Transparency
What we store, what we publish, what leaves the server.
What We Store
- Your account: email, password hash, handle, signup timestamp, last signin time.
- Your activity: links you've submitted, edits you've made, vouches you've given, topic subscriptions, follows.
- Operational data: rate-limit counters (in-memory, not persisted), email-verification tokens, session cookies.
Cookies the site sets
- Authentication session cookies (the standard set issued by the auth library: one session token plus a CSRF token, plus a short-lived challenge cookie during two-factor sign-in). HttpOnly, SameSite=Lax, Secure in production. Required to keep you signed in.
- gate_pass: while the directory is in private preview, one signed cookie is issued after you enter the private-preview password. Lasts thirty days. Not set once private preview ends.
- pending_invite: one cookie set for one hour when you visit a curator's invite link logged-out, so signing up routes you back to follow them. Cleared after use.
No third-party cookies. No advertising or tracking cookies. Plausible analytics is cookie-less by design. Cloudflare Turnstile (the signup CAPTCHA) is designed cookie-less; if you observe one we missed, please email security@our.directory.
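
One way to check a response's Set-Cookie headers against the cookie properties listed above (an added example, not the directory's own code). The session cookie names and the sample headers are assumptions constructed for illustration; gate_pass, pending_invite and their lifetimes come from this page.

```python
from http.cookies import SimpleCookie

# Assumed names for the auth library's cookies; the page does not name them.
SESSION_COOKIES = {"session_token", "csrf_token", "two_factor_challenge"}
# Maximum lifetimes stated on this page, in seconds.
MAX_LIFETIME = {"gate_pass": 30 * 24 * 3600, "pending_invite": 3600}


def audit_set_cookie(headers, production=True):
    """Return (cookie_name, problem) pairs for a list of Set-Cookie values."""
    findings = []
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name in SESSION_COOKIES:
                if not morsel["httponly"]:
                    findings.append((name, "missing HttpOnly"))
                if morsel["samesite"].lower() != "lax":
                    findings.append((name, "SameSite is not Lax"))
                if production and not morsel["secure"]:
                    findings.append((name, "missing Secure"))
            elif name in MAX_LIFETIME:
                # Only Max-Age is checked; an Expires-only cookie is flagged.
                max_age = morsel["max-age"]
                if not max_age.isdigit() or int(max_age) > MAX_LIFETIME[name]:
                    findings.append((name, "lifetime missing or over stated limit"))
            else:
                findings.append((name, "not listed on this page"))
    return findings


# Constructed sample headers, not captured from the real site.
SAMPLE = [
    "session_token=abc; Path=/; HttpOnly; SameSite=Lax; Secure",
    "csrf_token=def; Path=/; SameSite=Lax; Secure",
    "gate_pass=sig; Path=/; Max-Age=2592000; HttpOnly; Secure",
    "pending_invite=curator1; Path=/; Max-Age=86400",
    "tracker_id=xyz; Path=/; Max-Age=63072000",
]

if __name__ == "__main__":
    for name, problem in audit_set_cookie(SAMPLE):
        print(f"{name}: {problem}")
```
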
We do not store click-through, dwell time, scroll position, mouse movement, viewport size, or any other per-user behavioural signal. The ranking formula has no engagement input. Aggregate page-view and event counts via Plausible are described under Analytics below.
What We Publish
- Your handle (always public to other signed-in users), the links you've submitted, your vouches on links, the topics you've used, your follow graph.
- Edit history on links. Every revision is attributed to the curator who made it.
- Your email address is never shown to other users.
What Leaves the Server
- Email. The recipient address and body of verification and password-reset emails go to Postmark. No marketing email is sent, ever.
- Link safety checks. Two separate services, two separate data flows. A URL-reputation service receives the hostname and URL of every submitted link, to check for malware and phishing. A separate moderation classifier receives only the title, description, and curator notes (no URL, no submitter identity, not used for training). See content safety.
- Signup. A passive browser signal goes to a CAPTCHA service to verify the signup form was filled by a human. No tracking cookie is set; no behavioural data is collected.
- The crawler (see ranking) fetches candidate sub-pages. Those sites see an HTTP request from our crawler's user-agent. The crawler honors robots.txt and per-domain rate limits.
We do not share submission data, vouches, or follow relationships with search-engine operators, AI-training services, or any third party not listed above.
Analytics
We use Plausible, which counts aggregate page views and referrer domain. No cookies, no cross-site tracking, no individual session traces. No Google Analytics, no pixel, no session replay.
A small number of named events are counted in aggregate: signups, link submissions, vouches, candidate promotions, topic subscriptions, reports filed. These are counts, not per-user traces. No identifier is attached.
Admin and Moderator Accounts
Moderator and admin accounts require a second factor (TOTP) at sign-in. There is no admin bypass; if you see a moderator action, a real person logged in with two factors to take it.
Anti-scraping
The signup wall is there to keep the directory from being ingested into someone else's search index or AI training set. robots.txt disallows bots from app pages. Abusive user-agents are blocked at the edge.
Source
The source code is the authoritative description of what the directory does. If anything on this page contradicts the code, the code wins.