but they make no assurances that other entities are not doing so.
Because there are not assurances to be had. You can't guarantee that, there's no way of knowing. You'd have to own all hardware and infrastructure between the client and server--all of them. They're doing the best they can given that fact. Apache/Nginx/IIS logs but no correlative data, basically--I assume.
Phuks' "Third-party disclosure" section of the privacy policy is satisfactory to me. They recognize that they might be required to share info under the law, and with those involved in the operation of the site, but otherwise commit to not selling or transferring personal info without advance notice.
I'm also satisfied with Phuks' canary, with the minor grammar nitpick that "to which we currently am an active contributor" should probably read "to which we are currently an active contributor."
I hate to be that guy, but I am that guy. So here are my observations.
1) Canaries don't mean much. They rely on an active system admin that is both unable to be compelled to lie, and willing/able to verify their identity. Better than nothing, but they are not sure-fire.
2) Why does it take months of begging to get someone to click the edit button and hit save to update a canary?
3) Does editing without adding a statement legally constitute a declaration of free will that the contents are true?
4) "We" in the context of the account "Voat" is ambiguous.
5) Nowhere in the voat canary, user agreement or in the privacy policy is it stated that voat will not share your information. It is stated that they will not log your information in a personally identifiable way, but they make no assurances that other entities are not doing so.