Privacy Policy

Last updated: 4 July 2026

Introduction

ObraVera is a registry: we collect the minimum information needed to run it and to establish who registered what and when. We do not run advertising, we do not sell or share your data with advertisers, and we do not track you across other sites. This policy explains what we collect, why, and what rights you have over it.

Information We Collect

Personal Information

When you create an account on ObraVera, we collect:

  • Username and email address
  • Display name and optional creative discipline
  • Organisation affiliation and verification details, where established by an operator or approved provider

Automatically Collected Information

  • The IP address recorded against each work you register, so the record has a verifiable point of origin
  • Session and CSRF cookies needed to keep you signed in and to protect forms from cross-site attacks (see Cookies, below)

We do not use third-party analytics or advertising trackers. Pages do load Bootstrap, htmx, and Alpine.js from public content-delivery networks (CDNs), so those CDN providers see a request for those files when you load a page; ObraVera does not share any account data with them.

How We Use Your Information

We use the information we collect to:

  • Provide and operate the registry — creating registrations, generating receipts, and showing you your own records
  • Verify accreditation claims — confirming organisation membership or identity-provider attestations before applying Verified status
  • Communicate with you about your account by email — verification, password resets, and service notices
  • Protect the security of the service and its accounts

Information Sharing

ObraVera does not currently operate a public creator directory. The lists below describe what appears where, and to whom, within the service.

Shown on your registration receipts (visible to you as the record's owner, and to ObraVera staff):

  • Display name
  • Discipline (if provided)
  • Verification status

Never shown to any other user or made public:

  • Email address
  • Username
  • IP addresses

Invitations

ObraVera occasionally invites specific individuals to join by way of a personal, single-use activation link. An unclaimed invitation stores only the minimum needed to address it: the invitee's name, email address, an optional personal note from the sender, and the link's validity metadata.

  • No account before acceptance. Nothing is created on an invitee's behalf. An account, and any data associated with it, comes into existence only when the invitee explicitly accepts the invitation.
  • Retention. Invitation links expire automatically. The personal data held in expired or revoked invitations is purged and is not retained for any other purpose.
  • Sample records. Accounts created by invitation are seeded with a small number of clearly-labelled demonstration records using ObraVera-authored texts. These are excluded from all public registry counts and can be permanently deleted by the account holder at any time.

Organisation Affiliation Claims

Account holders may claim membership of a professional organisation to seek Verified accreditation. A claim — including any membership identifier or supporting evidence you supply — is personal data and is handled as follows:

  • Minimum collection. We store only the organisation you selected, the membership identifier and/or evidence you chose to supply, and the claim's status and decision record.
  • Never public. Membership identifiers and evidence are visible only to ObraVera staff for the purpose of confirming the claim. They are never displayed publicly or to other users. What may appear publicly on confirmation is the accreditation itself (e.g. “Verified member — [Organisation]”), never the underlying membership details.
  • Confirmation contact. Confirming a claim may involve checking with the named organisation through its stated confirmation mechanism. We share no more than is needed to confirm membership.
  • Deletion. You may withdraw a pending claim yourself at any time from your affiliation settings, which deletes it immediately. All claim data is deleted with your account, and you can ask us to delete decided (confirmed or rejected) claim records at any time via the contact page.

Data Security

In production, ObraVera is served over HTTPS only. Passwords are never stored in plain text: they are hashed using Django's PBKDF2 algorithm. You can add an optional second factor (TOTP authenticator app, with backup recovery codes) to your account for extra protection. Administrative access is restricted to staff accounts and is routed exclusively through the same sign-in flow as everyone else — including its multi-factor authentication — never a separate, unprotected admin login form.

Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data (most of it directly, from your profile)
  • Delete your account and the data associated with it
  • Object to how your data is processed

You can exercise most of these yourself: a pending organisation affiliation claim can be withdrawn (deleted) at any time from your affiliation settings, and sample records seeded on account activation can be deleted at any time from your registrations list. For anything else — including account deletion or a request about decided claim records — reach us via the contact page.

Cookies

ObraVera uses two cookies, both strictly necessary for the service to function:

  • sessionid — keeps you signed in between requests
  • csrftoken — protects forms against cross-site request forgery

We do not set advertising or analytics cookies.

Changes to This Policy

If we make a material change to this policy, we will update the "Last updated" date at the top of this page and announce the change here.

Contact Us

If you have questions about this Privacy Policy, please contact us.