This notice supplements our Privacy Policy with the additional disclosures required by the California Consumer Privacy Act of 2018 ("CCPA") and the California Privacy Rights Act of 2020 ("CPRA"), together referred to here as "CCPA". It applies only to California residents.
1. Notice at Collection
At or before the point of collection we tell you:
- the categories of personal information we collect (see §2 below);
- the purposes for which each category will be used (see §3);
- whether we sell or share personal information — we do not;
- how long we keep each category (see §6);
- a link to this notice.
2. Categories of personal information we collect
The CCPA defines specific categories (Cal. Civ. Code § 1798.140(v)). In the past 12 months we have collected the following categories from California residents:
| CCPA Category | Examples | Collected? |
|---|---|---|
| (A) Identifiers | Real name, email, IP address, account identifier, Google account ID | Yes |
| (B) Customer records (Cal. Civ. Code § 1798.80(e)) | Name, contact information | Yes — overlap with (A) |
| (C) Protected classifications | Race, sex, age, marital status, etc. | No |
| (D) Commercial information | Records of products purchased | Only when paid plans exist; not currently |
| (E) Biometric information | Fingerprint, faceprint, voice recognition | No |
| (F) Internet/network activity | Pages visited, requests made, interaction logs, cookies | Yes |
| (G) Geolocation | Approximate location derived from IP | Yes (country-level only; we do not use precise geolocation) |
| (H) Sensory data | Audio, video, thermal | No |
| (I) Professional/employment | Job title, employer | No |
| (J) Education information | FERPA-protected records | No |
| (K) Inferences | Profiles drawn from any of the above to predict preferences | No — we do not build user-level inference profiles |
| (L) Sensitive personal information (CPRA) | SSN, driver's licence, financial-account credentials, precise geolocation, racial/ethnic origin, religious beliefs, biometric for ID, health, sex life or orientation, communications contents | No |
3. Sources of personal information
- Directly from you — when you create an account, submit content, or contact us;
- From Google — when you sign in with Google OAuth (name, email, profile photo URL, Google account ID);
- Automatically — when your browser visits our site (IP, user-agent, pages visited);
- From service providers — Cloudflare (security signals), our SMTP provider (delivery logs).
4. Purposes for use
- To create and operate your account, and to provide the Service;
- To authenticate sign-in attempts and detect fraud or abuse;
- To send transactional notifications (sign-in alerts, security notices);
- To improve product features through aggregate analysis;
- To comply with legal obligations and respond to lawful requests;
- For audit, debugging, and short-term, transient uses (CCPA § 1798.140(e)(4));
- For any other purpose disclosed to you at or before collection.
5. Categories disclosed to third parties
In the past 12 months we have disclosed the following categories to our service providers for business purposes (subject to written contracts that prohibit them from using the data for their own purposes):
- Identifiers and Internet/network activity → Cloudflare (security, CDN);
- Identifiers and Customer records → SMTP provider (email delivery);
- Identifiers → Google (sign-in authentication round-trip);
- Identifiers and Internet/network activity → DigitalOcean (hosting).
We have not sold personal information in the past 12 months. We have not shared personal information for cross-context behavioural advertising in the past 12 months. We will not sell or share your personal information without your prior opt-in.
6. How long we keep personal information
| Category | Retention period |
|---|---|
| Identifiers and customer records | Life of the account, then 30 days post-deletion (plus up to 30 days in backups) |
| Internet/network activity (logs) | 30 days |
| Geolocation (country-level) | 30 days within request logs |
| Commercial information (when applicable) | As required by tax/accounting law in [TBD — fill in src/lib/legal/config.ts] — typically 6–8 years |
| User-generated content (posts, comments) | Until you delete it or close your account; thereafter as in the Identifiers row |
7. Your CCPA/CPRA rights
- Right to Know — what categories of personal information we have collected, the sources, the business purposes, the categories of third parties to whom it has been disclosed, and the specific pieces of personal information we hold about you.
- Right to Delete — request that we delete personal information we have collected from you, subject to certain exceptions (e.g. transactions in progress, security, legal compliance).
- Right to Correct — request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing — we do not sell or share, so there is nothing to opt out of today. If that ever changes, a "Do Not Sell or Share My Personal Information" link will appear in our website footer.
- Right to Limit Use of Sensitive PI — we do not collect any sensitive PI categories, so there is nothing to limit.
- Right to Non-Discrimination — we will not deny you the Service, charge you a different price, or provide a different quality of service because you exercised any of these rights.
- Right to Data Portability — receive a copy of your personal information in a portable, machine-readable format (we use JSON).
- Right re. Automated Decision-Making (CPRA) — we do not make decisions about you using solely automated processing that produces legal or similarly significant effects.
- "Shine the Light" Request (Cal. Civ. Code § 1798.83) — once per calendar year you may request a list of personal information we disclosed to third parties for their own direct- marketing purposes. We do not make such disclosures.
8. How to exercise your rights
Submit a request by emailing [email protected] from the email address on your account. Include the right you wish to exercise and any information that helps us locate your records. See our Data Subject Request page for the full process.
We will acknowledge receipt within 10 business days and substantively respond within 45 days (extendable to 90 if necessary, with notice).
9. Verifying your identity
Before we act on a Right to Know, Delete, or Correct request, we need to verify that the request comes from you. For account holders, we typically rely on the email address on file. For high-volume or detailed requests we may ask additional verifying questions about account activity that only the legitimate account holder would know.
10. Authorized agents
You may designate an authorized agent to make a request on your behalf. We will require: (a) a signed, written authorization from you naming the agent, and (b) verification of your identity directly with us. Businesses operating as agents must be registered with the California Secretary of State.
11. Minors
The Service is not directed to children under 16. We do not knowingly sell or share the personal information of California residents under 16. If you believe a child under 16 has provided personal information, contact [email protected] and we will delete it.
12. Financial incentives
We do not currently offer any financial incentive or price/service difference in exchange for personal information. If we ever do, a separate notice meeting CCPA § 1798.125(b) will be provided before collection.
13. Changes to this notice
We will update this notice at least every 12 months as required by CCPA. The current version and effective date appear at the top of this page.
14. Contact
Email [email protected] or write to us at the address on our Imprint page.