Privacy Policy

Last updated: 2026-05-15

sizuq ("the Service") is a quiet social network for thoughtful expression. This Privacy Policy explains what personal data we collect, how we use it, and the choices you have. It applies to the website at sizuq.com and any related services.

1. Information we collect

  • Account data: email address, password hash (we never store plaintext passwords), handle, and optional profile information (display name, avatar URL, bio, and atmosphere metadata you choose to provide).
  • Authentication provider data: if you sign in with Google, we receive your email address, Google account ID, name, and profile picture URL. We do not request any additional Google scopes (calendar, contacts, etc.).
  • Multi-factor authentication: TOTP secrets (encrypted at rest with AES-256-GCM), recovery codes (stored as SHA-256 hashes), and WebAuthn/passkey public keys.
  • Content you create: posts, resonances (reactions), spaces, and the metadata associated with them.
  • Security telemetry: login attempts and security events. IP addresses and User-Agent strings are stored as SHA-256 hashes — we do not retain raw IPs or device fingerprints.
  • Cookies: a session cookie used to keep you signed in. No third-party analytics or advertising cookies.

2. How we use information

  • To provide and operate the Service (sign-in, feed, posts).
  • To protect accounts and detect abuse (rate limiting, audit logs, suspicious-login detection).
  • To send transactional emails (address verification, security notifications).
  • To comply with applicable law.

We do not sell your personal data, and we do not use it for behavioral advertising or training third-party models.

3. Service providers (sub-processors)

We share the minimum data necessary with the following providers, each of which acts on our behalf under its own security and privacy commitments:

  • Vercel — hosting and CDN.
  • Neon — managed PostgreSQL database.
  • Google — OAuth sign-in (only if you choose to use it).
  • Resend — transactional email delivery.

4. Data retention and deletion

We retain your account data for as long as your account is active. When you delete your account, we delete your personal data and content from active systems within 30 days, with limited exceptions retained for legal compliance, abuse prevention, or backups (typically purged within 90 days). Security event logs may be retained longer in aggregated or hashed form.

5. Your rights

You may access, correct, export, or delete your personal data at any time from the Settings page or by emailing us. Depending on your jurisdiction (EEA, UK, California, Japan, etc.), you may also have the right to object to processing, restrict processing, or lodge a complaint with your local data protection authority.

6. Children

sizuq is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). If you believe a child has provided us with personal data, please contact us and we will delete it.

7. Security

We use industry-standard measures including TLS in transit, encryption at rest for sensitive secrets, bcrypt password hashing, optional TOTP and passkey MFA, and audit logging. No method is 100% secure; please use a strong, unique password and enable MFA.

8. International transfers

Our service providers may process data in the United States, the European Union, or other jurisdictions. By using the Service, you consent to such transfers, which are conducted under contractual safeguards.

9. Changes to this policy

We may update this Policy from time to time. Material changes will be announced via email or an in-app notice. The "Last updated" date above always reflects the most recent version.

10. Contact

Questions or requests regarding this Policy can be sent to contact@sizuq.com.