Bleatly

Privacy Policy

Last updated: February 19, 2026

This policy explains what data Bleatly collects, why we collect it, how we use it, and your rights regarding your data. We believe in being straightforward — no legalese.

1. Data We Collect

Account information:

• Username (required) — your public identity on the platform
• Password (required) — hashed with bcrypt before storage. We never store or have access to your plain-text password
• Email address (optional) — only used for password resets. Not required to use the service
• Display name (optional) — a custom name shown alongside your username
• Avatar image (optional) — a profile picture you upload

Content you create:

• Messages in community channels
• Direct messages to other users
• Emoji reactions on messages
• Uploaded images

Community & activity data:

• Community memberships and roles
• Game scores and play history
• XP and level progression

Payment data:

• Payment processing is handled entirely by Stripe. Bleatly never sees, stores, or has access to your credit card number or bank details. We only store a Stripe customer ID to manage your subscription.

2. Data We Do NOT Collect

• IP addresses — we do not log your IP address
• Device fingerprints — we do not fingerprint your browser or device
• Tracking cookies — we use zero tracking cookies, analytics, or third-party trackers
• Location data — we do not collect or infer your location

3. Cookies

We use a single session cookie for authentication. This cookie:

• Is httpOnly (JavaScript cannot access it)
• Is sameSite: lax (not sent on cross-site requests)
• Expires after 7 days
• Is stored server-side in our database (not in your browser beyond the session ID)

We do not use advertising cookies, analytics cookies, or any third-party cookies. Because our cookie is strictly necessary for the service to function, no cookie consent banner is required under GDPR.

4. How We Use Your Data

• Operating the service — displaying your messages, profile, and content to other community members
• Authentication — verifying your identity when you log in
• Password resets — sending a reset link to your email (if provided)
• Payment processing — managing subscriptions via Stripe
• Moderation — enforcing our Terms of Service and Acceptable Use Policy

We do not use your data for advertising, profiling, or selling to third parties.

5. Third-Party Services

We share limited data with these services to operate Bleatly:

• Stripe — payment processing. See Stripe's Privacy Policy
• Cloudflare R2 — file storage for uploaded images and avatars. Files are stored securely and not shared
• Resend — transactional email delivery (password reset emails only). See Resend's Privacy Policy
• Klipy — GIF search for the in-app GIF picker. Search queries are proxied through our server to Klipy's API. No personal data is shared with Klipy

We do not sell, rent, or share your personal data with any other third parties.

6. Your Rights

You have the following rights regarding your data:

• Access — you can view your data in the app at any time
• Export — you can download all your data as a JSON file from your account settings
• Correction — you can edit your profile information (display name, avatar, email) in the app
• Deletion — you can delete your account from your account settings. This anonymizes your profile, removes your personal data, deletes your DMs and game scores, and disassociates remaining channel messages from your identity (messages remain but are attributed to “Deleted User” with no link to your account)

These rights apply to all users, regardless of location. You do not need to cite GDPR or any other regulation — just use the tools in your account settings or email us.

7. Data Retention

• Account data — kept until you delete your account
• Password reset tokens — expire and are invalidated after 1 hour
• Sessions — automatically expire after 7 days
• Messages — kept as long as the community exists. After account deletion, your messages remain but are anonymized (no link to your identity)

8. Children's Privacy (COPPA)

Bleatly is not directed at children under 13. Users must confirm they are at least 13 years old when creating an account. If we learn that a user is under 13, we will:

• Immediately terminate their account
• Delete all their personal data

If you believe a user is under 13, please report it to support@bleatly.com.

9. Security

We take reasonable measures to protect your data:

• Passwords are hashed with bcrypt (cost factor 12)
• Sessions use httpOnly, sameSite cookies
• All connections use HTTPS in production
• Database access is restricted and encrypted in transit

No system is 100% secure. If we discover a data breach that affects your personal information, we will notify affected users promptly.

10. International Users (GDPR)

If you are in the European Economic Area (EEA), UK, or other jurisdiction with data protection laws:

• Our legal basis for processing is contract performance (providing the service you signed up for) and legitimate interest (security, moderation)
• Your data may be transferred to and stored in the United States
• You have the right to lodge a complaint with your local data protection authority
• All the rights listed in Section 6 above apply to you

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide notice by email (if you've provided one) or by posting a notice on the site at least 30 days before the changes take effect.