Privacy Policy

1.1 Information you give us

• Account details — email address, password (stored only as a bcrypt hash, never as plaintext), display name, username, profile bio, avatar, and banner.
• Posts you publish — text, images, video files, thumbnails, hashtags, and any metadata you choose to attach.
• Direct messages you send to other users.
• Payment information — when you pay for a tip, super chat, membership, or gifted membership, your card data is sent directly to Stripe and never touches our servers; we receive only a session ID, an amount, a status, and a metadata blob describing what was bought.
• Identity verification documents — when you apply for monetization, you upload an image of a U.S. state ID. We pass the image to an AI vision model to extract date of birth and confirm it is a U.S. state-issued document. The image is stored privately in object storage with restricted access.

1.2 Information collected automatically

• Usage data — which posts you view, like, repost, comment on, bookmark, or watch; which creators you follow; how long you stay on a video page (used to compute creator watch hours).
• Device & connection data — IP address, browser user-agent, approximate region inferred from IP, referrer URL.
• Authentication tokens — JWT access tokens stored in your browser's localStorage for the duration of your session.
• Server logs — request paths, status codes, timestamps, kept for security monitoring and rate-limiting.

1.3 Information from third parties

• Payment processors (Stripe) — payment status, amount, currency, last-4 of card (where exposed), and risk flags.
• Vision AI provider — structured output (date-of-birth, state, confidence) extracted from your uploaded ID.
• Object-storage provider — storage paths and content-type metadata for files you upload.

• Provide the service — show you a feed, deliver your DMs, process your payments, credit creators, send you notifications.
• Enforce our Terms and Community Guidelines — detect spam, fraud, CSAM, harassment, and ban evasion.
• Verify creator eligibility — compute follower count, total views, likes received, and watch hours; verify you are 18+ for monetization.
• Improve product quality — diagnose bugs, monitor performance, prioritize new features.
• Comply with law — respond to lawful requests from courts, regulators, and law enforcement.

We do not sell your personal information. We share data only in the cases below.

• Other users — your profile, posts, comments, follower count, and public engagement are visible to anyone with an account. DMs are visible only to you and the recipient.
• Service providers — Stripe (payments), our object-storage provider (file hosting), our LLM provider (KYC age verification), our hosting provider, and email/notification providers. Each is bound by data-processing terms restricting use to providing the service to us.
• Legal — if we receive a valid subpoena, court order, or government request, we may disclose the minimum information required to comply. We will challenge requests we believe are overbroad or unlawful.
• Business transfers — if Community Lounge is acquired or merges with another company, your information may transfer to the successor under terms at least as protective as this Policy.

• Account data — kept while your account is active and for up to 90 days after deletion to handle reversals and legal holds.
• Posts and DMs — deleted when you delete them, with up to 30 days in encrypted backups before final removal.
• Payment records — kept 7 years to comply with U.S. tax and financial regulations.
• Identity-verification documents — kept while you are monetized and for up to 5 years after, then permanently deleted, except where law requires longer retention.
• Server logs — kept up to 90 days for security and abuse investigations.

• Passwords are hashed with bcrypt; we never store, log, or transmit them in plaintext.
• All traffic to and from the platform is encrypted with HTTPS/TLS.
• Identity-verification documents are stored privately and access is restricted to the smallest possible set of staff for verification and audit.
• Rate limiting on login attempts and message-sending defends against brute-force and abuse.
• JWTs expire after 7 days; SSE tickets expire after 60 seconds; both can be revoked by signing out.
• Despite our controls, no system on the internet is 100% secure. If a breach affects your data we will notify you as required by applicable law.

• Access — see your profile data, edit it from /verification and Edit Profile.
• Correction — update your bio, avatar, banner, display name, and email at any time.
• Deletion — delete any post, comment, message, or playlist; delete your full account by emailing privacy@communitylounge.app.
• Portability — request an export of your posts and account data; we will respond within 30 days.
• Withdrawal of consent — stop using the service at any time. Stopping use does not remove past public posts; deletion does.
• California, Virginia, Colorado, Connecticut, and similar U.S. state-privacy-law residents have additional rights to know, delete, correct, and limit certain processing. Email privacy@communitylounge.app to exercise them; we will not discriminate against you for exercising any privacy right.
• EU/UK/Swiss residents have rights under the GDPR and UK GDPR including access, rectification, erasure, restriction, portability, and objection; you may also lodge a complaint with your local data-protection authority.

The Platform is not directed to children under 13. We do not knowingly collect information from children under 13. If you believe a child under 13 has created an account or provided us information, contact privacy@communitylounge.app and we will delete the account and any associated data.

We use browser localStorage to keep you signed in (the JWT “nexus_token” — name retained from a legacy build). We do not currently use third-party advertising cookies. Some service providers (Stripe, our hosting provider) may set their own cookies necessary for their functionality.

Community Lounge is operated from the United States. If you access the service from outside the U.S., your information will be transferred to and processed in the United States. We rely on Standard Contractual Clauses or other lawful transfer mechanisms where required.

We may update this Privacy Policy from time to time. Material changes will be announced in-product. The “Last updated” date at the top of this page reflects the most recent revision.

Questions, requests, or complaints about your privacy? Email privacy@communitylounge.app. For sensitive disclosures we can provide a PGP key on request.