Privacy Policy

Outreach Syndicate is operated jointly by two private individuals (no company, no association): Jerome Welty (Quebec, Canada) and David Desplanque (France).

Both act as joint data controllers within the meaning of Article 26 GDPR and joint persons in charge of personal information under Quebec Law 25.

Contact for any privacy request: jerome.welty@gmail.com

We do not have a Data Protection Officer (DPO) because the scale and nature of our processing do not require one under Article 37 GDPR. The email above is the single point of contact for all data protection matters.

Account and identity data: display name, email address (if provided through OAuth or manually), unique account identifier, language preference, avatar.

OAuth identifiers: a unique identifier returned by Google, Discord, or Facebook when you log in with one of these providers. We never receive or store your password.

Product activity data: trading sessions, mining reports, corporation membership, fleet (ship list imported via the RSI Sync browser extension), messages you send, preferences, group-finder posts, patch notes you publish.

Technical and security data: IP address (in security logs only), browser user-agent, timestamps of sign-ins, session tokens, CSRF tokens.

Analytics data (only if you explicitly opt in): pseudonymous usage statistics provided by Google Analytics 4 (pages viewed, approximate location from IP, device type).

We do NOT collect special categories of data (Article 9 GDPR): no health, racial, political, religious, biometric, or sexual orientation data.

We do NOT collect payment data. The optional donation button redirects to an external payment processor who has its own privacy policy.

Providing the service (account creation, community features, fleet sync, messaging): performance of a contract — Article 6(1)(b) GDPR / necessity for the service under Quebec Law 25.

Platform security, abuse prevention, audit logs: legitimate interest — Article 6(1)(f) GDPR. Our legitimate interest is to keep the service safe for all users and to be able to investigate incidents.

Google Analytics (opt-in usage analytics): your explicit consent — Article 6(1)(a) GDPR. You can withdraw your consent at any time in the cookie banner or the privacy settings of your account.

Responding to your rights requests and legal obligations: Article 6(1)(c) GDPR.

No processing is based on a legal obligation that would force us to keep your data beyond what is strictly necessary.

Active account data: kept for as long as your account is active.

After an account deletion request: all personal data linked to the account is erased within 30 days, with the exception of minimal audit records (see below).

Activity data (sessions, reports, corporations, messages, fleet): deleted together with your account, within 30 days of the deletion request.

Security and audit logs (IP, sign-in events, abuse reports): retained for a maximum of 12 months from creation, then automatically deleted.

Encrypted backups: rolling 30-day retention. After 30 days, backups are overwritten or expired automatically.

Consent records (cookie banner choice): 6 months, then we will ask you again.

If you stop using your account without deleting it, we may delete inactive accounts after 24 consecutive months of inactivity, after sending you a notification email (if we have an email address).

Vercel, Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA) — hosting and edge network. Data Processing Addendum with Standard Contractual Clauses (SCCs). More info: vercel.com/legal/dpa.

Supabase, Inc. (970 Toa Payoh North #07-04, Singapore 318992) — PostgreSQL database, authentication, storage. EU region available. DPA with SCCs. More info: supabase.com/privacy.

Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) — OAuth sign-in (Google), and optional Google Analytics 4 (only after consent). DPA and SCCs in place.

Discord Inc. (444 De Haro St #200, San Francisco, CA 94107, USA) — OAuth sign-in (Discord) and external community server (discord.gg/aRUG36Hw6C). Joining the Discord is optional and governed by Discord's own privacy policy.

Meta Platforms, Inc. (1 Hacker Way, Menlo Park, CA 94025, USA) — OAuth sign-in (Facebook).

Roberts Space Industries / Cloud Imperium Games — Outreach Syndicate is an unofficial fan site and is not affiliated with or endorsed by CIG. The RSI Sync extension reads publicly visible ship data from your RSI fleet page only when you click Sync.

We do NOT sell, rent, or share your personal data with advertisers. We do NOT use your data for marketing emails.

Most of our sub-processors are US-based. This means your personal data may be transferred to, processed, or stored in the United States.

Transfers to the United States are covered by the EU-US Data Privacy Framework (for certified companies) and/or by Standard Contractual Clauses (SCCs) adopted by the European Commission — Article 46(2)(c) GDPR.

For data transferred outside Quebec, Article 17 of Quebec Law 25 is respected through a documented privacy impact assessment and contractual safeguards with our sub-processors.

Technical safeguards: HTTPS/TLS 1.2+ in transit, encryption at rest where supported by the sub-processor.

Access: obtain a copy of the personal data we hold about you.

Rectification: correct inaccurate or outdated data.

Erasure (right to be forgotten): request deletion of your data. You can trigger this yourself from Settings > Privacy.

Restriction: ask us to limit processing in specific situations.

Objection: object to processing based on our legitimate interest.

Portability: receive your data in a structured, machine-readable format (JSON). Available from Settings > Privacy > Export my data.

Withdraw consent: for any processing based on consent (for example Google Analytics), without affecting past lawful processing.

Deindexation (Quebec Law 25, Article 28.1) and right to cease dissemination: request that we stop indexing or disseminating a piece of content about you.

Post-mortem directives (France, Article 85 Loi Informatique et Libertes / Quebec): give instructions about the fate of your data after your death. Send your instructions to jerome.welty@gmail.com.

Automated decisions: we do not carry out automated individual decision-making or profiling with legal or significant effects on you (Article 22 GDPR).

How to exercise your rights: email jerome.welty@gmail.com from the email address registered on your account, or use the tools in Settings > Privacy. We respond within 30 days (extendable once by 60 days in complex cases, with prior notice).

If you believe our processing violates applicable law, you have the right to lodge a complaint with a supervisory authority.

France: Commission Nationale de l'Informatique et des Libertes (CNIL) — www.cnil.fr

Germany: depends on your state (BfDI at federal level for joint controllers outside Germany — www.bfdi.bund.de).

Spain: Agencia Espanola de Proteccion de Datos (AEPD) — www.aepd.es

Other EU member states: your national data protection authority.

Quebec: Commission d'acces a l'information du Quebec (CAI) — www.cai.gouv.qc.ca

Canada (federal): Office of the Privacy Commissioner of Canada — www.priv.gc.ca

United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk

We encourage you to contact us first at jerome.welty@gmail.com so we can try to resolve your concern.

Technical measures: HTTPS/TLS everywhere, hashed session tokens, database access restricted to production services, encryption at rest, automated dependency vulnerability scanning, role-based access control.

Organisational measures: only the two site operators have administrative access, all admin access is logged, no third party has read access to the production database outside of the sub-processors listed above.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (Article 33 GDPR) and notify affected users without undue delay if the risk is high (Article 34 GDPR).

Under Quebec Law 25, confidentiality incidents involving a serious risk are reported to the Commission d'acces a l'information and to affected individuals as required by Articles 3.5 to 3.8 of the Act respecting the protection of personal information in the private sector.

Outreach Syndicate is not intended for children under 13 years old.

Spanish users: under Article 7 of Spanish Organic Law 3/2018 (LOPDGDD), the minimum age of digital consent is 14.

German users: under Section 8(1) GDPR and German implementation, parental consent is required below 16 for some services; we do not knowingly process data of users under 16 without parental consent.

If we become aware that a user below the applicable minimum age has created an account, we will delete the account and all associated data as soon as possible. Parents or guardians may contact us at jerome.welty@gmail.com.

We use strictly necessary cookies for authentication and security, and, with your consent only, Google Analytics cookies.

See our Cookie Policy for the full list of cookies, their purpose, and how to manage your consent.

We may update this Privacy Policy to reflect changes in the service or the law.

The 'Last updated' date at the top of this page indicates the most recent revision.

For significant changes, we will display a banner on the site and, where feasible, send an email to registered users at least 30 days before the change takes effect.

Continued use of the service after the effective date of a revised policy constitutes acceptance of that revised policy.

All privacy requests, questions, or complaints: jerome.welty@gmail.com

Please include 'PRIVACY REQUEST' in the subject line and indicate the right you wish to exercise. We may ask for reasonable identity verification before acting on a request.