privacy policy · draft · v0

privacy

last updated: 2026-05-20 · effective: TBD

v0 — pending counsel review. reflects current panel data practices. wording may change after legal review. for questions: privacy@goku.codes.

tl;dr

panel.goku.codes is a captcha-shape feedback layer. when you click "i'm human" on a partner site we show you one short judgment task. your answer doubles as preference data for AI agents. we keep your identity pseudonymous (a random cookie id), collect the minimum behavioral data we need to block bots, and delete it on request.

who we are

panel (UltraInstinct0x). contact: privacy@goku.codes. host: Oracle Cloud Frankfurt (DE). repo: github.com/UltraInstinct0x/panel.

what we collect

when you interact with a panel widget

  • a random pseudonymous rater_id cookie on panel.goku.codes.
  • your judgment: choice, latency, unit id.
  • behavioral signals: mouse-movement summaries (counts/distances, not replay), dwell time, focus events, viewport, user-agent.
  • IP address — used only for rate-limiting, dropped after 1 hour, never stored alongside your judgment.

we do NOT collect

  • name, email, phone, government id.
  • precise location.
  • biometric data (summaries are aggregates, not stroke replay).
  • payment card data (Stripe handles cards when paid plans are active).
  • special-category data (health, religion, ethnicity, etc.).

why we collect it (lawful basis)

  • captcha + bot prevention → legitimate interest (GDPR Art. 6(1)(f)).
  • judgment + behavioral signals → legitimate interest; pseudonymous, no profiling that affects you.
  • rater earnings, operator account → contract (Art. 6(1)(b)).
  • analytics → none today; we'd ask for consent before adding any.

retention

  • judgments + behavioral signals: 90 days default. up to 24 months with opt-in.
  • raw behavioral signals: aggregated after 30 days.
  • audit log: 12 months minimum.
  • rate-limit data: 1 hour.

sub-processors

  • Oracle Cloud Frankfurt — hosting
  • GitHub — code only, no production data
  • Stripe — when paid plans are active
  • Postmark / SES — when transactional email is active

we do not sell your data, share it with advertisers, or feed it to third-party AI providers without your explicit consent.

your rights

regardless of where you live, you can:

  • export your data: GET /api/me/export?rater_id=<your-id>
  • delete your data: POST /api/me/delete?rater_id=<your-id>
  • email privacy@goku.codes for rectification, restriction, objection, or complaint.

we respond within 30 days. you can also complain to your DPA (BfDI in Germany, KVKK Kurumu in Türkiye, ICO in the UK, etc.). if you've cleared cookies we cannot link you back — by design.

EU / UK (GDPR)

panel is hosted in Frankfurt (DE). most EU/EEA operators can use panel without cross-border concerns. for non-EU operators, our DPA includes SCCs (2021/914) and the UK addendum where applicable. controller: panel (UltraInstinct0x). DPO not required (Art. 37). contact privacy@goku.codes.

Türkiye (KVKK)

panel is the data controller under KVKK. we are below the VERBIS registration threshold; registration will be completed after the first TR-resident operator is onboarded. explicit consent will be obtained for transferring data abroad (Frankfurt). the full privacy notice will be published at /tr/privacy.

USA / health data

panel does not collect, store, or transmit PHI by default. operators in healthcare settings must (1) sign a BAA, (2) route all unit content through scrubber-proxy in hipaa mode, and (3) configure ingest under BAA scope. sending PHI without a BAA violates our terms.

automated decisions

/api/verify returns a probability score. it does not produce legal effects on you — it gives the operator a captcha pass/fail. email privacy@goku.codes if you believe a panel decision unfairly blocked you and we'll do a manual review.

cookies

one cookie: panel_rater on panel.goku.codes (host-only, strictly necessary). no third-party cookies. no analytics. no ads. no banner required today. we'll show a banner the moment any non-essential cookie is added.

security

TLS in transit, host-level disk encryption, AES-256-GCM for reversible mappings in scrubber-proxy, pseudonymous identifiers, append-only audit logging, rate-limiting + bot detection. not certified (SOC 2 / ISO 27001).

breaches

72h notification to the supervisory authority (GDPR Art. 33). high-risk: notify affected individuals without undue delay (Art. 34).

children

not directed to people under 13. we do not knowingly collect data from children.

changes

material changes posted at the top of this page with a new "last updated" date. operators notified by email.

contact

  • privacy + DSAR: privacy@goku.codes
  • security: security@goku.codes
  • general: hi@goku.codes