Privacy Policy
Last updated: July 8, 2026
open-record.org helps people request, organize, and understand personal records. We collect only the information needed to operate the service, respond to requests, and maintain account security.
Information We Process
We may process contact details, request metadata, user-provided files or messages, authentication records, and operational logs needed to provide and secure the service.
How We Use Information
We use information to provide user-directed record request workflows, send authorized messages, maintain security, debug reliability issues, and comply with legal obligations.
Subprocessors
These are every third party that processes personal information on our behalf, what they do, and where your data physically sits. Your data is stored in the European Union. Several of these companies are US-incorporated, which is a separate question from where the data lives — we name both.
| Subprocessor | What it does | Where your data sits |
|---|---|---|
| Cloudflare (US) | Application hosting, request routing, database connection pooling, and the private object storage holding your uploads and the files controllers send back | European Union (R2 EU jurisdiction) |
| Neon (US) | The database: your account, the organizations you trace, the requests we send for you, and their replies | Frankfurt, Germany |
| Mailgun (US) | Sending your data requests and receiving the replies, including any attachments controllers send | European Union (Mailgun EU region) |
| OpenAI (US) | Reading fields off an identity document, only if you upload one (see below) | United States |
OpenAI is the only subprocessor to which personal data leaves the European Union, and only for the identity document described below.
Identity Document Processing
If you upload an identity document, the image is stored in private, EU-resident object storage and is sent once to OpenAI (a US-based subprocessor) to extract document fields such as name and expiry date. The extraction result only assists a manual review by the open-record.org operator — verification decisions are always made by a person. Every access to your identity document is logged, raw images are deleted on a fixed retention schedule (90 days after verification, 7 days after rejection), and you can request earlier deletion at any time.
Your Choices
You can contact us to request access, correction, deletion, or export of personal information associated with your use of open-record.org.
Contact
For privacy questions, contact alberto@open-record.org.