Your data, your rules.

We collect only what we need to operate the service you signed up for. Specifically:

Identity (required)

• Email or phone number — to authenticate you (magic-link or SMS OTP). We never use these for marketing without explicit opt-in.
• Handle — chosen by you. Visible to others.
• Display name, bio, pronouns, location, avatar URL — optional, visible to others where you scope them.

Content you create

• Whispers (text, voice, image, video), threads, vouches, corrections, echoes, passes, saves.
• Topic tunes (which topics you follow), village memberships.
• Insider-credential claims, including any evidence URL or note you submit.

Operational signals (minimum necessary)

• IP address at sign-in — kept 30 days for abuse prevention, then discarded.
• User-agent at sign-in — same retention.
• Push-subscription endpoint and keys — stored only if you opt in to web push.
• Rate-limit events — stored 7 days, used to detect abuse and bot activity.
• Error reports — anonymised stack traces sent to our error monitor (Sentry).

What we do NOT collect

• No tracking pixels.
• No third-party advertising identifiers.
• No fingerprint data beyond standard server logs.
• No location at the GPS level — only your self-stated location field.
• No address book, contacts, calendar, or device sensors.

Operationally, your data is used only to:

• Show your whispers to the audiences you scoped them to (private, village, network, public).
• Surface relevant whispers in your feed based on your tuned topics, vouches, and village memberships.
• Send transactional notifications you enabled (e.g. invite-to-thread, correction-on-your-whisper).
• Detect and prevent abuse (hate, doxxing, threats, automation).
• Comply with legal obligations (court orders served on the operator).

What we never do: never sell your data, never use it to train external AI models, never share it with advertisers, never run ad-tech tracking. See Pact promises P1, P4, A1.

Visibility is controlled by the “scope” you set on each whisper:

• Private — only you.
• Village — the specific thread or circle you posted to.
• Network — people you have vouches or threads with.
• Public — anyone on Chatter, and visible to the open web at chatter.today/w/[id] URLs.

Profile fields (handle, display name, bio, pronouns, avatar) are visible to anyone signed in to Chatter. Your email and phone number are never shown to other users.

AI features that affect what you post or see (suggested replies, opt-in summarisation, opt-in translation, voice transcription) are off by default. You enable each one explicitly.

We never use your whispers, voices, photos, or vouches to train external AI models. Where we use AI internally — for safety classification on hate / spam / threats, or for transcription you submitted — the processing happens on a per-input basis and the original is not added to any training corpus. AI cannot post, reply, echo, or vouch in your name.

• Account data and content: until you delete the content or your account.
• Deleted content: removed immediately from the live database; purged from technical backups within 30 days.
• IP / user-agent at sign-in: 30 days.
• Rate-limit events: 7 days.
• Error reports: 90 days, anonymised.
• Pact-violation reports and moderation history: retained while account is active for accountability; purged 90 days after account deletion.

Regardless of your jurisdiction, Chatter gives you:

• Export — full JSON of your account + content via /api/export. Always available, no review required.
• Delete — remove your account and content at settings → account. Effective immediately, with the 30-day backup-purge window.
• Pause — soft-disable your account without deleting; reactivate any time.
• Block, mute, hide — granular content controls at settings → privacy.
• Appeal any moderation action within 7 days; 72-hour SLA on admin response.
• Where local law applies (GDPR, CCPA, India DPDP Act): right to access, rectify, restrict, port, and object to processing. Contact us via the address below.

Primary database: Supabase Postgres in us-east-1. Storage (images, voice): Supabase Storage same region. Email delivery: Resend (US). Push notifications: VAPID keys held by us, delivery via browser push services. SMS verification: Twilio (US).

By using Chatter, you consent to your data being processed in the United States. We use industry-standard transport encryption (TLS 1.3) and at-rest encryption on the database.

Chatter is not for anyone under 13. Accounts identified as belonging to under-13 users are removed.

Teen accounts (13–17) default to: village-or-narrower scope, no public-broadcast surfaces, parental-supervision email if you provided one. We don't collect more from teens than from adults — we restrict what teens can do, not what we know.

We use a small number of strictly-necessary cookies for sign-in and locale preference. We do not set advertising or tracking cookies. We do not use third-party analytics that fingerprint users.

If we discover a breach affecting your data, we will notify you within 72 hours of confirmation by email and by in-app banner, including what data was exposed, what we are doing about it, and what you should do.

We will notify you of any material changes by email and in-app banner at least 14 days before they take effect. The Pact promises override anything weaker that might appear here in a future revision.

Privacy questions, data-subject requests, or breach reports: hello@chatter.today (subject line: PRIVACY). Pact-violation reports: the form on /pact.