Effective — 22 May 2026
Privacy Policy
19 Protocol is built around the idea that meaningful conversation does not require surveillance. This policy explains, in plain language, what data we collect, why, and what control you have over it.
1. Who we are
19 Protocol ("we", "us", "the platform") is operated as an independent project. The data controller responsible for processing your personal data under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") is:
- Controller: Mehdi Karacagün, founder and operator of 19 Protocol
- Contact: 19protocol@proton.me
2. What data we collect
We collect only what is needed to run the platform.
- Account data — your email address, the handle (display name) you choose, a salted hash of your password (we never store your actual password; it is hashed as soon as it arrives and only the hash is kept), and any optional profile fields you fill in: short bio, avatar image, year of study, interest and expertise tags.
- Content you publish — thread posts, replies, and their metadata (timestamps, the thread they belong to).
- Technical data — your IP address (used for rate-limiting and abuse prevention), your browser's user-agent string, the approximate city/country derived from your IP at the moment of login (kept as a short-lived security audit history), and a single session cookie (a signed JWT) that keeps you logged in.
We do not run third-party analytics, tracking pixels, fingerprinting scripts, or advertising. There is no Google Analytics, no Meta pixel, no Hotjar, nothing of the kind.
3. Why we process this data (legal basis)
- Performance of a contract — Art. 6(1)(b) GDPR. We need your account data and the content you publish to actually provide the discussion service you signed up for.
- Legitimate interest — Art. 6(1)(f) GDPR. We process IP address, user-agent, and login geo data to protect the platform from spam, abuse, and unauthorized account access. You may object to this processing at any time; see Section 6.
4. Who we share data with
We do not sell, rent, or trade your personal data. We share it only with the processors strictly needed to operate the service:
- Brevo (sendinblue.com) — sends transactional email on our behalf (verification, password reset, notifications you opt in to). Brevo processes your email address and the message content under a GDPR-compliant Data Processing Agreement; its infrastructure is located in the European Union.
- VPS hosting provider — a single virtual server inside the European Union holds the application and database. The provider does not have access to application data beyond what is required to keep the machine running.
If we ever add another processor, we will update this section before the change takes effect.
5. How long we keep data
- Active accounts: indefinitely, until you delete the account or ask us to.
- Deleted accounts: account-related rows are removed within 7 days; encrypted backups containing prior state are rotated out within 30 days. Posts you published may remain visible with the author label set to [deleted] if removing them would break thread continuity — no identifying link to you remains in that case.
- Login geo / audit logs: 90 days.
- Email verification & password-reset tokens: 24 hours.
6. Your rights under GDPR
At any time, you can:
- Access the data we hold about you.
- Rectify incorrect data — most fields are editable directly from the settings page.
- Delete your account and the personal data attached to it.
- Restrict or object to processing based on legitimate interest.
- Receive a copy of your data in a structured, machine-readable format (data portability).
To exercise these rights, use the settings page where possible, or write to 19protocol@proton.me. We respond within 30 days. You can also lodge a complaint with your local Data Protection Authority — in Belgium this is the Gegevensbeschermingsautoriteit / Autorité de protection des données (gegevensbeschermingsautoriteit.be).
7. Cookies and similar technologies
We use exactly one cookie:
- Session cookie (token) — a signed JWT that proves you are logged in. It is set with HttpOnly, Secure, and SameSite=Lax. It expires automatically after a period of inactivity.
We do not use analytics, tracking, or third-party cookies. No consent banner is shown because the only cookie we set is strictly necessary for authentication and is therefore exempt from the consent requirement under the ePrivacy Directive.
8. Children
19 Protocol is intended for adults aged 18 and over. Accounts of users we identify as under 18 will be removed. If you believe we hold personal data of someone under 18, contact us and we will delete it.
9. Security
Passwords are stored as salted hashes using a modern key-derivation function. Traffic is encrypted in transit via TLS (HTTPS only). The database is reachable only from the application process; there are no external dashboards or unauthenticated APIs that expose user data. Backups are kept encrypted and rotated.
10. International transfers
All processing happens inside the European Economic Area (server and Brevo are both in the EU). We do not transfer your personal data outside the EEA.
11. Changes to this policy
We may update this policy. When we do, the "Effective" date at the top changes. Material changes will also be announced inside the platform so you don't have to re-read the policy to know what shifted.
12. Contact
For privacy questions, data-deletion requests, or to exercise any GDPR right, write to 19protocol@proton.me.