Privacy & Data Notice

Effective: 27 May 2026 · Last reviewed: 16 June 2026

About the data in this catalog. The Authoritarian Interference Tracker publishes structured records describing allegations of state-sponsored unlawful conduct — including espionage, cyber intrusion, sabotage, transnational repression, sanctions evasion, and electoral interference — attributed by public reporting to the governments of Russia, China, and Iran, their agencies, and their proxies. Individual incident records may name identifiable persons (intelligence officers, indicted operatives, sanctioned individuals, named dissidents, public officials) where those persons appear in the underlying source reporting.

Each published incident links back to its primary sources. The catalog is a secondary source; nothing here should be read as a judicial finding of guilt. If you are named in an incident and believe the entry is inaccurate, incomplete, out-of-context, or should be removed, see Your rights below or contact us directly at [email protected].

Who is responsible for this site

The data controller for the Authoritarian Interference Tracker is the Institute for Strategic Dialogue (ISD), operating through its US affiliate ISD-US. References to “ISD”, “we”, and “us” on this page mean that organisation. The general ISD privacy notice covering the wider organisation is available at isdglobal.org/privacy-notice/; this page describes processing that is specific to the Tracker.

What this site is

The Tracker is a research and journalism catalog. It does not provide a service to visitors in the consumer sense and does not require an account. The public site has no analytics, no advertising, no marketing cookies, and no third-party trackers. Standard server logs (IP address, requested URL, user-agent, timestamp) are retained briefly for operational and security purposes.

What we process and where it comes from

The Tracker's pipeline collects, classifies, and publishes information from open-source reporting. Source categories are described in our Methodology. The data we process falls into three groups:

Lawful bases for processing

We rely on the following bases under the EU General Data Protection Regulation:

Automated processing and human review

Articles in the pipeline are scored, deduplicated, summarised, and matched to incident records by automated systems built on large language models. Specifically: classification, grafting, and a post-generation deduplication pass use Anthropic's Claude Haiku; the structured incident records are written by Anthropic's Claude Sonnet; semantic embeddings are generated by Voyage AI's voyage-4-lite model.

No incident is published without human editorial review. Every candidate incident enters a two-stage human review — an editor triages and a reviewer confirms publication. Editorial state changes are audit-logged. This human-in-the-loop step is the substantive safeguard against errors introduced by automated processing. Automated processing alone does not produce decisions about individuals that have legal or similarly significant effects within the meaning of Article 22.

Subprocessors and recipients

The pipeline relies on the following external services. All transfers to non-EU jurisdictions are made on the basis of the provider's Standard Contractual Clauses (or equivalent transfer mechanism) under Article 46, supplemented by the content-minimisation practices described below.

ServicePurposeData sent outboundLocation
Anthropic Article classification (Claude Haiku); incident generation (Claude Sonnet); grafting and dedup adjudication (Claude Haiku) Article titles, summaries, and a body excerpt per call — including named persons where present in source reporting United States
Voyage AI Semantic embeddings used for clustering and graft search Article titles and a summary/body excerpt per call United States
Google Cloud (BigQuery) Queries against the public GDELT Global Knowledge Graph dataset SQL query text only (entity/theme strings); no personal data outbound United States
GDELT Project (DOC API) Keyword-based article discovery Keyword query strings only; no personal data outbound United States
OCCRP Aleph Searches against OCCRP's investigative-document corpus Keyword query strings and API credentials; results may contain named persons present in OCCRP's source corpus OCCRP-hosted (EU and US infrastructure)
Publisher websites Direct retrieval of articles for body-text extraction ISD's IP address and user-agent are visible to publishers; we retrieve their published content Globally distributed
Microsoft Azure Hosting (servers, database, backups) The complete article, incident, and entity dataset United States (East)
GitHub Source-code hosting Code only; no production data and no secrets United States

No training on AIT data. We have configured our accounts with the model providers above so that AIT pipeline data is not used to train their models, consistent with each provider's published API data-use policy. We do not consent to AIT data being used for model training by these providers or by any future subprocessor, and we will reflect this in our contractual relationships with them.

How long we keep data

Your rights

Where the GDPR, the UK GDPR, US state privacy laws, or other applicable law gives you rights as a data subject, you can exercise them by contacting ISD's Data Protection Officer using the details below. We will acknowledge receipt and respond within the timeframe required by the law of your jurisdiction (in most cases, one month), in accordance with ISD's internal data-subject-request policy. We may need to verify your identity before disclosing personal data.

Data Protection Officer — AIT data-subject requests
Email: [email protected]  (subject line: “AIT data subject request”)
Post: ISD-US, Suite 285, 1032 15th St. NW, Washington, DC 20005, United States
Please describe what right you are exercising (access, rectification, erasure, restriction, objection, portability) and identify the incident, entity, or record your request concerns.

Available rights include:

A note on direct notification

We do not notify each named individual whose name appears in the source reporting we catalog. The sources we draw on are open-source publications and government statements that are themselves public, and direct notification of every named individual would require a disproportionate effort within the meaning of Article 14(5)(b) GDPR. We rely on this exception in combination with the publication of this notice.

Safeguards we apply

Changes to this notice

We will update this notice as the pipeline, subprocessor chain, or scope of the Tracker changes. The “Last reviewed” date at the top of the page reflects the most recent material change. We will not weaken the protections described here without giving prior notice on this page.

Contact

Data-protection matters and data-subject requests: [email protected], or by post to ISD-US, Suite 285, 1032 15th St. NW, Washington, DC 20005, United States.

Editorial corrections to a specific incident (e.g., factual error in a published entry): [email protected].

← Back to the tracker