Privacy
Cresset is built and run by two people. We collect what we need to make the site work, and that's it. No behavioral ads, no third-party analytics, no profile sold off to anyone.
This policy is written in plain English. If something here is ambiguous or wrong, email support@cresset.app and we'll fix it.
What we collect
From you, when you sign up or use the site:
- An email address, used to send your sign-in link and account notifications.
- A username you choose. This is shown next to everything you post.
- One or more passkeys (WebAuthn credentials). We don't store passwords.
- Whatever you post: posts, comments, votes, saves, and reports. NSFW flag and bot flag where relevant.
- Your theme preference (light, dark, system) and whether you've opted to view NSFW posts.
Automatically, when your browser talks to the site:
- Your IP address, hashed (SHA-256) and stored on the active session row. We use the hash to tell sessions apart and to spot ban evasion. Raw IPs are kept only on short-lived sign-in tokens (15 minutes).
- Your user-agent string, so the "Active sessions" list in settings can label devices like "Chrome on macOS."
- Timestamps on everything you do: post, comment, vote, sign in, and so on.
- A small amount of operational telemetry routed to Cloudflare Analytics Engine — counters and timings for the ranking pipeline, vote events (post ID, community ID, voter trust tier), and email delivery outcomes. No browsing history, no per-user clickstream.
Cookies
- cresset_session: your signed session ID. HTTP-only, secure, SameSite=Lax, 90-day TTL.
- theme: your light/dark/system preference.
- wa_chal: a five-minute ticket used during passkey registration and login.
Who we share with
Cresset runs on Cloudflare. That means Cloudflare necessarily processes your traffic, stores the database (D1), holds uploaded images (R2), routes outbound mail (Email Routing), and serves CAPTCHA challenges (Turnstile). Two narrower Cloudflare features are also worth naming:
- Vectorize + Cloudflare AI: when you submit a post, its title plus the first ~1000 characters of the body are embedded as a vector and compared against recent posts in the same community to detect near-duplicates. The vectors are scoped to that index; nothing gets sent to a third-party model provider.
- Turnstile: used at signup and login to slow down bots. Cloudflare evaluates browser signals and returns a yes/no token. We never see those signals; we just see the token.
We do not use Google Analytics, Meta Pixel, Mixpanel, or any other third-party analytics. We do not call OpenAI, Anthropic, or any other LLM provider with your content. We do not sell or rent any personal data.
What's public, what isn't
Posts, comments, vote totals (not who voted), usernames, post-creation timestamps, community membership of a post, and the trust tier an account had when it posted are all visible to anyone, signed in or not.
Your email, your IP hash, your user-agent, your individual votes, your saved posts, your read-history, the contents of any reports you file, and any moderator notes are not visible to other users. Reports are visible to moderators of the relevant community and to site admins.
Retention and deletion
- Sign-in tokens (magic links, passkey challenges): 5–15 minutes.
- Active sessions: up to 90 days; you can revoke any of them in settings at any time.
- Rate-limit counters: rolling windows are cleaned up on a schedule once they expire.
- Posts and comments you delete are soft-deleted: hidden from the site but retained in the database. Mod-removed content is the same. We keep these so threads still read coherently and so we can reverse mistaken removals.
When you delete your account, we hard-delete the user row, null out your email, and revoke every active session. Your posts and comments are reattributed to a sentinel [deleted] user so other people's threads don't fall apart; you can also choose to remove your posts and comments at the same time.
One thing we keep after account deletion: a SHA-256 hash of your normalized email. We use it to spot the same person trying to re-register after a permanent ban. We do not store the email itself, and the hash can't be reversed to recover it.
Children
Cresset is for adults. You confirm you are 18 or older when you create an account. If we learn that an account belongs to someone under 18, we'll close it.
Your rights
You can change your username, email, or theme in settings, revoke any session, and delete your account at any time. If you'd like a copy of the data tied to your account in a portable format, email support@cresset.app and we'll put one together.
Changes to this policy
If we change anything here, we'll update this page and note the date below. Material changes will also be announced on the site.
Contact
Questions, requests, or complaints: support@cresset.app.