Privacy Policy

Last updated: January 15, 2025

Your Privacy Matters: This Privacy Policy explains how we protect your anonymity and handle your personal information. We are committed to maintaining the highest standards of privacy protection.

1. Introduction and Scope

Weird Confessions, Inc. ("Weird Confessions," "we," "us," or "our") operates an anonymous confession sharing platform accessible via web and mobile applications (collectively, the "Service"). This Privacy Policy describes how we collect, use, process, and disclose your personal information when you use our Service.

Our Privacy Commitment: Anonymity is fundamental to our platform. We are committed to protecting your identity and ensuring that your real-world identity is never revealed to other users or used for commercial purposes without your explicit consent.

2. Information We Collect

We collect information in several ways when you use our Service. This section describes the categories of information we collect and how we obtain it.

2.1 Information You Provide Directly

2.1.1 Account Registration Information

  • Email Address: Required for account creation, authentication, and essential communications
  • Authentication Data: When using Google Sign-In, we receive your Google account email, name, and profile picture (used only for account verification)
  • Password Information: Encrypted and stored securely (if using email/password authentication)
  • Account Preferences: Theme settings, notification preferences, language settings

2.1.2 Content and Communications

  • Stories and Confessions: Text content you submit to share with the community
  • Comments: Your responses and interactions with other users' content
  • Direct Messages: Communications with our support team
  • Reports and Feedback: Content reports, bug reports, and feature requests
  • Survey Responses: Optional feedback and research participation

2.2 Information We Collect Automatically

2.2.1 Usage and Interaction Data

  • Content Interactions: Likes, comments, shares, and time spent viewing content
  • Navigation Patterns: Pages visited, features used, and user journey through the Service
  • Engagement Metrics: Session duration, frequency of use, and feature adoption
  • Search Queries: Terms searched within the platform
  • Error Logs: Technical errors and crash reports for service improvement

2.2.2 Device and Technical Information

  • Device Identifiers: Device ID, advertising ID (where applicable), and hardware information
  • Browser and App Information: Browser type, version, operating system, and app version
  • Network Information: IP address, internet service provider, and connection type
  • Performance Data: Page load times, app performance metrics, and technical diagnostics

2.2.3 Cookies and Similar Technologies

  • Essential Cookies: Required for authentication, security, and basic functionality
  • Preference Cookies: Store your settings and customization choices
  • Analytics Cookies: Help us understand usage patterns and improve the Service
  • Security Cookies: Detect fraudulent activity and protect against abuse

2.3 Information We Do NOT Collect

To protect your privacy and maintain anonymity, we explicitly do NOT collect:

  • Real Names: Beyond what's provided through OAuth, never displayed to other users
  • Precise Location Data: No GPS coordinates, addresses, or location tracking
  • Contact Information: No phone numbers, addresses, or contact lists
  • Financial Information: No payment details, credit cards, or financial data
  • Biometric Data: No fingerprints, facial recognition, or biometric identifiers
  • Social Media Connections: No friend lists or social network data
  • Cross-Device Tracking: No linking of your activity across different devices
  • Third-Party Data: No purchasing of data from data brokers or other sources

3. How We Use Your Information

We use the information we collect for specific, legitimate purposes that are essential to providing and improving our Service while maintaining your anonymity. Here's how we use different types of information:

3.1 Service Provision and Functionality

3.1.1 Core Platform Operations

  • Account Management: Create, maintain, and authenticate your account
  • Content Display: Show your stories and comments with your assigned anonymous username
  • User Interactions: Enable likes, comments, and other engagement features
  • Personalization: Remember your preferences, settings, and customizations
  • Content Delivery: Serve relevant content and optimize your experience

3.1.2 Communication and Support

  • Customer Support: Respond to your inquiries and resolve technical issues
  • Service Notifications: Send important updates about your account or the Service
  • Policy Updates: Notify you of changes to our Terms of Service or Privacy Policy
  • Security Alerts: Inform you of potential security issues with your account

3.2 Platform Safety and Security

3.2.1 Content Moderation

  • Policy Enforcement: Review content for violations of our Terms of Service
  • Automated Detection: Use algorithms to identify potentially harmful content
  • Human Review: Conduct manual review of reported or flagged content
  • Community Protection: Remove content that violates our guidelines

3.2.2 Security and Fraud Prevention

  • Account Security: Detect and prevent unauthorized access to accounts
  • Abuse Prevention: Identify and stop spam, harassment, and other harmful behavior
  • Technical Security: Protect against malware, viruses, and security threats
  • Platform Integrity: Prevent manipulation of our systems and features

3.3 Service Improvement and Development

3.3.1 Analytics and Research

  • Usage Analytics: Understand how users interact with our platform (in aggregate)
  • Performance Monitoring: Track system performance and identify technical issues
  • Feature Development: Research and develop new features based on user needs
  • A/B Testing: Test new features and improvements with user groups

3.3.2 Quality Assurance

  • Bug Detection: Identify and fix technical problems
  • User Experience: Improve interface design and usability
  • Content Quality: Enhance content discovery and recommendation systems

3.4 Legal and Compliance

3.4.1 Legal Obligations

  • Law Enforcement: Respond to valid legal requests and court orders
  • Regulatory Compliance: Meet requirements under applicable privacy and data protection laws
  • Dispute Resolution: Provide information necessary for legal proceedings
  • Rights Protection: Protect our intellectual property and legal rights

3.4.2 Safety and Emergency Situations

  • Imminent Harm: Prevent immediate physical harm to individuals
  • Child Safety: Report suspected child abuse or exploitation to authorities
  • Public Safety: Cooperate with law enforcement in emergency situations

3.5 Anonymity Protection Measures

Critical: In all uses of your information, we maintain strict separation between your real identity and your anonymous platform presence:

  • Identity Separation: Your email and real name are never linked to your public content
  • Anonymous Display: All public content shows only your randomly assigned username
  • Data Compartmentalization: Personal identifiers are stored separately from content data
  • Access Controls: Strict limits on who can access personally identifiable information

4. Information Sharing and Disclosure

We limit information sharing to specific circumstances necessary for Service operation, legal compliance, and user safety. We never sell your personal information or share it for commercial purposes.

4.1 Public Information Display

4.1.1 What's Publicly Visible

  • Anonymous Content: Your stories and comments are displayed with your randomly assigned username
  • Interaction Metrics: Like counts, comment counts, and timestamps are visible to all users
  • Anonymous Engagement: Your likes and comments on others' content (shown with your anonymous username)
  • Content Creation Dates: When stories and comments were posted

4.1.2 What's Never Public

  • Real Identity: Your email, real name, or any personally identifiable information
  • Account Details: Registration information, preferences, or account settings
  • Technical Data: IP addresses, device information, or usage patterns
  • Private Communications: Support messages or direct communications with us

4.2 Service Providers and Business Partners

We work with carefully selected third-party service providers who help us operate the Service. These providers are contractually bound to protect your information and use it only for specified purposes.

4.2.1 Infrastructure and Hosting

  • Supabase: Database hosting and backend services (data processing agreement in place)
  • Cloud Providers: Secure data storage and content delivery networks
  • Security Services: DDoS protection, fraud detection, and security monitoring

4.2.2 Authentication and Analytics

  • Google OAuth: Authentication services (limited to email and basic profile information)
  • Analytics Providers: Aggregated, anonymized usage analytics (no personal identification)
  • Performance Monitoring: Application performance and error tracking services

4.2.3 Communication and Support

  • Email Services: Transactional email delivery for account notifications
  • Customer Support: Help desk and support ticket management systems
  • Push Notifications: Mobile notification delivery services

4.3 Legal and Safety Disclosures

4.3.1 Legal Requirements

We may disclose your information when required by law, including:

  • Court Orders: Valid subpoenas, warrants, or court orders
  • Government Requests: Lawful requests from law enforcement or regulatory agencies
  • Legal Proceedings: Information necessary for litigation or dispute resolution
  • Regulatory Compliance: Requirements under applicable privacy and data protection laws

4.3.2 Safety and Protection

We may disclose information to protect safety and prevent harm:

  • Imminent Danger: Preventing immediate physical harm to individuals
  • Child Protection: Reporting suspected child abuse or exploitation
  • Platform Security: Investigating fraud, abuse, or security threats
  • Terms Enforcement: Investigating violations of our Terms of Service

4.3.3 Transparency and User Rights

  • Notice When Possible: We will notify you of legal requests unless prohibited by law
  • Narrow Scope: We disclose only the minimum information necessary
  • Legal Challenge: We may challenge overly broad or inappropriate requests
  • Transparency Reports: We publish annual transparency reports about government requests

4.4 Business Transfers and Corporate Changes

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity, subject to the following protections:

  • Continued Protection: The same privacy protections will apply
  • User Notification: We will notify you before any transfer occurs
  • Opt-Out Rights: You may delete your account before the transfer
  • Anonymity Preservation: Your anonymous identity will be maintained

4.5 What We Never Share

We will never:

  • Sell Personal Information: We do not sell, rent, or trade your personal information
  • Share for Marketing: We do not share your information with advertisers or marketers
  • Cross-Platform Tracking: We do not participate in cross-site tracking or data sharing
  • Data Broker Sales: We do not sell information to data brokers or aggregators
  • Identity Revelation: We never reveal your real identity to other users

5. Data Security and Protection

We implement comprehensive security measures to protect your information and maintain the anonymity that is central to our platform. Security is built into every aspect of our Service.

5.1 Technical Security Measures

5.1.1 Encryption and Data Protection

  • End-to-End Encryption: All data is encrypted in transit using TLS 1.3
  • Database Encryption: All stored data is encrypted at rest using AES-256
  • Key Management: Encryption keys are securely managed and regularly rotated
  • Secure Protocols: All communications use industry-standard security protocols

5.1.2 Infrastructure Security

  • Secure Hosting: Data is hosted on SOC 2 Type II certified infrastructure
  • Network Security: Firewalls, intrusion detection, and DDoS protection
  • Regular Updates: Security patches and updates are applied promptly
  • Vulnerability Scanning: Regular security assessments and penetration testing

5.2 Access Controls and Authentication

5.2.1 Employee Access

  • Principle of Least Privilege: Employees have access only to data necessary for their role
  • Multi-Factor Authentication: All employee accounts require MFA
  • Access Logging: All data access is logged and monitored
  • Regular Reviews: Access permissions are reviewed quarterly
  • Background Checks: All employees undergo security background checks

5.2.2 System Security

  • Secure Authentication: Strong password requirements and account security
  • Session Management: Secure session handling and automatic timeouts
  • API Security: Rate limiting, authentication, and input validation
  • Monitoring Systems: 24/7 security monitoring and alerting

5.3 Anonymity Protection Architecture

5.3.1 Identity Separation

  • Data Compartmentalization: Personal identifiers are stored separately from content data
  • Anonymous Mapping: Random usernames are generated using cryptographically secure methods
  • No Reverse Lookup: It is technically impossible to trace anonymous usernames back to real identities
  • Content Isolation: Public content is never directly linked to personal information

5.3.2 Privacy by Design

  • Minimal Data Collection: We collect only the minimum data necessary for Service operation
  • Purpose Limitation: Data is used only for specified, legitimate purposes
  • Storage Minimization: Personal data is deleted when no longer needed
  • Default Privacy: Privacy-protective settings are enabled by default

5.4 Incident Response and Breach Notification

5.4.1 Security Incident Response

  • Incident Response Team: Dedicated team for handling security incidents
  • Response Procedures: Documented procedures for different types of incidents
  • Containment Measures: Immediate steps to contain and mitigate breaches
  • Forensic Analysis: Thorough investigation of security incidents

5.4.2 Breach Notification

  • Regulatory Notification: Authorities will be notified within 72 hours as required by law
  • User Notification: Affected users will be notified promptly if their data is compromised
  • Transparency: We will provide clear information about what happened and what we're doing
  • Remediation: Steps will be taken to prevent similar incidents in the future

5.5 Third-Party Security

  • Vendor Assessment: All third-party providers undergo security assessments
  • Data Processing Agreements: Contractual obligations for data protection
  • Regular Audits: Ongoing monitoring of third-party security practices
  • Compliance Requirements: Vendors must meet our security and privacy standards

6. Data Retention and Deletion

We retain your information only as long as necessary to provide the Service, comply with legal obligations, and protect user safety. Our retention practices are designed to minimize data storage while maintaining Service functionality.

6.1 Retention Periods by Data Type

6.1.1 Account and Authentication Data

  • Active Accounts: Retained while your account remains active
  • Email Addresses: Deleted within 30 days of account deletion
  • Authentication Tokens: Expire automatically and are deleted regularly
  • Login History: Retained for 90 days for security purposes
  • Account Preferences: Deleted immediately upon account deletion

6.1.2 Content and Interaction Data

  • Stories and Comments: May remain on the platform indefinitely for community value
  • Likes and Interactions: Deleted when associated account is deleted
  • Reports and Moderation Data: Retained for 2 years for safety purposes
  • Deleted Content: Permanently removed within 30 days (except for legal holds)

6.1.3 Technical and Usage Data

  • Log Files: Retained for 90 days for security and performance monitoring
  • Analytics Data: Aggregated data retained indefinitely (no personal identification)
  • Error Reports: Retained for 1 year for technical improvement
  • Performance Data: Retained for 6 months for optimization purposes

6.2 Account Deletion Process

6.2.1 User-Initiated Deletion

When you delete your account:

  • Immediate Effect: Account access is terminated immediately
  • Personal Data: Email and personal information deleted within 30 days
  • Content Options: You can choose to delete your content or leave it anonymous
  • Irreversible Process: Account deletion cannot be undone

6.2.2 Content After Account Deletion

  • Anonymous Preservation: Content may remain with anonymous username only
  • Community Value: Stories and comments that provide value to the community
  • No Personal Link: No way to trace content back to deleted account
  • User Control: You can delete individual content before account deletion

6.3 Legal and Safety Retention

6.3.1 Legal Holds

  • Court Orders: Data may be preserved longer if required by legal proceedings
  • Investigation Support: Information relevant to ongoing investigations
  • Regulatory Requirements: Compliance with applicable data retention laws
  • User Notification: We will inform you if your data is subject to legal hold

6.3.2 Safety and Security

  • Abuse Prevention: Data related to Terms violations retained for 2 years
  • Security Incidents: Information related to security breaches retained as needed
  • Fraud Prevention: Data necessary to prevent fraud and protect users

6.4 Automated Deletion

  • Scheduled Cleanup: Automated systems delete expired data regularly
  • Backup Purging: Old backups are automatically deleted according to schedule
  • Log Rotation: System logs are automatically rotated and deleted
  • Cache Clearing: Temporary data is regularly cleared from caches

7. Your Privacy Rights and Choices

You have significant control over your personal information and how it's used. We provide multiple ways for you to access, update, and delete your data.

7.1 Universal Privacy Rights

Regardless of your location, you have the following rights:

7.1.1 Access and Transparency

  • Data Access: Request a copy of all personal information we have about you
  • Processing Information: Learn how your data is being used and why
  • Third-Party Sharing: Understand what information is shared and with whom
  • Data Sources: Know where your information came from

7.1.2 Control and Correction

  • Data Correction: Update or correct inaccurate personal information
  • Preference Management: Change your communication and privacy preferences
  • Content Control: Edit or delete your stories and comments
  • Account Settings: Modify your account configuration and settings

7.1.3 Deletion and Portability

  • Data Deletion: Request deletion of your personal information
  • Account Deletion: Permanently delete your entire account
  • Content Removal: Remove individual stories or comments
  • Data Export: Receive a copy of your data in a portable format

7.2 Regional Privacy Rights

7.2.1 European Union (GDPR)

If you're in the EU, you have additional rights under the General Data Protection Regulation:

  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing: Limit how we use your data in certain circumstances
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Rights Related to Automated Decision-Making: Protection from automated profiling
  • Right to Lodge a Complaint: File complaints with your local data protection authority

7.2.2 California (CCPA/CPRA)

If you're a California resident, you have rights under the California Consumer Privacy Act:

  • Right to Know: What personal information we collect and how it's used
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the sale of personal information (we don't sell data)
  • Right to Non-Discrimination: Equal service regardless of privacy choices
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Limit: Limit use of sensitive personal information

7.2.3 Other Jurisdictions

  • Canada (PIPEDA): Access, correction, and complaint rights
  • Brazil (LGPD): Similar rights to GDPR including access, correction, and deletion
  • Australia (Privacy Act): Access and correction rights
  • Other Regions: Rights may vary based on local privacy laws

7.3 How to Exercise Your Rights

7.3.1 Self-Service Options

  • Account Settings: Access most privacy controls through your account settings
  • Content Management: Delete or edit your content directly on the platform
  • Preference Center: Manage communication and privacy preferences
  • Download Data: Export your data through account settings

7.3.2 Contact Methods

  • Privacy Request Form: Submit requests through our online form
  • Email: Contact [email protected]
  • Verification: We may need to verify your identity before processing requests
  • Response Time: We respond to requests within 30 days (or as required by law)

7.4 Privacy Controls and Settings

7.4.1 Communication Preferences

  • Email Notifications: Control what emails you receive from us
  • Push Notifications: Manage mobile app notification settings
  • Announcement Preferences: Choose how you receive platform announcements
  • Marketing Communications: Opt out of promotional emails (we send very few)

7.4.2 Data Collection Controls

  • Analytics Opt-Out: Opt out of non-essential analytics tracking
  • Cookie Management: Control cookies through browser settings
  • Usage Data: Limit collection of usage and interaction data
  • Error Reporting: Opt out of automatic error reporting

8. Cookies and Similar Technologies

We use cookies and similar technologies to provide, secure, and improve our Service. This section explains what these technologies are and how you can control them.

8.1 What Are Cookies

Cookies are small text files stored on your device when you visit our Service. They help us recognize you, remember your preferences, and provide a better user experience.

8.2 Types of Cookies We Use

8.2.1 Essential Cookies

  • Authentication: Keep you logged in and verify your identity
  • Security: Protect against fraud and unauthorized access
  • Session Management: Maintain your session across page loads
  • Load Balancing: Ensure optimal performance and availability

8.2.2 Functional Cookies

  • Preferences: Remember your theme, language, and other settings
  • User Interface: Maintain your customization choices
  • Accessibility: Support accessibility features and preferences

8.2.3 Analytics Cookies

  • Usage Analytics: Understand how users interact with our Service (anonymized)
  • Performance Monitoring: Track page load times and technical performance
  • Error Tracking: Identify and fix technical issues
  • Feature Usage: Understand which features are most valuable to users

8.3 Cookie Management and Control

8.3.1 Browser Controls

  • Cookie Settings: Most browsers allow you to control cookie settings
  • Selective Blocking: You can block specific types of cookies
  • Deletion: You can delete existing cookies at any time
  • Notification: Set your browser to notify you when cookies are set

8.3.2 Impact of Cookie Choices

  • Essential Cookies: Blocking these may prevent the Service from working properly
  • Functional Cookies: Blocking these may reset your preferences each visit
  • Analytics Cookies: Blocking these won't affect functionality but limits our ability to improve

8.4 Other Tracking Technologies

  • Local Storage: Store preferences and settings locally on your device
  • Session Storage: Temporary storage that's cleared when you close your browser
  • Web Beacons: Small images used to track email opens and engagement
  • Device Fingerprinting: We do NOT use device fingerprinting for tracking

8.5 Third-Party Cookies

  • Limited Use: We minimize third-party cookies to essential services only
  • Service Providers: Some cookies are set by our service providers (e.g., Supabase)
  • No Advertising: We do not use advertising cookies or tracking pixels
  • No Cross-Site Tracking: We do not participate in cross-site tracking networks

9. Children's Privacy Protection

9.1 Age Restrictions

  • Minimum Age: Our Service is not intended for children under 13 years old
  • Parental Consent: Users aged 13-17 should have parental consent
  • Age Verification: We may request age verification during registration
  • Regional Variations: Age requirements may vary based on local laws

9.2 Protection Measures

  • No Targeted Collection: We do not knowingly collect information from children under 13
  • Immediate Deletion: If we discover underage users, we delete their accounts immediately
  • Parental Rights: Parents can request deletion of their child's information
  • Educational Resources: We provide resources for parents about online safety

9.3 COPPA Compliance

  • No Personal Information: We do not collect personal information from children under 13
  • No Behavioral Advertising: We do not engage in behavioral advertising to children
  • Parental Notification: Parents will be notified if we discover underage use
  • Safe Harbor: We follow COPPA safe harbor provisions

10. International Data Transfers and Global Operations

10.1 Cross-Border Data Processing

As a global service, your information may be processed in countries other than where you live. We ensure appropriate protections are in place for all international data transfers.

10.2 Transfer Safeguards

10.2.1 Legal Frameworks

  • Adequacy Decisions: We transfer data to countries with adequate protection levels
  • Standard Contractual Clauses: Use EU-approved contracts for data transfers
  • Binding Corporate Rules: Internal policies ensuring consistent protection
  • Certification Programs: Participation in recognized privacy certification programs

10.2.2 Technical Safeguards

  • Encryption in Transit: All data transfers are encrypted
  • Secure Protocols: Use of secure communication protocols
  • Access Controls: Strict controls on who can access transferred data
  • Data Minimization: Transfer only necessary data

10.3 Regional Data Localization

  • EU Data: EU user data is primarily processed within the EU
  • Local Requirements: We comply with local data residency requirements
  • Backup Locations: Secure backup facilities in multiple regions
  • Emergency Access: Procedures for accessing data during emergencies

11. Policy Updates and Changes

11.1 How We Update This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We are committed to transparency about any changes.

11.2 Types of Changes

11.2.1 Material Changes

For significant changes that affect your rights or how we use your data, we will:

  • Email Notification: Send notice to your registered email address
  • Platform Notice: Display prominent notices on the Service
  • Advance Notice: Provide at least 30 days' notice before changes take effect
  • Opt-Out Option: Allow you to delete your account if you disagree with changes

11.2.2 Minor Changes

For minor updates like clarifications or administrative changes:

  • Updated Date: We will update the "Last updated" date at the top
  • Change Log: Maintain a summary of changes for transparency
  • Continued Use: Your continued use indicates acceptance of minor changes

11.3 Your Choices When We Update

  • Review Changes: We encourage you to review updates when notified
  • Contact Us: Ask questions about changes you don't understand
  • Account Deletion: Delete your account if you disagree with material changes
  • Continued Protection: Your anonymity remains protected regardless of changes

12. Contact Information and Privacy Support

12.1 Privacy Team Contact

For any questions, concerns, or requests related to this Privacy Policy or our privacy practices, please contact our dedicated privacy team:

Privacy Contact Information

General Privacy Inquiries

  • Email: [email protected]
  • Response Time: Within 48 hours
  • Languages: English, Spanish, French

Data Protection Officer

  • Email: [email protected]
  • Role: GDPR and data protection compliance
  • Response Time: Within 72 hours

12.2 Privacy Request Process

12.2.1 How to Submit Requests

  • Online Form: Use our privacy request form at weirdconfessions.com/privacy-request
  • Email: Send detailed requests to [email protected]
  • Account Settings: Many requests can be handled through your account settings
  • Identity Verification: We may need to verify your identity for security

12.2.2 What to Include in Your Request

  • Request Type: Clearly state what you're requesting (access, deletion, etc.)
  • Account Information: Provide your email address or account identifier
  • Specific Details: Be specific about what information you're asking about
  • Verification: Be prepared to verify your identity

12.3 Business Information

  • Company: Weird Confessions, Inc.
  • Address: [Your Business Address]
  • Phone: [Your Phone Number]
  • Business Hours: Monday-Friday, 9 AM - 5 PM [Your Timezone]

13. Our Privacy Commitment

Our Promise to You

Anonymity First: Your real identity will never be revealed to other users. We have built our entire platform around protecting your anonymity.

No Data Sales: We will never sell, rent, or trade your personal information to third parties for commercial purposes.

Transparency: We are committed to being transparent about our data practices and will always be honest about how we use your information.

Your Control: You have control over your data and can access, correct, or delete it at any time.

Continuous Improvement: We continuously review and improve our privacy practices to ensure the highest level of protection.

Effective Date: This Privacy Policy is effective as of January 15, 2025. Your use of Weird Confessions after this date indicates your acceptance of this Privacy Policy.

For privacy-related questions, please contact us