Privacy Policy

What We Collect

Anonymous browsing. If you read rankings, switch lenses, or page through scorecards without signing in, we do not collect personally identifiable information. We use Vercel Analytics, a privacy-respecting service that records aggregate page views and referrers without cookies and without any personal data.

Authenticated accounts. If you sign in with Google OAuth or an email magic link, we store: your email address, your display name and avatar URL if provided by the OAuth provider, your account creation timestamp, and any data you choose to save — category weight vectors, bookmarks, and notification subscriptions. Authentication is handled by NextAuth.js; we never see your Google password.

Operational logs. Our servers record request metadata (URL, status code, response time, IP, user agent) for security, abuse mitigation, and debugging. Application errors are forwarded to Sentry. Cookies and authorization headers are redacted before logs leave our infrastructure.

Editorial contact. If you write to the editorial address, we store your email address and any message you send for as long as needed to handle the request and a reasonable record period afterwards.

Legal Bases (GDPR Article 6)

For visitors in the United Kingdom, the EEA, and other jurisdictions where the General Data Protection Regulation or an equivalent applies, we rely on the following legal bases:

• Contract performance — to provide signed-in features (account creation, saved weights, bookmarks). Without this data we cannot operate the account.
• Legitimate interest — for aggregate analytics, operational logging, security and abuse prevention, and the community-aggregate computation. We have weighed these interests against your rights and consider them proportionate to the limited data involved.
• Consent — for any non-essential cookie. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal obligation — to respond to lawful requests from authorities and to keep records required by tax or regulatory law if and when those obligations apply.

Data Retention

• Account data — retained for as long as your account is open. If you delete your account, identifying data is removed from our primary database within thirty days; encrypted backups age out within an additional ninety days.
• Saved weights and bookmarks — same lifecycle as the parent account.
• Operational logs — thirty days, then deleted.
• Application error reports (Sentry) — ninety days, then deleted.
• Editorial correspondence — kept for the duration of the matter plus a reasonable record period (typically up to two years) to allow follow-up.
• Community aggregate inputs — anonymous individual weight vectors that contribute to community aggregates are retained only for the aggregate-computation window (currently nightly). After the aggregate is computed, the individual vector is not separately retained.

The periods above reflect the minimum needed to operate the service and respond to data-rights and security requests, plus tail periods consistent with industry practice for encrypted backups and abuse forensics.

International Data Transfers

The site is operated from the United States. If you access it from outside the US, your data will be transferred to and processed in the US, and possibly in other countries where our subprocessors operate. The legal protections in those countries may differ from those in your home jurisdiction.

For transfers of personal data out of the UK or the EEA we rely on the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, or an adequacy mechanism such as the EU–US Data Privacy Framework where the receiving processor is certified. Copies of the relevant safeguards are available on request.

What We Don’t Collect

• No advertising trackers, no third-party marketing pixels.
• No cross-site behavioral profiling.
• No selling, renting, or sharing of email lists.
• No analytics cookies for anonymous visitors.
• No sensitive categories of personal data (we have no need for them).

We do not sell or share your personal information for cross-context behavioral advertising, for monetary consideration, or for other valuable consideration. We do not engage in targeted advertising. We do not use the automated-decisionmaking technologies regulated by California’s 2025 CPPA rules, the GDPR’s Article 22 prohibition on solely-automated significant decisions, or the EU AI Act’s high-risk category. The framework’s scores are produced by human editorial judgment; community aggregates are computed by simple statistical averaging of authenticated user submissions, not by predictive models of users.

How We Use Account Data

Account data is used solely to operate the features you sign in for: remembering your saved category weights so your personal ranking persists across sessions and surfacing your bookmarks.

Your weight vectors contribute to the community aggregate once you have verified your email; for the first 24 hours after sign-up the contribution is held back from the aggregate to prevent freshly-created accounts from skewing the median (see the bias-mitigation notes in the Methodology). Contribution is anonymous; we publish aggregates, not individual vectors.

Subprocessors

The site relies on the following service providers. Each is bound by its own privacy terms, and we share with them only what is required to deliver the service.

• Vercel — application hosting, edge delivery, and cookieless aggregate page analytics (Vercel Analytics).
• Supabase — managed PostgreSQL for account and scoring data.
• Upstash — Redis for rate limiting.
• Google — OAuth identity for sign-in (only if you choose Google).
• Sentry — application error reporting.
• Resend — transactional email provider for magic-link sign-in (only if you sign in by email).

Background-worker infrastructure (for nightly community-aggregate computation and evidence-URL verification) is planned but not yet deployed. Once deployed, the host will be added here.

Your Rights

You may, at any time, sign in and delete your account. Account deletion is irreversible and removes your email, saved weights, bookmarks, and notification subscriptions from our primary database within thirty days. Aggregate community statistics computed before deletion may persist in non-identifying form.

If you are an EU, UK, or California resident, you have additional rights under GDPR, the UK GDPR, and CCPA: to access, correct, export, or restrict our processing of the data we hold about you, and to object to processing carried out on the basis of legitimate interest. Send a request to the editorial contact below and we will respond within thirty days.

You also have the right to lodge a complaint with a data protection supervisory authority. In the UK that is the Information Commissioner’s Office; in the EEA it is the authority in your country of residence; in California it is the California Privacy Protection Agency. We would appreciate the chance to address concerns directly first, but you are not obliged to contact us before contacting them.

Security & Breach Notification

We use industry-standard technical and organizational measures: encryption in transit (TLS) and at rest for the database, principle-of-least-privilege access controls, redacted logging of credentials, and automated dependency monitoring. No system is perfectly secure, and we do not promise one is.

In the event of a personal-data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within seventy-two hours of becoming aware of it where required by law, and notify affected users without undue delay.

Targeting & Territorial Scope

The Presidential Scoring Framework is operated from the United States and is directed at readers in the United States. We do not specifically target users in the European Economic Area or the United Kingdom: the site is offered in English only, addresses US-specific subject matter, and is not localized for any EU or UK market. Visitors from those regions may use the site, but we do not consider EEA or UK residents to be intended recipients of the service for the purposes of GDPR Article 3(2) or UK GDPR.

If our targeting posture changes, we will update this section and, if required, appoint a representative under GDPR Article 27 or its UK equivalent. In the meantime, EU and UK visitors may direct data-protection inquiries to the editorial contact below.

Cookies

We use a single first-party session cookie for authenticated users (HttpOnly, Secure, SameSite=Lax) to keep you signed in. We do not set advertising or analytics cookies. Visitors from the EU, the UK, or other jurisdictions with cookie-consent requirements will see a consent prompt before any non-essential cookie is set.

Do Not Track. We do not respond to Do Not Track browser signals because no industry-standard interpretation of those signals applies to a site that does not engage in cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals as opt-outs of sale or sharing for any future activity that would qualify; at present, we do not sell or share personal information, so no opt-out is required.

Children

The site is intended for users who are at least sixteen years old, or thirteen years old in jurisdictions where that is the lawful minimum for an individual to provide their own consent to data processing. We do not knowingly collect personal information from users below the applicable age threshold. If you believe a child has provided us with personal data, write to the editorial contact below and we will delete it.

Changes to This Policy

If we change this policy in a way that materially affects how we handle your data, we will update the date at the top of the page and, where we have a working email for you, notify you in advance. Older versions are available on request.

Contact

Privacy questions, data-rights requests, and security reports go to editorial@presidential-scoring.org. Takedown and correction requests are covered in the Terms.