Privacy Policy
Last updated 2026-04-25 · Version 1.
What we collect
- Newsletter subscribers: the email address you give us, plus the IP and user-agent of the request, plus the source page.
- Profile content (/links): what the creator types into the admin and any image they upload.
- Image uploads (/dump): the file bytes; EXIF, GPS and other metadata are stripped before storage.
- Server logs: URL, status code, request timing, IP. Retained ~30 days by Heroku.
Why
- To deliver the service you asked for (send the newsletter, render the profile).
- To prevent abuse (rate-limit signups, reject malformed uploads, audit unsubscribe events).
- To comply with anti-spam law (honor unsubscribe within the legally required window).
Third-party processors
- Heroku — application hosting and request logging.
- DigitalOcean — managed Postgres (subscriber + profile data) and Spaces (uploaded images).
- jsDelivr CDN — serves the client-side image-compression library used in the profile admin.
No data is shared, sold, or rented to anyone. We do not run third-party analytics or advertising trackers on this site.
How long we keep it
- Subscriber rows: until you unsubscribe (we keep the timestamp for audit), or until you ask us to delete the row entirely.
- Uploaded images: until the creator removes them.
- Server logs: ~30 days at Heroku.
Your rights
- Unsubscribe at /unsubscribe (link is in every newsletter email).
- Data export or deletion: email privacy@chokala.gg. We'll respond manually within a reasonable window.
Contact
Privacy questions: privacy@chokala.gg.
Session analytics cookie (rsid)
We use a single first-party cookie named “rsid” to measure how visitors navigate the site. The cookie is HMAC-signed, contains no personal information, and is not shared with third parties. EU/EEA/UK visitors are not issued this cookie. Visitors who send a Global Privacy Control signal (Sec-GPC: 1) are not issued this cookie. The cookie expires after 90 days.
17. Fan account data
When you create a fan account, we collect: your email address (for authentication and communication), social-media handles you choose to provide (publicly displayed only on your profile in Phase 15a; see roadmap below for any expansion), a short bio you choose to provide, and your tipping history (associated with your account for tier calculation).
Why we collect. Authentication, supporter recognition through tier badges, and (with your separate explicit consent) future supporter-list features.
Retention. Profile data is retained for the life of your account. Upon account deletion, profile data is erased within 30 days. Payment records are retained for up to 6 years for tax and legal compliance, with personally identifying fields redacted. Magic-link tokens are single-use; redemption records expire after 30 days.
Sharing. We do not sell or share fan-account data with third parties for marketing purposes. We use the following sub-processors to operate the platform: Heroku (US-hosted application + database), Resend (transactional email delivery), PayPal (payment processing). Each has been onboarded under its standard data-processing terms; copies of those agreements are available on request to legal@chokala.gg.
Your rights. You have the right to access, correct, delete, and export your fan-account data. Self-service controls live in your fan dashboard; you may also email legal@chokala.gg to exercise these rights. We respond within 30 days.
EU/UK residents. Fan accounts are not currently available to EU/EEA/UK residents. Compliance with the full requirements of GDPR (EU/EEA), UK GDPR, LGPD, and country-specific data-protection regimes — including DSAR fulfillment within strict timelines, sub-processor data-processing-agreement audits, and EU representative designation — is more operational lift than the current team can responsibly maintain. We plan to revisit once the platform’s compliance posture has been reviewed by counsel. If you believe you have created an account from these regions, please email us for prompt deletion.
California residents. You have additional rights under the CPRA, including the right to know, delete, correct, and limit use of your data. We do not sell personal information.
We update this policy when our practices change. Material updates will be announced in the newsletter.
See also: Terms of Service · Accessibility Statement