Legal

Privacy Policy

What Learn In Public collects about you, what it shows the world, who else touches it, and how to make us stop.

Last updated 11 July 2026Operated by Niranjan V S
The short version

Most of your data is public on purpose. Your username, display name, bio, avatar, topics, posts, comments, reactions, streaks and follow lists are visible to anyone on the internet and to search engines. Your email address and password are never public.

We do not sell your data, we run no advertising, and we do not track you across other websites.

The only cookies we set are the ones that log you in. Our analytics are cookieless and count page views, not people — which is why you are not being nagged by a cookie banner.

Deleting your account anonymizes you rather than erasing your writing: your personal details are scrubbed and your posts stay, unattributed. Delete individual posts first if you want them gone.

This summary is here to be read, not to be relied on. The numbered sections below are the actual agreement; where the two differ, the sections win.

01Who we are and what this covers

Learn In Public is operated by Niranjan V S (Kochi, Kerala, India). For the purposes of the Digital Personal Data Protection Act, 2023 (India), we are the Data Fiduciary for your personal data; under the GDPR, we are the controller. You are the Data Principal / data subject.

This policy covers the Learn In Public website and the accounts on it. It does not cover other websites we link to, or the login providers you choose to use — they have their own policies. It sits alongside our Terms of Service.

02What we collect

Information you give us directly:

  • Account: your email address, and — if you sign up with a password rather than Google or GitHub — a password, which we store only as a bcrypt hash and never in a readable form.
  • Profile: username, display name, an optional bio (up to 160 characters), an optional avatar image, and your timezone (which we need in order to work out what “today” means for your streak).
  • What you write: topics, posts, comments, reactions, and who you follow — together with the times you created them.
  • Reports: if you report someone, we store what you reported, the reason, any note you added, and that it was you who reported it. The person reported is not told who reported them.
  • Correspondence: emails you send us, including support and grievance messages.

Information from Google or GitHub, if you use them to sign in: your email address, your name, your profile picture, your account identifier at that provider, and the OAuth tokens that let the sign-in work. We ask for the minimum scope needed to identify you. We never get your password there, and we cannot post as you.

Information collected automatically:

  • Server and security logs. Our hosting provider processes your IP address, user-agent and the requests you make, in order to serve the site and to defend it against abuse and attacks. These logs are short-lived and are not used to build a profile of you.
  • Aggregate analytics. Page views and referrers, with no cookies and no cross-site identifier — see section 6.
  • Rate-limit counters held briefly in memory to stop flooding.

What we never ask for: payment details, phone number, government ID, precise location, or any special-category data (health, religion, biometrics, and so on). Please do not put such data into your posts or bio — if you do, it is public, and you have made it so.

03What is public, and what never is

Public to everyone
Username, display name, avatar, bio, topics, posts, comments, reactions, streaks and heatmaps, followers and following. Visible without signing in, and crawlable by search engines and other bots that may cache or copy it.
Visible to us only
Email address, password hash, linked-provider identifiers and tokens, verification and reset tokens, reports you have filed, moderation records, server logs.
Never visible to anyone
Your plaintext password — we do not have it. Passwords are stored as bcrypt hashes; verification and reset tokens are stored as SHA-256 hashes, so even we cannot replay them.

Content that is hidden by moderation (a suspended or banned account) is removed from public view but retained internally for audit — see section 9.

04Why we use it, and our legal basis

Under the DPDP Act we process your data with your consent, given when you create an account and accept the Terms of Service, and for the “legitimate uses” that Act permits (such as complying with law and preventing fraud). Under the GDPR, for users in the EU/UK, the equivalent bases are set out below.

Run your account
Create and authenticate your account, keep you signed in, verify your email, reset your password. GDPR basis: performance of a contract (Art. 6(1)(b)).
Publish your content
Show your posts, comments, profile, streaks and social graph to the public, which is the service you asked for. GDPR basis: contract (Art. 6(1)(b)).
Email you
Verification and password-reset emails; occasional service notices (for example a change to these documents). We do not send marketing email. GDPR basis: contract, and legitimate interests (Art. 6(1)(f)).
Keep the place safe
Spam and profanity filtering, rate limits, handling reports, moderation, suspensions and bans, and the audit records behind them. GDPR basis: legitimate interests in a safe, non-abusive service (Art. 6(1)(f)).
Improve the product
Aggregate, cookieless analytics about which pages get used. GDPR basis: legitimate interests (Art. 6(1)(f)); no profiling, no individual-level tracking.
Comply with law
Respond to lawful orders, preserve records where the law requires, and enforce our terms. GDPR basis: legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)).

No automated decision-making. The spam filter can block a submission, but no account is suspended or banned without a human deciding it, and you can always contest that decision (section 11).

05Cookies and local storage

We use the minimum possible: the cookies that are strictly necessary to sign you in and to protect the sign-in form. We set no advertising cookies, no tracking cookies and no third-party cookies, and we do not fingerprint your device. That is why this site has no cookie consent banner: under Indian law and the EU ePrivacy rules, strictly necessary cookies do not need consent — they only need to be disclosed, which is what this section does.

authjs.session-token
Strictly necessary. Your signed-in session (a signed JWT). Without it you cannot stay logged in. Expires after 30 days, or when you sign out. On HTTPS it is set as __Secure-authjs.session-token, HttpOnly and SameSite=Lax, so scripts cannot read it.
authjs.csrf-token
Strictly necessary. Protects sign-in and sign-out from cross-site request forgery. Session cookie — it dies with the browser session.
authjs.callback-url
Strictly necessary. Remembers the page to return you to after signing in. Session cookie.
__cf_bm and similar
Strictly necessary, set by our CDN and security provider (Cloudflare) to tell bots from humans and to protect the site. Short-lived (around 30 minutes) and not used for tracking or advertising.
theme (local storage)
Not a cookie and never sent to us: your light/dark preference is kept in your browser's local storage so the site does not flash the wrong theme. Clearing site data removes it.

You can block or delete cookies in your browser. If you block the ones above, signing in will stop working — there is nothing we can do about that, because they are the sign-in.

06Analytics

We use Cloudflare Web Analytics to see which pages are being used. It is deliberately chosen for being privacy-first: it sets no cookies, stores nothing on your device, uses no fingerprinting, and does not track you across other sites. It records page views, referrers, and coarse technical information (country, browser family), and reports them to us only in aggregate. We cannot single you out in it, and it is not linked to your account.

If we ever adopt an analytics or advertising tool that does set cookies or track individuals, we will ask for your consent first, and this policy will say so before it happens.

07Who we share data with

We do not sell your personal data, we do not rent it, and we do not share it with advertisers or data brokers. We share it only with the service providers that make the product work — each of them a processor acting on our instructions, under contract, and only for the purpose listed:

Hosting + database
Runs the application and stores the database (your account and all content). Processes everything you send us.
Cloudflare
CDN, bot protection, and cookieless web analytics. Processes your IP address and request metadata.
Resend
Sends transactional email — verification and password reset. Processes your email address and the contents of those messages.
Cloudinary
Stores and serves avatar images, if you upload one. Processes that image.
Google / GitHub
Only if you choose to sign in with them. They tell us your email, name, picture and account id; they learn that you signed in to Learn In Public.

We will also disclose data where we are legally required to — a valid court order or lawful government request — or where it is necessary to investigate abuse, enforce our terms, or protect the rights and safety of users. If we are ever involved in a merger or sale, your data may transfer to the acquirer, who would remain bound by this policy or give you notice of a new one.

08Where your data goes

Our providers operate globally, so your data may be processed on servers outside your country, including in the United States and the European Union. Where personal data of EU/UK users is transferred out of that region, it is done under an approved mechanism — typically the European Commission’s Standard Contractual Clauses — together with the technical measures in section 12. Indian users’ data may likewise be processed outside India, as permitted by the DPDP Act.

09How long we keep it

Account data
For as long as your account exists. When you delete it, the personal parts are scrubbed immediately — see section 10.
Your posts and comments
Indefinitely, unless you delete them. They survive account deletion in anonymized form, no longer linked to you.
Email verification tokens
Expire 24 hours after they are issued; stored only as a SHA-256 hash and consumed on first use.
Password reset tokens
Expire 1 hour after they are issued; stored only as a SHA-256 hash and consumed on first use.
Moderation records
Reports, and the content of suspended or banned accounts, are retained for audit and to stop the same abuse recurring. Hidden from the public, kept internally.
Server and security logs
Kept for a short period (typically days) by our hosting and CDN providers, then discarded.
Backups
Deleted data may persist in encrypted backups for a limited period before those backups roll over, after which it is gone.

10Deleting your account

You can delete your account at any time from Settings. Read this before you do, because it is probably not what you assume:

  • What we scrub, immediately: your email address, display name, bio, avatar, timezone and password hash, and your links to Google or GitHub. Your username is released, so someone else may take it. Your session is destroyed and you are signed out everywhere.
  • What stays: your posts and comments, now attributed to an anonymous “Deleted User” and no longer connected to you or your email. We keep them because deleting them would tear holes in the conversations other people took part in — a comment thread with the replies removed is unreadable for everyone else in it.
  • If you want your writing gone, delete the posts and comments first, then delete the account. Or write to us and we will do it for you.
  • Minimal records may be retained where the law requires it, or where an unresolved abuse or safety issue makes it necessary.

11Your rights and how to use them

Whoever and wherever you are, you can exercise these by emailing mail.niranjanvs@gmail.com from the address on your account. We will respond within 30 days, and will not charge you or penalise you for asking.

Under the DPDP Act, 2023 (India) you have the right to:

  • get a summary of the personal data we process about you;
  • have inaccurate or incomplete data corrected or completed;
  • have your data erased — which, for content, means anonymized as described in section 10;
  • nominate someone to exercise these rights on your behalf if you die or become incapacitated;
  • have a grievance heard, through the Grievance Officer named in section 15, before escalating to the Data Protection Board of India.

If you are in the EU or UK, the GDPR also gives you the right to:

  • access a copy of your personal data;
  • rectify it, or have it erased;
  • restrict or object to processing based on legitimate interests;
  • receive your data in a portable, machine-readable format (much of it is already public on your profile);
  • withdraw consent at any time, without affecting past processing;
  • complain to your national supervisory authority (in the UK, the ICO).

Most of this you can do yourself, immediately: edit your profile, delete a post, or delete your account — all from within the app.

Please file only genuine requests. Requests that are manifestly unfounded, repetitive or made to harass someone may be refused, and we will tell you why.

12Security

  • Traffic is encrypted in transit with TLS.
  • Passwords are stored as bcrypt hashes — we cannot read them, and neither can anyone who steals the database file.
  • Email-verification and password-reset tokens are stored as SHA-256 hashes, are single-use, and expire (24 hours and 1 hour respectively).
  • Sessions are re-validated against the database on every request, so deleting your account, or a suspension, takes effect at once rather than whenever a token happens to expire.
  • Access to production data is limited to those who need it.

No system is perfectly secure, and we do not pretend otherwise. If we discover a breach affecting your personal data, we will notify you and the relevant authority without undue delay, as the law requires. If you find a vulnerability, please report it to mail.niranjanvs@gmail.com rather than exploiting it — we will not pursue good-faith researchers who give us a reasonable chance to fix it.

13Children

Learn In Public is for people aged 16 and over. It is not directed at children, and we do not knowingly collect their personal data. If you believe someone under 16 has an account, tell us and we will delete it. We do not run behavioural advertising or tracking of any user, of any age.

14Changes to this policy

We will update this policy as the product changes. The “last updated” date at the top always reflects the current version. If a change materially affects your rights or what we do with your data, we will give you notice — by email or in the app — before it takes effect, and where the law requires consent for the change, we will ask for it.

15Contact and grievances

For any privacy question or request, email mail.niranjanvs@gmail.com.

If you are not satisfied, our Grievance Officer Niranjan V S, mail.niranjanvs@gmail.com — will acknowledge your complaint within 24 hours and resolve it within 15 days. Beyond that, you may complain to the Data Protection Board of India, or, if you are in the EU or UK, to your national supervisory authority.