Privacy Policy

Last updated: March 11, 2026

1. Data Controller

OpenTruth Lausanne 1003 Lausanne, Vaud, Switzerland Email: hello@opentruth.ch

OpenTruth (hereinafter "we", "our" or "OpenTruth") is the data controller for personal data collected through the websites opentruth.ch, app.opentruth.ch, and api.opentruth.ch, in accordance with the Swiss Federal Act on Data Protection (FADP, SR 235.1, in force since 1 September 2023) and, for users residing in the European Economic Area (EEA), the General Data Protection Regulation (GDPR, EU Regulation 2016/679).

2. Data Collected

2.1 User Account Data

  • Email address
  • Password (encrypted, stored by Supabase Auth)
  • Authentication tokens (JWT)

2.2 Service Usage Data

  • Public YouTube video URLs submitted for analysis
  • RAG search queries
  • API usage history (endpoints, timestamps)

2.3 Technical Data

  • IP address
  • Browser type and operating system
  • Server log data

2.4 Analytics Data

  • Anonymized browsing statistics via Vercel Analytics (no third-party cookies, no individual tracking)

2.5 Data We Do NOT Collect

  • Sensitive personal data (health, religion, sexual orientation, biometric data)
  • Behavioral profiling data
  • Data from advertising cookies or third-party trackers

3. Purposes of Processing

  • Service provision (video analysis, claim verification): Contract performance (Art. 31(2)(a) FADP) - Art. 6(1)(b) GDPR
  • User account management: Contract performance - Art. 6(1)(b) GDPR
  • Security and abuse prevention: Overriding interest (Art. 31(1) FADP) - Art. 6(1)(f) GDPR
  • Service improvement and statistical analysis: Overriding interest - Art. 6(1)(f) GDPR
  • Legal compliance: Legal obligation (Art. 31(2)(b) FADP) - Art. 6(1)(c) GDPR

4. Recipients and Sub-processors

We use the following sub-processors to operate the service:

Each sub-processor is bound by a Data Processing Agreement (DPA) ensuring an adequate level of protection.

  • Supabase (AWS EU): Authentication, database - European Union - User accounts, application data
  • OpenAI (USA): AI processing (transcription, analysis, embeddings) - United States - Transcription texts, extracted claims
  • Vercel (USA): Website hosting, analytics - United States - Anonymized browsing data
  • OVH (France): API hosting - France - Application data, server logs
  • YouTube Data API (Google): Retrieval of public transcripts - United States - Public video URLs
  • Brave Search API: Source verification search - United States - Text search queries

5. International Transfers

Certain data is transferred to the United States (OpenAI, Vercel, Brave Search). These transfers are governed by:

  • The EU-US Data Privacy Framework (European Commission adequacy decision of 10 July 2023, upheld by the EU General Court on 3 September 2025) for DPF-certified sub-processors;
  • Standard Contractual Clauses (SCCs) approved by the European Commission for other transfers;
  • Switzerland's recognition of adequate protection levels for countries with adequacy decisions (Art. 16 FADP, Annex 1 DPO).

6. Data Retention

After these periods, data is deleted or irreversibly anonymized.

  • User account: Until account deletion by user
  • Video analysis data: Duration of service + 12 months after deletion
  • Server logs (IP, access): 90 days
  • Analytics data (Vercel): 30 days (anonymized)

7. Rights of Data Subjects

In accordance with the FADP (Art. 25-29) and the GDPR (Art. 15-22), you have the following rights:

To exercise your rights, contact us at: hello@opentruth.ch

We will respond within 30 days (FADP) or without undue delay and within one month at the latest (GDPR).

Supervisory authorities:

  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC), www.edoeb.admin.ch
  • EU: supervisory authority of your country of residence
  • Right of access: obtain confirmation of processing and a copy of your data (Art. 25 FADP / Art. 15 GDPR)
  • Right to rectification: correct inaccurate data (Art. 32(1) FADP / Art. 16 GDPR)
  • Right to erasure: request deletion of your data (Art. 17 GDPR)
  • Right to data portability: receive your data in a structured, machine-readable format (Art. 28 FADP / Art. 20 GDPR)
  • Right to object: object to processing based on legitimate interest (Art. 21 GDPR)
  • Right to withdraw consent at any time, where processing is based on consent

8. Cookies and Similar Technologies

OpenTruth uses no advertising cookies or third-party trackers.

A cookie consent banner is used to collect consent for analytics cookies.

  • Strictly necessary cookies: session cookies for authentication (Supabase JWT)
  • Analytics: Vercel Analytics operates without third-party cookies and collects only aggregated, anonymized data

9. Processing of Public Figures' Data

OpenTruth analyzes public political speeches and extracts the names of public figures (parliamentarians, ministers, elected officials) for the purpose of factual analysis of political discourse. This processing is based on public interest and the overriding interest in the transparency of democratic debate (Art. 31(1) FADP / Art. 6(1)(f) GDPR). No private data of these individuals is collected.

10. Data Security

We implement appropriate technical and organizational measures (Art. 8 FADP / Art. 32 GDPR):

  • Encryption of data in transit (TLS 1.2+)
  • Password encryption (bcrypt via Supabase Auth)
  • Restricted data access based on the principle of least privilege
  • Access logging and anomaly monitoring

11. Changes to This Policy

We reserve the right to modify this policy at any time. Substantial changes will be communicated via email or notification on the service. The current version is always available at opentruth.ch/privacy.

12. Contact

For any questions regarding the protection of your data:

OpenTruth Lausanne 1003 Lausanne, Vaud, Switzerland Email: hello@opentruth.ch

---

This document does not constitute legal advice.

contact[at]opentruth[dot]ch