Privacy Policy
What Learn In Public collects about you, what it shows the world, who else touches it, and how to make us stop.
01Who we are and what this covers
Learn In Public is operated by Niranjan V S (Kochi, Kerala, India). For the purposes of the Digital Personal Data Protection Act, 2023 (India), we are the Data Fiduciary for your personal data; under the GDPR, we are the controller. You are the Data Principal / data subject.
This policy covers the Learn In Public website and the accounts on it. It does not cover other websites we link to, or the login providers you choose to use — they have their own policies. It sits alongside our Terms of Service.
02What we collect
Information you give us directly:
- Account: your email address, and — if you sign up with a password rather than Google or GitHub — a password, which we store only as a bcrypt hash and never in a readable form.
- Profile: username, display name, an optional bio (up to 160 characters), an optional avatar image, and your timezone (which we need in order to work out what “today” means for your streak).
- What you write: topics, posts, comments, reactions, and who you follow — together with the times you created them.
- Reports: if you report someone, we store what you reported, the reason, any note you added, and that it was you who reported it. The person reported is not told who reported them.
- Correspondence: emails you send us, including support and grievance messages.
Information from Google or GitHub, if you use them to sign in: your email address, your name, your profile picture, your account identifier at that provider, and the OAuth tokens that let the sign-in work. We ask for the minimum scope needed to identify you. We never get your password there, and we cannot post as you.
Information collected automatically:
- Server and security logs. Our hosting provider processes your IP address, user-agent and the requests you make, in order to serve the site and to defend it against abuse and attacks. These logs are short-lived and are not used to build a profile of you.
- Aggregate analytics. Page views and referrers, with no cookies and no cross-site identifier — see section 6.
- Rate-limit counters held briefly in memory to stop flooding.
What we never ask for: payment details, phone number, government ID, precise location, or any special-category data (health, religion, biometrics, and so on). Please do not put such data into your posts or bio — if you do, it is public, and you have made it so.
03What is public, and what never is
- Public to everyone
- Username, display name, avatar, bio, topics, posts, comments, reactions, streaks and heatmaps, followers and following. Visible without signing in, and crawlable by search engines and other bots that may cache or copy it.
- Visible to us only
- Email address, password hash, linked-provider identifiers and tokens, verification and reset tokens, reports you have filed, moderation records, server logs.
- Never visible to anyone
- Your plaintext password — we do not have it. Passwords are stored as bcrypt hashes; verification and reset tokens are stored as SHA-256 hashes, so even we cannot replay them.
Content that is hidden by moderation (a suspended or banned account) is removed from public view but retained internally for audit — see section 9.
04Why we use it, and our legal basis
Under the DPDP Act we process your data with your consent, given when you create an account and accept the Terms of Service, and for the “legitimate uses” that Act permits (such as complying with law and preventing fraud). Under the GDPR, for users in the EU/UK, the equivalent bases are set out below.
- Run your account
- Create and authenticate your account, keep you signed in, verify your email, reset your password. GDPR basis: performance of a contract (Art. 6(1)(b)).
- Publish your content
- Show your posts, comments, profile, streaks and social graph to the public, which is the service you asked for. GDPR basis: contract (Art. 6(1)(b)).
- Email you
- Verification and password-reset emails; occasional service notices (for example a change to these documents). We do not send marketing email. GDPR basis: contract, and legitimate interests (Art. 6(1)(f)).
- Keep the place safe
- Spam and profanity filtering, rate limits, handling reports, moderation, suspensions and bans, and the audit records behind them. GDPR basis: legitimate interests in a safe, non-abusive service (Art. 6(1)(f)).
- Improve the product
- Aggregate, cookieless analytics about which pages get used. GDPR basis: legitimate interests (Art. 6(1)(f)); no profiling, no individual-level tracking.
- Comply with law
- Respond to lawful orders, preserve records where the law requires, and enforce our terms. GDPR basis: legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)).
No automated decision-making. The spam filter can block a submission, but no account is suspended or banned without a human deciding it, and you can always contest that decision (section 11).
06Analytics
We use Cloudflare Web Analytics to see which pages are being used. It is deliberately chosen for being privacy-first: it sets no cookies, stores nothing on your device, uses no fingerprinting, and does not track you across other sites. It records page views, referrers, and coarse technical information (country, browser family), and reports them to us only in aggregate. We cannot single you out in it, and it is not linked to your account.
If we ever adopt an analytics or advertising tool that does set cookies or track individuals, we will ask for your consent first, and this policy will say so before it happens.
08Where your data goes
Our providers operate globally, so your data may be processed on servers outside your country, including in the United States and the European Union. Where personal data of EU/UK users is transferred out of that region, it is done under an approved mechanism — typically the European Commission’s Standard Contractual Clauses — together with the technical measures in section 12. Indian users’ data may likewise be processed outside India, as permitted by the DPDP Act.
09How long we keep it
- Account data
- For as long as your account exists. When you delete it, the personal parts are scrubbed immediately — see section 10.
- Your posts and comments
- Indefinitely, unless you delete them. They survive account deletion in anonymized form, no longer linked to you.
- Email verification tokens
- Expire 24 hours after they are issued; stored only as a SHA-256 hash and consumed on first use.
- Password reset tokens
- Expire 1 hour after they are issued; stored only as a SHA-256 hash and consumed on first use.
- Moderation records
- Reports, and the content of suspended or banned accounts, are retained for audit and to stop the same abuse recurring. Hidden from the public, kept internally.
- Server and security logs
- Kept for a short period (typically days) by our hosting and CDN providers, then discarded.
- Backups
- Deleted data may persist in encrypted backups for a limited period before those backups roll over, after which it is gone.
10Deleting your account
You can delete your account at any time from Settings. Read this before you do, because it is probably not what you assume:
- What we scrub, immediately: your email address, display name, bio, avatar, timezone and password hash, and your links to Google or GitHub. Your username is released, so someone else may take it. Your session is destroyed and you are signed out everywhere.
- What stays: your posts and comments, now attributed to an anonymous “Deleted User” and no longer connected to you or your email. We keep them because deleting them would tear holes in the conversations other people took part in — a comment thread with the replies removed is unreadable for everyone else in it.
- If you want your writing gone, delete the posts and comments first, then delete the account. Or write to us and we will do it for you.
- Minimal records may be retained where the law requires it, or where an unresolved abuse or safety issue makes it necessary.
11Your rights and how to use them
Whoever and wherever you are, you can exercise these by emailing mail.niranjanvs@gmail.com from the address on your account. We will respond within 30 days, and will not charge you or penalise you for asking.
Under the DPDP Act, 2023 (India) you have the right to:
- get a summary of the personal data we process about you;
- have inaccurate or incomplete data corrected or completed;
- have your data erased — which, for content, means anonymized as described in section 10;
- nominate someone to exercise these rights on your behalf if you die or become incapacitated;
- have a grievance heard, through the Grievance Officer named in section 15, before escalating to the Data Protection Board of India.
If you are in the EU or UK, the GDPR also gives you the right to:
- access a copy of your personal data;
- rectify it, or have it erased;
- restrict or object to processing based on legitimate interests;
- receive your data in a portable, machine-readable format (much of it is already public on your profile);
- withdraw consent at any time, without affecting past processing;
- complain to your national supervisory authority (in the UK, the ICO).
Most of this you can do yourself, immediately: edit your profile, delete a post, or delete your account — all from within the app.
Please file only genuine requests. Requests that are manifestly unfounded, repetitive or made to harass someone may be refused, and we will tell you why.
12Security
- Traffic is encrypted in transit with TLS.
- Passwords are stored as bcrypt hashes — we cannot read them, and neither can anyone who steals the database file.
- Email-verification and password-reset tokens are stored as SHA-256 hashes, are single-use, and expire (24 hours and 1 hour respectively).
- Sessions are re-validated against the database on every request, so deleting your account, or a suspension, takes effect at once rather than whenever a token happens to expire.
- Access to production data is limited to those who need it.
No system is perfectly secure, and we do not pretend otherwise. If we discover a breach affecting your personal data, we will notify you and the relevant authority without undue delay, as the law requires. If you find a vulnerability, please report it to mail.niranjanvs@gmail.com rather than exploiting it — we will not pursue good-faith researchers who give us a reasonable chance to fix it.
13Children
Learn In Public is for people aged 16 and over. It is not directed at children, and we do not knowingly collect their personal data. If you believe someone under 16 has an account, tell us and we will delete it. We do not run behavioural advertising or tracking of any user, of any age.
14Changes to this policy
We will update this policy as the product changes. The “last updated” date at the top always reflects the current version. If a change materially affects your rights or what we do with your data, we will give you notice — by email or in the app — before it takes effect, and where the law requires consent for the change, we will ask for it.
15Contact and grievances
For any privacy question or request, email mail.niranjanvs@gmail.com.
If you are not satisfied, our Grievance Officer — Niranjan V S, mail.niranjanvs@gmail.com — will acknowledge your complaint within 24 hours and resolve it within 15 days. Beyond that, you may complain to the Data Protection Board of India, or, if you are in the EU or UK, to your national supervisory authority.