Privacy Policy
Your data and how we use it
Effective date: May 2, 2026 · Last updated: May 2, 2026
1. Scope and application
- This Privacy Policy applies to the Ctoons website, reading experience, and related services ("Services").
- By using the Services, you acknowledge this policy and consent to the described processing where legally permitted.
2. Information we collect
2.1 Information provided by you
- Account identifiers and profile details processed through Supabase Auth (for example email or OAuth identifiers, depending on sign-in options you use).
- Support messages, feedback, and communication records.
- Payment-related information when you donate or pay through our checkout (processed by Dodo Payments; we do not store full card numbers on our servers in the intended configuration).
- Email address and similar contact data when you subscribe to email from us (delivered via Resend when enabled).
2.2 Information collected automatically
- Reading progress, feature interactions, and preference state stored in our database.
- Session and security signals via Supabase and our hosting provider.
- HTTP logs and approximate location derived from IP may be visible to our host or infrastructure providers.
- If you opt in to analytics in the cookie banner, product analytics events are sent to our first-party API and may be forwarded to PostHog for measurement and improvement (see section 4).
- Web push subscription data if you enable notifications in a supported browser.
3. Lawful basis and purposes
- Contract necessity: account access, reading continuity, and platform functionality.
- Legitimate interests: abuse prevention, moderation, performance monitoring, and service improvement.
- Legal obligations: compliance with lawful requests, anti-fraud duties, and record-keeping requirements.
- Consent: optional analytics (PostHog via our proxy), marketing preferences, and non-essential cookies or similar technologies where required by law—controlled through our cookie banner and related settings.
4. Sharing and third-party processors
We use the following categories of service providers; they process data on our instructions or as co-processors as described in their terms, only as needed to operate the Services:
- Supabase. Authentication (sessions), Postgres database, and Storage for creator uploads and related assets; processing location follows your Supabase project configuration.
- PostHog. Product analytics when enabled for the deployment: if you opt in to analytics cookies, the browser sends events to our first-party endpoint (/api/analytics/event), which forwards them to PostHog. Events may include an anonymous distinct ID stored in localStorage only after analytics consent.
- Dodo Payments. Payment processing for voluntary donations and similar checkout flows; payment metadata is processed under Dodo Payments’ terms and any webhooks you configure.
- Resend. Transactional and digest email when email sending is configured for the deployment (e.g. subscriber messages).
- Web Push (browser standard APIs). Push notifications use the Web Push protocol; subscription endpoints you approve may be stored so we can deliver notifications.
- Application hosting. The site runs on your hosting provider (for example Vercel), which may process HTTP logs, IP addresses, and operational telemetry under its own policies.
- We require appropriate confidentiality, security, and data-processing commitments from processors where applicable.
- We do not sell personal information for money. We do not share personal information for cross-context behavioral advertising as defined under California law. Product analytics with PostHog is used for understanding usage and improving the Services, subject to your analytics cookie choice.
5. Retention, transfers, and security
- Data is retained only as long as necessary for service, compliance, and fraud prevention.
- Global infrastructure may involve cross-border processing with suitable safeguards.
- We apply technical and organizational controls, although no system can be guaranteed 100% secure.
6. Your rights
- Access, correct, export, or delete personal data (where applicable).
- Object to or restrict specific processing activities.
- Withdraw consent for optional processing at any time.
- Regional addenda: GDPR (EEA), CCPA / CPRA (California).
7. Minors and policy updates
- We do not knowingly collect personal data from minors in violation of applicable law.
- We may revise this policy for legal or operational reasons, with updated dates posted on this page.
- For additional detail on minors, see the Children's privacy policy and the Parents & families guide.