Privacy

This policy describes what data the Encyclopedia of AI Hallucinations ("ENAIH", "we") collects when you use the site, how we use it, and what choices you have. There are no advertising networks and no cross-site tracking. We use Cloudflare Web Analytics — a cookieless, privacy-first measurement service that records aggregate page-view counts without setting cookies, fingerprinting your device, or collecting personal data (see "Third parties" below).

What we collect

When you create an account — submission requires an account. We store a username and an email address (from the signup form or from Google sign-in). Passwords are stored only as an argon2id hash, never in plaintext; if you sign in with Google we store your Google account identifier instead of a password. Your email address is stored in plaintext so we can send the messages described under "How we use it" below; it is visible only to the site owner, never shown publicly, and never to other users.

On submission — when you fill out the submit form, we store:

• Required: the prompt text, the model output, and the AI model name (or, for a link submission, the source URL and a summary).
• Optional: a category, tags, a short summary, additional notes, and a link to a shared chat session (shown publicly on the entry if provided).
• Whether the entry should be attributed to your username publicly or posted anonymously.

By default your username is shown as the author of an entry you submit. If you mark a submission anonymous, your username is hidden from the public entry and only the site owner can see that you filed it.

Automatically: we store a salted SHA-256 hash of your IP address (salted with a server-side secret). We do not store your raw IP address. The hash is used only by site admins for spam triage; it is not used to track individuals across sessions.

How we use it

• Submission content (prompt, output, model, category, tags, summary, notes, shared-chat URL) is published on the site. Publishing an entry makes it public immediately as unreviewed; staff then vet it and it moves up the trust ladder (see the submission guide). Drafts stay private to you.
• We send transactional email to your account address via Resend (see "Third parties" below): a verification code when you sign up, messages from reviewers about your submissions, and a notification when a submission's status changes. We do not send marketing email and we do not maintain a mailing list.
• The IP hash is available to site staff for spam and abuse triage only. It is never exported or sold.

Legal bases (EU/UK users)

If you are in the European Economic Area or the United Kingdom, we process your personal data under the following bases:

• Performance of a contract (GDPR Art. 6(1)(b)) — your email address, username, and password hash, used to create and operate your account and to send the transactional messages described above. We cannot run an account without these.
• Legitimate interests (GDPR Art. 6(1)(f)) — the salted IP-address hash, used solely to prevent spam and abuse. We consider this minimal and unlikely to override your rights, as we never store raw IPs and never use the hash to profile or track you.
• Consent (GDPR Art. 6(1)(a)) — when you choose to publish a submission, you are asking us to make that content public. You can withdraw drafts and unreviewed submissions yourself, or request removal of published entries (see "Your choices").

Cookies

ENAIH sets two cookies:

• eah_session — set when you log in (with any account, not just staff). HttpOnly, Secure, SameSite=Lax, 7-day expiry. Holds a random session token; not set for logged-out visitors.
• eah_csrf — set on pages that contain forms. It holds an HMAC-signed token used to prevent cross-site request forgery. It is not a tracker; it contains no personal information and is not read by third parties.

No advertising cookies, fingerprinting, or persistent identifiers are set for non-admin visitors.

Third parties

• Cloudflare — this site is served through a Cloudflare tunnel, which acts as a TLS edge proxy. Cloudflare sees network-level data (IP addresses, request metadata) as part of providing that service. We also use Cloudflare Web Analytics, which loads a small measurement script (static.cloudflareinsights.com) that reports aggregate, anonymous page-view and performance data back to Cloudflare. It sets no cookies, does not fingerprint your browser, does not track you across sites, and does not build an individual profile. See Cloudflare's privacy policy and Cloudflare Web Analytics.
• Resend — your account email address and the transactional email content (verification codes, reviewer messages, status notifications) are processed by Resend as our transactional email service provider. See Resend's privacy policy.

There are no other third-party services. Aside from the providers listed above (Cloudflare and Resend, plus Google when you choose to sign in with Google), the Content Security Policy restricts which third-party scripts and resources the page is allowed to load.

International transfers. Cloudflare and Resend are US-based providers, so if you are in the EEA or UK your data is transferred to and processed in the United States. These providers offer transfer safeguards (Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework) as described in their privacy policies linked above.

Data retention

Submissions are kept indefinitely unless you withdraw them (see "Your choices" below) or request deletion. We do not automatically purge old records. Encrypted database backups are retained on a short rotation and age out automatically; when you request deletion we remove your data from the live database immediately, and any copy still present in a backup is not restored to live use and expires with that backup's rotation.

Your choices

Drafts are private and can be edited or deleted at any time from your submissions page. Pending-review submissions can be withdrawn back to a draft from the same page.

Entries that have advanced past pending review (pending acceptance or active), or requests to delete your account and the email address attached to it, must be handled manually. Email the maintainer at the address in the "Contact" section below with the entry's A-number or URL, or a description of your submission.

Your rights. If you are in the EEA or UK, you have the right to access, correct, export, or delete your personal data, to object to or restrict processing, and to withdraw consent for anything based on it. To exercise any of these, email the address in "Contact" below. You also have the right to lodge a complaint with your local data-protection supervisory authority. California residents may likewise request access to, or deletion of, the personal information we hold about them.

Contact

Privacy-related requests: [email protected].

Changes to this policy

If we make material changes to data practices, we will update this page. The date below reflects the last revision.

Last updated: 2026-06-03.