Privacy

Data retention

We keep your data only as long as we need it to run the service. If you delete your account, we remove your data promptly. For accounts that have been inactive (no sign-in) for 24 months, we will delete the account and associated data. Logs and records we hold for security or abuse prevention (such as email delivery logs) may be retained for up to 24 months, then removed.

Service providers (sub-processors)

We use a small set of providers to host and operate the service. Each processes data only as needed to perform their role:

• hosting (Workers), database (D1), Turnstile (bot detection on signup and other forms), and edge infrastructure. Data stays within their network to serve the app and store your information. See Cloudflare’s privacy policy for how Turnstile and other Cloudflare services handle data.
• transactional email (e.g. verification, password reset, draw results, invites). We send them only the recipient address and content needed for each email.
• Amazon SES (Simple Email Service): transactional email (e.g. verification, password reset, draw results, invites). We send them only the recipient address and content needed for each email.

Data location and residency

Your data is stored and processed on Cloudflare’s infrastructure (Workers, D1, and related systems) in the EU. Cloudflare is GDPR-compliant and maintains appropriate safeguards for the storage and transfer of personal data.

Security

We use industry-standard measures to protect your data:

• Encryption in transit — all traffic to and from the site uses TLS (HTTPS).
• Encryption at rest — the database and stored data are encrypted at rest.
• Passwords — hashed with Argon2; we never store or transmit plain-text passwords.
• Sessions — we use secure, httpOnly cookies for login; sessions are ended when you sign out.