Privacy Policy

Effective date: [[MONTH DAY, YEAR]]

This Privacy Policy explains how [[Legal Entity / Owner]] (“we,” “us,” “our”) collects, uses, and shares information when you use type.

1) Information We Collect

1.1 You Provide

  • Account data: username, email, password (hashed with bcrypt).
  • OAuth (optional): verified email and basic profile/ID from Google or GitHub.
  • Profile content (optional): status, bio, keyboard info.
  • Support messages you send us.

1.2 Automatically Collected

  • IP address, device/browser metadata, pages requested, timestamps.
  • Security/rate-limit signals (e.g., request counts by IP).
  • Cookies for authentication and CSRF protection.

1.3 Typing Test Data

  • Mode (time/words), target, WPM, accuracy, words typed, start/end timestamps.
  • Aggregates: tests completed, cumulative time typing, personal records.

2) How We Use Information

  • Provide and maintain the Service (login, profiles, tests, stats).
  • Security and abuse prevention (rate limiting, fraud detection).
  • Support and service improvement.
  • Legal compliance.

Legal bases (EU/UK): contract (to provide the Service), legitimate interests (security, improvement), and consent (only for optional features like analytics, if enabled).

3) Cookies

We use essential cookies (e.g., NextAuth session and CSRF). If we add optional analytics in the future, we’ll ask for consent first and block non-essential cookies until accepted.

4) Third Parties / Subprocessors

  • Hosting: Vercel
  • Database: MongoDB Atlas
  • Auth: NextAuth (self-hosted in our app), Google/GitHub OAuth (if chosen)
  • Rate limiting (optional): Upstash Redis

These providers act on our behalf under data-processing terms. We don’t allow them to use your data for their own marketing.

5) Data Retention

  • Account and test data: retained while your account is active.
  • Security logs: typically 30–90 days, unless required longer.
  • Deleted accounts: deleted or anonymized within ~30 days (subject to backups and legal requirements).

6) Your Rights

Depending on your location, you may have rights to access, correct, delete, or port your data, and to object to or restrict certain processing. You can also withdraw consent where applicable. Contact us at [[privacy email]].

We do not sell or share personal information for cross-context advertising.

7) International Transfers

Data may be processed in countries other than where you live. We use appropriate safeguards (e.g., SCCs) when required by law.

8) Security

We use industry-standard measures, including HTTPS, bcrypt password hashing, and least-privilege access. No method is 100% secure, but we continually improve our safeguards.

9) Children

The Service is not directed to children under 13 (or 16 where applicable). If you believe a child has provided personal data, contact us and we’ll remove it.

10) Changes

We may update this policy from time to time. We’ll change the “Effective date” above and notify you of material changes by reasonable means.

11) Contact

Email: [[privacy email]]
Address: [[postal address]]