TDRTraining Data Registry

Privacy Policy

Version 1.2February 2026

The data controller for your personal data is Daniel Gage, trading as Training Data Registry, based in England. You can contact us at contact@trainingdataregistry.org.

The short version

We collect the minimum data needed to run the registry: your email address, the URLs you register, and metadata about your opt-out preferences. We do not use tracking cookies or third-party advertising, we do not sell your data, and we do not hold any of your actual content — just records of your preferences.

What we collect and why

Account information

  • Email address — to create and manage your account, send transactional emails (registration confirmations, verification status changes), and contact you if needed.
  • Password — managed by our authentication provider (Supabase). Passwords are hashed and we do not have access to them in plain text.

Registration data

  • URLs you register — the web addresses you want to opt out of AI training.
  • Content hashes — a SHA-256 hash of the URL you register. This is a one-way mathematical fingerprint used for verification purposes.
  • Opt-out preference — which categories of AI use you have opted out of. The registry currently supports three categories: Training (use of your content to train AI models), Inference (use of your content in AI outputs), and Archive (storage of your content in AI datasets).
  • Timestamps — when you registered each URL and any subsequent changes.
  • Metadata — titles, descriptions, or tags you choose to add to your registrations.

Domain verification data

  • Domain names you verify ownership of.
  • Verification method — whether you verified via meta tag, DNS record, or WordPress plugin.
  • Verification timestamps.

Usage data

  • Verification lookups — when someone checks your registration via the public search or API, we log the method used, when the check occurred, and the identifier of the checking party (API key name or "public"). We do not log IP addresses of public searchers. This logging allows you to see who is checking your content.

What we do not collect

  • We do not store your actual content — no files, images, text, or copies of your web pages.
  • We do not use tracking cookies or advertising cookies (see Cookies section below).
  • We do not collect payment information directly. When paid features are introduced, payments will be handled by a third-party payment processor and their privacy policy will apply.

How we use your data

Your data is used to:

  • Operate the registry — storing and displaying your opt-out preferences.
  • Verify domain ownership.
  • Allow third parties (AI companies, data brokers) to check whether content has been opted out, via the public registry and API.
  • Send transactional emails related to your account and registrations.
  • Generate anonymised, aggregate statistics (e.g., total registrations) to demonstrate registry adoption.

We do not use your data for marketing, advertising, or profiling.

Lawful basis for processing

As a UK-based data controller, we process personal data in accordance with UK GDPR. Our lawful bases are:

  • Contractual necessity — processing your email address and account data is necessary to provide you with an account and operate the registry service.
  • Legitimate interest — operating the public registry (making opt-out preferences discoverable) and logging verification lookups (providing transparency about who checks your content) are necessary for the core function of the service. We have assessed that these interests do not override your rights, particularly as the data involved (URLs and preferences) is information you have chosen to make public by registering it.

If you are in the EU/EEA, equivalent protections apply under EU GDPR.

What is publicly visible

The Training Data Registry is, by design, a public registry. When you register a URL, the following information is publicly accessible:

  • The registered URL.
  • Your opt-out preference type.
  • Your verification status (unverified, domain-verified, etc.).
  • The date of registration.
  • Any metadata you chose to add (title, description).

Your email address is never publicly visible.

This public visibility is fundamental to how the registry works — it allows AI companies and data brokers to check and respect your preferences. By registering content, you are choosing to make your opt-out preference public.

Cookies

We use only essential cookies required for the service to function:

  • Session cookies — set by our authentication provider (Supabase) to keep you logged in. These are strictly necessary and do not require consent.
  • Hosting cookies — our hosting provider (Vercel) may set cookies necessary for security and performance.

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

Third-party services

We use the following services to operate the registry. Each processes some of your data as described:

ServiceWhat it handlesPrivacy policy
SupabaseDatabase hosting, user authenticationsupabase.com/privacy
VercelWebsite hosting, serverless functionsvercel.com/legal/privacy-policy
ResendTransactional email deliveryresend.com/legal/privacy-policy
ZohoContact email infrastructurezoho.com/privacy.html
GitHubTimestamping transparency logs (public Merkle roots only — no personal data)docs.github.com/privacy

We do not share your personal data (email address) with any third party for their own purposes.

Data retention

  • Active accounts — your data is retained for as long as your account is active.
  • Deleted accounts — when you delete your account, all associated data is permanently removed from our systems. This includes your email address, account credentials, all registered URLs, verified domains, API keys, and individual verification lookup logs. Once deleted, your content is no longer recorded as opted out and may be used for AI training without restriction. This action cannot be undone.
  • Verification lookup logs — retained to provide you with a record of who has checked your content. Individual lookup logs are removed when the associated registration is deleted. Anonymised, aggregate statistics (such as total lookup counts and registration counts over time) are retained separately and contain no data linked to individual accounts or URLs.
  • Timestamping records — cryptographic proofs published to public transparency logs (e.g., GitHub) cannot be removed, as they exist on third-party platforms. These contain only Merkle root hashes — single mathematical values derived from all registrations in a given period. A Merkle root reveals nothing about individual URLs and cannot be used to identify any specific registration without data that is deleted from our systems when your account is removed.

Your rights

Regardless of where you are based, we extend the following rights to all users:

  • Access — you can view all your data in your dashboard at any time.
  • Export — you can export all your registration data.
  • Deletion — you can delete individual registrations or your entire account. Deletion is permanent and removes all associated data from our systems. Please note that once a registration is deleted, your content is no longer recorded as opted out of AI training. We recommend exporting your data before deletion.
  • Correction — you can update your registrations and account details at any time.

These rights are guaranteed under UK GDPR. If you are in the EU/EEA, equivalent rights apply under EU GDPR.

To exercise any of these rights, you can use the tools in your dashboard or contact us at contact@trainingdataregistry.org. We will respond to data protection requests within 30 days.

If you are unsatisfied with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk, or by calling 0303 123 1113.

International data transfers

Our infrastructure providers (Supabase, Vercel, Resend) may process data in the United States. These providers utilise Standard Contractual Clauses and/or operate under applicable data transfer frameworks to ensure adequate protection of your data. By using the registry, you acknowledge that your data may be processed outside your country of residence.

Data security and breach notification

We take reasonable measures to protect your data, including encryption in transit and at rest via our infrastructure providers. In the event of a data breach affecting your personal data, we will notify the relevant supervisory authority within 72 hours where required by law, and will notify affected users without undue delay.

Children

The Training Data Registry is not intended for use by anyone under the age of 16. We do not knowingly collect data from children.

Changes to this policy

If we make material changes to this policy, we will notify registered users by email. The "last updated" date and version number at the top of this page will always reflect the most recent version.

Contact

For any questions about this policy or your data:

Email: contact@trainingdataregistry.org

Operated by: Daniel Gage, trading as Training Data Registry, based in England.