PRIVACY POLICY

Last updated: March 2026

The Short Version

We don’t track you. We don’t log your IP address. We don’t sell your data. We don’t run analytics. We don’t use cookies for advertising. Your privacy and operational security are not just features — they’re fundamental to how this platform operates.

What We Collect

The absolute minimum required to make the Platform function:

  • Account credentials — your username and a hashed password. We never store your password in plain text. If you enable 2FA, we store your TOTP seed encrypted.
  • Profile information — anything you choose to fill out (display name, bio, avatar, banner). This is all voluntary and can be changed or removed at any time.
  • Messages & uploads — content you send through DMs, group chats, and public chat is stored in our database to deliver it to recipients. Auto-delete features are available for DMs.
  • Session token — a single authentication cookie to keep you logged in. It’s a standard JWT, contains only your user ID and expiration, and is not shared with anyone.

What We Don’t Collect

This is the part that actually matters:

  • IP addresses — we do not log, store, or track your IP address. Server logs are configured to not retain connection metadata.
  • Device fingerprints — we don’t collect browser fingerprints, device identifiers, screen resolutions, or hardware info.
  • Location data — we have no geolocation tracking, no GeoIP lookups, nothing.
  • Analytics / tracking pixels — there are no third-party analytics services, no Google Analytics, no Meta Pixel, no tracking scripts of any kind embedded in the Platform.
  • Advertising data — we don’t serve ads and we don’t build advertising profiles.
  • Call recordings — voice and video calls use peer-to-peer WebRTC. Audio and video data flows directly between participants and never touches our servers. We don’t record, intercept, or monitor calls.

Cookies

We use exactly one cookie: pfp_token. It’s your login session. That’s it. No tracking cookies, no third-party cookies, no cookie consent banners needed because we’re not doing anything sketchy with cookies.

Third-Party Services

The Platform interacts with the following external services:

  • Stripe — for processing payments (rank purchases). We don’t store your payment details; Stripe handles that directly. Their privacy policy governs payment data.
  • Google STUN servers — used to establish peer-to-peer WebRTC connections for calls. These servers help with NAT traversal but don’t relay your actual call data.
  • Twemoji CDN — for consistent emoji rendering. This loads static image assets, not a tracking service.

Data Storage & Security

Your data is stored on our servers with industry-standard security measures. Passwords are hashed with bcrypt. Sessions use signed JWTs. All connections are encrypted via TLS. We apply security headers (CSP, HSTS, X-Frame-Options, etc.) and implement CSRF protection on all state-changing requests.

We retain your data only as long as your account exists. If you delete your account, your data is removed. Auto-delete features for DMs give you additional control over message retention.

Data Sharing

We don’t sell, trade, rent, or share your personal data with anyone. Period. The only scenario where data might be disclosed is if compelled by valid legal process — and even then, we retain so little data that there’s essentially nothing to hand over.

Your Rights

You have the right to:

  • Access your data (everything is visible in your profile and settings)
  • Correct your data (edit your profile at any time)
  • Delete your data (delete your account)
  • Use auto-delete features for conversations

Changes

If we ever change this policy, we’ll update this page. Our commitment to not logging IPs and not tracking users is non-negotiable and won’t change.

Contact

Privacy concerns? Reach out to a platform administrator through the service.