Gifthood Privacy Policy
Last updated: [DATE]
This Privacy Policy explains what information Gifthood (the "Service," "we," "us") handles, how, and why. It's a companion to our Terms of Use and Community Rules.
Gifthood is built on the AT Protocol (atproto) — the open network behind Bluesky. That changes the privacy story in an important way, so please read the next section before the details.
1. The most important thing to understand: your data isn't ours
On Gifthood, the listings you create are public records stored in your own atproto data repository (your "repo"), hosted by your atproto provider — not by us. When you post a listing, you are publishing a public record to the open network, much like posting publicly on Bluesky.
This means:
- Your listings are public. Anyone — on Gifthood or anywhere else on the atproto network — can see, copy, index, and keep a copy of them. The network is designed for open, global replication. Do not put anything in a listing you wouldn't want to be permanently public.
- We don't own or control your records. We index them (read them off the network's public feed, the "firehose") to make them discoverable by area. You control the originals in your own repo.
- You manage your listings right here in the app. Editing or deleting a listing through Gifthood updates the record in your own repo for you — you don't need to touch your atproto provider directly. When you delete a listing, we stop indexing it and remove it from our index.
- Advanced: you can also manage records yourself. Because the records are yours, you're never locked in. If you ever want to inspect or remove them outside of Gifthood — including records from an app you no longer use — you can, using a general-purpose atproto tool such as pdsls.dev (which lets you log in and manage the records in your repo directly). Most people will never need this; the app is the easy way.
- The public-network caveat still applies. Deleting removes a record from your repo and from our index, but because the network is public, other people or services may have already copied it, and we can't retrieve those copies.
The rest of this policy describes the limited information we hold in addition to your public records.
2. Information we handle
Information you provide by using Gifthood
- Your atproto identity. When you sign in, we receive your atproto identifier (your DID) and handle. We never see or store your password — you authenticate with your own provider via OAuth, and they hand us only a limited access token.
- Your public listings and interests. The content you publish: titles, descriptions, photos, approximate area, and your public "interested" notes. These live in your repo; we index them.
Information we generate or store to run the Service
- Our index. To make listings discoverable, we keep a database of indexed details: your DID, the listing's network addresses (URIs and content IDs), its type (offer/request) and status, its approximate location at roughly 1.2 km precision (geohash-6), an optional area name, and timestamps. This is derived from your public records.
- Approximate location only. We store and display location only as a coarse geographic cell (~1.2 km). We never store or display your precise coordinates or address. If a record somehow arrives with finer precision, we truncate it before indexing. Precise location is a safety risk, and the Service is designed so we never hold it.
- Area names. We look up a human-readable name for an area (e.g. a neighborhood) from the approximate cell using OpenStreetMap's Nominatim reverse-geocoding service, and cache it. This is keyed to the coarse cell, not to you.
- Listing images. We fetch, cache, and serve the photos attached to listings (which live as files in posters' repos) so they load quickly — acting like a content delivery network. Photos are re-encoded to WebP in your browser before upload, which strips all embedded metadata (including any GPS/EXIF) — see §7.
- Basic operational logs. Like any web service, our servers may briefly record technical information needed to operate and secure the Service (such as IP addresses and request data). [Confirm what is actually logged, retention period, and whether IPs are stored or discarded — keep this minimal and accurate.]
Information for specific features
- Cookies / session. We use a small number of cookies strictly to keep you
signed in and to remember basic preferences. Specifically: a session cookie
(
bn_session) that keeps you signed in, and a small preference cookie (bn_area) that remembers your approximate browse area; signing in may also set short-lived cookies for the atproto OAuth handshake. We do not use advertising or cross-site tracking cookies. - Push notifications (planned, not yet live). If you opt in to notifications, we will store the push subscription your browser provides, associated with your DID, so we can send you alerts (e.g. when someone is interested in your listing). Notification content will respect the same approximate-location floor as everything else. You can turn this off at any time. [Publish this section only when the feature ships.]
- Invite codes / membership (planned, beta only). During an invite-only beta, we will keep a small database recording invite codes, who redeemed them, and who invited whom (by DID), to manage access and trace abuse. This is temporary scaffolding for the beta. [Publish this section only when the feature ships.]
- In-app messaging. Gifthood includes in-app messaging for privately coordinating a pickup. Message content is encrypted at rest (AES-256-GCM) and we do not read it in normal operation. To make messaging work, we necessarily know — and store in the clear — who is coordinating with whom about which listing (this "envelope" metadata is not encrypted). You control retention: you can delete your own messages (which removes them for both people), and a listing owner can delete an entire conversation; we do not auto-expire or purge messages on a timer. We will not overstate the protection: this is at-rest encryption, not end-to-end encryption — the operator holds the keys and could, in principle, decrypt stored messages.
3. How we use information
We use the information above only to:
- Operate the Service — index listings, make them discoverable by area, serve images, and keep you signed in.
- Keep the Service safe — moderate content, stop spam and abuse, enforce the Community Rules and Terms (including declining to index a bad actor's records).
- Communicate with you about the Service where you've opted in (e.g. notifications).
- Comply with the law.
We do not sell your information, and we do not use it for advertising or behavioral profiling.
4. How information is shared
- Publicly, by design. Your listings and interests are public network records, visible to anyone (see §1).
- With your atproto provider. Sign-in happens through your provider; their handling of your data is governed by their own policies.
- With third-party infrastructure we rely on. This includes the atproto network's relay and feed services (operated by Bluesky and others), our hosting provider, and a reverse-geocoding provider (OpenStreetMap Nominatim). We share only what's needed for them to function. [Confirm the full provider list — hosting and any relay/network operators — before publishing.]
- For legal and safety reasons. We may disclose information if required by law or to protect the safety of users or the public. Because message content is encrypted at rest and listings are already public, what we can disclose is limited — but coordination metadata (§2) may be available to us.
- We never sell your data to anyone.
5. Your choices and rights
- Your listings. Manage them directly in the app — edit or delete them here and our index will follow (subject to the public-network caveat in §1). If you'd rather manage the underlying records outside Gifthood, you can use an atproto tool such as pdsls.dev, though most people won't need to.
- Sign out / stop using the Service. You can stop at any time. Revoking our access in your atproto provider's settings cuts off our ability to act on your behalf.
- Notifications. Opt in and out at any time (when available).
- Access, correction, deletion requests. You may contact us about the limited information we hold. Depending on where you live, you may have rights under laws such as the [GDPR / California privacy laws — confirm which apply and detail the request process]. Note that we cannot delete public network copies held by others (§1).
6. Location privacy (the heart of it)
Gifthood is a real-world, meet-your-neighbor service, so location privacy is central, not an afterthought:
- We store and show only an approximate area (~1.2 km) — never your exact location or address.
- The exact spot of a pickup is something you choose to share privately with a specific person, never something the app publishes.
- You should never post a precise address or contact details in a public listing or note.
7. Photos and metadata
Photos can carry hidden metadata (such as the GPS coordinates many phones embed). When you add a photo, Gifthood re-encodes it to WebP in your browser before it is uploaded, and that re-encoding strips all embedded metadata — including any GPS coordinates or other EXIF your phone may have added. So the photos we store and serve do not carry that hidden data. Regardless, avoid photographing anything that reveals your exact address (house number, street sign).
8. Children
Gifthood is not directed to children and is intended for adults [confirm minimum age in the Terms]. We do not knowingly collect information from children. If you believe a child has used the Service, contact us.
9. Security
We take reasonable measures to protect the limited information we hold, including [summarize: HTTPS/TLS everywhere, hardened handling of fetched content, minimizing what we store]. No system is perfectly secure, and the atproto network is public by design, so we can't guarantee the security of information that is inherently public.
10. Data retention
We keep indexed listing data while the underlying record exists on the network and remove it from our index when the record is deleted or when we stop indexing it for moderation reasons. Caches, logs, and any feature-specific data (§2) are kept only as long as needed for the purpose described and then removed. In-app messages are kept until you delete them (or the listing owner deletes the conversation) — there is no automatic expiry (see §2). [Confirm specific retention periods for logs and the geocode cache, and — when it ships — invite data.]
11. International users
The Service is operated from [COUNTRY/REGION]. If you use it from elsewhere, your information may be handled in that location. The atproto network is global, and public records propagate worldwide by design.
12. Changes to this policy
We may update this policy as the Service evolves. Material changes will be reflected in the "Last updated" date and, where practical, announced in the app.
13. Contact
Questions, or a privacy request? Reach us at [CONTACT EMAIL / METHOD].