Privacy Policy
1. Who We Are
The data controller responsible for personal data processed through Project LFG is Project LFG, based in Russia. Contact for privacy questions and requests: artgreg.tga@gmail.com. This notice is provided in line with transparency requirements such as Articles 13–14 GDPR where they apply. It is not legal advice; a small team cannot offer every jurisdiction-specific nuance—consult a qualified adviser for high-risk processing.
2. What Project LFG Is
Project LFG is a web platform for discovering projects, applying to roles, messaging, friend connections, notifications, and related collaboration features. Processing described here covers visitors and registered users of the public website and authenticated application.
3. Categories of Personal Data
We process the following categories, depending on how you use the service: Account and credentials — email address, password hash, optional Google account linkage when you choose Google sign-in, email verification and security tokens, account role and visibility flags, timestamps of signup and login, and recent IP address and browser user-agent strings associated with signup or login for abuse prevention. Profile — display name, public profile link, avatar image, “about” text, language and timezone preferences, project format preference, location selections (for example country/region/city identifiers from our location catalogue), and visibility settings for how your projects appear. Activity and content — projects you create or join, role applications, chat messages, favorites, friend requests, blocks/ignores, notifications, feedback and abuse reports you submit, and similar operational records. Technical and security — server and application logs, request identifiers, rate-limit and anti-abuse signals, optional aggregated or diagnostic telemetry, and client error reports you or your browser send (which may include error message text, page URL, user agent, and account id when you are logged in). Communications — messages we send you about security, account recovery, or service updates via our email provider.
4. Purposes and Legal Bases
We process personal data on these legal bases, as applicable: Performance of a contract — providing accounts, profiles, search, applications, chats, and features you request. Legitimate interests — securing the service, detecting and preventing fraud and abuse, enforcing our Terms, improving reliability, internal reporting in aggregated form, and communicating important service information; where required, we balance these interests against your rights. Consent — where we rely on consent (for example optional Vercel Analytics and Speed Insights after you accept via our cookie banner), you may withdraw consent at any time without affecting prior processing; withdrawal may limit certain optional features. Legal obligation — where we must retain or disclose data to comply with law, court orders, or competent authorities.
5. Cookies and Similar Technologies
We use cookies and similar storage on your device. Strictly necessary cookies include the session cookie for logged-in users, short-lived cookies used during Google OAuth, and the `app_locale` cookie so the site can render in your chosen language on the next visit. Guests may also have language preference mirrored in browser localStorage. Optional analytics: Vercel Analytics and Vercel Speed Insights load only after you accept optional cookies through our banner; your choice is stored in browser localStorage (`project_lfg_analytics_consent_v1`). Rejecting optional analytics disables those tools on your device via our integration. For more detail on cookie law in the EU/EEA and UK, see national guidance implementing the ePrivacy Directive alongside GDPR.
6. Service Providers (Subprocessors)
We use reputable service providers (“subprocessors”) who process personal data on our instructions: Vercel — hosting, edge delivery, and (if you consent) product analytics and speed metrics; Neon — managed PostgreSQL database hosting; Resend — transactional and operational email; Google — authentication when you choose “Sign in with Google”. Each provider’s own privacy policy and data processing terms apply in addition to this notice. We do not sell your personal data as “sale” is commonly understood in modern privacy statutes.
7. International Data Transfers
Some providers may process or store data in the United States and other countries outside your own. Where GDPR or UK GDPR applies and transfers are not covered by an adequacy decision, we rely on appropriate safeguards offered by our vendors (for example standard contractual clauses in their Data Processing Addenda) or other lawful transfer mechanisms. You may obtain copies of relevant safeguards from vendors where they make them available online.
8. Retention
We retain data only as long as needed for the purposes above. Account and profile data are kept while your account is active and for a short period afterward to allow recovery, dispute handling, or legal compliance. Logs and security records are kept for a limited rolling period appropriate to abuse prevention. Backup copies may persist briefly. If you request deletion, we will delete or anonymize personal data unless a narrow legal exception requires retention (for example unresolved claims). Exact retention periods may evolve with infrastructure; we document criteria rather than every TTL in this MVP notice.
9. Your Rights
Depending on your location, you may have rights to: access your personal data; rectify inaccuracies; erase data (“right to be forgotten”) where applicable; restrict certain processing; object to processing based on legitimate interests; data portability for data you provided where processing is automated and based on contract or consent; withdraw consent where processing is consent-based; and lodge a complaint with a supervisory authority (for example in your EU/EEA country of residence or the UK ICO). To exercise rights, contact artgreg.tga@gmail.com from your account email where possible. We are a small team and will respond within a reasonable period (typically within one month for GDPR-style requests, subject to extension for complex requests as permitted by law).
10. Children
Project LFG is not directed at children. You must be at least 16 years old to use the service, or the age of digital consent in your country if higher and we have not implemented parental consent flows. If you believe we have collected data from someone under that threshold, contact artgreg.tga@gmail.com and we will take appropriate steps, including deletion where appropriate.
11. Security
We implement appropriate technical and organizational measures (such as access controls, encryption in transit, hashed passwords, rate limiting, and monitoring) appropriate to the risk. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
12. Automated Decision-Making
We do not make automated decisions that produce legal or similarly significant effects about you under Article 22 GDPR. Features such as search ordering may use algorithms or filters; they do not replace human judgment for rights affecting decisions.
13. Changes to This Policy
We may update this Privacy Policy by posting a revised version on this page and changing the “Last Updated” date. Where required by law or where changes are material, we will provide additional notice (for example through the service or by email).
14. Contact Us
For privacy requests and questions: artgreg.tga@gmail.com. You may also use the Contacts page on this website. Operational support may use the same channel unless we publish a dedicated address.