Privacy Policy
Last updated: 2026-05-12 · GDPR-compliant disclosure
1. Data Controller
Martin Dominiak — Dominiak Consulting (sole proprietorship), c/o Autorenglück #43603, Albert-Einstein-Straße 47, 02977 Hoyerswerda, Germany. Contact: ancient.nerds@protonmail.com. Full operator details in the Imprint. No data protection officer is required for the size of this operation.
2. What We Process When You Visit the Site
Standard web-server logs (Caddy / nginx, JSON format):
- IP address
- Browser user agent
- HTTP referer
- Requested URL and timestamp
- HTTP status code and bytes transferred
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest — operation and security of the service).
Purpose: delivery of the service, abuse protection, error analysis.
Retention: 30 days, after which logs are automatically rotated and deleted. IP addresses are not separately anonymised; they are removed together with the log entry on expiry.
3. Cookies and Browser Storage
We use only strictly necessary technical storage:
- Session storage — temporary AI chat session state, cleared when the tab closes
- Local storage / IndexedDB — UI preferences (theme, filter state) and the offline-mode site cache for the Progressive Web App; controllable through your browser settings
- Cloudflare Turnstile — bot-protection cookie set only on pages with submission forms (contribution form); strictly necessary for spam prevention. Legal basis: § 25 (2) Nr. 2 TDDDG (technical necessity).
We do not use tracking cookies, analytics, advertising pixels, or fingerprinting.
4. External Resources Loaded by Your Browser
When rendering site cards, map tiles, and 3D embeds, your browser fetches assets directly from third-party servers. Your IP address is transmitted in the process:
| Recipient | Location | Purpose |
|---|---|---|
| Mapbox Inc. | USA | Satellite imagery and street map tiles |
| Google LLC | USA / Ireland | Google Maps embeds and Street View panoramas |
| Wikimedia Foundation | USA | Site images from Wikimedia Commons |
| Flagpedia / FlagCDN | EU | Country flag icons |
| SkylineWebcams (VisioRay S.r.l.) | Italy | Live webcam streams near heritage sites |
| Sketchfab Inc. | France / USA | 3D model embeds |
| ipwho.is / geojs.io | USA / EU | Approximate IP-based geolocation to centre the globe (no IP stored on our side) |
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest — visual source attribution, map rendering, factual data display).
Opt-out: browser extensions such as uBlock Origin or Privacy Badger can block these loads; the core map and data functions remain available.
5. AI and Content Processing (Server-Side)
The stories pipeline, weekly journals (compilations summarising the previous week's stories), research tasks, and the Lyra research assistant use third-party language models and embedding services to process publicly available archaeological content (YouTube transcripts, site descriptions, news sources). User chat queries to Lyra are also sent to the relevant provider in real time. Other personal data from visitors is not sent to these services.
| Processor | Location | Purpose | Third country? |
|---|---|---|---|
| MiniMax (Nanonoble Pte. Ltd., Singapore; parent company in Shanghai, China; API platform processed on servers in the United States) | Singapore / China / USA | Stories, weekly journals, research tasks: summarisation, fact verification, content generation | Yes — SCC under Art. 46 GDPR |
| Anthropic PBC | San Francisco, USA | Lyra research assistant (chat queries and responses) | Yes — USA, SCC under Art. 46 GDPR; EU-US Data Privacy Framework where applicable |
| Voyage AI (MongoDB) | USA | Embeddings and reranking. We have opted out of data training; zero-day retention. | Yes — USA, SCC under Art. 46 GDPR |
| Qdrant (self-hosted) | Our infrastructure | Vector database; telemetry disabled. No data leaves our servers. | No |
MiniMax retention & training: MiniMax's terms of service permit them to use API inputs and outputs "to provide, maintain, develop, and improve" their services. We have not been able to confirm a published opt-out. We do not send visitor personal data to MiniMax — only content from public sources and our own generated text.
Anthropic retention & training: Anthropic's commercial API terms state that input and output is not used for training models by default; retention is limited to operational and abuse-detection purposes.
6. Community Discord Server and Memberships
Ancient Nerds operates a community Discord server with optional paid memberships ("subscriptions") that help fund infrastructure costs. Participation is optional. The following parties are involved:
- Discord Inc. (San Francisco, USA) operates the Discord platform itself. Discord is an independent data controller for your account, messages, presence, and voice data. Their privacy notice applies: discord.com/privacy.
- MEE6 (operated from Paris, France) provides the Monetize subscription bot we use to offer and manage paid memberships on the Discord server. MEE6 receives membership metadata (plan, status, your Discord user ID) and integrates Stripe for billing. Their privacy notice: mee6.xyz/legal.
- Stripe Payments Europe Limited (Dublin, Ireland) processes credit-card payments and is an independent controller for payment data. Stripe is the technical processor; the operator's Stripe-connected account receives the funds. Their privacy notice: stripe.com/privacy.
- The operator (Dominiak Consulting) is the contractual partner and merchant of record for the membership contract. We receive your Discord user ID, membership plan and status, and Stripe payment metadata (transaction ID, last 4 digits of the card, billing country) — but not your full card number, postal address, or other payment data Stripe collects on your behalf.
- If you link your Discord account to features on this site (e.g., AI credit balance), we additionally store your Discord username, role list, and a credit counter on our servers.
Legal basis for processing membership data: Art. 6 (1) lit. b GDPR (performance of the membership contract). Retention: as long as the membership is active, plus the statutory retention period under German tax law (10 years for accounting records, § 257 HGB / § 147 AO).
Third-country transfer: Discord (USA) is based on Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. MEE6 (France) and Stripe Payments Europe (Ireland) are within the EU/EEA; no third-country transfer.
7. Hosting and Infrastructure
The site is hosted on dedicated servers operated within the European Union. The stack runs in Docker (Caddy, nginx, FastAPI, PostgreSQL + PostGIS, Redis, Qdrant). Server logs and database content are stored on this infrastructure.
8. Recipients and Third-Country Transfers (Summary)
| Country | Recipient | What is transferred |
|---|---|---|
| Germany | Hosting provider (Docker stack) | Full application state, server logs |
| France | MEE6 (Monetize subscription bot) | Discord user ID and membership metadata for paid subscribers |
| Ireland | Stripe Payments Europe Limited; Google Ireland | Card payment processing for memberships; YouTube Data API and embed loads |
| Singapore / China / USA | MiniMax (Nanonoble Pte. Ltd., Singapore; parent in Shanghai; servers in USA) | Public source content for AI generation (stories, journals, research) |
| USA | Anthropic, Voyage AI, Mapbox, Google, Wikimedia, Cloudflare, Discord | Lyra chat queries; embeddings; browser IPs for map tiles / images / embeds; community chat hosting |
| Italy | VisioRay S.r.l. (SkylineWebcams) | Browser IPs for webcam stream playback |
Transfers within the EU/EEA (Germany, France, Ireland, Italy) do not constitute third-country transfers. US transfers are based on Standard Contractual Clauses (Art. 46 (2) lit. c GDPR) and, where the recipient is certified, additionally on the EU-US Data Privacy Framework.
9. Your Rights
Under the GDPR you have the right to:
- Access your data (Art. 15 GDPR)
- Have inaccurate data corrected (Art. 16 GDPR)
- Have your data erased (Art. 17 GDPR)
- Restrict processing (Art. 18 GDPR)
- Receive your data in a portable format (Art. 20 GDPR)
- Object to processing based on legitimate interest (Art. 21 GDPR)
- Withdraw consent at any time, where processing is based on consent
To exercise these rights, contact ancient.nerds@protonmail.com.
10. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for the operator's place of residence is:
Saxon Data Protection and Transparency Commissioner (SDTB)
Devrientstraße 5, 01067 Dresden, Germany
www.saechsdsb.de
11. Children
Our service is not directed at children under 16. We do not knowingly collect data from children under 16. Where consent of a child is required under Art. 8 GDPR, such consent must be given or authorised by the holder of parental responsibility.
12. YouTube Creator Opt-Out
If you are a YouTube creator and would like your channel excluded from the news pipeline, contact ancient.nerds@protonmail.com with the subject "Channel Opt-Out" and your channel name or URL. We will remove your channel within 7 days.
13. Changes
We may update this policy as the service evolves. The current version is always accessible at /privacy.html; substantive changes will be announced on the site.