Privacy Policy

FriendsNotFeeds (“FriendsNotFeeds,” “we,” “us”) is an independently operated photo-sharing service. We are the data controller for personal data processed through friendsnotfeeds.com and app.friendsnotfeeds.com (together, the “Service”).

For privacy questions, data subject requests, or to reach our designated privacy contact, email [email protected]. For postal mail, contact [email protected] and we will provide the operator's correspondence address on request.

We have not designated an Article 27 representative in the EU or a UK GDPR representative at this time, because EU/UK traffic on the Service is not material. If you are an EU/UK/Swiss resident and prefer to contact a representative directly, email [email protected] and we will route your request through a third-party representative service.

• Performance of a contract (GDPR Art. 6(1)(b)) — to operate your account, deliver posts to your friends, send recovery email, and process chip-in payments.
• Legitimate interests (GDPR Art. 6(1)(f)) — to detect abuse, keep the Service secure, and prevent fraud. Where we rely on legitimate interests, we have weighed your rights and concluded the processing is proportionate. You may object at any time (§ 9).
• Consent (GDPR Art. 6(1)(a)) — for web push notifications, optional location (GPS) metadata on posts, RSS feed participation, and any optional preference you explicitly enable. You can withdraw consent at any time without affecting prior processing.
• Legal obligation (GDPR Art. 6(1)(c)) — for tax, accounting, and response to lawful requests.

• Account data, posts, comments, friend graph: for as long as your account exists. When you delete your account, this is erased within 30 days, except where we are required to retain a record (e.g. tax records of payments).
• Photos in object storage: deleted on a best-effort schedule within 30 days of the corresponding post deletion or account deletion. If you enabled RSS, content fetched by a friend's third-party RSS reader before deletion may persist in that service's cache outside our control; deleting a post or account removes it from FriendsNotFeeds but cannot purge external reader caches.
• Server logs and IP hashes: 30 days, then deleted.
• Recovery and email-verification token hashes: until used or expired, then deleted.
• Stripe records: retained by Stripe per their policy. We retain billing records (transaction logs, invoices) for at least seven (7) years to satisfy U.S. tax and accounting obligations; longer where another jurisdiction requires.
• Backups: we use point-in-time recovery on our managed Postgres provider; the recovery window is up to thirty (30) days, after which deleted data is no longer recoverable from backups.

We use a small number of providers to run the Service. Each one is contractually bound to protect your data and to process it only on our instructions.

We will give reasonable advance notice of any new sub-processor by updating this list and the “Last updated” date.

Some of the providers above are based in the United States. When we transfer personal data of EU/EEA, UK, or Swiss residents to a country outside their region, we rely on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and supplementary safeguards as needed. You may request a copy of the relevant transfer mechanism by emailing [email protected].

Authentication is passkey-only — no passwords are stored anywhere. Connections use TLS in transit. Our managed database and object-storage providers apply at-rest disk encryption across the underlying infrastructure.

On top of that infrastructure-level encryption, we apply application-layer AES-256-GCM (an authenticated-encryption scheme, via the Web Crypto API, with a 256-bit key derived from APP_ENCRYPTION_KEY) to our most sensitive material:

• your account email address;
• your web-push subscription material (the per-device endpoint URL plus the signing keys used to deliver pushes);
• your private “how we met” notes about a friend;
• your account's federation private key.

Email lookups go through a deterministic blind index — an HMAC over the normalized address keyed with APP_BLIND_INDEX_KEY — so we can find a user without ever decrypting the stored email. Other credential-equivalents — recovery and email-verification tokens — are stored only as argon2id hashes and never in plaintext.

Photos are re-encoded on upload to strip EXIF before serving. We enforce a strict Content Security Policy, HSTS, and CSRF origin checks; uploads are sniffed by magic bytes; rate limits guard sensitive endpoints.

Breach notification. If we confirm a security incident that has affected your personal data, we will notify you without undue delay and in any event within 72 hours of confirming the breach, by email and (where appropriate) in-app, and we will notify supervisory authorities where required by law.

No system is perfectly secure. If you believe you've found a vulnerability, please email [email protected] rather than disclosing publicly.

We set one cookie: a first-party, HTTP-only, SameSite=Lax session cookie that keeps you signed in. It is strictly necessary to operate the Service and does not require consent under ePrivacy. We do not set advertising, analytics, or cross-site tracking cookies, and we do not use browser fingerprinting.

The service worker caches static assets and a small number of images on your device to make the PWA usable offline. You can clear it from your browser at any time.

Depending on where you live, you may have the right to:

• access the personal data we hold about you;
• request correction of inaccurate data;
• request deletion (the “right to be forgotten”);
• request a portable copy of data you provided to us;
• object to or restrict processing based on legitimate interests;
• withdraw consent for any consent-based processing;
• not be subject to solely automated decision-making (we do not do this);
• lodge a complaint with your local supervisory authority (in the EU/EEA) or the UK ICO.

You can exercise most of these directly in the app: edit your profile in Settings, delete posts and comments inline, request a portable export of your data, and delete your account at /account/delete. For anything else, email [email protected]. We aim to respond to data-subject requests within 30 days. Where the law allows (e.g. GDPR Art. 12(3) for complex requests, or CCPA's 45+45-day window), we may extend that period and will tell you when we do.

In the past 12 months, we have collected the categories of personal information listed in § 2 (identifiers, internet/network activity, geolocation if you opt in, sensory data in the form of photos, and commercial information related to chip-in payments). We disclose these categories to the service providers in § 5 only to operate the Service.

We do not “sell” or “share” personal information as those terms are defined under the CCPA/CPRA, and we have not done so in the past 12 months. We do not knowingly collect personal information from anyone under 16.

California residents have the rights to know, delete, correct, and limit use of sensitive personal information. To exercise these, email [email protected]. You may also designate an authorized agent to make a request on your behalf. We honor Global Privacy Control (GPC) signals as a do-not-sell / do-not-share request — we do not sell or share regardless, but we will treat a GPC signal from your browser as a continuing opt-out for any future processing that would be subject to the right to opt out under the CCPA/CPRA.

The Service is not directed to anyone under 16, and we do not knowingly collect personal information from children under 16. We chose 16 as a global floor — above the U.S. COPPA threshold of 13 and matching the GDPR Article 8 threshold for digital-service consent — so that the same age rule applies to every user regardless of where they live. If you believe a child has provided us personal information, contact [email protected] and we will delete it promptly.

When we change this policy, we update the “Last updated” date above. For material changes, we'll also notify you in-app or by email at least 30 days before the change takes effect, where required. Continued use of the Service after the effective date constitutes acceptance of the updated policy. Changes that are required by law or that are necessary to address a material security risk may take effect immediately, with notice as soon as practicable.

Questions, requests, or complaints about privacy: [email protected]. For postal mail, contact [email protected] and we will provide the operator's correspondence address on request.