I've Made This

Privacy Policy

Last updated: March 30, 2026

1. Data We Collect

We collect the following information:

  • Account information: name, email address, password (hashed)
  • Profile information: bio, social media links, profile photo (optional)
  • Submitted content: artwork files, evidence files, descriptions, tools used
  • Usage data: IP address, browser type, pages visited (for security and rate limiting)
  • Votes and interactions: community votes on works

2. How We Use Your Data

  • To provide and operate the certification service
  • To verify your identity and authenticate your account
  • To display your certified works in the public gallery
  • To send transactional emails (verification, password reset, certification notifications)
  • To prevent abuse through rate limiting and captcha verification
  • To maintain audit logs of administrative actions

3. Cookies and Sessions

We use a session cookie (authjs.session-token) to keep you logged in. We use Cloudflare Turnstile for bot protection, which may set its own cookies. We do not use tracking cookies or third-party analytics.

4. Data Security

We protect your data through:

  • Passwords hashed with bcrypt
  • Evidence files encrypted at rest with AES-256-GCM
  • HTTPS encryption in transit
  • Role-based access control for private evidence
  • Rate limiting on authentication and upload endpoints
  • Optional two-factor authentication (TOTP)

5. Data Sharing

We do not sell your data. We share data only with:

  • Cloudflare: traffic routing and bot protection
  • Resend: transactional email delivery

6. Your Rights

You have the right to:

  • Access: view all data associated with your account in your dashboard and settings
  • Rectify: update your profile information at any time
  • Delete: delete your account through Settings — your credentials, profile photo, bio, and social links are removed immediately (see Data Retention for details on what is kept)
  • Restrict: set evidence files as private to limit visibility

7. Data Retention

Your data is retained as long as your account is active. When you delete your account:

  • Immediately removed: password, profile photo, bio, social media links, two-factor authentication, and all active sessions
  • Retained for up to 12 months: your name and email address are kept in our internal audit logs for platform security, fraud prevention, and certification integrity purposes (legal basis: legitimate interest under Art. 6(1)(f) GDPR)
  • Retained indefinitely: certified works and their associated certificates remain publicly visible as part of the permanent certification record. Evidence files linked to certified works are retained to preserve the integrity of the certification

After the 12-month retention period, audit log entries containing your personal data are permanently deleted. You may request earlier deletion by contacting us at [email protected], subject to our legal obligations.

8. Children

The Service is not intended for users under 16 years of age. We do not knowingly collect data from children.

9. Changes to This Policy

We may update this policy at any time. We will notify registered users of significant changes via email. Continued use of the Service constitutes acceptance.

10. Contact

For privacy-related questions or data requests, contact us at [email protected].