1. Overview
Verdant is a privacy-focused communication platform. We collect the minimum data necessary to operate the Service and protect our users. We do not sell your data, serve ads, or use third-party analytics.
2. Data We Collect
| Data | Purpose |
|---|---|
| Email address | Account authentication, security notifications, password recovery |
| Username | Display identity within the Service |
| Password (hashed) | Authentication — stored as Argon2id hash, never in plaintext |
| IP address | Abuse prevention, rate limiting, login security (new-location detection) |
| Uploaded content hashes | Content deduplication and abuse detection |
| Device fingerprint | Session management, new-device detection (browser + OS hash only) |
| Messages | Core functionality — stored until deleted by sender or server admin |
3. Upload Validation and Moderation
Upload handling depends on instance configuration. Uploaded files may be validated for file type and size before storage. Some instances may also run an operator-managed moderation process or a configured content scanner; others may not.
When content is removed, preserved, or reported under instance policy or legal requirements:
- The content may be preserved as evidence in restricted storage
- The uploader's IP address and email may be recorded with the moderation record
- The uploader's account may be suspended
- The incident may be reported to NCMEC (National Center for Missing & Exploited Children) and/or law enforcement where legally required
4. Data Retention
- Messages: Retained until explicitly deleted by the sender or a server administrator
- Account data: Retained while your account is active; deleted within 30 days of account deletion request
- Login history: Retained for 90 days for security purposes
- Flagged content evidence: Retained indefinitely for legal compliance — this data cannot be deleted via user request
- Audit logs: Retained for 1 year
5. Third-Party Data Sharing
We do not sell, rent, or trade your personal data. Data may be shared with:
- Optional safety providers: File hashes or related metadata may be sent to configured moderation or scanning services when enabled by the instance
- NCMEC / law enforcement: Flagged content and associated metadata when required by law
- Infrastructure providers: DigitalOcean (hosting, object storage) — subject to their data processing agreements
We do not use any analytics services, advertising networks, or tracking pixels.
6. Data Security
- All connections use TLS encryption (client-server, server-database, server-cache)
- Passwords are hashed with Argon2id
- Session tokens are stored as SHA-256 hashes — the raw token is never persisted server-side
- Evidence storage uses private ACL with time-limited presigned URLs for admin access
- Database volume encryption at rest
7. Your Rights
You have the right to:
- Delete your account and all associated data (via Settings > Account > Delete Account)
- Export your data — contact us to request a data export
- Revoke sessions — manage and revoke active sessions from Settings
- Correct your data — update your email, username, and profile through the application
Note: Flagged content evidence is exempt from deletion requests due to legal retention requirements.
8. Children's Privacy
The Service is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a user is under 13, their account will be terminated.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Significant changes will be communicated through the application. Continued use of the Service after changes constitutes acceptance of the updated policy.
10. Contact
For privacy-related questions or data requests, contact us at privacy@verdant.app.