Privacy Policy

Last updated: March 19, 2026

1. Introduction

This Privacy Policy explains how fireflare ("we," "us," or "the Service") collects, uses, and protects your personal information when you use our platform. By using the Service, you consent to the practices described in this policy.

2. Information We Collect

Information you provide

  • Account information: username, email address, display name, and password (stored as a one-way hash; we never store your plain-text password)
  • Profile information: bio, avatar, and other optional details you choose to share
  • Content: prompts, descriptions, comments, tags, and media you upload
  • OAuth data: if you sign in via GitHub or Google, we receive your email address and basic profile information from the provider. We do not receive or store your OAuth provider password.

Information collected automatically

  • Usage data: pages visited, features used, timestamps of activity
  • Technical data: IP address, browser type, operating system, device type, referring URL
  • Session data: server-side session tokens used to authenticate your requests

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage your account
  • Display your public profile and content to other users
  • Send transactional emails (account verification, password reset, security alerts)
  • Generate personalized feeds and recommendations
  • Compute trending content and search rankings
  • Detect and prevent abuse, fraud, and spam
  • Analyze usage patterns in aggregate to improve the Service (we do not track individuals)

We do not sell your personal data to third parties. We do not use your data for advertising or behavioral profiling.

4. Cookies and Local Storage

We use a single, essential session cookie to keep you logged in. This cookie is:

  • Strictly necessary for authentication — the Service cannot function without it
  • HttpOnly — not accessible to JavaScript, which protects the cookie against theft via XSS
  • Secure — transmitted only over HTTPS in production

We do not use analytics cookies, tracking pixels, or third-party advertising cookies.

5. Data Sharing

We may share your information only in the following circumstances:

  • Public content: prompts, comments, and profile information you choose to make public are visible to all visitors and may be indexed by search engines
  • Service providers: we use third-party services to operate the platform (email delivery, object storage, search indexing). These providers process data on our behalf under data processing agreements and have no independent right to use your data.
  • Legal requirements: we may disclose information if required by law, regulation, legal process, or governmental request
  • Safety: we may disclose information if we believe it is necessary to prevent harm, fraud, or violations of our Terms of Service

6. Data Security

We implement industry-standard security measures to protect your data:

  • Passwords are hashed with Argon2id (memory-hard, resistant to brute-force attacks)
  • All connections are encrypted via TLS/HTTPS
  • Session tokens are hashed server-side; raw tokens are never stored
  • CSRF protection on all state-changing operations
  • Rate limiting on authentication endpoints

No system is perfectly secure. While we take reasonable measures, we cannot guarantee absolute security of your data.

7. Data Retention

  • Account data: retained while your account is active. Deleted accounts are soft-deleted (marked inactive) and permanently purged after 30 days.
  • Content: public prompts and comments remain visible until you delete them. Deleted content is soft-deleted and permanently purged after 30 days.
  • Session data: expired sessions are automatically cleaned up.
  • Server logs: access and error logs are retained for up to 90 days for debugging and security purposes, then automatically deleted.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate information via your account settings
  • Delete your account and associated data
  • Export your content
  • Object to certain processing activities

To exercise these rights, contact us at privacy@fireflare.io. We will respond within 30 days.

9. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we learn we have collected data from a child under 13, we will promptly delete it.

10. International Data Transfers

Your data may be processed in countries other than your own. By using the Service, you consent to the transfer of your data to countries that may have different data protection laws. We take steps to ensure your data is treated securely and in accordance with this policy.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions or requests, contact us at privacy@fireflare.io.