Privacy Policy — cosign.fyi

1. Overview

cosign.fyi ("we," "us," or "our") is committed to protecting your privacy. This Policy explains what information we collect, how we use it, who we share it with, and your rights. By using the Site you agree to the practices described here.

We collect only what we need to operate the service. We do not sell your personal data. We do not run advertising. We do not use tracking pixels or third-party analytics scripts.

2. Information We Collect

2a. Information you provide directly

Email address — collected when you purchase a slot, redeem a gift, create an account, request a magic link, reset your password, or join the waitlist.
Display name / handle — optional. Shown publicly on your slot if provided.
Recommendation content — the recommendation, note, URL, and category you submit. This is public and displayed on the Site permanently.
Password — stored as a bcrypt hash. We never store your plain-text password.

2b. Information collected automatically

Server logs — standard web server logs (IP address, browser type, pages visited, timestamps) retained for up to 30 days for security and debugging purposes.
Session cookies — a single session cookie is used to keep you logged in. No third-party cookies are set by the Site.

2c. Payment information

Payments are handled entirely by Stripe. We never receive or store your card number, CVV, or full billing address. Stripe returns a session ID and confirmation to us, which we use to create your slot. Stripe's privacy practices are described at stripe.com/privacy.

3. How We Use Your Information

To create and manage your account and slot.
To send transactional emails: slot confirmation, gift notifications, magic login links, and password resets.
To send waitlist updates if you opted in (you can unsubscribe at any time).
To prevent fraud, abuse, and violations of our Terms of Service.
To diagnose technical issues using server logs.

We do not use your data for advertising, profiling, or sale to third parties.

4. Public Information

The following slot fields are publicly visible to anyone who visits the Site:

Slot number
Recommendation, note, URL, and category
Display name or handle (if provided; otherwise shown as anonymous)

Your email address is never shown publicly. The slot is intended to be permanent, and submitted content may be indexed by search engines.

5. Data Sharing

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

Stripe — to process payments.
Email service provider — your email address and name are passed to our transactional mail provider to deliver account emails. Our provider processes this data solely on our behalf.
Legal requirements — we may disclose information if required by law, court order, or to protect the rights, property, or safety of cosign.fyi, its users, or others.
Business transfer — in the event of a merger, acquisition, or sale of assets, user data may be transferred. We will notify you before your data is subject to a different privacy policy.

6. Data Retention

Slot content — retained permanently as part of the grid record.
Account data — retained as long as your account is active or as needed to operate the service. You may request deletion (see Section 8).
Waitlist emails — retained until you unsubscribe or request deletion.
Magic link tokens — expire after 15 minutes and are deleted upon use or expiry.
Server logs — retained up to 30 days.

7. Security

We use industry-standard practices to protect your data: HTTPS for all data in transit, bcrypt password hashing, encrypted storage of sensitive configuration values, and CSRF protection on all forms. No method of transmission or storage is 100% secure. In the event of a data breach that affects your personal data, we will notify you as required by applicable law.

8. Your Rights

Depending on where you live, you may have the following rights regarding your personal data:

Access — request a copy of the personal data we hold about you.
Correction — request correction of inaccurate data. You can update your slot content and display name from your account page.
Deletion — request deletion of your account and personal data. Note that slot content may be retained in anonymized form as part of the permanent grid record.
Portability — request your data in a machine-readable format.
Opt-out of marketing — unsubscribe from waitlist emails at any time by clicking the unsubscribe link in any email or contacting us.

To exercise any of these rights, email hello@cosign.fyi. We will respond within 30 days.

9. Children's Privacy

The Site is not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with their personal data, contact us and we will delete it promptly.

10. International Users

The Site is operated in the United States. If you access it from outside the US, your data may be transferred to and processed in the US. By using the Site, you consent to this transfer. We comply with applicable data protection laws including GDPR obligations for EU/EEA users and CCPA rights for California residents.

11. Cookies

We use only essential cookies required to operate the Site: a session cookie to keep you logged in and a CSRF token cookie to protect form submissions. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Your browser's local storage is used solely to remember your dark/light mode preference.

12. Changes to This Policy

We may update this Policy as the service evolves. Material changes will be reflected with an updated effective date at the top of this page. We encourage you to review it periodically. Continued use of the Site after changes constitutes acceptance.

13. Contact

Privacy questions or requests: hello@cosign.fyi.