The Rahile Dawut Uyghur Heritage Archive (Sanduq) ("Sanduq", "we", "us", or "our") is committed to protecting the privacy, confidentiality, and security of Personal Information.
Please read this Privacy Policy carefully. It describes how we collect, use, disclose, protect, and otherwise process Personal Information when you access or use Sanduq and related services (collectively, the "Services").
We may update this Privacy Policy from time to time. Please review the Last Updated and Effective Date shown at the top of this page.
1) Applicable Privacy Frameworks
Depending on user location, operations, and legal scope, Sanduq is designed to align with applicable privacy requirements, including:
- European Union / EEA: General Data Protection Regulation (GDPR) (EU) 2016/679
- United States: applicable U.S. privacy laws, including the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)
- Canada: PIPEDA and the British Columbia Personal Information Protection Act (PIPA)
- Türkiye: Law No. 6698 on the Protection of Personal Data (KVKK)
2) Data We Collect
Sanduq is built to minimize personal data collection. We do not collect non-public personal information beyond what is necessary to provide secure access and platform operations.
2.1 Account and Access Data
- Email address: used solely for registration, account management, workflow-related notifications, critical security notices, and password management.
- Username: may appear publicly as a user handle to uniquely identify the account in public-facing contexts.
- Authentication credentials: passwords are never stored in plaintext.
2.2 Security and Technical Data
- IP address: processed for security monitoring, abuse prevention, blocking, and reporting when abnormal or harmful activity is detected (for example, brute-force or bot attacks).
- Security-related logs may be retained where required for legal, compliance, and incident response purposes.
2.3 User Content and Workflow Data
- Data that users submit through archive workflows (for example, records, edits, and workflow actions) is processed to provide core functionality.
2.4 Public vs. Non-Public Data
- By default, personal account data is treated as non-public.
- Username may be public as a handle.
- Other profile details are non-public unless a user explicitly publishes them or disclosure is required by system function or law.
3) How We Use Personal Information
We use Personal Information to:
- provide account registration and authentication;
- manage user roles, permissions, and workflow operations;
- send critical service and security notifications;
- detect, investigate, and prevent abuse or unauthorized access;
- comply with legal and regulatory obligations.
We do not sell Personal Information and do not use Personal Information for behavioral advertising.
4) How We Protect Personal Information
We apply layered technical and organizational controls, including:
- strong password hashing (such as Argon2-class password hashing);
- encryption in transit and encryption controls for sensitive data at rest;
- least-privilege access controls;
- private/internal network isolation for core database and service layers;
- security monitoring and incident response procedures.
No security system is perfect, but we continuously improve safeguards appropriate to the sensitivity of the data we process.
5) International Data Transfers and Storage
Data provided to Sanduq is primarily stored and processed in British Columbia, Canada.
Off-site backups are maintained for resilience and disaster recovery, including in US West (Oregon). Cross-border processing is handled under applicable legal safeguards and data protection requirements.
6) Children’s Privacy
Our Services are not intended for persons under 18 (or the applicable age of majority in the relevant jurisdiction).
If a minor requires access, use must occur under parent or legal guardian supervision and control, including account responsibility.
7) Cookie Policy
Sanduq uses cookies and similar storage technologies to operate the platform securely and reliably.
We do not use cookies for advertising or marketing profiling.
Cookie/storage uses may include:
- essential session and authentication support;
- security and abuse-prevention controls;
- functional preferences (for example, UI state);
- consent state tracking (to remember your privacy choices).
When you click Accept in the consent bar, we store a consent record cookie containing:
- policy/consent version;
- decision value;
- timestamp.
This allows us to avoid repeatedly prompting users who already provided consent.
8) Third-Party Services
During active development and operations, we may rely on third-party providers for infrastructure and diagnostics, including:
- GitHub (source control and development workflows)
- Google Cloud Platform (hosting, compute, storage, and security operations)
- Sentry (error and exception monitoring)
Where enabled by environment/configuration, additional operational analytics or observability tooling may be used under contractual and security controls.
9) AI Features (Zérek)
Sanduq provides an AI assistant feature ("Zérek") backed by self-hosted/offline model infrastructure.
Based on current architecture and policy intent, archive/user content processed through Zérek is not sent to third-party commercial AI model providers.
10) Data Retention
We retain Personal Information only for as long as necessary to:
- provide the Services;
- maintain security and auditability;
- satisfy legal, contractual, and regulatory obligations;
- resolve disputes and enforce platform terms.
Retention periods vary by data type and legal requirement.
11) Your Privacy Rights
Subject to applicable law, users may have rights to request access, correction, deletion, restriction, objection, or data portability, and to lodge complaints with relevant supervisory authorities.
Rights and procedures may differ by jurisdiction (for example, GDPR/EEA, California, Canada, and Türkiye).
12) Changes to this Privacy Policy
We may update this Privacy Policy from time to time.
When we make material updates, we will revise the Last Updated and Effective Date at the top of this page and publish the updated version through our Services.
13) Contact
If you have questions about this Privacy Policy or privacy requests, contact the Sanduq product/administration team through official project channels.