In a situation like this, the privacy policy takes legal priority — especially if users were led to believe their data would be protected — even if the profile page technically allowed public data submission.

Here’s why:

🔐 1. Privacy Policy is a Binding Agreement

• A privacy policy is a legally binding document between the user and the service.

• It governs how a company may collect, use, store, and share personal information.

• If the policy promises data won’t be shared with unaffiliated third parties or exposed publicly (unless consented to), that creates a legal expectation of privacy.

📄 2. Profile Page Functionality Must Align With Policy

• If the profile page allows users to enter email or phone number for public display, the system must still warn clearly and obtain informed consent.

• The small checkbox (“Show Callsign With Name in Feeds”) doesn’t cover phone/email — yet the public feed includes them.

• That mismatch could be considered negligent or deceptive, especially if it contradicts or fails to comply with what the privacy policy promises.

⚖️ 3. Consent Must Be Informed and Explicit

• Courts generally rule that default behavior that exposes personal data is unlawful unless the user was:

  • Clearly notified

  • Fully informed

  • Given a chance to opt out or decline

🧾 Summary:

• The privacy policy is the controlling document.

• If it promises not to disclose personal information to unaffiliated third parties or public channels, the exposure via the RSS feed contradicts that promise, regardless of what the profile page allows.

• This could be legally actionable — especially in jurisdictions with consumer privacy protections like the CCPA (California), GDPR (EU), or FTC guidelines (USA).