Privacy Policy

Last updated: March 2026

What we collect

Email address — used to identify your account and send transactional emails.
Password — stored as a bcrypt hash. Your password is never stored or transmitted in plaintext.
Stints — title, motivation text, and creation date that you provide.
Check-ins — date and optional notes that you provide.
Session cookie (100d_auth) — set on login; HttpOnly, Secure, SameSite=Strict, 30-day sliding expiry. Used only for authentication, contains no tracking data.
Password reset tokens — temporary; expire after 1 hour and are deleted on use.

How we use your data

Your data is used exclusively to provide the service. We do not sell it, share it with advertisers, or use it for analytics.

Third-party processors

Railway — hosts the application and database. All stored data lives on their infrastructure.
Resend — sends transactional emails. Your email address is shared only when delivering a password reset email.
Cloudflare — provides DNS and DDoS protection. Processes request metadata (IP address, HTTP headers).

Lawful basis (GDPR)

Processing is carried out on the basis of contract — it is necessary to perform the service you signed up for.

Data retention

All your data is deleted immediately and permanently when you delete your account. There is no application-level grace period. Note: Railway, as the infrastructure provider, may retain point-in-time database backups independently of application-level deletion.

Your rights

Export — download all your stints and check-ins as JSON via Settings → Export.
Deletion — delete your account and all associated data immediately via Settings → Delete Account.
Contact — for any privacy questions or requests: [email protected]

Cookies

One session cookie is set on login. It is used only for authentication and contains no tracking or advertising data. No cookie consent banner is required.