Privacy Policy

Overview

mrmr is designed to be minimal. We collect only what we need to run the service and prevent abuse. We do not sell your data or run advertising.

What We Collect

Account Information

• Username — your chosen display name, publicly visible
• Password — stored as a one-way bcrypt hash; we cannot read it
• Secret word — stored as a one-way bcrypt hash; used for account recovery

We do not collect your email address, phone number, real name, or any other personal identifiers at registration.

Session & Security Data

• IP address — logged at login and during active use
• User-Agent string — your browser/device identifier
• Device fingerprint — a hash generated from browser characteristics (screen size, timezone, GPU renderer, etc.). The raw characteristics are never sent to our server; only the hash is stored

This data is used exclusively for abuse prevention (ban enforcement, bot detection, multi-account detection). It is not used for tracking, advertising, or profiling.

Content

• Thoughts — automatically deleted after 24 hours
• Direct messages — retained until removed via a data removal request
• Reports — if you report content, the report text and context are stored for moderation

Analytics

We use Umami, a privacy-focused, open-source analytics tool that we self-host on our own infrastructure. Umami does not use cookies, does not collect personal data, and does not track users across websites. It collects only anonymous, aggregated page-view data (pages visited, referrer, browser type, device type, country). No data is sent to third parties — all analytics data stays on our servers.

Umami is compliant with GDPR, CCPA, and PECR without requiring a cookie consent banner.

What We Do Not Collect

• Email address or phone number
• Real name or date of birth
• Location data (beyond what an IP address implies)
• Contacts, photos, or files from your device
• Browsing history or activity outside of mrmr

How We Store Data

Data is stored in a PostgreSQL database hosted by Supabase (AWS US-West-2). Connections are encrypted in transit via TLS. Passwords and secret words are hashed with bcrypt and cannot be reversed.

Third Parties

We use the following third-party services:

• Supabase — database hosting (your data is stored on their infrastructure)
• Vercel — web hosting (serves the frontend; may log request metadata)

Analytics (Umami) is self-hosted on our own server — no data is sent to any external analytics provider. We do not share your data with advertisers, data brokers, or any other third parties.

Data Retention

• Thoughts: auto-deleted after 24 hours
• Messages: retained until removed via a data removal request
• Account data: removed upon request (contact us through the Service)
• Security logs (IP, fingerprint, session data): may be retained for up to 90 days after account removal for abuse prevention

Your Rights

You can:

• Request account or data removal by contacting us through the Service
• Request your data by contacting us through the Service
• Block and mute other users to control your experience

If you are located in the EU/EEA, you may have additional rights under GDPR, including the right to access, rectification, erasure, and data portability. Contact us through the Service to exercise these rights.

Children's Privacy

mrmr is not intended for children under 13. We do not knowingly collect data from anyone under 13. If we learn that a child under 13 has created an account, we will delete it.

Changes

We may update this policy. Material changes will be communicated through the Service. Continued use after changes constitutes acceptance.

Contact

Privacy questions? Reach us through the Service by messaging an admin.