Privacy Policy
Last updated: June 30, 2026
Effective date: June 30, 2026
1. Who We Are
Heritage.KRD ("we", "our", "us") is a digital archive dedicated to preserving and sharing Kurdish civilization, history, art, and culture. Our website is available at heritage.krd.
We are the data controller for personal information collected through this website. We are committed to protecting your privacy and handling your data transparently. This policy explains what information we collect, why we collect it, how we use it, and your rights.
2. Information We Collect
Information you provide directly:
- Registration data – full name, email address, and phone number when you create an account
- Identity verification – one-time passcodes (OTP) sent to your phone number for registration and login verification
- Profile information – optional biography, country, and city if you add them to your profile
- Contributions – any text posts, translations, historical records, corrections, or sources you voluntarily submit to the platform
- Photos – images you upload to the Community Gallery, including title, description, and category; image metadata such as file size and dimensions
Information collected automatically:
- Technical data – IP address, browser type and version, operating system, device type (desktop/mobile/tablet), and approximate geographic location (country and city) derived from IP
- Usage data – pages visited, time and date of visits, and referring URLs
- Security data – failed login attempts, suspicious activity, and session information for the purpose of protecting your account
- Cookies and similar technologies – see our Cookie Policy for full details
We do not collect sensitive personal data such as payment information, government IDs, biometric data, or health data.
3. Legal Basis for Processing
We process your personal data on the following legal grounds:
- Contract performance – to create and manage your account, verify your identity, and provide the services you have requested
- Legitimate interests – to keep the platform secure, detect and prevent fraud and abuse, maintain activity logs for operational purposes, and improve the site – provided these interests are not overridden by your rights
- Legal obligation – where we are required to process data to comply with applicable law
- Consent – for optional features such as language preference cookies; you may withdraw consent at any time
4. How We Use Your Information
- To create and manage your account and verify your identity via SMS OTP
- To send account-related communications (registration confirmation, password resets, moderation decisions)
- To display your contributions and community gallery photos on the platform
- To moderate user-submitted content and maintain community standards
- To detect, investigate, and prevent security threats, fraud, and abuse
- To understand how visitors use the site and improve content and navigation
- To comply with legal obligations
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
5. Third-Party Services
We use the following third-party services that may process your data:
- Namabar (SMS gateway) – your phone number is shared with Namabar to send OTP verification codes. Namabar processes this data solely for message delivery. Please refer to Namabar's own privacy policy.
- Google Fonts – fonts are loaded from Google's servers (fonts.googleapis.com, fonts.gstatic.com). Your browser sends your IP address to Google when loading these fonts. Google may log this data. Refer to Google's Privacy Policy.
- Cloudflare CDN (Font Awesome) – icons are loaded from Cloudflare's content delivery network (cdnjs.cloudflare.com). Your IP address is transmitted to Cloudflare servers. Refer to Cloudflare's Privacy Policy.
Each third party has its own privacy policy governing how it uses data transmitted to it.
6. Data Retention
- Account data – retained for as long as your account is active. Upon account deletion, your personal data is deleted within 30 days, except where we are required to retain it for legal compliance.
- Activity and security logs – IP logs, page views, and security events are retained for a maximum of 12 months and then deleted automatically.
- Contributed content – posts, translations, and records you submit remain on the platform after account deletion unless you specifically request their removal.
- Community photos – gallery photos you upload remain on the platform after account deletion unless you request removal.
- OTP records – phone verification records expire and are purged automatically after 24 hours.
7. Data Security
We take the security of your data seriously. Measures we have in place include:
- Passwords are secured using industry-standard, salted cryptographic hashing functions – we never store your password in plain text and it cannot be recovered even by us
- Session tokens are stored as salted cryptographic hashes, not the raw token value – a stolen database record cannot be used to impersonate you
- HTTPS encryption for all data transmitted between your browser and our servers
- Session cookies are marked HttpOnly and Secure to prevent JavaScript access and transmission over unencrypted connections
- Account lockout after repeated failed login attempts
- IP-based rate limiting and brute-force detection
No method of transmission over the internet or electronic storage is 100% secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security.
8. International Data Transfers
Your data may be processed or stored on servers located outside your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place. Third-party services such as Google and Cloudflare may process your data in various countries in accordance with their own data transfer mechanisms.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of access – request a copy of the personal data we hold about you
- Right to rectification – request correction of inaccurate or incomplete data
- Right to erasure – request deletion of your personal data ("right to be forgotten")
- Right to restriction – request that we limit how we use your data in certain circumstances
- Right to data portability – receive your data in a structured, commonly used, machine-readable format
- Right to object – object to processing based on legitimate interests
- Right to withdraw consent – where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Right to complain – if you are located in the EU/EEA, you have the right to lodge a complaint with your local data protection supervisory authority
To exercise any of these rights, contact us at privacy@heritage.krd. We will respond within 30 days.
10. Cookies
We use a small number of cookies to keep you signed in and remember your language preference. We do not use advertising or tracking cookies. For full details, please read our Cookie Policy.
11. Children's Privacy
Heritage.KRD is not directed at children. We require users to be at least 13 years of age to create an account. If you are located in the European Economic Area, you must be at least 16 years old, or have verifiable parental consent to use our services. If you believe a child has provided us with personal data without appropriate consent, please contact us at privacy@heritage.krd and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes, we may also notify registered users by email. We encourage you to review this page periodically.
13. Contact
If you have any questions, requests, or concerns about this Privacy Policy or how we handle your data, please contact us: