Privacy Policy

Version 1.0 • Last updated: December 18, 2025

Introduction

Samla ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal information.

Our Privacy-First Approach

We believe in privacy by design and default. This means:

  • Data Minimization: We only collect data necessary for functionality
  • No Tracking: We don't use tracking pixels, analytics, or third-party cookies
  • No Ads: We don't sell your data or show targeted advertisements
  • EU Hosting: All data is processed and stored within the EU
  • Transparency: You can export all your data at any time

Data We Collect

1. Account Information

When you create an account, we collect:

  • Email address (for login and notifications)
  • Display name (chosen by you)
  • Password (hashed using Argon2, never stored in plaintext)
  • Optional: Profile avatar (uploaded image)

2. Content You Create

  • Groups you create or join
  • Posts and replies in message boards
  • Events you create or RSVP to
  • Files you upload (images, PDFs)

3. Technical Data (Privacy-Preserving)

  • IP Address: Hashed using SHA-256 (we cannot reverse this to identify you)
  • User Agent: Browser type, for security purposes only
  • Session tokens: For keeping you logged in

Note: We deliberately hash IP addresses so we can detect abuse patterns without being able to identify individual users.

How We Use Your Data

We use your data only for:

  • Providing the Samla service (groups, posts, events)
  • Sending you essential notifications (event reminders, invitations)
  • Preventing abuse and ensuring security
  • Complying with legal obligations

We never:

  • Sell your data to third parties
  • Use your data for advertising or marketing
  • Track your behavior across the web
  • Share your data except as legally required

Email Communications

We send emails only for:

  • Account verification
  • Password resets
  • Group invitations
  • Event reminders (if you RSVP)

No tracking in emails:

  • We don't use tracking pixels to see if you opened emails
  • We don't track clicks on links in emails
  • All links go directly to Samla (no redirect tracking)

Cookies

We use only essential cookies for:

  • Authentication: Keeping you logged in
  • Security: CSRF protection

Cookie settings:

  • SameSite=Strict (maximum privacy)
  • Secure (HTTPS only)
  • HttpOnly (not accessible to JavaScript)

We don't use third-party cookies, advertising cookies, or analytics cookies.

Data Retention

  • Active accounts: Retained as long as your account is active
  • Audit logs: Automatically deleted after 90 days
  • Sessions: Automatically deleted after 90 days of inactivity
  • Expired tokens: Deleted automatically

Your Rights (GDPR)

You have the right to:

1. Access Your Data (Article 15)

Download all your data in JSON and CSV format from your account settings.

2. Rectification (Article 16)

Update your profile information at any time in your settings.

3. Erasure / "Right to be Forgotten" (Article 17)

Delete your account and all associated data from your account settings.

What happens when you delete your account:

  • Hard deleted: Your profile, sessions, consents, uploaded files
  • Anonymized: Your posts and replies (replaced with "Deleted User" to preserve community discussions)

4. Data Portability (Article 20)

Export your data in machine-readable formats (JSON, CSV).

5. Object to Processing (Article 21)

Contact us to object to how we process your data.

Data Security

We protect your data with:

  • HTTPS encryption for all connections
  • Argon2 password hashing
  • SHA-256 IP address hashing
  • CSRF protection on all forms
  • Content Security Policy (CSP) headers
  • Rate limiting to prevent abuse
  • Regular security audits

Third-Party Services

We use minimal third-party services:

  • Cloudflare: CDN and DDoS protection (EU data processing agreement in place)
  • Email provider: For sending transactional emails (no tracking)

We do not use:

  • Google Analytics or any analytics service
  • Facebook Pixel or social media trackers
  • Advertising networks
  • Third-party cookies

Children's Privacy

Samla is not intended for children under 16. We do not knowingly collect data from children. If you believe a child has created an account, please contact us.

Changes to This Policy

We may update this policy occasionally. If we make significant changes, we'll notify you via email. Continued use after changes constitutes acceptance.

Version history:

  • Version 1.0 (December 18, 2025): Initial privacy policy

Contact Us

For privacy questions or to exercise your rights:

Legal Basis for Processing (GDPR Article 6)

  • Contract: Processing necessary to provide the Samla service
  • Consent: You explicitly consent to our terms and privacy policy
  • Legitimate interests: Fraud prevention and security

This privacy policy is part of our commitment to transparency and user privacy. We believe you should own your data and know exactly how it's used.