Sign In Join the Initiative
Legal

Privacy Policy

Last updated: May 11, 2026 · Effective immediately

1. Introduction

This Privacy Policy explains how URBAN STUDIO ("we", "us", "our", or "the Platform") collects, uses, stores, and protects personal data when you use our website and services. It is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and applies to every visitor and registered user, regardless of where they reside.

We operate on a principle of data minimisation: we collect only the information that is strictly necessary to run the petition, verify channel submissions, and communicate with you. We do not sell personal data, we do not run third-party advertising on the Platform, and we do not profile users across the web.

2. Data Controller and Contact

The data controller responsible for the processing of your personal data is URBAN STUDIO, operating the website at demonetization.org. For all privacy-related questions, requests to exercise your rights, or complaints, please contact us at support@demonetization.org. We respond to data-subject requests within one (1) month, as required by Article 12(3) GDPR. In complex cases this period may be extended by up to two additional months, in which case we will inform you within the original month.

3. Personal Data We Collect

We only collect the categories of personal data listed below. Nothing else is silently gathered.

  • Account data: your email address, a cryptographic hash of your password (we never store the plaintext password), an optional display name, and optional social handles (X/Twitter, Telegram, Instagram, Discord) that you choose to add to your profile.
  • Authentication via X (Twitter) OAuth: if you sign in with X, we receive your public X user identifier, your handle, and your display name. We request only the users.read tweet.read scope, which is read-only and public. We do not request your email, your direct messages, your follower list, your private tweets, or any permission to act on your behalf.
  • Channel submissions: the YouTube channel URL you submit, the public metrics you enter (subscribers, views, videos), the date of the restriction, the case type (demonetised, terminated, or other), a textual description of what happened, the stated reason from the dropdown (or your custom text), optional supporting links (up to three URLs), an optional proof URL, an optional link to a post on X, and the screenshots you upload (stored as binary attachments in our database).
  • Appeals and support tickets: the text of your appeal, your problem summary, links to evidence, the subject and message of your support tickets, any attachments you include, and the messages exchanged with our team.
  • Public chat content: messages and emoji reactions you post in the in-app community chat. These are visible to other signed-in users.
  • Petition signature: a timestamp recording when you signed the petition, linked to your account. Your display name appears on the public list of signatories if you choose to sign.
  • Session metadata: when you sign in, we record the IP address from which the sign-in originated, the user-agent string sent by your browser, the time of sign-in, and the authentication method (email/password or X). This is stored in a server-side session record and is not shared with the client.
  • Activity log: a short server-side record of significant account events (for example, "account created") used for security and abuse prevention.

Email registration is optional in the sense that you may instead sign in with X. We never require you to verify your identity with Google or YouTube.

4. Legal Basis for Processing (Article 6 GDPR)

Each processing activity has a clear legal basis under Article 6 of the GDPR:

  • Performance of a contract (Art. 6(1)(b)): creating and operating your account, processing channel submissions, handling appeals, and providing support tickets — all of which exist to deliver the service you signed up for.
  • Consent (Art. 6(1)(a)): the optional social handles in your profile, the decision to authenticate via X, the act of signing the petition, and the publication of a verified case on URBAN STUDIO channels. You can withdraw any of these consents at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legitimate interests (Art. 6(1)(f)): keeping minimal session metadata (IP, user-agent, sign-in time), maintaining an activity log for security, applying rate-limits, and moderating the public chat. Our legitimate interest is to protect the Platform and its users from fraud, abuse, and unauthorised access, and we have balanced this interest against your fundamental rights and freedoms.
  • Legal obligation (Art. 6(1)(c)): where we are required to retain or disclose data to comply with a valid legal request from a competent authority.

5. How We Use Your Data

We use the data described above strictly for the following purposes:

  • To create, authenticate, and operate your account.
  • To verify, by manual human review, the cases you submit.
  • To display your chosen display name on the public petition signatory list (only if you sign).
  • To publish materials from verified cases on the official URBAN STUDIO channels — using only what you have submitted, only after manual review, and only with the purpose of supporting the initiative.
  • To respond to your support tickets and appeals.
  • To operate the in-app chat and moderate it where necessary.
  • To detect and prevent abuse, fraud, automated scraping, and security incidents.
  • To send service-related communications (for example, notifications about your appeal status or material changes to this policy).

We do not use your data for behavioural advertising, profiling, or automated decision-making that produces legal or similarly significant effects (see Section 11).

6. Recipients and Third Parties

We share personal data only with the limited set of recipients listed below, and only to the extent necessary:

  • X Corp. If you choose to sign in via X (Twitter), the standard OAuth 2.0 handshake exchanges authorisation codes with X's servers. We do not share any other personal data with X. Their handling of the OAuth handshake is governed by the X Privacy Policy.
  • NowPayments.io. If you open the donation widget in the "Support" modal, the widget loads content from NowPayments. They may receive data necessary to render and operate the widget (including, on their side, their own cookies) under their Privacy Policy. We do not process payment data ourselves.
  • Hosting and infrastructure providers. The servers and databases that store the Platform's data are operated by infrastructure providers acting as data processors strictly on our written instructions.
  • Competent authorities. Where we are obliged by law, we may disclose data in response to a binding, valid legal request.

We do not use third-party analytics, advertising networks, behavioural-tracking pixels, social-media tracking scripts, or any similar tools on the Platform. We do not sell, rent, or trade personal data.

7. International Transfers

Our infrastructure may process data on servers located outside the European Economic Area (EEA). Where personal data is transferred to a country that has not been recognised by the European Commission as providing an adequate level of protection, the transfer is governed by appropriate safeguards under Articles 44–49 GDPR — typically the European Commission's Standard Contractual Clauses (SCCs). You may request a copy of the safeguards in place by contacting support@demonetization.org.

8. Data Retention

We keep personal data only for as long as we have a clear purpose for it:

  • Account data, channel submissions, appeals, support tickets, and chat messages: for as long as your account is active. When you delete your account, we erase or irreversibly anonymise this data, except where retention is required by law or for the establishment, exercise, or defence of legal claims.
  • Sessions: server-side session records expire automatically thirty (30) days after creation and are deleted thereafter.
  • Activity log: retained for up to twelve (12) months from the event, then deleted.
  • Verified-case archive: if your case has been verified and published on URBAN STUDIO channels as part of the initiative's historical record, we may retain that verified record after account deletion using only the minimum information needed to preserve its evidentiary value (typically: the verified channel handle, the case type, the date, and the display name you submitted).
  • Backups: deleted records may persist in encrypted backups for up to thirty (30) days before being overwritten in the normal backup-rotation cycle.

9. Your Rights Under GDPR

If the GDPR applies to your data, you have the following rights, which you can exercise free of charge:

  • Right of access (Art. 15) — obtain a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure (Art. 17, "right to be forgotten") — request deletion of your data, subject to the limited retention exceptions described in Section 8.
  • Right to restriction of processing (Art. 18) — ask us to limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — object to processing based on our legitimate interests.
  • Right to withdraw consent (Art. 7(3)) — withdraw any consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint (Art. 77) — complain to your national supervisory authority. The list of EEA supervisory authorities is available at edpb.europa.eu.

To exercise any of these rights, write to support@demonetization.org. We may need to verify your identity (for example, by confirming control of your registered email) before fulfilling sensitive requests.

10. Security

We apply appropriate technical and organisational measures designed to protect your data against unauthorised or unlawful access, accidental loss, destruction, or damage, including:

  • Passwords stored as bcrypt cryptographic hashes — never in plaintext.
  • Session tokens stored server-side in hashed form; the cookie holding the token is HttpOnly, Secure, and SameSite=Lax.
  • HTTPS-only transport and a strict Content Security Policy.
  • Administrative access to the back office is protected by multi-factor authentication.
  • Channel screenshots and ticket attachments are stored as binary records in our database and are served only over authenticated endpoints — they are not exposed as public files.

No system is perfectly secure. If we ever become aware of a personal-data breach affecting you, we will notify the relevant supervisory authority within 72 hours where required by Article 33 GDPR, and we will notify affected users without undue delay where Article 34 GDPR applies.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects within the meaning of Article 22 GDPR. Every channel verification and every appeal decision is reviewed manually by a human member of the URBAN STUDIO team.

12. Children

The Platform is not directed at children under the age of sixteen (16). We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us at support@demonetization.org and we will delete the account without delay.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify registered users by email or through a notice on the Platform at least thirty (30) days before the changes take effect. Your continued use of the Platform after a material change indicates your acceptance of the updated policy to the extent permitted by law.

14. Contact

For any question about this Privacy Policy or to exercise your rights, please contact us at support@demonetization.org.