Privacy Policy

Last updated: February 2026

1. Data Controller

The data controller for SpectroSolHub is:

2. What Data We Collect

We collect only the data necessary for the operation of the platform:

  • Account information: username, email address, password (stored as a one-way hash, never in plain text).
  • Profile information: display name, bio, location (all optional, provided by you).
  • Observation data: observation sessions, equipment metadata, observation dates, and geographic coordinates. Coordinates are coarsened to approximately 55 km precision to protect your privacy.
  • Images: solar images you upload, along with titles, descriptions, and processing parameters.
  • Community activity: comments, likes, follows, and collections.
  • Technical data: a session cookie for authentication (see Section 6).

3. Legal Basis for Processing

We process your personal data based on:

  • Consent: By creating an account and accepting the Terms of Service, you consent to the processing described in this policy.
  • Legitimate interest: Operating and maintaining the platform, ensuring security, and preventing abuse.

4. How We Use Your Data

Your data is used to:

  • Provide and operate the SpectroSolHub platform.
  • Display your public profile and shared content to other users.
  • Send transactional emails (account verification, password reset, email change confirmation).
  • Moderate content and enforce the Terms of Service.

5. Scientific Research

As described in the Terms of Service (Section 6), by uploading data to SpectroSolHub you grant a license for your content to be used for scientific research purposes. This may include analysis, publication, and sharing within the scientific community. When reasonably possible, appropriate credit will be given to the original contributor.

6. Cookies

SpectroSolHub uses a single session cookie (SPECTROSOLHUB_SESSION) which is strictly necessary for authentication. We do not use any analytics, tracking, or advertising cookies. As this cookie is strictly necessary for the service to function, no consent banner is required.

We also use a LANG cookie to store your preferred display language. This cookie is valid for 1 year and contains no personal data. As it is a functional preference cookie, no consent is required.

7. Third-Party Processors

We use the following third-party services to operate the platform:

  • Object storage provider: Your uploaded images are stored using an S3-compatible storage service.
  • Email service provider: Transactional emails are sent through an SMTP email service.
  • OAuth providers (optional): If you choose to log in with Google or GitHub, we receive your email address and display name from these providers. We only store your email, a provider-specific identifier, and your display name.

We do not sell, rent, or share your personal data with any other third parties.

8. Data Retention

Your data is retained for as long as your account is active. When you delete your account, all your data is permanently removed, including:

  • Your profile information
  • All observation sessions and images (including from storage)
  • All comments, likes, and follows
  • All API tokens and authentication data

Your user record is anonymized and marked as deleted.

9. Your Rights Under GDPR

As a data subject under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15): You can download all your personal data from Account Settings.
  • Right to rectification (Art. 16): You can update your profile, username, email, and password from Settings.
  • Right to erasure (Art. 17): You can delete your account and all associated data from Account Settings.
  • Right to data portability (Art. 20): You can export your data in JSON format from Account Settings.
  • Right to object (Art. 21): You may contact the data controller to object to specific processing activities.
  • Right to withdraw consent: You may withdraw your consent at any time by deleting your account.

To exercise any of these rights, you can use the in-app features listed above or contact the data controller at the email address provided in Section 1.

10. Data Security

We implement appropriate security measures to protect your data, including: password hashing (bcrypt), CSRF protection, optional two-factor authentication (TOTP), encrypted connections (HTTPS), and rate limiting.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the service after changes are published constitutes acceptance of the revised policy.

12. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the French data protection authority (CNIL).