Privacy Policy

3.1 Account Information

When you create a Sunslider account, we collect:

• Email Address: For account authentication and essential communications
• Username: Your unique identifier on the platform
• Display Name: Optional name shown to other users
• Password: Stored as an encrypted hash, never in plain text
• Birth Date: To verify you meet our 16+ age requirement
• Bio: Optional description (up to 150 characters)
• Profile Picture: Optional image, automatically processed with our open-source privacy tools to remove sensitive metadata

3.2 Interest and Social Data

• Selected Interests: Categories you choose during signup to help with content discovery
• Invitation Relationships: If you joined via an invitation code, we store this relationship to suggest connections
• Social Connections: Users you follow and who follow you
• Content Interactions: Slides you like, comments you make, and basic interaction patterns

3.3 Content You Share

• Photos and Videos: Content you upload as slides or stories
• Captions: Text descriptions you add to your content
• Privacy Settings: Your chosen visibility levels for each piece of content

How Privacy Settings Work:

• "Everyone": Visible to all Sunslider users; may be cached globally if you share via web viewer
• "Followers Only": Only visible to users who follow you; always served from EU servers with authentication
• "Mutuals Only": Only visible to users you mutually follow; always served from EU servers with authentication

3.4 Technical Information

• Device Tokens: For push notifications (only if you enable them)
• App Performance Data: Anonymous information about load times, errors, and feature usage to improve app stability
• Error Reports: When the app crashes or encounters errors, we collect anonymous technical diagnostics (no personal information included)

3.5 What We DON'T Collect

4.1 Essential App Functions

• Account Management: Authentication, profile display, account recovery
• Content Sharing: Displaying your content to users based on your privacy settings
• Social Features: Enabling follows, likes, and content discovery
• Interest-Based Discovery: Showing you content and suggesting users based on your declared interests
• Push Notifications: Sending notifications about app activity (only if enabled)

4.2 Privacy Protection

• EXIF Stripping: Automatically removing sensitive metadata from all uploaded images using our open-source tools
• Privacy Controls: Enforcing your chosen visibility settings (Everyone, Followers, Mutuals)
• Data Security: Protecting your information with encryption and access controls

4.3 Service Improvement

• Bug Fixes: Using anonymous crash reports to identify and fix technical issues
• Performance Optimization: Improving app speed and reliability
• Feature Development: Understanding which features are most valuable to users

4.4 Essential Communications

• Service Updates: Important information about app changes or security updates
• Account Security: Notifications about login attempts or security concerns
• Policy Changes: Updates to our terms or privacy practices

6.1 Data Storage and Infrastructure

Data Storage (Permanent):

All your personal data is stored exclusively on EU-based servers:

• User data and database: Supabase (EU-Central region)
• Photos and videos: Hetzner Cloud Storage (Germany)
• Application servers: Hetzner Cloud (Germany/Finland)

Content Delivery (Temporary Caching):

We use Cloudflare's Content Delivery Network (CDN) to deliver content faster worldwide. How your content is delivered depends on how it's accessed:

• In-App Viewing: When you or others view content within the Sunslider app, it is served through our authenticated API with full privacy enforcement. This content is always fetched from EU servers and is not cached globally.
• Web Viewer Sharing (Opt-In): When you choose to share content via our web viewer (generating a public share link), those images may be temporarily cached by Cloudflare's global network for faster loading. This caching only occurs when you explicitly create and share a web viewer link, is temporary (cached for up to 30 days), and is covered by Cloudflare's GDPR-compliant Data Processing Addendum.

Technical Protections:

• End-to-end encryption for data in transit: HTTPS/TLS
• Encrypted password storage: bcrypt hashing, never stored in plain text
• Multi-layer access controls and authentication: JWT tokens
• Automated attack detection and blocking: Web application firewall, rate limiting
• Regular security audits and updates: Continuous monitoring and improvements

Infrastructure Security:

• EU-based servers with physical security controls: Hetzner Germany/Finland datacenters
• Isolated database with row-level security policies: Supabase RLS enabled
• Automated backup systems: Daily backups with retention policies
• 24/7 monitoring for suspicious activity: Automated intrusion detection

Your Role in Security:

• Use a strong, unique password for your Sunslider account
• Enable two-factor authentication when available (coming soon)
• Report any suspicious activity to [email protected]

Infrastructure Providers:

• Hetzner Online GmbH (Germany): Server hosting and storage
• Supabase Inc.: EU-based database hosting
• Cloudflare Inc.: Content delivery network and security services