Privacy
Your story, secured
Absolute honesty is only possible in a space where identity is protected. Privacy here is an architectural constraint, not just a legal promise. This notice explains what this website collects, what the live Platform handles, and which stronger provenance mechanisms are still planned infrastructure.
This website
This site is an information portal. It hosts no testimony intake, no consent records, and no account system — those live on the separate live Platform. It collects only:
- What you send us in a form: If you use the contact or funding forms, we receive what you type (for example a name, email, and message) solely to reply and to keep a record of the enquiry. It is stored in an insert-only table and is never added to the witness, consent, or research data.
- Your theme preference: Your choice of light or dark theme is stored locally in your own browser. It never leaves your device and is not sent to us.
We do not sell data, and we do not use it for AI training. To ask about or withdraw a form enquiry, use the contact page.
How the Protocol protects testimony
Testimony submitted through the Protocol is governed by a stricter architecture, designed to separate the “who” from the “what”:
- Identity kept apart from testimony: Legal names and contact details live in a restricted identity vault; the research corpus holds only de-identified moral reasoning. The two never mix.
- Two-pass de-identification: The Platform strips hard-format identifiers before Gate model calls. Candidate Isolation is then used for PII classification and de-identification: only isolated candidate tokens are sent to the classifier for that step, never the full testimony context.
- Tamper-evidence: Live records use content hashes and disclosure-ledger entries to make sharing auditable. RFC-3161 timestamping and IPFS-style content-addressed archival are planned provenance layers; the portal demo shows simulated values until those layers are live.
- Revocation that cascades: Consent can be withdrawn. Revocation blocks future use and export, marks disclosure-ledger exposures as revoked, and triggers eligible internal or partner data-removal paths. Already public or cited copies cannot be globally recalled, but future distribution stops.
See this demonstrated in the revocation simulator and the provenance explorer, or read the full detail in the research library.
This is a plain-language summary, not the complete legal policy. For the formal privacy policy or a data request, contact The Witness Protocol Foundation initiative via the contact page.