Privacy Policy

Last updated: 22 April 2026

This is the privacy policy for Kronoscript (the "Service"), operated by an independent solo developer ("we", "us"). It describes what we collect, why, and the choices you have. Plain language, no dark patterns. If anything here is unclear, email info@kronoscript.net.

1. What we collect

  • Account information — username, email, password (stored as a salted hash, never in clear text), and optional profile fields (first/last name, birth date, place of birth, current location, gender, nationalities, profile photo, profile card background). You choose which of these are visible to whom.
  • Content you create — life-event posts (text, dates, locations, optional music links), photos and videos you attach, comments, reactions, and connection requests. This is the data the Service is built to store for you.
  • Connection graph — who you're connected to and at what tier (Acquaintance, Friend, Family). Used to determine post visibility.
  • Activity timestamps — last login / last seen, used to power the "active friends" sidebar. Logged-in users can opt out of online-status broadcasting in settings.
  • Technical logs — request paths, user agent, IP address (transient), and error stack traces. Used for security, debugging, and abuse prevention. We do not run analytics trackers, advertising SDKs, or fingerprinting libraries.
  • Cookies — a session cookie for sign-in, an antiforgery cookie for form security, and a small client-side preference (theme, dismissed onboarding) stored in your browser's localStorage. No third-party cookies.

2. What we do not collect

  • No advertising identifiers, IDFA, or AAID.
  • No precise GPS location. "Location" on a post is whatever free-form text you type.
  • No contact list, calendar, or device address book access.
  • No microphone, camera, or photo library access without your explicit selection of a file.
  • No biometric data, health data, or financial data.
  • No analytics SDKs (Google Analytics, Mixpanel, Segment, etc.).

3. How we use it

  • To run the Service: render your timeline, deliver your posts to the people you choose, send password-reset emails, and back up your content.
  • To keep your account secure: detecting brute-force login attempts, locking accounts after repeated failures, validating session tokens.
  • To respond to you when you contact us.

We do not use your content to train AI models, sell to data brokers, or target advertising. That's the model — donation-funded, ad-free, your data is yours. If any of that ever changes, we'll update this policy and tell you before the change takes effect, so you can decide whether to stay.

4. Third parties we share with

We use a small number of vendors to operate the Service. We share only the minimum data each vendor needs:

  • Microsoft Azure — application hosting and PostgreSQL database. Your data lives on their servers.
  • Microsoft Azure Translator — when you click "Translate" on a post, the post body and comments are sent to Azure Translator and the translated text is cached in our database. We disable Microsoft's content logging on translation requests.
  • SendGrid (Twilio) — sends transactional emails (password reset, invitations). Click and open tracking are disabled on our outgoing email; the email content is not retained beyond what SendGrid keeps for delivery diagnostics.
  • Ko-fi — if you click the "Tip" link, you leave our Service for ko-fi.com. We do not see your payment information; Ko-fi's privacy policy applies on their site.

We do not sell, rent, or trade personal data with anyone.

5. Visibility of your content

Each post you publish has a visibility setting you choose: Public, Acquaintances, Friends, Family, or Private (only you). The Service enforces these on the server. Public posts may also surface in the discovery feed of users who aren't connected to you. You can edit any post's visibility at any time; older saved versions remain bound by the most recent visibility setting.

6. How long we keep your data

Your account data lives on our servers for as long as your account exists. When you delete a post, both the live row and the version history are removed. When you delete your account (see Section 7), all your posts, comments, reactions, connection records, profile data, uploads, and translation cache are permanently removed within 30 days. Some operational logs (security events, error traces) may persist for up to 90 days for incident investigation, then auto-expire.

7. Your rights

  • Access & export — at any time, "Export My Story" in your user menu downloads a copy of your posts as a document.
  • Correction — you can edit any post, comment, or profile field yourself.
  • Deletion — you can delete individual posts and comments. To delete your entire account, email info@kronoscript.net from the address on file; we'll confirm and complete it within 30 days. (A self-service "Delete account" button is on the roadmap.)
  • Portability — the export is a standard document format (currently .docx) that you can take to any other tool.
  • Object / restrict — if you're in the EU/UK or California, you have additional rights under GDPR/CCPA. Email us and we'll honor them.

8. Children

The Service is not intended for users under the age of 13 (or under 16 in the EU/UK). We do not knowingly collect data from children. If you believe a minor has registered, email us and we'll remove the account.

9. Security

Passwords are stored as salted hashes (ASP.NET Core Identity's default scheme). Connections to the Service are encrypted in transit (HTTPS). Database access is restricted to the application service principal. We do not use SMS or email as a primary auth factor; password reset links expire in 24 hours. No system is perfectly secure — if you discover a vulnerability, please email us before disclosing it publicly.

10. Changes to this policy

If we make material changes, we'll update the date at the top and, where reasonable, surface a notice on next sign-in. Continued use after a change means you accept the updated policy.

11. Contact

Email: info@kronoscript.net
General inquiries: info@kronoscript.net

This document is provided in good faith but is not legal advice. Where required by law, your local consumer-protection authority is the final arbiter.