Privacy Policy

Information you provide directly:

• Account information: username, email address, and password
• Profile information: display name and profile preferences
• Content you create: confessions, diary entries, stories, aspirations, reviews, and comments
• Messages sent to other users
• Feedback and support requests

Information collected automatically:

• IP address at time of account registration
• Browser and device information (user agent)
• Session data for authentication
• Approximate location derived from IP address (country/region level only, not precise location)

• To create and manage your account
• To provide, operate, and maintain the platform
• To send email verification codes and password reset links
• To enforce our Terms and Conditions and community guidelines
• To detect and prevent abuse, fraud, and security threats
• To respond to your support requests and feedback
• To send important service-related announcements

We take the security of your data seriously. The following measures are in place:

• Email addresses and display names are encrypted using AES-256-GCM encryption at rest
• Passwords are hashed using bcrypt with 12 salt rounds and are never stored in plain text
• Email lookups use SHA-256 hashing for privacy-preserving authentication
• Session tokens are securely generated and transmitted over HTTPS
• Password reset and verification tokens are hashed before storage

We do not sell, rent, or share your personal data with third parties for marketing purposes. We may disclose your information only in the following circumstances:

• Legal obligations: When required by law, court order, or government request
• Safety: When we believe disclosure is necessary to prevent harm, investigate fraud, or protect the rights and safety of our users
• Law enforcement: Content involving criminal activity may be reported to relevant authorities as described in our Terms
• Service providers: We may share limited data with email delivery services (SMTP) solely to send transactional emails such as verification codes and password resets

• Account data is retained as long as your account is active
• When you delete your account, your personal data is marked for deletion and removed from active use
• Password reset tokens expire after 1 hour and are invalidated after use
• Email verification codes expire after 15 minutes
• Session data expires after 30 days of inactivity
• We may retain anonymized, non-personal data for analytics purposes

You have the following rights regarding your data:

• Access: You can view your account information through your profile settings
• Correction: You can update your profile information at any time
• Deletion: You can delete your account, which will remove your personal data from active use
• Session management: You can view and revoke active sessions from your account settings
• Data portability: You may request a copy of your data by contacting us

• Session cookies: Used to maintain your login session (httpOnly, secure)
• Preference cookies: Used to store your theme and language preferences
• Cookie consent: We display a cookie consent banner and respect your choices

We do not use third-party tracking cookies or advertising cookies.