As a user-owned nonprofit, we have no financial incentive to sell your data. Your data belongs to you, and we only use it to provide and improve TransHarbor.

Hosting and Jurisdiction

TransHarbor is hosted in the United States and subject to US law. Our infrastructure is managed to ISO 27001 security standards - the same framework banks and hospitals use.

This means US law enforcement with valid warrants can compel us to provide data. We’ll fight overbroad requests, but we must comply with valid legal process.

What We Collect

You Provide: Email, username, password (encrypted), optional profile info (display name, bio, pronouns, location), posts, messages, reports, votes

Automatic: IP address (security only), device type, app version, login timestamps, error logs

We Don’t Collect: GPS location, contacts, photos, browsing history, advertising IDs

How We Use It

  • Platform operation and authentication
  • Safety, moderation, and abuse prevention
  • Account notifications (no marketing emails)
  • Bug fixes and improvements

What’s Public

Username, display name, bio, pronouns, location, posts, post count, account creation date, voting member status

What’s Private

Email, password, IP address, direct messages, reports, blocks, individual votes

We Never Sell Your Data

We don’t sell, rent, or share your data with third parties. Ever. Our legal structure prohibits it.

Limited Disclosure: Only with your consent, legal requirements (warrants/subpoenas), safety emergencies, or platform protection

Security

Encryption: Passwords hashed with industry-standard encryption, data encrypted at rest, HTTPS/SSL for all connections

Hardware Security Modules: Encryption keys stored in YubiHSM tamper-resistant hardware devices, not software

ISO 27001 Standards: Infrastructure managed to bank-grade security standards including documented policies, regular audits, incident response protocols, and access controls

Access Control: Restricted access to essential personnel only

Monitoring: Regular security audits and continuous compliance verification

Law Enforcement Requests

We’re subject to US law and must comply with valid warrants and subpoenas.

Our Process:

  • Verify request is valid and properly authorized
  • Challenge overbroad or inappropriate requests
  • Provide only the minimum data legally required
  • Notify affected users when legally permitted

We cannot protect you from valid legal process, but our encryption and hardware security protections ensure unauthorized access is prevented.

Your Rights

Access: View/download your data anytime via Settings or contact support@transharbor.org

Modify: Edit profile, posts, messages within limits

Delete: Delete individual content or entire account (permanently removed within 30 days)

Opt-Out: Disable email notifications and voting reminders in Settings

Data Retention

  • Active accounts: Indefinitely while active
  • Deleted accounts: Permanently deleted within 30 days
  • Backups: Retained 90 days for disaster recovery, then purged

Age Requirement

18+ only. We don’t knowingly collect data from anyone under 18. If we discover a user is under 18, we’ll delete their account immediately.

Open Source

TransHarbor is open source. You can verify our privacy and security claims by auditing the code. Everything we say here is verifiable.

Changes

Privacy Policy updates require democratic governance process. Major changes need supermajority approval (2/3 + 30% quorum).

We’ll notify users of material changes via email and in-platform notification.

International Users

If you’re outside the United States, your data will be transferred to and processed in the US. By using TransHarbor, you consent to this transfer.

For users in countries where government surveillance of trans people is a concern: we use government-grade security to protect you. Encryption and hardware security modules mean even we can’t access your data without physical access to our security hardware.

Contact

Support: support@transharbor.org

TransHarbor is a Wyoming Unincorporated Nonprofit Association
Mission-locked, community-owned, open source