privacy policy · draft · v0

privacy

last updated: 2026-05-20 · effective: TBD

v0 — pending counsel review. reflects current panel data practices. wording may change after legal review. for questions: use the contact form (topic: privacy).

tl;dr

panel.goku.codes is a captcha-shape feedback layer. when you click "i'm human" on a partner site we show you one short judgment task. your answer doubles as preference data for AI agents. we keep your identity pseudonymous (a random cookie id), collect the minimum behavioral data we need to block bots, and delete it on request.

who we are

panel (UltraInstinct0x). contact: contact form (topic: privacy). host: Oracle Cloud Frankfurt (DE). repo: github.com/UltraInstinct0x/panel.

what we collect

when you interact with a panel widget

we do NOT collect

why we collect it (lawful basis)

retention

sub-processors

we do not sell your data, share it with advertisers, or feed it to third-party AI providers without your explicit consent.

your rights

regardless of where you live, you can:

we respond within 30 days. you can also complain to your DPA (BfDI in Germany, KVKK Kurumu in Türkiye, ICO in the UK, etc.). if you've cleared cookies we cannot link you back — by design.

EU / UK (GDPR)

panel is hosted in Frankfurt (DE). most EU/EEA operators can use panel without cross-border concerns. for non-EU operators, our DPA includes SCCs (2021/914) and the UK addendum where applicable. controller: panel (UltraInstinct0x). DPO not required (Art. 37). contact via the contact form (topic: privacy).

Türkiye (KVKK)

panel is the data controller under KVKK. we are below the VERBIS registration threshold; registration will be completed after the first TR-resident operator is onboarded. explicit consent will be obtained for cross-border data transfer (Frankfurt). the full disclosure notice will be published at /tr/privacy.

USA / health data

panel does not collect, store, or transmit PHI by default. operators in healthcare settings must (1) sign a BAA, (2) route all unit content through scrubber-proxy in hipaa mode, and (3) configure ingest under BAA scope. sending PHI without a BAA violates our terms.

automated decisions

/api/verify returns a probability score. it does not produce legal effects on you — it gives the operator a captcha pass/fail. use the contact form (topic: privacy) if you believe a panel decision unfairly blocked you and we'll do a manual review.

cookies

one cookie: panel_rater on panel.goku.codes (host-only, strictly necessary). no third-party cookies. no analytics. no ads. no banner required today. we'll show a banner the moment any non-essential cookie is added.

security

TLS in transit, host-level disk encryption, AES-256-GCM for reversible mappings in scrubber-proxy, pseudonymous identifiers, append-only audit logging, rate limiting + bot detection. not certified (SOC 2 / ISO 27001).

breaches

72h notification to the supervisory authority (GDPR Art. 33). high-risk: notify affected individuals without undue delay (Art. 34).

children

not directed to people under 13. we do not knowingly collect data from children.

changes

material changes posted at the top of this page with a new "last updated" date. operators notified by email.

contact