Privacy Policy

Plain language. This policy is written to be understood, not to be lawyered. If anything is unclear, ask us.

flebop is software, not a service. flebop is open source software that anyone can self-host. This privacy policy is a template for node operators — it describes the data practices of this specific node, not of any central authority. The developers of flebop do not operate this node and have no access to any data on it. The operator of this node is solely responsible for their data practices.

What We Collect

When you create an account on this node, we collect:

Username — your chosen display name, visible to other users.
Password — stored as a salted hash. We never have access to your plaintext password.

When you use the platform, we store:

Messages — text messages you send in channels and servers.
Media — files, images, or other media you upload.
Profile information — any optional profile details you choose to set (avatar, bio, etc.).
Server membership — which servers you've joined.
API keys you provide — if you use features that require third-party API keys (e.g. text-to-speech), those keys are stored on this node. They are never shared with other nodes or used for any purpose other than the feature you enabled.

For federation, this node also stores:

Node API keys — unique keys exchanged between nodes during federation enrollment. These authenticate node-to-node communication and are not tied to individual user accounts.

What We Don't Collect

No analytics or tracking
No advertising data
No third-party cookies
No IP address logging beyond what is operationally required — access logs exist solely to keep the service running and are not used to identify or track users
No selling or sharing of data with third parties

Cookies

We use two cookies, both strictly necessary for the platform to function:

Session cookie (sessionid) — keeps you logged in.
CSRF cookie (csrftoken) — protects against cross-site request forgery.

No consent banner is needed because these cookies are essential for the service to work. There are no optional, analytics, or marketing cookies.

Federation

flebop is a federated platform. When you interact with servers on other nodes:

Your username and messages in those servers are shared with the remote node that hosts the server.
Each node is independently operated. This privacy policy only covers this node.
Other nodes may have their own privacy policies and data practices.

Your account data (username, password) stays on this node and is never shared with other nodes in the federation.

Your Rights

You have the right to:

Access & Portability — download a copy of all your messages and uploaded files directly from Profile → Data & Privacy → Export Data.
Correction — update your profile information at any time from Profile → Profile.
Erasure — permanently delete all your messages and uploaded files from Profile → Data & Privacy → Purge All Data, or delete your account entirely via Delete Account on the same page.

For anything not covered by the above, contact the node operator.

Data Retention

Your data is stored for as long as your account exists. If you delete your account, your personal data will be removed. Messages you sent in public servers may be retained but will be disassociated from your identity.

Security

Passwords are hashed using industry-standard algorithms. Node operators are responsible for configuring TLS — connections should be served over HTTPS. Only data that is operationally required to run the service is stored — nothing more.

Changes

This policy may be updated as flebop develops. Significant changes will be communicated to users via an in-app notice.