Privacy Policy
Last updated: April 2026
1. Introduction
The Automotive Security Research Group ("ASRG," "we," "us," or "our") operates the website at asrg.io and the member portal at portal.asrg.io (together, the "Site"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit the Site, use the member portal, or interact with our services. ASRG is a community-led organisation dedicated to advancing automotive cybersecurity through research and collaboration.
2. Consent
By using the Site, you consent to this Privacy Policy and agree to its terms. Non-essential cookies (analytics) are loaded only after you accept them via the cookie consent banner that appears on first visit. If you do not agree with this policy, please discontinue use of the Site and our services.
3. Information We Collect
We collect the following categories of information depending on how you interact with the Site:
| Category | Data Collected | Purpose |
|---|---|---|
| Account | Name, email, password (hashed), avatar (optional) | Member portal access and authentication |
| Professional | Job title, organisation, bio, LinkedIn URL, location, meeting link (optional) | Member profile, community matching |
| Business account | Company name, company website, industry — looked up against the ASRG company directory | Linking your account to a verified employer |
| Knowledge Base activity | Articles you've expressed interest in, change requests you've submitted | KB personalisation and contribution tracking |
| API usage | Personal API tokens (hashed) and last-used timestamps for users with the API role | Authenticating programmatic access to /api/v1/intelligence/* |
| Email subscriptions | Email address and your opt-in preferences | Newsletter and event notifications you've requested |
| Usage data | Pages visited, session duration, referrer (only after analytics consent) | Service improvement; not linked to your name |
| Server logs | IP address, user-agent, timestamps, request paths | Security, abuse prevention, debugging |
4. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Site, member portal, and programmatic API
- Authenticate you, manage sessions, and verify business accounts
- Send transactional email (verification codes, account approvals, security notifications)
- Analyse aggregate usage patterns through opt-in analytics to improve our services
- Detect, investigate, and prevent fraudulent or abusive activity (rate limiting, error monitoring)
- Facilitate collaboration among members, chapters, and working groups
- Comply with legal obligations
6. Authentication and Account Data
We use Payload CMS's built-in authentication. When you create an account or sign in:
| Data | How it's stored | Purpose |
|---|---|---|
| Email address | Stored verbatim in our PostgreSQL database | Account identification, login, transactional email |
| Password | One-way hashed (never stored in plaintext) | Authentication on sign-in |
| Session token (payload-token) | HMAC-signed JWT stored in an HttpOnly cookie | Maintaining your authenticated session |
| Email verification code | SHA-256 hashed, expires after 10 minutes | Confirming you control the email address |
| API token | SHA-256 hashed; full token shown once at creation | Authenticating requests to /api/v1/intelligence/* |
ASRG does not currently offer social-login providers (Google / GitHub / Microsoft). All authentication happens via email and password against our own infrastructure.
7. Third-Party Services
ASRG is a community-led organisation and does not partner with advertising networks. The third-party services we use to operate the platform are:
| Service | Purpose | Data shared |
|---|---|---|
| Postmark | Transactional email delivery (verification codes, account approvals, security notifications) | Recipient email address, sender, message content |
| Resend | Backup transactional email provider | Recipient email address, sender, message content |
| Google Analytics 4 (GA4) | Aggregate usage measurement; loaded only after explicit consent | Pageviews, session duration, anonymised IP |
| Sentry | Application error tracking and source-map symbolication | Error stack traces, request URL, anonymised IP — no cookies, headers, or PII auto-collected |
| OpenCTI (operated by Filigran, sponsored by Upstream Security) | Source of automotive threat-intelligence shown on the Intelligence Dashboard | Outbound only — we send no user data; we receive aggregated public threat reports |
| Crunchbase | Smart Company Search during business-account signup | Domain or company name you typed into the signup form |
| GitHub Container Registry | Hosting and serving Docker images of the platform itself | No user data — infrastructure only |
| Contabo (hosting provider) | VPS hosting for the application and database | All data we store, encrypted in transit and at rest |
8. Email Subscription Preferences
When you create an account or join a chapter, you may opt in to receive email communications including event announcements, research digests, and community updates. You can manage your email preferences at any time through your account settings, or by clicking the "unsubscribe" link in any email. We will never sell your email address to third parties.
Transactional email (verification codes, account approvals, security notices) is not optional and is sent regardless of your subscription preferences because it is required to operate your account.
9. Chapter Location Data
ASRG operates local chapters worldwide. When you join or browse chapters, we collect and display general location data (city and country) to connect you with nearby communities. We do not track precise geolocation. Chapter location information is displayed publicly on our chapter map to facilitate community engagement.
10. CCPA Privacy Rights
Under the California Consumer Privacy Act, California consumers have these rights:
| Right | Description |
|---|---|
| Right to Know | Request disclosure of categories and specific pieces of personal data collected |
| Right to Delete | Request deletion of personal data collected about you |
| Right to Opt-Out | Request that your personal data not be sold (ASRG does not sell data) |
| Right to Non-Discrimination | Exercise your rights without receiving discriminatory treatment |
ASRG does not sell personal data. To exercise these rights, contact [email protected], or use the self-serve options on your account settings page (Download my data, Delete my account).
11. GDPR Data Protection Rights
If you are a resident of the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR / UK GDPR:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of your personal data |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data |
| Erasure / Right to be forgotten (Art. 17) | Request deletion of your personal data |
| Restrict Processing (Art. 18) | Request restriction of processing under certain conditions |
| Data Portability (Art. 20) | Request transfer of your data in a structured, machine-readable format (JSON) |
| Object (Art. 21) | Object to processing of your personal data |
| Withdraw Consent | Withdraw analytics consent at any time by clearing your cookies |
Self-serve options for the most common requests (data export and account deletion) are available on your account settings page. For all other requests, contact [email protected]. We will respond within 30 days.
12. International Data Transfers
Our application servers and primary database are hosted in the European Union. Several of our subprocessors (Sentry, Google Analytics 4, Crunchbase, Postmark) operate from or store data in the United States. Where personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) or equivalent safeguards.
13. Children's Information
ASRG does not knowingly collect personal information from children under the age of 13. If you believe your child has provided such information, contact us immediately and we will promptly remove it.
14. Data Retention
We retain your personal data only as long as necessary for the purposes set out in this Privacy Policy or as required by law. Account data is retained while your account is active. If you request account deletion (self-serve from account settings or via email), we will remove your personal data within 30 days, except where retention is required for legal or compliance purposes.
Server logs and Sentry error reports are retained for up to 90 days. Email-verification codes and API tokens are stored only as one-way hashes and are pruned after expiration.
15. Security
We protect your data with industry-standard practices: HTTPS (TLS 1.2+) for all traffic, password hashing, HMAC-signed session tokens, per-IP rate limiting on authentication endpoints, daily off-host database backups, and a strict security headers policy (HSTS, CSP, X-Frame-Options, etc.). No system is perfectly secure; if you believe your account has been compromised, contact [email protected] immediately.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.
17. Contact Us
If you have questions about this Privacy Policy or your personal data, or wish to exercise your rights:
Email: [email protected]