Privacy Policy

1. Information We Collect

Account Information:

• Username (publicly visible)
• Email address (kept private, used for authentication and notifications)
• Password (hashed using Argon2id, never stored in plain text)
• Account creation date and last update timestamp

User-Generated Content:

• Posts you create (title and content)
• Comments/messages you send
• Vote history (which posts you've upvoted or downvoted)
• Message edit history (timestamps of edits)

Activity & Engagement Data:

• Points earned through platform activity
• Badges and achievements earned
• Invite codes generated and used
• Posts you follow and notification preferences
• User who invited you (if applicable)

Technical Information:

• Session cookies (for authentication)
• IP address (for rate limiting and security)
• CAPTCHA responses (Cloudflare Turnstile, processed for bot detection)

2. How We Use Your Information

• Authentication: To verify your identity and keep your account secure
• Service Provision: To display your posts, comments, and profile information
• Communication: To send email notifications about replies, follows, and activity (only if you've enabled email notifications)
• Gamification: To track points, assign ranks, and award badges
• Invite System: To manage invite codes and track who invited whom
• Security: To prevent abuse, detect bots, and protect against attacks

3. Cookies and Storage

We use the following cookies and storage mechanisms:

• Session Cookie ("session"): Essential for authentication. HTTP-only, secure in production, 7-day expiration.
• SessionStorage: Temporarily stores invite codes during registration flow and feed scroll position for better UX.

4. Third-Party Services

We use the following third-party services:

• Cloudflare Turnstile: For CAPTCHA verification during registration. Cloudflare processes your request to determine if you're human. See Cloudflare's Privacy Policy.
• Scaleway Transactional Email (TEM): For sending email confirmations, invite emails, and notification emails. Scaleway processes your email address and email content.
• Font Awesome: For icons. Their CDN may log requests.

5. Data Storage and Security

We take data security seriously:

• Passwords: Hashed using Argon2id with memory cost of 65536, time cost of 3, and parallelism of 1
• Database: PostgreSQL with SSL/TLS encryption in production
• Caching: Redis with TTL-based expiration for sensitive data
• Transport: HTTPS/TLS for all communications in production
• Rate Limiting: 30 requests per 15 minutes for auth endpoints, 20 requests per 15 minutes for email confirmation

6. Data Retention

• Account data: Retained until account deletion
• Posts and comments: Retained indefinitely (soft-deleted messages marked but kept)
• Email confirmation tokens: Expire after 24 hours
• Session cookies: 7 days
• Mobile auth tokens: 30 days
• Invite codes: 7 days until expiration
• Cache data: 30-300 seconds depending on data type

7. Your Rights

You have the right to:

• Access your personal data (via your profile and settings)
• Edit your posts and comments (within 60 seconds for posts, unlimited for comments)
• Delete your messages (soft delete, marked as "[deleted]")
• Disable email notifications in settings
• Request account deletion (contact us)

8. Children's Privacy

Yaply is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. Continued use of Yaply after changes constitutes acceptance of the new policy.

10. Contact Us

If you have any questions about this Privacy Policy, please contact us at [email protected].