Privacy Policy
Effective 2026-05-31. This document tells you what Our Directory LLC, an Oregon limited liability company operating our.directory (referred to here as "we," "our," or "the directory"), collects, why we collect it, who sees it, and how long we keep it. The plain-language summary on the transparency page is shorter; this document is the formal version. If the two ever conflict, this one controls.
The short version
- We do not sell your data. We do not share it with data brokers. We do not run ads.
- We do not use per-user behavioral tracking. The ranking formula has no engagement signals. Aggregate page-view and event counts via Plausible (no cookies, no per-user identifier) are described in section 3.
- We do not license your data to AI training services.
- We use a small number of third-party services to operate the site. They are listed below by name.
- You can delete your account from /settings and request a data export.
1. What we collect, and why
Account data
- Email address: to verify your account at signup, send password resets, send security notifications, and contact you about material changes to these policies. We do not send marketing email.
- Password hash: we store a one-way hash, not your password.
- Handle, optional display name, optional bio: what you choose to show on your profile.
- Two-factor secret: if you enroll in TOTP (required for moderator and admin accounts; optional for everyone else).
- Signup time, last sign-in time, email verification state: operational.
Curator activity
- The links you submit, the URLs and metadata they point to, the curator notes you write.
- Your vouches on links, your votes, your follow relationships, your topic subscriptions.
- The edit history on links you've touched. Every revision is attributed.
Operational data
- Session cookies: one signed cookie that identifies your session. No third-party cookies. No tracking cookies.
- Rate-limit counters: kept in process memory, not persisted to the database, used to limit signups, sign-ins, password resets, and search suggestions by IP or by account.
- Server access logs: standard web-server logs (IP, request path, response code, timestamp) retained for 30 days for debugging and abuse investigation.
- Email-verification, password-reset, and 2FA-challenge tokens: short-lived; consumed or expired on the timeline set by the auth library.
- The
pending_invitecookie: set for one hour when you visit a curator's?invite=1share link logged-out, so that signing up routes you back to their profile to follow them. Cleared after use. - The
gate_passcookie: while the directory is in private preview, a signed cookie is issued when you enter the private-preview password, so you can keep browsing for thirty days without re-entering it. This cookie is not set once private preview ends.
What we do NOT collect
No click-through tracking. No dwell time. No scroll position. No mouse movement. No viewport size. No session replay. No per-user reading-behavior analytics. No device fingerprinting. No third-party advertising or retargeting pixels. The ranking formula has no engagement input by design. Engagement signals are the incentive structure that produces the AI-slop web.
Aggregate page-view and event counts via Plausible (no cookies, no per-user identifier) are described in section 3.
We do not display a cookie banner. Every cookie the site sets is strictly necessary for a service you have asked for — signing in, completing a signup invited by another curator, and (while private preview is on) the private-preview password gate. None of them are used for analytics, advertising, or profile-building. The legal standards that require banners (the EU ePrivacy Directive Art. 5(3); the operational requirements in California, Colorado, Connecticut, and other US state privacy laws) exempt cookies of this kind. We will reconsider if that ever changes; the transparency page lists the cookies that exist today so you can check our claim against the actual code.
2. What is visible to other curators
The directory is signup-walled. Inside the wall, your handle, your submitted links, your notes, your vouches, your topic subscriptions, and your follow graph are visible to other signed-in curators. Your email address is not. Optional display name and bio are visible only if you set them.
See the transparency page for the field-level breakdown.
3. Third parties we share data with
Operating the directory requires a small number of third-party services. Each one is listed below with the data it sees and the reason we use it. None of these vendors are used for advertising, behavioral profiling, or AI training. None of them receive your email marketing list, because there is no marketing list.
| Vendor | Purpose | Data shared | Their policy |
|---|---|---|---|
| Postmark (ActiveCampaign) | Transactional email delivery (verification, password reset, security notifications). Postmark was acquired by ActiveCampaign in 2022; ActiveCampaign's privacy policy applies. | Your email address and the body of the message. | activecampaign.com/legal/privacy-policy |
| Cloudflare Turnstile | CAPTCHA replacement on the signup form. | Passive browser signals (TLS fingerprint, JS execution timing). No cookie. No identifier persisted. | cloudflare.com/privacypolicy |
| Cloudflare URL Scanner + Cloudflare DoH | URL reputation check (malware/phishing) and DNS lookup during link safety triage. | The submitted URL and the hostname. No curator identity. | cloudflare.com/privacypolicy |
| OpenAI Moderation API | Server-side classifier on link text, used at submit-time only. Fails open if the API is down. | The title, description, and curator notes of the submitted link. No URL, no curator identity. OpenAI's terms state moderation-endpoint inputs are not used for training. | openai.com/policies/api-data-usage |
| OFAC sanctions list | One-way read of the US Treasury Specially Designated Nationals list, downloaded periodically to check submitted hostnames. | No data leaves us. The list is fetched from the Treasury; nothing about you or your submissions is sent. | N/A: public CSV read. |
| Plausible Analytics | Aggregate, privacy-respecting page-view counts and counts of named events (signup_completed, link_submitted, link_endorsed, candidate_promoted, topic_subscribed, report_filed). | Page URL, referrer domain, anonymized country, anonymized browser/OS. No cookies. No cross-site tracking. No per-user identifier. No session replay. Plausible does not store full IP addresses; it generates a daily-rotating hash to deduplicate visitor counts and then discards it. | plausible.io/privacy · /data-policy |
| Buy Me a Coffee | If you choose to donate. The donation link in our footer is a plain link to the external site; no widget script runs on our.directory pages. | Nothing automatic. If you donate, BMC sees whatever you tell BMC. | buymeacoffee.com/privacy-policy |
| Render | Server hosting and managed Postgres. | By necessity, everything we store. Encrypted at rest; database backups retained ~30 days. | render.com/privacy |
We do not share submission data, vouches, follow relationships, or moderation history with search-engine operators, AI training services, advertising networks, or any third party not listed above. The signup-wall is in part there to enforce this; it prevents bulk scraping of curator-produced content.
4. Children
our.directory is not directed at users under 13. We do not knowingly collect personal information from anyone under 13. If we discover that an account belongs to a child under 13, we close the account and delete the associated data. If you're a parent or guardian and believe your child has created an account, email legal@our.directory and we will act promptly.
Some of the third-party services listed above (Cloudflare, Postmark) effectively require users to be 16+ under EU/UK law. If you are in the EEA or the UK and under 16, please don't sign up.
5. Your rights
These rights apply to everyone using the directory, not just users in jurisdictions that require them.
- Access. Ask us for a copy of the personal data we hold about you. We respond within 30 days.
- Rectification. Most fields are editable from /settings; for anything you can't change there, email us.
- Deletion. Delete your account from /settings. See section 7 for what survives deletion and why.
- Portability. Email hello@our.directory for a machine-readable JSON export of your profile, submissions, notes, vouches, follows, and topic subscriptions. We respond within 30 days. No charge.
- Objection / restriction. If you object to a specific processing activity, write to us.
- Withdraw consent. Where we rely on consent (we mostly don't; see legal-basis section below), you can withdraw it. Deleting your account is the most effective form of withdrawal.
- Lodge a complaint. If you're in the EEA/UK and unhappy with how we've handled your data, you can complain to your national data-protection authority.
6. Legal basis (GDPR), if you're in the EEA or UK
Where GDPR applies to you:
- Contract performance: account data, curator activity, session cookies. We can't run the service without these.
- Legitimate interests: server logs, rate-limit counters, link-safety screening, moderation, and audit-log retention. The interest is keeping the directory functional, safe, and accountable to a documented decision history.
- Legal obligation: DMCA records, CSAM reports to NCMEC, retention of records required by tax or accounting rules.
- Consent: we don't currently rely on consent for anything substantive. Plausible operates under our legitimate interest because it sets no cookies and collects no personal identifiers. See the "no cookie banner" note in section 1 for the full rationale.
7. Retention and deletion
When you delete your account, this table records what disappears immediately, what disappears within 30 days, and what is retained, with reasons.
| Data | Retention | Why |
|---|---|---|
| Profile (handle, bio, display name) | Anonymized to "@deleted" immediately; deleted within 30 days. | No reason to keep. |
| Email, password hash, 2FA secret, session tokens | Deleted within 30 days. | No reason to keep. |
| Submitted links and curator notes | Reattributed to "@deleted" and retained. | Other curators have built on top of them (vouches, quotes, replies, ranking history). Discarding wholesale would damage their work. You can delete individual submissions or notes from your profile before deleting your account if you don't want them to persist this way. |
| Vouches and votes | Hidden from public surfaces and from ranking calculations immediately. The rows themselves are kept so an unban or undelete is reversible. | Reversibility of moderator/operator actions matters more than minimizing this particular row count. |
| Moderator and admin audit log | Retained indefinitely. | Required for repeat-infringer enforcement under § 512(i), for appeals, and for accountability of moderator actions. References to your account in the audit log persist after account deletion. |
| DMCA notices and counter-notices you filed | Retained indefinitely. | Required as evidence of the safe-harbor process. |
| Server access logs | 30 days. | Debugging and abuse investigation. |
| Database backups | Up to 30 days. | Backups are full-database snapshots; we don't selectively scrub them. They age out on the normal cycle. |
| Plausible analytics | Aggregate, no per-user identifier; retention controlled by Plausible. | There is nothing to delete on a per-user basis because nothing was identified on a per-user basis. |
8. International transfers
The directory is operated from the United States. If you use the directory from outside the US, your data is transferred to the US to be stored and processed. Most of the third-party services listed above also process data in the US. We rely on standard contractual clauses (or equivalent mechanisms) where the vendor offers them; if you want the specifics for a particular vendor, ask them. Their policies are linked above.
9. US state privacy rights
If you're a resident of a US state with a comprehensive privacy law — California, Colorado, Connecticut, Virginia, Utah, Texas, Florida, Oregon, Montana, Iowa, Delaware, New Hampshire, Nebraska, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, or any state added since this policy was last updated — you have the rights listed in section 5 (access, correct, delete, port). The state-specific notes below cover items that go beyond those rights.
- No sale or sharing for targeted advertising. We do not sell personal information and we do not share personal information for cross-context behavioral advertising. We do not run targeted ads of any kind. Because there is nothing to opt out of, there is no "Do Not Sell or Share My Information" link.
- Global Privacy Control (GPC). We honor the GPC browser signal as a valid opt-out of sale and sharing, in compliance with the California Privacy Rights Act regulations effective January 1, 2026 and the equivalent provisions in Colorado, Connecticut, and other states that require GPC handling. Since we do not sell or share for targeted advertising, the practical effect of sending GPC is that nothing changes — we record no behavioral data about you either way.
- Sensitive data. We do not collect or infer sensitive data categories — government IDs, precise geolocation, racial or ethnic origin, religious beliefs, health, sex life, sexual orientation, immigration status, genetic data, biometric identifiers, or neural data — as those are defined under the 2026 CCPA amendments and the equivalent definitions in other state privacy laws. We do not knowingly collect data from anyone under 16.
- California "Shine the Light." We do not share personal information with third parties for their own direct-marketing purposes.
10. Security
We follow standard practices: passwords hashed with a modern algorithm, sessions stored server-side and identified by signed cookie, two-factor authentication available to all curators and required for moderators and admins, password-reset notifications, IP-keyed rate limits, HTTPS everywhere in production. No system is perfectly secure. If you spot a vulnerability, please email security@our.directory . We respond within a few business days.
11. Do Not Track and Global Privacy Control
Some browsers send a "Do Not Track" header. We do not behavioral-track anyone regardless of whether the header is set.
Some browsers also send a Global Privacy Control (GPC) signal — a standardized opt-out of the sale and sharing of personal information for targeted advertising. We treat GPC as a valid opt-out request wherever state law recognizes it. Since we do not sell or share personal information and do not run targeted advertising, GPC has no practical effect here — but the signal is honored, not ignored.
12. Changes to this policy
We will post any material change to this privacy policy at least 30 days before the change takes effect, and notify signed-up curators by email or in-product notice. The current version has an effective date at the top, and we keep prior versions available on request. Adding a new third-party data flow is always a material change. Removing one isn't.
13. Contact
Questions, requests, or complaints about your data: legal@our.directory. Security issues: security@our.directory. Legal/DMCA: legal@our.directory.