Privacy Policy
Last updated July 17, 2026
The Kingfish Project — kingfish.la · Effective date: July 17, 2026
How to read this policy
Plain language: Every section below starts with a short summary in everyday English, like this one. The summaries help you understand the policy; the detailed text underneath each one is the official version.
Each section of this policy begins with a plain-language summary. We write these summaries following the Federal Plain Language Guidelines and ISO 24495-1, the international plain-language standard. The summaries exist to make the policy understandable; they are not the policy itself. If a summary is ever inconsistent with the full text beneath it, the full text controls.
The short version
Plain language: We’re a nonprofit investigative newsroom. Our business is holding government accountable, not collecting data about you. We gather as little as possible, we never sell it, we don’t run ad trackers, and if anyone demands data about our readers or sources, we will fight before we fold.
Who we are
Plain language: The Kingfish Project is a nonprofit newsroom covering government accountability in central Louisiana. Email [email protected] about anything in this policy.
The Kingfish Project is a nonprofit investigative journalism outlet covering government accountability in central Louisiana. For any question, request, or complaint related to this policy, contact us at [email protected].
What we collect when you read the site
Plain language: Reading the site needs no account. Cloudflare sees standard connection data to deliver the site. We measure traffic with Google Analytics, which sets a first-party cookie to count visits and returning readers — but we run no advertising, never track you across other sites, and never sell or share your data. Send a Global Privacy Control signal and you get no analytics cookie at all.
kingfish.la is a static website. Reading it requires no account, and our own pages run no reader-profiling code.
Network and security logs. The site is delivered through Cloudflare, which processes standard connection data — IP address, browser type, and pages requested — to serve the site and block abuse. Cloudflare retains these logs for a short period under its own policies; we do not archive them.
Analytics. We measure traffic to understand which coverage is useful, using two tools kept to analytics only:
- Cloudflare Web Analytics, which reports aggregate traffic without cookies, cross-site tracking, or advertising profiles.
- Google Analytics 4, loaded through Google Tag Manager. It sets first-party cookies (
_ga) to count visits, sessions, and returning readers so we can see, in aggregate, what’s useful. Every advertising signal is turned off —ad_storage,ad_user_data, andad_personalizationare denied and ad data is redacted — so Google Analytics is used for site analytics only: never advertising, never cross-site tracking, never sold. We have disabled Google Signals and ads personalization and set data retention to the shortest period Google allows. Readers who send a Global Privacy Control signal are never given an analytics cookie.
We do not load analytics at all on our tips or secure-contact pages. No account is required to read the site, and you are welcome to visit using Tor or a VPN.
Newsletter subscriptions
Plain language: If you subscribe, we store your email address on our own systems and send mail through Mailgun. Our newsletters can tell us whether you opened them and which links you clicked — we use that to see what coverage matters and to drop inactive addresses. Unsubscribe anytime and we delete your data.
If you subscribe to a newsletter, we store your email address (and a name, if you provide one) in our self-hosted publishing system, on infrastructure we operate. Newsletters are delivered through Mailgun, an email service provider that processes your address in order to send you mail.
Our newsletters include engagement tracking: a small tracking pixel records when an email is opened, and links are wrapped so we can see which links subscribers click. We use this information to understand which coverage is useful and to remove inactive addresses. We do not share engagement data with anyone.
You can unsubscribe at any time using the link in any email. We remove your address from active lists within 30 days, and your engagement data is deleted along with your subscription.
Contacting us and sending tips
Plain language: The safest way to reach us anonymously is our encrypted tip form. Signal, email, and our web form also work, though email and the web form are less protective. If what you’re sharing is sensitive, start with the encrypted tip form.
What we receive depends on the channel you choose:
- Encrypted tip form — our most protective channel, an anonymous whistleblowing platform (GlobaLeaks) that strips IP addresses and metadata, so we learn nothing about you unless you choose to tell us, and we do not log submissions. Submit at kingfish.la/tips.
- Signal (TheBoatyMcBoatFace.01) provides end-to-end encryption for messages and calls.
- Email is not end-to-end encrypted by default; assume the metadata (who wrote to whom, and when) is visible to email providers in transit.
- Web form submissions are transmitted over HTTPS to systems we operate and are retained as correspondence.
If you are sharing sensitive information, please read our guidance on contacting us securely before you reach out. We treat unpublished source material and newsgathering records as protected journalistic work product.
Embedded content
Plain language: Some pages include videos hosted on YouTube, Vimeo, and similar platforms. When those load or play, the platform may set cookies and collect data about you under its own rules — we don’t control that.
Pages on kingfish.la embed video and other media hosted by third-party platforms, including YouTube and Vimeo. When a page containing an embed loads, or when you play embedded media, your browser connects to that platform’s servers, which may set cookies and collect data — such as your IP address and viewing activity — under the platform’s own privacy policy:
- YouTube (Google) — policies.google.com/privacy
- Vimeo — vimeo.com/privacy
Where we embed from another platform, the player identifies its source. We do not control what these platforms collect.
What we don’t do
Plain language: We don’t sell your data. We don’t run ads or ad trackers. Ever.
- We do not sell, rent, or trade your personal information — to anyone, ever.
- We do not run advertising or third-party ad-tech trackers.
- We do not share data with data brokers.
- We do not embed social media tracking pixels.
Cookies
Plain language: A few cookies: security, newsletter subscriptions, and a first-party analytics cookie that counts visits. Embedded video players may set their own. None of ours are for advertising, and none track you across other sites.
The site uses a small number of cookies:
- Analytics cookies — first-party Google Analytics cookies (
_gaand_ga_*) that count visits, sessions, and returning readers for aggregate analytics only. Not set if you send a Global Privacy Control signal. - Subscription cookies set by our self-hosted publishing system when you sign up for or manage a newsletter subscription.
- Security cookies from Cloudflare, used to distinguish humans from abusive bots.
- Embedded media cookies set by third-party video players, described in Embedded content above.
We set no advertising cookies and nothing that tracks you across other sites. You can block or clear cookies in your browser; the site will still work for reading.
Third parties we rely on
Plain language: We deliberately keep this list short: Cloudflare, Google (Tag Manager + Analytics, analytics-only, no ads), and Mailgun. Everything else runs on machines we operate ourselves.
Each provider receives only what it needs to do its job:
- Cloudflare — hosting, content delivery, security, and aggregate analytics (cloudflare.com/privacypolicy)
- Google — Google Tag Manager and Google Analytics 4 for aggregate site analytics, with all advertising signals denied (policies.google.com/privacy)
- Mailgun — newsletter delivery (mailgun.com/legal/privacy-policy)
Video platforms whose content we embed are covered in Embedded content above. Everything else — our publishing system, document archives, and tip infrastructure — runs on infrastructure we operate ourselves.
Legal demands for your information
Plain language: If we get a subpoena or court order about you, we’ll scrutinize it, fight it if it’s improper or aimed at journalism, tell you about it whenever the law allows, and post a public notice on the site.
We are a news organization. Protecting readers and sources is central to what we do, and we have designed our systems to minimize what exists to be demanded in the first place. If we receive a subpoena, court order, or other legal demand for information about you:
- We will require valid legal process and scrutinize every demand.
- We will challenge demands that are overbroad, improper, or that target journalistic work product, which is protected by the federal Privacy Protection Act and Louisiana’s reporter’s shield law (La. R.S. 45:1451 et seq.).
- We will notify affected people before disclosing anything, unless we are legally prohibited from doing so — and where notice is delayed by law, we will provide it as soon as the prohibition lifts.
- We will post a notice on our site about legal demands we receive, to the fullest extent the law allows.
How long we keep things
Plain language: As little as possible, as briefly as practical.
- Analytics: aggregate statistics only; Google Analytics 4 retention is set to the shortest period Google offers.
- Newsletter data, including open and click history: until you unsubscribe or ask us to delete it.
- Tips and correspondence: as long as journalistically necessary. Sensitive source material is stored encrypted, with access restricted to the journalists working on the story.
- Network logs: held briefly by Cloudflare under its own retention rules; we do not archive them.
Your rights
Plain language: Wherever you live, you can ask what we have about you and ask us to fix it, delete it, or hand you a copy. One honest exception: these requests can’t be used to unmask sources or reach unpublished reporting.
We extend these rights to everyone, regardless of where you live:
- Access — ask what information we hold about you.
- Correction — ask us to fix inaccurate information.
- Deletion — ask us to delete your information.
- Portability — ask for a copy of your data in a usable format.
- Objection — object to or restrict how we use your information.
Email [email protected] and we will respond within 30 days. One limit worth being honest about: rights requests cannot be used to identify our sources or to reach unpublished newsgathering material, which we protect for everyone’s benefit.
Children
Plain language: The site isn’t aimed at kids under 13, and we don’t knowingly collect their information.
The site is not directed at children under 13, and we do not knowingly collect their personal information. If you believe a child has provided us information, contact us and we will delete it.
Security
Plain language: Traffic is encrypted, access is restricted, and most systems run on infrastructure we control. Our Security Policy has the details and tells you how to report a vulnerability.
We use encryption in transit for all site traffic, restrict access to personal information to the people who need it, and run our own infrastructure rather than scattering data across vendors. Our Security Policy describes our practices and how to report a vulnerability.
Changes to this policy
Plain language: If this policy changes, we update the date, keep the old versions available, and tell newsletter subscribers about anything significant before it takes effect.
When we change this policy, we will update the date at the top and preserve prior versions. If a change is material, we will announce it to newsletter subscribers before it takes effect.
Contact
Plain language: Questions? Email us.
[email protected] The Kingfish Project, 1924 Albert St, Alexandria, LA 71301