We may disclose information where required by law or valid legal process. We will notify the Customer unless prohibited.

15) Your Controllers & DPO

Controller: Stichting De Lokale (Netherlands). Data Protection Officer: info@society22.org

16) Changes

We may update this Policy; we will notify you of material changes via the Service or email.

17) Contact

Email: info@society22.org

YouTube API Disclosures

• Our Service uses the YouTube API Services to retrieve public video metadata and comments from channels that you select.
• Use of YouTube is subject to Google’s Privacy Policy and YouTube’s Terms of Service. Customers must ensure their use of retrieved data complies with those policies.
• We do not claim ownership over YouTube content; rights remain with their respective owners.
• All Platform Data presented to customers is made by disint.ai platform, not by YouTube.