I've Made This

Privacy Policy

Last updated: March 9, 2026

1. Data We Collect

We collect the following information:

  • Account information: name, email address, password (hashed)
  • Profile information: bio, social media links, profile photo (optional)
  • Submitted content: artwork files, evidence files, descriptions, tools used
  • Usage data: IP address, browser type, pages visited (for security and rate limiting)
  • Votes and interactions: community votes on works

2. How We Use Your Data

  • To provide and operate the certification service
  • To verify your identity and authenticate your account
  • To display your certified works in the public gallery
  • To send transactional emails (verification, password reset, certification notifications)
  • To prevent abuse through rate limiting and captcha verification
  • To maintain audit logs of administrative actions

3. Cookies and Sessions

We use a session cookie (authjs.session-token) to keep you logged in. We use Cloudflare Turnstile for bot protection, which may set its own cookies. We do not use tracking cookies or third-party analytics.

4. Data Security

We protect your data through:

  • Passwords hashed with bcrypt
  • Evidence files encrypted at rest with AES-256-GCM
  • HTTPS encryption in transit
  • Role-based access control for private evidence
  • Rate limiting on authentication and upload endpoints
  • Optional two-factor authentication (TOTP)

5. Data Sharing

We do not sell your data. We share data only with:

  • Cloudflare: traffic routing and bot protection
  • Resend: transactional email delivery

6. Your Rights

You have the right to:

  • Access: view all data associated with your account in your dashboard and settings
  • Rectify: update your profile information at any time
  • Delete: permanently delete your account and all associated data through Settings
  • Restrict: set evidence files as private to limit visibility

7. Data Retention

Your data is retained as long as your account is active. When you delete your account, all personal data, works, and evidence are permanently removed. Anonymized audit logs may be retained for security purposes.

8. Children

The Service is not intended for users under 16 years of age. We do not knowingly collect data from children.

9. Changes to This Policy

We may update this policy at any time. We will notify registered users of significant changes via email. Continued use of the Service constitutes acceptance.

10. Contact

For privacy-related questions or data requests, contact us at [email protected].