Privacy Policy

1. Introduction

Pressrun (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information when you use pressrun.news (“the Service”).

2. Information We Collect

2.1 Information You Provide

• Account information: Email address, password (stored as a bcrypt hash, never in plain text), and optional display name, bio, and avatar URL.
• Comments: Text content you post on articles, associated with your account.
• Reports: When you report a comment, we store the reason you provide along with a reference to your account.

2.2 Information Collected Automatically

• Click analytics: When you view an article, we record a one-way cryptographic hash (SHA-256) derived from your IP address, the article identifier, and the calendar date. This hash cannot be reversed to recover your IP address. We do not store raw IP addresses.
• Session data: A session cookie (pressrun_session) is set when you log in. It contains only a session identifier and expires when you close your browser.

2.3 Information We Do Not Collect

We do not use tracking cookies, third-party analytics (such as Google Analytics), advertising pixels, browser fingerprinting, or client-side persistent storage (localStorage or sessionStorage). We do not collect your device type, operating system, or browser version.

3. How We Use Your Information

We process your personal data under the following legal bases as defined by GDPR Article 6(1): (a) Contract performance— account management, session authentication, and email verification are necessary to provide the Service you requested; (b) Legitimate interest— aggregate click analytics and security/abuse prevention serve our legitimate interest in operating and protecting the Service; (c) Legal obligation— we may process data to comply with applicable laws.

• Account management: To create and maintain your account, authenticate your sessions, and verify your email address.
• Service operation: To display your comments, enforce community guidelines, and moderate content.
• Aggregate analytics: To count article views using anonymized, hashed data. These counts are not linked to individual users.
• Transactional email: To send account verification emails and, in the future, password reset emails.
• Security and abuse prevention: To detect and prevent unauthorized access, spam, and abuse of the Service.

4. Data Sharing with Third Parties

We share personal information only in the following circumstances:

• Email delivery: We use Resend to send transactional emails. Resend receives your email address and display name solely for the purpose of delivering messages. Our use of Resend is governed by a Data Processing Agreement (DPA) that requires Resend to process your data only on our instructions and in compliance with applicable data protection law. We do not share your data with any other third-party service.
• Legal requirements: We may disclose your information if required by law, subpoena, court order, or governmental regulation.
• Safety: We may disclose information when we believe in good faith that disclosure is necessary to protect the rights, safety, or property of Pressrun, our users, or the public.

We do not sell, rent, or trade your personal information. We do not display advertising or share data with advertising networks.

5. Data Retention

• Account data: Retained for as long as your account is active. When you delete your account, your email, password hash, display name, bio, and avatar are permanently deleted within 30 days of your deletion request, including removal from database backups within 90 days.
• Comments: Deleted comments are soft-deleted (the comment text and author attribution are removed, but a placeholder remains in the thread to preserve conversational context). Upon account deletion, all your comments are disassociated from your identity.
• Comment reports: Retained for up to 12 months after resolution, then permanently deleted.
• Click analytics: Hashed click records are retained indefinitely as anonymized, aggregate data. Because these records contain only a one-way hash, they cannot be linked back to any individual.
• Email verification tokens: Expire after 48 hours and are marked as used upon redemption.
• Session data: Automatically deleted when sessions expire or when you log out.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate personal data. You can update your display name, bio, and avatar directly in your account settings.
• Deletion: Request deletion of your account and associated personal data. Contact us at the address below to initiate account deletion.
• Data portability: Request an export of your personal data in a machine-readable format.
• Restriction: Request that we restrict the processing of your personal data in certain circumstances (e.g., while we verify the accuracy of disputed data).
• Objection: Object to certain processing of your personal data.
• Withdrawal of consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or 45 days for California residents, as required by the CCPA). If we need additional time, we will notify you of the reason and extension period.

6.1 Additional Rights for California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights.

Categories of personal information we collect (as defined by Cal. Civ. Code §1798.140): Identifiers (email address, display name); Internet or electronic network activity (hashed click records, session data).

We do not sell or share your personal information as defined by the CCPA, and have not done so in the preceding 12 months.

Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

7. Cookies

We use a single, essential cookie (pressrun_session) to maintain your authenticated session. This cookie is HttpOnly, set to SameSite=Lax, and marked Secure in production. It contains only a session identifier and does not track your activity across other websites. We do not use any third-party cookies, tracking cookies, or analytics cookies. Because this cookie is strictly necessary for the Service to function, no consent is required under the ePrivacy Directive (Article 5(3)) or equivalent national implementations.

8. Security

We take reasonable measures to protect your information, including: encrypting passwords with bcrypt, hashing IP addresses with SHA-256 before storage, using HTTPS for all connections, enforcing HttpOnly and Secure cookie flags, and implementing rate limiting on authentication endpoints. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

9. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the United States. For transfers of personal data from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms as applicable. Where we rely on your explicit consent as a transfer mechanism, you may withdraw that consent at any time by contacting us at [email protected].

10. Children’s Privacy

Pressrun is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are under 13, you may not create an account or use the interactive features of this site.

If we learn that we have collected personal information from a child under 13, we will take steps to delete that information as promptly as possible. If you believe a child under 13 has provided us with personal information, please contact us at [email protected] so we can investigate and remove the data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by updating the “Last updated” date at the top of this page. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

12. Contact

If you have questions or concerns about this Privacy Policy or our data practices, contact us at [email protected].

We have not appointed a Data Protection Officer, as we do not engage in large-scale processing of special category data. If you are an EU/EEA resident and believe our processing of your data violates the GDPR, you have the right to lodge a complaint with your local supervisory authority.