PRIVACY
what we store, what we don't, and what we promise. last updated Jun 13, 2026.
the short version
we keep the minimum amount of information needed to make the site work. we do not run ads. we do not sell, rent, or share your data with third parties (there are no third parties). we don't track you off-site. the server logs IP addresses for a couple of weeks for abuse response and that's it.
what we collect
- account info: your handle, email, password hash (bcrypt — we never store the plain password), the year of your birth (only the year — used to confirm you're 18+ at signup, never displayed), and your bio if you write one.
- posts: everything you post. text, attached images (resized + EXIF-stripped server-side), the time you posted, and an optional scheduled publish time. shared posts include a pointer to the original.
- relationships: who you are friends with, who you've blocked, who you've sent a friend request to, which posts you've noted.
- preferences: public/private profile, optional accent color, optional profile frame.
- session cookies: a single secure HTTP-only cookie keeps you logged in. it contains a session id, nothing else.
- technical logs: the web server records timestamp, requested URL, response status, IP address, and user agent for each request. these logs are kept for about 14 days and rotated. they exist for debugging and abuse response.
what we don't collect
- no third-party analytics. no Google Analytics, no Fathom, no Plausible.
- no advertising trackers. there are no ads.
- no fingerprinting.
- no location data beyond the IP address in standard server logs.
- no phone numbers.
- no social-graph sharing. your friends list never goes anywhere.
how data is shared
with other users: whatever you post on a public profile is public. your handle, bio, avatar, and posts on a public account are visible to anyone. on a private account, your posts are visible to confirmed friends only — your handle and bio remain visible at the profile URL with a "this profile is private" notice.
with anyone else: we don't share your data with anyone. we don't sell it. we don't share it for "personalization." we don't have a business relationship where data is the product.
with law enforcement: we don't volunteer your data. if we receive valid legal process from US law enforcement (subpoena, court order, search warrant) we will comply to the extent the law requires and will resist any process that we think is overbroad. for emergency life-safety situations, we may act faster. we will tell you when this happens unless we are legally barred from doing so.
where the data lives
so called life runs on NearlyFreeSpeech.NET, a US-based shared hosting provider, in their NYC region. the database is MariaDB. images live on disk. backups are nightly to a private directory on the same server and are not transmitted off-site. there are no AWS S3 buckets, no Cloudflare, no Google Cloud — there's a server.
cookies
we set one cookie: a session id used to keep you logged in. it's secure, http-only, samesite=lax, with the __Host- prefix. when you log out the cookie is cleared. there are no other cookies. there is no cookie banner because there is nothing to consent to under the consent-banner laws.
your rights
you have the right to:
- see what we have on you — it's almost entirely the stuff you can see on your own profile and in account. if you want a structured export, ask @onion; it'll be a JSON of your account plus your posts.
- correct anything wrong — update your bio, change your email/password from account, edit posts within 5 minutes, delete posts at any time.
- delete your account — there's a button in account → DANGER ZONE. it soft-deletes the account so handles can't be re-registered for impersonation. your posts get reattributed to @deleted and your bio is wiped.
- complain to a regulator if you're in the EU/UK and we've been bad about your data. you can reach your national data protection authority directly.
retention
- active account: data kept as long as the account exists.
- deleted account: handle + email are retained (so nobody can re-register them and pretend to be you), all posts are reattributed to @deleted, bio is wiped immediately.
- server logs: ~14 days, then rotated.
- database backups: nightly, kept ~30 days, then rotated.
children
the minimum age to use the site is 18. we collect birth year at signup specifically to enforce this and for no other reason. we do not knowingly retain accounts for anyone under 18. accounts created before this policy took effect are grandfathered.
changes
material changes are posted from @onion and the "last updated" date at the top of this page is bumped. the current version of this policy is always at /privacy.