Privacy Policy

🕵️ Privacy Policy: Surveillance Capitalism Meets Anarchist Data Protection

GDPR Compliance as Competitive Advantage: Privacy Through Transparency (or: How I Learned to Stop Worrying and Weaponize Regulation)

Nothing is true. Everything is permitted. Except harvesting user data without consent—GDPR made that expensive (up to 4% global revenue or €20M). FNORD. Are you paranoid enough yet?

Think for yourself. Question authority. Especially the authority that says "we value your privacy" while selling your behavioral surplus to 847 "partners" (read: data vampires). At Hack23, privacy isn't marketing bullshit—it's our public Privacy Policy with specific retention periods, encryption controls, and user rights implementation. We put our ISMS where our mouth is.

Privacy isn't dead. It's being held hostage by surveillance capitalism—the bastard child of Orwell and Zuckerberg. But psychonauts have a weapon: GDPR—the only regulation that makes data brokers actually sweat (and hire lawyers). At Hack23, we weaponize GDPR compliance as competitive advantage: 72-hour breach notification (because hiding breaches is so 2015), data minimization by default (collect less, worry less), privacy-by-design architecture (bake it in, not bolt it on), transparent user rights across all platforms.

ILLUMINATION FOR PSYCHONAUTS: GDPR penalties that actually hurt (4% revenue) change corporate behavior faster than a bad acid trip. Hack23 implements privacy controls not because Brussels demands it—but because our CIA, Black Trigram, and CIA Compliance Manager platforms demonstrate consulting expertise through systematic privacy engineering. The conspiracy is real, but we're on your side. Maybe. Nothing is true.

Our approach combines legal compliance (GDPR Article 5 principles, Swedish data protection laws) with technical precision: encryption at rest and in transit (because plaintext is for chumps), automated retention policies (digital hoarding disorder is real), user data export within 30 days (your data, your freedom), complete deletion within 90 days (right to be forgotten means actually forgotten). Full technical implementation in our public Privacy Policy. No NDAs. No "proprietary methods." Just radical transparency.

The Five GDPR Principles: Not Marketing, Actual Implementation

1. 🎯 Purpose Limitation (GDPR Art. 5.1.b)

Collect data for specific, explicit purposes documented in our Privacy Policy. CIA platform: democratic transparency. Black Trigram: game progress. CIA Compliance Manager: security assessment. Mission creep is how surveillance states are born.

Implementation: Every data field mapped to legitimate purpose. Analytics pseudonymized. Third-party sharing: zero (except payment processors with contractual DPA).

If you can't articulate why you need data in a single sentence, you don't need it.

2. 📦 Data Minimization (GDPR Art. 5.1.c)

Collect only what you need. Every byte is a liability, a target, and a responsibility. CIA: username + email. Black Trigram: player ID + progress. CIA CM: org account + assessments. More data ≠ better insights. Usually just more risk.

Implementation: No tracking pixels. No cross-site cookies. No "partners" enriching profiles. Minimal collection enforced by form validation, database constraints, and code review.

The best data to protect is data you never collected. GDPR-compliant by design, not by retrofit.

3. ⏱️ Storage Limitation (GDPR Art. 5.1.e)

Delete data when you're done with it. Hoarding data "just in case" is how breaches become catastrophes. Automated retention: Logs 90 days, user accounts (lifetime + 2 years), analytics 12 months, session data 90 days.

Implementation: Automated deletion jobs. No "archive everything forever." Inactive accounts purged after retention period. Legal hold capability for compliance when required.

Data is toxic waste—dispose of it properly or it poisons everything. Retention policies enforced by code, not policy documents.

4. 🌐 Transparency (GDPR Art. 12-14)

Tell people what you're doing with their data. In plain language, not legalese. Radical transparency isn't just security—it's respect. Our Privacy Policy: Public GitHub repo. Version controlled. Changelog tracked. No burying updates in ToS amendments.

Implementation: Privacy dashboard showing collected data. Export function (30 days). Deletion request (<90 days). Email notifications for policy changes. No dark patterns.

If your privacy policy requires a law degree to understand, it's designed to hide something. Ours is GitHub-hosted and plain English.

5. ✅ User Control (GDPR Art. 15-22)

Give users rights: access, correction, deletion, portability. They own their data, not you. Act accordingly or face GDPR fines that actually hurt (4% global revenue or €20M, whichever is higher). User rights: Export data (JSON), delete account, correct information, object to processing.

Implementation: Self-service privacy dashboard. Automated data export. Deletion cascades across all systems. No "we'll consider your request"—you control your data, period.

User rights aren't optional features—they're legal requirements backed by penalties that matter. Implementation beats promises.

Privacy by Design: Architecture, Not Checkbox Compliance

Privacy isn't something you bolt on after building surveillance infrastructure. It's architectural per GDPR Article 25 (data protection by design and by default):

| Platform | Data Collected | Encryption | Retention | User Rights |
| --- | --- | --- | --- | --- |
| 🏛️ CIA Platform | Username, email, activity logs | TLS 1.3, AES-256 at rest | Account + 2 years, logs 90 days | Export, delete, correct |
| 🎮 Black Trigram | Player ID, game progress, session | TLS 1.3, encrypted storage | Account lifetime, sessions 90d | Export save, delete account |
| 📊 CIA Compliance Manager | Org accounts, assessments, metrics | TLS 1.3, encrypted backups | Enterprise retention policy | Export reports, delete data |

Technical Implementation:

  • Default to Privacy — Opt-in, not opt-out. Make the secure choice the default choice. No pre-checked consent boxes.
  • Encrypt Everything — TLS 1.3 in transit, AES-256 at rest, encrypted backups. If it's not encrypted, assume it's already compromised.
  • Minimize Attack Surface — Fewer databases, fewer copies, fewer access points. Simple is survivable. No data lakes—data ponds only.
  • Anonymize When Possible — You can't leak PII you don't have. Analytics: pseudonymized. Logs: IP hashed after 24h. Aggregate, anonymize, pseudonymize.
  • Audit Access — Log who accessed what, when. CloudTrail integration. Trust, but verify. Mostly verify. Access reviews quarterly.
  • Automated Enforcement — Retention policies executed by cron jobs, not manual deletion. User rights requests automated via API, not ticket systems.
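The retention schedule from the Storage Limitation section and the "Anonymize When Possible" and "Automated Enforcement" items above, as an added example (not Hack23's own job code): a batch job that applies the stated periods, hashes log IPs after 24 hours, and honours a legal hold. The record layout, the salt handling and the sample batch are assumptions made for the example.

```python
from datetime import datetime, timedelta as td, timezone
import hashlib

# Schedule from the policy: logs and sessions 90 days, analytics 12 months,
# accounts for their lifetime plus 2 years (counted from closure, not creation).
RETENTION = {"log": td(days=90), "session": td(days=90),
             "analytics": td(days=365), "account": td(days=730)}
IP_HASH_AFTER = td(hours=24)  # "IP hashed after 24h"

def pseudonymize_ip(ip: str, salt: bytes) -> str:
    """Keyed hash: raw address gone, repeat visitors still correlate within 90d."""
    return hashlib.sha256(salt + ip.encode()).hexdigest()[:16]

def enforce(records, now, salt, legal_hold=frozenset()):
    """Apply the schedule to dicts with 'id', 'kind', 'ts' (and 'closed' for
    accounts). Returns (kept records, ids to delete); legal hold wins over age."""
    kept, delete = [], []
    for rec in records:
        if rec["id"] in legal_hold:
            kept.append(rec)
            continue
        if rec["kind"] == "account":
            closed = rec.get("closed")  # open accounts are never auto-purged
            expired = closed is not None and now - closed > RETENTION["account"]
        else:
            expired = now - rec["ts"] > RETENTION[rec["kind"]]
        if expired:
            delete.append(rec["id"])
            continue
        if rec["kind"] == "log" and "ip" in rec and now - rec["ts"] > IP_HASH_AFTER:
            ip = rec["ip"]  # stage one: pseudonymize; stage two (90d): delete
            rec = {k: v for k, v in rec.items() if k != "ip"}
            rec["ip_hash"] = pseudonymize_ip(ip, salt)
        kept.append(rec)
    return kept, delete

def run_example():
    """Constructed sample batch (not real data) run against the schedule."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    records = [
        {"id": "log-1", "kind": "log", "ts": now - td(hours=2), "ip": "203.0.113.7"},
        {"id": "log-2", "kind": "log", "ts": now - td(days=3), "ip": "203.0.113.7"},
        {"id": "log-3", "kind": "log", "ts": now - td(days=91), "ip": "203.0.113.9"},
        {"id": "sess-1", "kind": "session", "ts": now - td(days=89)},
        {"id": "an-1", "kind": "analytics", "ts": now - td(days=400)},
        {"id": "acct-1", "kind": "account", "ts": now - td(days=3000)},
        {"id": "acct-2", "kind": "account", "ts": now - td(days=3000), "closed": now - td(days=800)},
        {"id": "acct-3", "kind": "account", "ts": now - td(days=3000), "closed": now - td(days=800)},
    ]
    return enforce(records, now, salt=b"rotate-me", legal_hold=frozenset({"acct-3"}))
```

In a real deployment the salt would come from a secrets store and be rotated, so that hashes from different rotation periods cannot be linked.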

META-ILLUMINATION: Privacy by default means users don't have to trust you—your architecture protects them whether they understand it or not. GDPR compliance through engineering, not promises.

GDPR: The Only Regulation With Teeth

GDPR isn't perfect, but it's the closest thing we have to a weapon against surveillance capitalism:

  • Real Penalties — Up to 4% of global revenue or €20M, whichever is higher. Companies actually care about this.
  • Extraterritorial Reach — EU citizens' data is protected everywhere. Can't hide in another jurisdiction.
  • User Rights — Right to access, rectification, erasure, data portability. With enforcement.
  • Breach Notification — 72 hours to report. No hiding breaches for months/years anymore.
  • Privacy by Design — Baked into the regulation. Not optional.

Operation Mindfuck the data brokers: Exercise your GDPR rights. Request your data. Delete it. Make them work for it. Every request costs them time and money.

CHAOS ILLUMINATION: The best way to fight surveillance capitalism is to make it economically unviable. GDPR is a start.

Our Implementation: Transparent, Minimal, User-Controlled

At Hack23, we practice what we preach through systematic privacy engineering across all platforms:

🔐 Data Controller Information:

  • Legal Entity: Hack23 AB (559534-7807)
  • Registered Address: Carl Grimbergsgatan 25, 413 13 Göteborg, Sweden
  • Data Protection Officer: James Pether Sörling (CEO)
  • Privacy Contact: privacy@hack23.com
  • Public Policy: GitHub ISMS-PUBLIC (version controlled, changelog tracked)

📊 Data Scope by Platform:

  • CIA Platform: User accounts (username, email), activity tracking for personalized dashboards, analytics on platform usage. No personal data of politicians (public data only).
  • Black Trigram: Player profiles (progress, achievements), game statistics, device/session info, in-app purchases (when applicable).
  • CIA Compliance Manager: Organization accounts, security assessment data, compliance reports/metrics, system configuration.
  • Consulting Services: Client contact info, project data, communication records, deliverables.

✅ User Rights Implementation (GDPR Art. 15-22):

  • Access (Art. 15): Self-service privacy dashboard showing all collected data. Export within 30 days.
  • Rectification (Art. 16): Profile editing, data correction via UI. Verified changes logged.
  • Erasure (Art. 17): Account deletion cascades across all systems. Complete within 90 days. Irreversible after confirmation.
  • Portability (Art. 20): JSON export of all user data. Machine-readable format. No vendor lock-in.
  • Object (Art. 21): Opt-out of analytics, marketing. Legitimate interest processing explained.
  • Restrict (Art. 18): Temporary processing halt during dispute resolution.

🔒 Technical Security Controls:

  • Encryption: TLS 1.3 in transit, AES-256 at rest, encrypted S3 backups with KMS.
  • Access Control: MFA required, role-based access, quarterly privilege reviews.
  • Monitoring: CloudTrail access logging, GuardDuty threat detection, Security Hub aggregation.
  • Breach Response: 72-hour notification per GDPR Art. 33. Incident Response Plan public in ISMS.
  • Data Minimization: No third-party tracking. No analytics that track across sites. No ad networks. No data brokers.
  • Retention Enforcement: Automated deletion jobs. Logs 90 days, accounts (lifetime + 2 years), analytics 12 months, sessions 90 days.

📋 Legal Basis per GDPR Art. 6:

  • Contract (Art. 6.1.b): Account management, service delivery, feature functionality.
  • Legitimate Interest (Art. 6.1.f): Security (fraud prevention, threat detection), analytics (UX improvement), performance monitoring.
  • Consent (Art. 6.1.a): Marketing communications (explicit opt-in only), third-party integrations.
  • Legal Obligation (Art. 6.1.c): Tax records, financial reporting, law enforcement compliance.

Full details in our public Privacy Policy—because transparency includes our data handling, retention schedules, and user rights procedures. Not marketing fluff—actual implementation documentation.

Welcome to Chapel Perilous: Privacy Edition (You're Already Being Watched—Make Them Pay for It)

Nothing is true. Everything is permitted. Except non-consensual data collection—that's expensive now (4% revenue or €20M, whichever is higher). GDPR works because penalties hurt (actual pain, not compliance-washing). FNORD. The surveillance state hates this one weird trick.

Privacy is possible. Not easy, not convenient, but possible. GDPR proved companies can function without selling user souls to the highest bidder (though some still try—looking at you, ad-tech). At Hack23, privacy compliance is competitive advantage: demonstrable through public policy, automated retention, transparent user rights, systematic encryption. We're paranoid in ways that protect you, not exploit you.

Our privacy framework demonstrates consulting expertise (and healthy paranoia):

  • Public Privacy Policy — GitHub-hosted, version controlled, changelog tracked (no hiding updates in ToS amendments at 3 AM)
  • Automated Retention — Logs 90 days, accounts (lifetime + 2 years), analytics 12 months (delete or get hacked—we choose delete)
  • User Rights API — Export within 30 days, delete within 90 days, self-service dashboard (your data, your control, actually)
  • Privacy by Design — TLS 1.3, AES-256, MFA, quarterly access reviews, CloudTrail audit (baked in, not bolted on)
  • 72-Hour Breach Notification — GDPR Article 33 compliance via Incident Response Plan (because hiding breaches is so Equifax 2017)

Think for yourself. Read privacy policies (we know, they're boring—ours is too, but at least it's honest). Exercise your rights. Make surveillance capitalism unprofitable through GDPR request volume—every request costs them time and money. Death by a thousand data subject access requests. It's beautiful.

ULTIMATE ILLUMINATION FOR PSYCHONAUTS: You are now in Chapel Perilous (population: you and your paranoia). Privacy is both a right (GDPR Art. 15-22) and a responsibility (implement it properly or watch it die). GDPR penalties changed the game (€50M+ fines get attention). Companies that ignore privacy face financial consequences (and should). Companies that implement it transparently demonstrate expertise (and survive). Choose wisely. Or don't. Nothing is true. Everything is permitted. Your data is already monetized. FNORD.

All hail Eris! All hail Discordia!

"Think for yourself, schmuck! Question everything—especially anyone who claims to 'value your privacy' while monetizing your behavioral surplus. Demand receipts. Check their Privacy Policy (actually read it, not just scroll and click). Exercise your GDPR rights (export everything, delete strategically, make them work for it). The panopticon is real. Make it expensive."

— Hagbard Celine, Captain of the Leif Erikson 🍎 23 FNORD 5