Privacy Policy

Effective date: May 30, 2026

The Voynich Archive (“we,” “us,” “our”) is a small research site that helps people trace claims about the Voynich Manuscript across a curated corpus of primary documents, secondary literature, and forum threads. This policy explains what personal information we handle and how. If anything here is unclear or you want your data removed, reach out via the contact options at the bottom.

01. Data controller

The data controller for the Voynich Archive is Edward Bozzard, operating the site as an individual research project from the United Kingdom. For any privacy request, use the contact options at the bottom of this page. We do not have a Data Protection Officer and, as a UK-based individual operating below the relevant thresholds, we are not required to appoint an EU representative under Article 27 GDPR.

02. Information we collect

We collect a small amount of personal information, only when you give it to us or when it's needed to keep the service running:

  • Email address if you submit the contact form, check the “keep me posted” box on a search, or sign in as an administrator.
  • Search queries you submit, stored so we can improve retrieval quality, debug failed searches, and surface common questions. Queries are not tied to your identity unless you are signed in as an admin.
  • Basic server logs (IP address, user agent, timestamp, requested path) generated by our hosting provider for security and abuse prevention.

03. What we don't collect

  • No advertising trackers or third-party ad networks.
  • No cross-site behavioral profiles.
  • No selling, renting, or trading of personal information — ever.

04. Lawful basis (GDPR)

For visitors in the UK and EU, we rely on the following lawful bases under Article 6 of the UK GDPR / EU GDPR:

  • Consent (Art. 6(1)(a)) — mailing list subscriptions and any optional “keep me posted” opt-in. You can withdraw consent at any time.
  • Legitimate interests (Art. 6(1)(f)) — responding to your contact-form message, keeping minimal server logs to secure the site, and storing anonymous search queries to improve retrieval quality. Our interest in operating a functioning research service is balanced against the limited and non-sensitive nature of the data processed.
  • Contract / legitimate interests (Art. 6(1)(b) / (f)) — administrator authentication for the small number of people invited to maintain the corpus.

05. Retention periods

  • Contact-form submissions — kept for up to 24 months after the conversation closes, then deleted.
  • Mailing list addresses — kept until you unsubscribe, after which they are removed within 30 days (we retain a hashed suppression record so we don't accidentally re-add you).
  • Search queries — kept indefinitely in aggregated/anonymous form for retrieval tuning; any incidentally identifying queries are pruned on a rolling 12-month basis.
  • Server logs — retained by our hosting providers for up to 30 days for security and abuse prevention, then discarded.
  • Admin account records — retained for as long as the account is active, plus 12 months after deactivation for audit purposes.

06. Cookies

The site uses only strictly-necessary storage: a Supabase auth token in local storage for administrators while signed in. Public visitors do not need to sign in and no cookies or local storage are set for them beyond what the browser stores incidentally. Because we use only strictly-necessary storage, no consent banner is required under PECR / the EU ePrivacy Directive.

07. How we use information

  • To answer questions you send via the contact form.
  • To send occasional updates about the project if you opted in to the mailing list. Every message includes an unsubscribe link.
  • To investigate bugs, improve search quality, and keep the site running reliably.
  • To detect and prevent abuse of the API and search service.

08. Third parties and subprocessors

We rely on a small number of named subprocessors to operate the site. Each processes data on our behalf under their own data processing agreement:

  • Supabase, Inc. (USA / EU region) — database, file storage, and admin authentication.
  • Cloudflare, Inc. (USA) — CDN, edge runtime, and DDoS protection.
  • Lovable AB (Sweden / EU) — application hosting platform.
  • Vercel, Inc. (USA) — hosting for the research/MCP API endpoint.
  • Resend, Inc. (USA) — transactional email delivery for contact-form notifications.
  • OpenAI, Anthropic, and Google AI (USA) — large language models used to rewrite queries and synthesize answers. Submitted queries may be sent to these providers for inference. Each provider's enterprise terms confirm that submissions via their API are not used to train their models. We do not send your email, name, or other identifying information alongside queries.

Corpus documents themselves are public scholarship and forum posts; their copyright remains with the original authors.

09. International transfers

Several of the subprocessors above are based in the United States. Where personal data is transferred outside the UK/EEA, we rely on the European Commission's Standard Contractual Clauses (and, where applicable, the UK Addendum / the EU-US Data Privacy Framework) as the lawful transfer mechanism. The amount of personal data transferred is intentionally minimal.

10. Your rights

If you are in the UK or EU, you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data erased (“right to be forgotten”).
  • Restrict or object to certain processing.
  • Withdraw consent at any time (for processing based on consent).
  • Receive your data in a portable format.
  • Lodge a complaint with a supervisory authority. UK residents can contact the Information Commissioner's Office (ICO). EU residents can contact their national data protection authority. We would, however, appreciate the chance to address your concern first.

To exercise any of these rights, use the contact options at the bottom of this page. We will respond within one month.

11. Security

Data is transmitted over HTTPS and stored on managed infrastructure with access controls. No system is perfectly secure, but we take reasonable steps to protect the small amount of personal information we hold. In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Article 33 / 34 GDPR.

12. Children under 13

The site is not directed at children under 13 and we do not knowingly collect personal information from them. If you believe a child has provided personal information, please contact us and we will delete it.

13. Changes to this policy

We may update this policy from time to time. Substantive changes will be reflected in the effective date at the top. Continued use of the site after an update constitutes acceptance of the revised policy.

14. Contacting us

For privacy questions, data requests, or anything else:

Contact

© 2026 Edward Bozzard. All rights reserved.

← Back to search