Privacy Policy

1. Information We Collect

1.1 When You Submit a Report

When you report a Bluesky account, we collect:

• Bluesky Profile Information: Handle, display name, and avatar URL of the account you're reporting (obtained from Bluesky's public API)
• IP Address: Your IP address is temporarily stored for abuse prevention, then hashed with a secret salt after 7 days
• Geographic Data: Country, region, city, and continent (provided by Cloudflare)
• Browser Information: User agent string
• Timestamp: When the report was submitted
• Cloudflare Turnstile: Verification token to prevent bot submissions (not stored)

1.2 When You Search

When you use the search feature:

• Search Query: The text you enter in the search box (not stored)
• We do not log or store your search queries

1.3 When You Visit Our Site

• No Cookies: We don't use cookies
• No Tracking Pixels: We don't track you across the web
• No Third-Party Analytics: We don't use Google Analytics or similar services

2. How We Use Your Information

2.1 Primary Purpose

• Database Operation: To maintain a public database of reported accounts
• Abuse Prevention: To prevent spam and abuse through rate limiting
• Service Improvement: To understand usage patterns and improve the service

2.2 IP Address Handling

• Temporary Storage: Raw IP addresses are stored for 7 days for abuse investigation
• Permanent Storage: Only the irreversible hash is kept long-term
• Purpose: Rate limiting (10 reports per hour per IP) to prevent spam
• No Personal Identification: The hash cannot be linked back to you

3. Data We Make Public

3.1 Public Database

The following information is publicly accessible via our search feature:

• Bluesky handle and display name of reported accounts
• Avatar URLs
• Number of times an account has been reported
• Timestamp of most recent report

3.2 Not Made Public

The following information is never publicly disclosed:

• IP addresses (raw or hashed)
• Geographic data of reporters
• Browser information
• Any personally identifiable information about reporters

4. Data Retention

• Raw IP Addresses: Deleted after 7 days
• Hashed IP Addresses: Retained indefinitely for rate limiting
• Report Data: Retained indefinitely (append-only database)
• Account Information: Retained indefinitely
• Search Queries: Not stored at all

5. Third-Party Services

5.1 Cloudflare

Our service is hosted on Cloudflare Workers and uses:

• Cloudflare Workers: Serverless compute platform
• Cloudflare D1: Database service
• Cloudflare Turnstile: Bot protection (privacy-friendly CAPTCHA alternative)
• Cloudflare Geolocation: Provides country/city data from IP addresses

Cloudflare's privacy policy: https://www.cloudflare.com/privacypolicy/

5.2 Bluesky

We use Bluesky's public API to resolve profile information:

• We fetch public profile data (handle, display name, avatar)
• This data is already public on Bluesky
• We do not authenticate with Bluesky on behalf of users

Bluesky's privacy policy: https://bsky.social/about/support/privacy-policy

6. Your Rights

6.1 Right to Access

You can search our database to see if an account has been reported.

6.2 Right to Deletion

Since reports are anonymous and we cannot verify reporter identity, we cannot delete individual reports. However:

• Raw IP addresses are automatically deleted after 7 days
• Hashed IPs cannot be traced back to individuals

6.3 Reported Account Rights

If your Bluesky account has been reported and you believe it's inaccurate:

• The data comes from public reports by other users
• We display factual information (number of reports received)
• We do not make claims about the truthfulness of reports

7. Security

7.1 Technical Measures

• SHA-256 Hashing: IP addresses are hashed with a secret salt
• HTTPS: All connections are encrypted with SSL/TLS
• SQL Injection Protection: All database queries use parameterized statements
• Rate Limiting: 10 reports per IP per hour
• Bot Protection: Cloudflare Turnstile prevents automated abuse
• Sandboxed Environment: Workers run in isolated containers

7.2 Access Control

• Database is not directly accessible from the internet
• No admin panel or backdoor access
• Environment variables are encrypted

8. Children's Privacy

Our service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has submitted a report, please contact us.

9. International Users

Our service is available worldwide. Data is stored on Cloudflare's global network:

• Data may be processed in multiple countries
• Cloudflare complies with GDPR and other privacy regulations
• We use the same privacy protections for all users regardless of location

10. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions or concerns:

• Follow us on Bluesky: @stillonx.com
• Visit our homepage: https://stillonx.com

12. Data We DON'T Collect

• ❌ No email addresses
• ❌ No phone numbers
• ❌ No names
• ❌ No payment information (service is free)
• ❌ No social media authentication
• ❌ No tracking cookies
• ❌ No advertising identifiers
• ❌ No browsing history
• ❌ No cross-site tracking
• ❌ No device fingerprinting (beyond basic browser info)

13. Legal Basis for Processing (GDPR)

For users in the European Economic Area, our legal basis for processing personal data is:

• Legitimate Interest: Operating a public accountability database
• Consent: By submitting a report, you consent to the processing described in this policy

14. California Privacy Rights (CCPA)

California residents have the right to:

• Know what personal information we collect
• Know whether we sell personal information (we don't)
• Request deletion of personal information (subject to limitations)

We do not sell personal information to third parties.