Privacy Policy
Last updated: 2 July 2026
This Privacy Policy explains how The Haunted Lighthouse Limited (“we”, “us”, “our”) collects, uses and protects your personal data when you use:
- our main website at haunted.lighthouse.co.im (the “Website”);
- The Sovereign Auditor, our articles and subscription service published at haunted.lighthouse.co.im/articles (the “Articles Service”);
- our Mastodon instance at lighthouse.co.im (the “Mastodon Service”); and
- our Forgejo-based git hosting at git.lighthouse.co.im (the “Forgejo Service”).
We take a privacy-first, data-minimal approach. We only collect what we genuinely need to provide and protect the services, and we do not sell, rent or trade your data.
1. Who we are
The Haunted Lighthouse Limited is a company based in the Isle of Man (Company No. 138512C). For any questions about this policy or your data, you can contact:
The Haunted Lighthouse Limited
Peel, Isle of Man
Email: compliance@haunted.lighthouse.co.im
Data Controller Registration (Isle of Man): R744503
For the purposes of UK GDPR and aligned Isle of Man data protection law, we act as the data controller for personal data processed via our Website, Articles Service, Mastodon Service and Forgejo Service.
2. What data we collect
2.1 Data you provide to us directly
-
Account details
When you create an account on our Mastodon or Forgejo services, we collect information such as:- email address;
- chosen username and display name;
- password (stored in hashed form only);
- profile information you choose to provide (bio, avatar, header image, links, etc.).
-
Subscription details (Articles Service)
If you subscribe to The Sovereign Auditor, we collect your email address, name, and a payer reference from PayPal so we can deliver access credentials and manage your subscription. We do not receive or store your full payment card or bank details — these are held by PayPal. -
Content you publish
On Mastodon this includes posts, replies, direct messages, media uploads and any other activity you perform. On Forgejo this includes repositories, issues, pull requests, comments and other project content. -
Support and correspondence
When you email us or contact us through other channels, we collect the information you provide so we can respond and keep appropriate records.
2.2 Data collected automatically
-
Server logs
Our servers automatically record technical information when you access our services, such as:- IP address;
- date and time of requests;
- requested URLs and HTTP status codes;
- user-agent (browser / client information).
-
Session and security data
We may store limited session identifiers and security tokens (for example, to keep you logged in, to prevent cross-site request forgery, and to enforce rate limits). -
Analytics (Website and Articles Service)
We use GoatCounter, a self-hosted, privacy-respecting analytics tool, to record aggregate visit counts and popular pages. GoatCounter does not use cookies and does not track individuals across sites. -
Listening data (Articles Service)
Where an article has an audio version, we record basic playback events (for example, that an audio version was started) to understand which articles are used this way. This data is not linked to your subscriber identity.
2.3 Federated data (Mastodon)
Mastodon is a federated social network. This means that when you interact with users on other Mastodon instances or compatible services:
- your public posts and profile data may be copied to other servers outside our direct control;
- remote servers may cache or retain copies of your data according to their own policies;
- when remote users interact with you, we receive their public profile information and content.
We cannot enforce deletion or correction of data stored on third-party servers that have already federated with our instance. We will, however, honour your rights on the data we control directly.
3. How we use your data
We process your personal data for the following purposes:
-
Providing the services
To create and manage your account, deliver timelines, serve repositories, deliver article access, and enable the features you use.
Legal basis: performance of a contract. -
Processing subscription payments
To manage your Sovereign Auditor subscription via PayPal, including billing and access provisioning.
Legal basis: performance of a contract. -
Security and abuse prevention
To protect the services from spam, abuse, unauthorised access and attacks, and to apply moderation decisions.
Legal basis: legitimate interests; in some cases legal obligation. -
Backups and disaster recovery
To maintain reliable backups of Mastodon, Forgejo and Articles Service data on secure storage (including off-site, geographically separate storage) so we can restore service after a failure.
Legal basis: legitimate interests. -
Communication with you
To send essential service messages (such as password reset emails, subscription/billing notices, security notices or critical service updates). We do not send marketing newsletters.
Legal basis: performance of a contract; legitimate interests. -
Legal compliance
To comply with applicable laws, respond to lawful requests and enforce our Terms of Service and our Content & AI Use Terms.
Legal basis: legal obligation; legitimate interests.
4. Data sharing and processors
We do not sell your personal data. We may share it only with:
-
Hosting and infrastructure providers
Our services are hosted on infrastructure provided by Netcup GmbH (Germany). Off-site backup and object storage is provided by Infomaniak Network SA (Switzerland, primary) and OVH SE (France, geographic disaster-recovery mirror). These providers act as our data processors and are bound by contracts and data protection safeguards, including a signed Data Processing Agreement with Infomaniak. -
Federated services (Mastodon only)
When you interact with users on other instances, your public profile and posts are shared with those servers, as required by the protocol. This is inherent to how the fediverse works. -
Payment processors
Subscription and billing data for the Articles Service, and payment data for paid Forgejo hosting plans, is processed by PayPal. We do not store your full card or bank details on our servers. -
Legal authorities
Where we are required to do so by law, or where we reasonably believe it is necessary to protect the rights, property or safety of our users, the public or ourselves.
5. International transfers
Our infrastructure is hosted in Germany, Switzerland and France. Switzerland benefits from an EU adequacy decision, meaning transfers there are treated the same as transfers within the EU/EEA without additional safeguards. Where data is transferred outside the UK or EU/EEA without an applicable adequacy decision, we will take reasonable steps to ensure that appropriate protection is in place (for example, contractual safeguards).
6. How long we keep your data
- Account data – kept while your account is active. If you delete your account, we delete or anonymise data within a reasonable period, subject to backups.
- Subscription and billing data – kept for the duration of your subscription and for a reasonable period afterwards to meet accounting and tax obligations.
- Backups – kept for a limited rolling retention period and used only for disaster recovery.
- Logs – retained for a limited time then deleted or anonymised unless needed for investigations.
7. Your rights
You may have rights to:
- access the data we hold about you;
- request correction, deletion or restriction;
- object to certain processing;
- request data portability where applicable;
- withdraw consent where processing is based on consent.
To exercise these rights, email compliance@haunted.lighthouse.co.im.
You also have the right to lodge a complaint with the Isle of Man Information Commissioner if you believe we have not handled your data appropriately.
8. Cookies
We use only a limited set of cookies necessary for login, security, essential preferences, and recording agreement to our Content & AI Use Terms where applicable. See our Cookie Policy for details.
9. VPNs, Tor and network privacy
We allow access via VPNs and Tor, provided behaviour complies with our Terms and community rules. Moderation decisions focus on behaviour, not IP address or physical location.
10. Changes to this Policy
We may update this Privacy Policy from time to time. Significant changes may be announced via the Website or Mastodon.
11. Contact
Questions about this Policy can be sent to compliance@haunted.lighthouse.co.im.