Privacy Policy
Last updated: July 18, 2026
1. What we collect
Account data: when you sign up, we store your email address and a hashed password (handled by Supabase Auth — we never see the plaintext). If you sign in with a magic link, only your email is stored.
Profile data: display name, username, bio, avatar (optional), location (optional), accent color and theme choice, public/private flag, branding flag, VIP flag.
Content you create: links you add to your page, story cards you create, and messages you send to other users.
Messages you receive: when someone sends you a message via your public profile, we store the message text, an optional sender name/hint, and whether it was sent anonymously.
Technical data: when a visitor views your public profile, we record a salted SHA-256 hash of their IP address (the original IP is discarded), their browser user-agent, their language preference, and the referring page. This is purely for spam/abuse investigation and we do not use it to track visitors across profiles.
2. How we use your data
- To render your public profile, dashboard, and inbox
- To send you transactional emails (magic links, password resets, account-deletion confirmations)
- To detect and prevent abuse — message rate limits are tied to the hashed IP, not the IP itself
- To respond to legal requests when compelled by valid court order
We do not sell your data. We do not use your content to train AI models.
3. Where your data is stored
All data is stored in our managed Supabase project (Postgres + object storage). Database backups are encrypted at rest. The project region is shown in your Supabase dashboard.
4. Sharing
Your public profile is, by definition, public. Anyone with the link can see your display name, bio, links, and story cards. Private fields (email, account settings) are never exposed to the public.
Hidden messages you receive are visible only to you in the dashboard inbox. We do not share message content with third parties.
5. Your rights
You can at any time:
- Update your profile, links, and cards from the dashboard settings
- Download your data (request via the contact form below)
- Delete your account, which removes your profile, links, cards, and messages
6. Cookies
We set strictly necessary cookies for authentication (Supabase session token). We do not set advertising cookies. We do not use third-party analytics by default.
7. Children
Talinum is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has signed up, contact us and we will delete the account.
8. Changes to this policy
If we make material changes, we'll notify you by email and update the "Last updated" date above.
9. Contact
For privacy questions or data requests: privacy@talinum.com