Privacy Policy

1. The Short Version

We collect as little as possible. Your IP address is one-way hashed. We never store it in plaintext and cannot reverse it. Location is captured at post time only and is not linked to any persistent identity. Posts expire from public feeds after 30 days but may be retained so you can view your post history. We never sell your data. AI moderates all content.

2. Who This Applies To

This Privacy Policy applies to all users of jawwing.com and any associated apps or APIs. By using the Service, you agree to this policy.

Jawwing is available to users in the United States only. You must be 18 years of age or older to use the Service.

3. What We Collect: No-Account Users

Most users never create an account. In no-account mode, we collect:

IP address: Stored as a one-way cryptographic hash only, never plaintext. Used for rate limiting, deduplication, and abuse prevention.

GPS coordinates: Stored with the post record at the moment you post. Not linked to your IP hash or any persistent profile. Not tracked over time. Slightly fuzzed for privacy (rounded to approximately 1km precision).

Post content (text): Stored with the post record. Publicly visible in feeds for up to 30 days.

Uploaded images: Stored on Vercel Blob CDN. Publicly visible as part of your post.

Timestamp: Stored with the post. Used for expiration and ordering.

Vote actions: Anonymous, not linked to user identity.

That is everything. We do not collect your name, device fingerprint, browsing history, contacts, or any other personally identifying information.

4. What We Collect: Account Users

Creating an account is optional. If you sign in with email:

Email address: Stored as a one-way cryptographic hash (for account lookup) and separately encrypted using AES-256-GCM (for sending notifications). We never store your email in plaintext at rest.

Session identifiers: Your anonymous session IDs are linked to your account so we can associate your posts with your account for features like post history.

Notification preferences: Your chosen notification settings (reply alerts, trending alerts).

Everything else (IP hash, GPS, content) is the same as no-account users.

5. IP Address Hashing

When your device connects to Jawwing, your IP address is received by our server and immediately passed through a one-way cryptographic hash function (HMAC-SHA256 with a secret server key). The hash is stored, never the original IP. The hash cannot be reversed to recover your IP, even by us.

The hash is used only for rate limiting, block/mute features, and abuse prevention.

Important caveat: The hash is still data. If compelled by valid legal process, we may be required to produce it.

6. Location Data

Location is the core of Jawwing. When you post, your device provides GPS coordinates. These are fuzzed (rounded and randomized by approximately 1km) before storage to protect your precise location.

We do not build a location history for you. Each post is an isolated record. We do not track where you go.

Location data is inherently sensitive. If you post from your home or workplace, the approximate coordinate will be associated with that post. Think before you post from a sensitive location.

7. Uploaded Images

Images are uploaded to Vercel Blob, a third-party CDN storage service. Images are publicly accessible via CDN URL as part of your post. All images are scanned by AI moderation for prohibited content before being shown publicly.

Exif data: We do not automatically strip Exif metadata from images. If your image has embedded GPS coordinates, device model, or other metadata, that data may be accessible to anyone who downloads the image. Strip Exif data before uploading if this concerns you.

Do not upload images containing personal information you do not want publicly exposed.

8. Cookies

We use only essential cookies:

Session cookie (jw_session): Identifies your anonymous session for voting and posting. No personal data.

Account cookie (jw_account): If signed in, a secure httpOnly JWT token that keeps you logged in for up to 3630 days.

Account flag (jw_account_ok): A non-sensitive flag so the page knows to show signed-in UI.

We do not use advertising cookies, tracking pixels, Google Analytics, Meta Pixel, or any third-party analytics that sell your data.

9. AI Moderation

All posts (text and images) are processed by our AI moderation system before appearing in feeds. We currently use Anthropic's Claude API as our primary moderation provider, with fallback providers for reliability.

This means your content is sent to a third-party AI API for analysis. These providers' use of API data is governed by their respective terms, which generally prohibit using API inputs to train models.

Our moderation rules are published in our Constitution at jawwing.com/constitution. Moderation decisions are logged in our Transparency page at jawwing.com/transparency.

10. AI-Generated Content

Jawwing may use AI agents to seed content on the platform, particularly in lower-traffic areas during early launch. These posts are processed, stored, and moderated the same way as user-generated content.

11. Post Expiry and Data Retention

Posts expire from public feeds after 30 days. After expiry, posts are no longer visible in the feed or discoverable by other users.

However, posts are not necessarily permanently deleted from our database at expiry. Jawwing retains post data so that account holders can view their post history, including past performance (scores, replies). This allows you to see your best-performing posts and your posting history over time.

Jawwing reserves the right to decide when and whether to permanently delete expired post data from its systems. Expired posts are never re-surfaced in public feeds.

Full retention summary:

Post content (text): Visible in feeds for up to 30 days. Retained in database for account holder history. Permanent deletion at Jawwing's discretion.

Post images: Publicly visible while post is in feeds. May be deleted from CDN after post expires from feeds. Permanent deletion timing at Jawwing's discretion.

GPS coordinates (with post): Retained with the post record.

IP hash: Retained for rate limiting and abuse prevention. Reviewed periodically.

Email hash and encrypted email (if account): Retained while account is active. Deleted on account deletion request.

Moderation logs: Retained indefinitely for transparency and abuse prevention.

Session tokens: Expire on logout or after cookie expiry.

12. Law Enforcement and Legal Process

We will comply with valid United States legal process, including subpoenas, court orders, and law enforcement requests.

What we could produce if compelled: Hashed IP addresses associated with a post or account, post content, approximate GPS coordinates associated with a post, timestamps, email hash and encrypted email (if account exists), moderation logs.

What we cannot produce: Raw IP addresses (we do not have them), location history (we do not track it), identity of anonymous users (we do not know it).

If legally permitted, we will attempt to notify affected users before producing data. We may be prohibited from doing so under a gag order or similar legal restriction.

Jawwing is not designed to protect against lawful government access. Do not rely on Jawwing for anonymity in situations where government surveillance is a concern.

13. Third-Party Services

Vercel: Hosting, CDN, and Blob storage (vercel.com/legal/privacy-policy).

Anthropic Claude API: AI moderation (anthropic.com/privacy).

Turso: Database hosting (turso.tech/privacy-policy).

Resend: Email verification codes (resend.com/legal/privacy-policy).

We do not sell your data to any third party. We do not share data with data brokers, advertisers, or analytics companies.

14. Age Restriction

Jawwing is restricted to users 18 years of age or older in the United States. We do not knowingly collect personal information from anyone under 18. If we become aware we have collected data from someone under 18, we will delete it.

If you are a parent or guardian and believe a minor has used Jawwing, contact support@jawwing.com.

15. Data Security

We take reasonable steps to protect your data: hashing identifiers (IP, email) rather than storing plaintext, encrypting email addresses using AES-256-GCM, using HTTPS for all connections, storing images on a third-party CDN, and using secure httpOnly session cookies.

No system is perfectly secure. We cannot guarantee that unauthorized access, hacking, or data breaches will never occur. If a breach occurs that affects your rights, we will notify as required by applicable law.

16. Your Rights

Account holders may request:

Access: View what data we hold about your account by visiting Settings.

Deletion: Request account deletion by contacting support@jawwing.com. We will delete your account record and encrypted email. Posts previously made may be retained in anonymized form.

For no-account users: Because we store only hashed identifiers, we may be unable to identify which data is "yours" without additional information. This is by design for your privacy.

17. Changes to This Policy

We may update this Privacy Policy at any time. We will update the "Last Updated" date at the top. Continued use of the Service after changes means you accept the updated policy.

18. Contact

Privacy inquiries: support@jawwing.com General support: support@jawwing.com