Privacy.

• The email, handle, display name, and password hash you enter at sign-up.
• Anything you post — tribes, posts, replies, endorsements, vouches, bookmarks, reactions, profile text, uploaded images.
• Lettersyou write — recipient list, delivery timestamp, seal choice, and body. Held sealed until delivery; treated like 1:1 DMs (encrypted at rest, operators don't read, disclosed only under valid legal process).
• Gift dedications — the recipient user id you address a post to. Rendered publicly on the post.
• Open-to signals— the optional glyphs you set in profile settings (friendship, romance, mentorship, etc.), the visibility mode you chose (quiet / visible), and the allow-list of people you've explicitly let see them. This is sensitive: it can indicate relationship-seeking intent. We store it only because you asked us to, we never sell or share it, and you can remove it entirely at any time.
• Slow Room visit records — a per-user timestamp the first time you click into an opened episode or chapter. Used to unlock reply counts once you've taken the “no-spoilers” handshake.
• In-silence state— if you enter retreat mode, the return timestamp you set and the optional short public note (“back in a week”) are stored on your user row. The note is shown to anyone visiting your profile so they know not to expect a reply; clearing silence removes both values.
• Session and theme preferences, stored in cookies. No third-party advertising cookies.
• Server logs (IP, user agent, timestamp) for a rolling 30 days so we can debug outages and investigate abuse.

We don't track you across other sites. We don't run analytics that report anything identifiable off-platform.

• To show you the parts of Ingle you're entitled to see.
• To send transactional emails: welcome, verification, password reset, sign-in codes.
• To spot and stop abuse.
• To improve Ingle — changes are informed by looking at aggregate patterns, not individuals.

We do not sell your data, train commercial AI on it, or hand it to advertisers.

• Cloudflare — DNS, edge caching, Turnstile bot protection. Sees IP + request metadata.
• Hetzner — server hosting. Sees the ciphertext of everything; never your data directly.
• Self-hosted Supabase — database + storage, runs on our servers.
• Cloudflare R2 — image storage for avatars, banners, and post images.
• Postal (self-hosted) — outbound transactional email.

• ingle_session — your sign-in, 30 days, httpOnly.
• ingle_theme — your light/dark/auto pick, 1 year.
• ingle_partial_auth — 10 minutes, only during 2FA sign-in.
• ingle_pending_invite — 24h, only if you followed an invite link without signing in.

No analytics, advertising, or tracking cookies. Full stop.