Template — not legal advice. Replace placeholders (contact email, data processors, governing jurisdiction) and have counsel review before production launch.

Privacy Policy

Last updated: April 2026

1. What we collect

Account data. Email address, provider account identifier (for Google or Apple sign-in), chosen username.
Content you post. Reports, comments, votes, flags, and any photos or videos you upload, including any metadata embedded in those files (EXIF location/time if present).
Operational logs. IP address, user-agent, and timestamps for authentication events and requests, used for security and abuse detection.
Cookies. Strictly-necessary session and CSRF cookies for authentication. See our Cookies page.

2. What we don't collect

We don't run third-party analytics or advertising trackers at launch. We don't sell personal information.

3. How we use it

To operate and secure the Service.
To attribute posts to your username and tally votes and flags.
To send magic-link sign-in emails when you request them.
To respond to abuse reports and legal process.

4. Service providers

We share data only with processors that help us run the Service:

Vercel — hosting, edge functions, and Blob storage for media.
Neon — managed PostgreSQL database.
Resend — transactional email delivery for magic-link sign-in.
Google and Apple — OAuth sign-in, when you choose those providers.

We don't sell or rent personal information.

5. Legal process

We may disclose information in response to valid legal process (court orders, subpoenas) or where we reasonably believe it's necessary to prevent serious harm. We will attempt to notify affected users unless prohibited by law.

6. Retention

Sessions expire after 30 days of inactivity.
Magic-link tokens expire quickly (minutes) and are single-use.
Deleted accounts are purged within 30 days. Your reports and comments remain visible but are detached from your identity.
Moderation records (flags, takedowns) may be retained longer for audit and abuse-prevention purposes.

7. Your rights

Depending on where you live (EEA, UK, California, and others), you may have rights to access, correct, export, or delete your personal information. You can delete your account and wipe associated data from your account page. To exercise other rights, contact the operator at the email below. We won't charge for reasonable requests.

California residents. We do not sell personal information. You have the right to request access to or deletion of your personal information, and not to be discriminated against for exercising these rights.

EEA / UK residents. Our legal bases for processing are (a) performance of the contract (providing the Service at your request), (b) legitimate interests (security, moderation, preventing abuse), and (c) consent where required (e.g. optional cookies). You can contact the operator or your local data-protection authority with concerns.

8. Children

Road Watchers is not directed to children under 13 (or 16 in the EEA). Don't use the Service if you're under that age.

9. Security

We use reasonable administrative and technical measures to protect your data, but no system is perfectly secure. Report vulnerabilities to the operator.

10. Changes

We may update this policy. Material changes will be announced in-app or by email.

11. Contact

Operator contact: privacy@example.com (replace before production).