Privacy
This page tells you, plainly, what data we collect from visitors and applicants, how it is stored, who can see it, and when it is deleted. We have tried to be specific rather than reassuring.
Visiting the site (everyone)
When you load any page on ardeshir.net, our server records, in standard nginx access logs:
- The time of the request
- The page that was requested
- The HTTP status code we returned
- The size of the response in bytes
- Your IP address
- The browser identifier your client sent (User-Agent)
- The page that referred you, if any (Referer)
We keep these logs for 14 days for operational reasons (debugging, rate-limit tuning, attack detection). They are not shared with any third party. They are not used for advertising, analytics, profiling, or any purpose other than running the site.
We do not use analytics cookies. Most pages run no JavaScript at all. The one exception is the join page, which uses a small self-hosted script as progressive enhancement for the GitHub-verification flow. If you use that flow, the site also sets short-lived security cookies described below. We do not run trackers, analytics, ad scripts, or any third-party JavaScript.
We do not load fonts, scripts, or any other asset from any domain other than ardeshir.net itself, except in one narrow case: after a successful GitHub verification on the join form, the verified badge may hot-link your public GitHub avatar from avatars.githubusercontent.com. There is no tracker, no analytics, and no consent banner because there is nothing here to consent to beyond the narrow verification flow you choose to use.
Submitting an application via /join/
When you submit the application form, we collect exactly what you typed:
- Your chosen name or nickname
- Your X (Twitter) handle, if you provided one
- Your GitHub username (required for membership invite routing)
- Your chosen contact channel and your handle on that channel
- Your description of who suggested you apply
- Your written reason for wanting to join
We do not store your IP address with your submission. The submission record contains a one-way hash of your IP combined with a daily salt - that hash lets the steward spot patterns of automated submission without preserving who you are. The salt rotates every 24 hours, so the hash becomes uncorrelatable after a day.
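The salted-hash scheme described above, as an added sketch that is not this site's code. It assumes HMAC-SHA256 keyed with a random 32-byte salt held only in memory; the class and function names and the sample addresses are constructed. It also shows that IPv4 addresses can be enumerated under a known salt, so the unlinkability depends on the old salt being discarded at rotation.

```python
import hashlib
import hmac
import ipaddress
import secrets


class DailyIpTagger:
    """Keeps only the current day's salt, in memory."""

    def __init__(self):
        self.day, self.salt = None, None

    def tag(self, ip, day):
        if day != self.day:
            # Rotation overwrites the old salt; it is never stored or logged.
            self.day, self.salt = day, secrets.token_bytes(32)
        # Packed form, so different spellings of one address hash alike.
        packed = ipaddress.ip_address(ip).packed
        return hmac.new(self.salt, packed, hashlib.sha256).hexdigest()


def recover_ip(tag, salt, network):
    """Enumerate a range under a known salt; returns the match or None."""
    for addr in ipaddress.ip_network(network):
        guess = hmac.new(salt, addr.packed, hashlib.sha256).hexdigest()
        if hmac.compare_digest(guess, tag):
            return str(addr)
    return None


def demo():
    t = DailyIpTagger()
    net = "203.0.113.0/24"                       # documentation range
    a1 = t.tag("203.0.113.7", "2026-05-19")
    a2 = t.tag("203.0.113.7", "2026-05-19")
    other = t.tag("203.0.113.8", "2026-05-19")
    kept = t.salt                                # a salt that was NOT discarded
    a_next = t.tag("203.0.113.7", "2026-05-20")  # rotation happens here
    return {
        "same_day_match": a1 == a2,
        "other_ip_differs": a1 != other,
        "next_day_differs": a1 != a_next,
        "with_kept_salt": recover_ip(a1, kept, net),
        "with_new_salt": recover_ip(a1, t.salt, net),
    }
```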
What happens to that data, in order
- On arrival, your submission is encrypted to the steward’s PGP key within milliseconds of reaching our server. The plaintext exists only in process memory long enough to be encrypted, then it is overwritten with zeros. Plaintext is never written to any disk.
- Within seconds, the encrypted blob is re-encrypted to a transport key and uploaded to a private repository where the steward can fetch it later.
- The steward decrypts your submission offline, on a separate device, using a YubiKey hardware token. The decrypted plaintext exists only in the steward’s memory during the review session.
- After the steward decides, the encrypted file is removed from the private repository and either kept locally on the steward’s hardware-encrypted laptop (still encrypted) until the retention window below expires, or purged immediately. The plaintext from the decryption session is discarded and never written to disk.
If you click “Verify with GitHub”
The join form offers an optional “Verify with GitHub” button. If you use it:
- Your browser is redirected to github.com to authorise our application named “Ardeshir Join.”
- The authorisation requests the `read:user` scope: GitHub returns only your public profile (username, numeric ID, display name, public avatar). We do not request access to your email address, your repositories, or any other information.
- We use the authorisation token once, to read your username, then discard it. We do not retain it; no follow-up requests to GitHub are made on your behalf.
- A short-lived signed cookie (15 minutes) carries the verified username from the OAuth callback to the form submission. The cookie is HttpOnly, Secure, and signed with a key rotated daily on our server.
- GitHub keeps its own record that you authorised our application; you can review and revoke it at https://github.com/settings/applications.
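A sketch of the short-lived signed cookie described in the list above, added here as an example and not taken from this site's code. It assumes an HMAC-SHA256 tag over a base64 JSON payload, and assumes the previous day's key is kept so that a cookie issued just before the daily rotation still verifies within its 15 minutes; the names, the username and the timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

TTL = 15 * 60   # cookie lifetime stated on the page, in seconds
DAY = 86400


class CookieSigner:
    def __init__(self):
        self._keys = {}   # day number -> random key, kept in memory only

    def _rotate(self, today):
        self._keys.setdefault(today, secrets.token_bytes(32))
        # Assumption: yesterday's key survives so a cookie issued at 23:55
        # still verifies at 00:05. Anything older is dropped.
        for day in [d for d in self._keys if d < today - 1]:
            del self._keys[day]

    def _mac(self, day, payload):
        return hmac.new(self._keys[day], payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, username, now):
        self._rotate(now // DAY)
        body = json.dumps({"u": username, "exp": now + TTL})
        payload = base64.urlsafe_b64encode(body.encode()).decode()
        return payload + "." + self._mac(now // DAY, payload)

    def verify(self, cookie, now):
        """Return the verified username, or None if forged or expired."""
        payload, _, mac = cookie.rpartition(".")
        today = now // DAY
        self._rotate(today)
        for day in (today, today - 1):
            if day in self._keys and hmac.compare_digest(
                    self._mac(day, payload).encode(), mac.encode()):
                # Parse only after the MAC has been checked.
                claims = json.loads(base64.urlsafe_b64decode(payload))
                return claims["u"] if now < claims["exp"] else None
        return None


def demo():
    s, midnight = CookieSigner(), 20593 * DAY        # constructed timestamps
    c = s.issue("octocat", midnight - 300)           # issued 23:55
    forged = c[:-1] + ("0" if c[-1] != "0" else "1")
    return (s.verify(c, midnight + 300),             # 00:05, inside the TTL
            s.verify(c, midnight + 601),             # 15 min 1 s after issue
            s.verify(forged, midnight + 300))        # last MAC digit altered
```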
There is no manual fallback. If you do not authorise our application, the form does not let you submit. You can email Artaxshathra@proton.me instead.
Who can see your data
- The steward, during the offline decryption session.
- Nobody else. Not other members. Not the people who operate our server. Not the host of our private repository (they hold the file but cannot decrypt it without the YubiKey).
How long we keep it
| Decision | Retention |
|---|---|
| Approved | The encrypted submission is kept for 1 year after the membership decision, in case the membership decision is questioned later, then deleted. |
| Rejected | The encrypted submission is kept for 90 days after the decision, then deleted. We do not contact you about a rejection. |
| Held for clarification, then resolved | The clock starts when the resolution happens, and the retention follows the resolved outcome above. |
| Abandoned (no clarification reply within 14 days) | Deleted. |
Deletion means the encrypted file is removed from our infrastructure. We cannot guarantee deletion from third-party copies that may have been made by an adversary, by a court order on our service providers, or by anyone who has obtained a copy without our knowledge.
How to ask for your data to be deleted earlier
Write to Artaxshathra@proton.me and reference, as best you can, the contact handle you used when applying. The steward will identify the matching submission and delete it. You will receive a confirmation. We will not retain a record of the deletion request itself beyond what is necessary to confirm it happened.
Releasing software
If you are a contributor to a released project, your chosen contributor handle and the contributions you make appear in that project’s public git history, by the nature of git. The handle you use for that purpose is your choice; we recommend it not be tied to your real-world identity.
What we will not do
- We will not sell, rent, share, or otherwise disclose your data to any third party for any commercial purpose. There is no commercial purpose to disclose it for.
- We will not use your data for anything other than reviewing your application (for applicants) or operating the site (for visitors).
- We will not retain anything we have committed to delete on the schedule above, except as required by a legal order we cannot lawfully refuse - and if such an order is ever received, the warrant canary at /canary/ will reflect it.
What we cannot promise
We are a volunteer collective operating in a hostile environment. We are not a regulated data processor. We do not have an in-house counsel, a data protection officer, or a legal entity that can be sued for breach of these promises. We can only commit to the practices above and to keeping the commitments visible and honest.
If the threat model in your situation requires guarantees we cannot make, please do not submit data to this site.
Changes to this page
Material changes to this page are committed to the public repository where the site source lives, so the history of what we have promised over time is itself publicly auditable.
Last updated: 2026-05-20.