Privacy Policy

Effective date: January 1, 2026  ·  Last updated: January 1, 2026

Your privacy matters to us. This policy explains what information we collect, why we collect it, and how we use it. We do not sell your personal data.

1. Who We Are

Somerset Community is a privately operated community website. References to “we,” “us,” or “our” refer to the operator of this Site. For questions about this policy, use our contact form or email [email protected].

2. Information We Collect

Information you provide directly

  • Registration data: first name, last name, email address, and password (stored as a secure hash).
  • Profile information: optional bio and profile photo you choose to add.
  • Content you submit: posts, comments, and contact form messages.
  • Agreement records: date and time you agreed to our Terms and Privacy Policy.

Information collected automatically

  • Session data: an encrypted session token stored in a secure, httpOnly cookie for authentication.
  • Log data: standard server logs may include IP addresses, browser type, and pages visited.
  • Last login timestamp: recorded to help detect unauthorized access.

3. How We Use Your Information

  • To create and manage your account and authenticate your identity.
  • To display your profile information and content to other community members.
  • To send transactional emails (account confirmation, password reset, moderation notices).
  • To maintain security and detect abuse or unauthorized access.
  • To comply with legal obligations.

We do not use your data for advertising, profiling, or sale to third parties.

4. Legal Basis for Processing (GDPR)

If you are located in the European Union or UK, we process your personal data under the following legal bases as required by the General Data Protection Regulation (GDPR):

Purpose                                            | Legal Basis
---------------------------------------------------|--------------------------------------------
Manage your account and authenticate you           | Performance of contract
Display your content to community members          | Performance of contract / Legitimate interest
Send transactional emails (password reset, notices) | Legitimate interest / Consent
Maintain site security and detect abuse            | Legitimate interest
Comply with legal obligations                      | Legal obligation
Respond to your support inquiries                  | Legitimate interest

EU/UK residents may contact us to exercise rights under GDPR, including the right to lodge a complaint with your national supervisory authority.

5. How We Share Your Information

We do not sell, rent, or trade your personal information. Information may be shared only in these limited circumstances:

  • With other community members: your display name, username, profile photo, and content you post are visible to other registered members.
  • Service providers: hosting infrastructure providers who process data solely to operate the Site, under confidentiality obligations.
  • Legal compliance: if required by a valid court order, subpoena, or applicable law.
  • Safety: to prevent imminent harm to any person.

6. Cookies & Tracking

We use a single session cookie (“tw_session” by default) to keep you logged in. This cookie is:

  • HttpOnly — not accessible by JavaScript, protecting against XSS attacks.
  • Secure — transmitted only over HTTPS in production.
  • SameSite=Lax — reduces cross-site request forgery risk.
  • Session-scoped — expires after 7 days of inactivity.

We do not use third-party tracking cookies, analytics platforms, or advertising networks.

7. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy or as required by applicable law. When data is no longer needed, it is securely deleted or anonymized.

Data Type                                       | Retention Period
------------------------------------------------|-------------------------------------------------------
Active account data (name, email, profile)      | Duration of account
Password hash                                   | Replaced on password change; deleted with account
Session tokens                                  | 7 days from creation; deleted on logout
User-submitted posts and comments               | Until deleted by user or admin, or account termination
Uploaded images (profile photos, post images)   | Until removed by user or admin
Server access logs                              | Up to 90 days (security purposes)
Contact form submissions                        | Up to 1 year

To request deletion of your account and associated data, use our contact form. We will complete deletion within 30 days except where retention is required by law.

8. Security

We implement industry-standard security measures including: bcrypt password hashing (cost factor 12), HTTPS encryption in transit, httpOnly session cookies, and HMAC-signed webhook tokens. No system is completely secure; we encourage you to use a strong, unique password and notify us immediately if you suspect unauthorized access to your account.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request that inaccurate data be corrected.
  • Deletion — request deletion of your account and associated data.
  • Portability — request your data in a portable format.
  • Objection — object to certain uses of your data.

To exercise these rights, contact us via our contact form. We will respond within 30 days.

10. Children's Privacy

This Site is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us personal information, please contact us and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date above. If changes are material, we will notify members via email or a prominent notice on the Site. Continued use of the Site after the effective date constitutes acceptance of the updated policy.

12. Contact

Privacy questions or requests? Contact us via our contact form or at [email protected].