Privacy Policy

We collect the following categories of personal information:

• Account information — email address, name, and profile image (provided directly or via Google OAuth).
• Reading activity — which sections you visit, pages read, time spent, and completion status.
• Reader profile — self-reported experience level and onboarding preferences.
• Payment information — processed by Stripe. We store your Stripe customer ID and subscription status but never see or store your card number.
• Device and usage data — cookies for authentication and progress tracking (see Section 5).

• Authentication — to verify your identity and manage sessions.
• Content access — to enforce subscription-based access to gated sections.
• Progress tracking — to save and restore your reading progress across sessions.
• Billing — to manage subscriptions via Stripe.
• Transactional email — to send login PINs via Postmark.

We share data with the following services as necessary to operate the Site:

• Stripe — payment processing. Subject to Stripe's Privacy Policy.
• Google — OAuth authentication (optional). Subject to Google's Privacy Policy.
• Postmark — transactional email (login PINs only). Subject to Postmark's Privacy Policy.

We do not sell, rent, or trade your personal information to third parties. We do not engage in cross-context behavioral advertising. No personal information is shared for monetary or other valuable consideration as defined under the California Consumer Privacy Act (CCPA/CPRA).

We use the following cookies:

• Authentication cookies (essential) — JWT session cookies managed by Auth.js. Expire after 7 days.
• Progress cookies (functional) — store reading progress and profile data locally. Expire after 90 days.
• Consent cookie (essential) — remembers your cookie preference.

You can choose "Essential Only" in our cookie banner to disable progress cookies. Your reading still works for the current session but progress will not persist.

Under the CCPA/CPRA, California residents have the right to:

• Right to Know — request a copy of the personal information we hold about you. Use the "Export My Data" feature in your account settings, or contact us.
• Right to Delete — request deletion of your personal information. Use the "Delete Account" feature, or contact us. This cancels your subscription and removes all data.
• Right to Opt-Out of Sale — we do not sell your data, so no opt-out is required.
• Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights.

• Account and progress data are retained as long as your account exists.
• Progress cookies expire after 90 days.
• JWT session tokens expire after 7 days.
• Login PINs expire after 10 minutes.
• You may delete your account at any time to remove all stored data.

We use industry-standard security measures including encrypted connections (HTTPS), cryptographic PIN generation, Content Security Policy headers, and parameterized database queries. Payment processing is handled entirely by Stripe's PCI-compliant infrastructure.

To exercise your privacy rights or ask questions about this policy, contact us at [email protected].