Last updated: May 24, 2026
This Privacy Policy describes how RedForums ("we", "us", "the Platform") collects, uses, stores, and protects your personal data when you use our services. By registering an account, you acknowledge that you have read and understood this policy.
1. What We Collect
We collect and store the following categories of data:
Identity and Account Data
- Username — your chosen display name, stored alongside a lowercase index for lookup, and a log of the dates of any username changes.
- Email address — your current email and a history of past email addresses used on your account (recorded when you change your email, for security purposes).
- Password — stored only as a bcrypt hash (minimum 12 rounds). We never store or have access to your plaintext password.
- Date of birth — used to enforce age restrictions (minimum age 13; accounts under 16 are frozen until age 16).
- Country — auto-detected from your IP address using a geolocation service at login and when country detection is triggered, at most once every 7 days. Each detection updates the stored country in place rather than adding a new record. We do not store a log of past countries or IP addresses; only the detection timestamp is kept.
Account Status and Activity
- Email verification status — whether your email is verified, and any pending verification tokens (temporary, expire after 24 hours).
- Role — your account role: member, VIP, helper, moderator, or admin.
- VIP status — whether you have VIP, your VIP plan (7-day, 30-day, lifetime), expiry date, and whether the 3-day referral trial has been used.
- Credits — your current credit balance and a full transaction history (amount, type, reason, and timestamp for each transaction).
- XP and level — your total earned experience points and current level.
- Achievements — a list of achievement IDs and the timestamps at which they were unlocked.
- Reputation — your average reputation score and the count of approved reviews, computed from user-submitted reviews.
- Login history — the date of your most recent login and your current login streak (consecutive days). We do not store a full log of all past logins or the IP addresses used.
- Account status flags — whether your account is banned, frozen, and relevant timestamps (ban date, ban reason, age-freeze expiry).
- Deletion request timestamp — if you request account deletion, the date of the request is recorded.
Content and Social Data
- Posts and comments — all content you publish, including title, body, hashtags, mandatory tags, VIP-only and NSFW flags, lock configuration, voting data, view counts, and timestamps.
- Direct messages — message content, sender and receiver identifiers, and timestamps. End-to-end encrypted messages are stored encrypted — their content is not accessible to us.
- E2E public key — your ECDH public key (in JWK format), stored to enable key exchange for encrypted messaging. This key is public by design. We never store your private key.
- Referral data — your referral code (if set), whether it is locked, your referral count, and the account that referred you (if applicable).
- Muted users — a list of user IDs you have muted.
- Followed hashtags — the hashtags you have chosen to follow.
- Post bookmarks — a list of posts you have bookmarked.
- Pinned posts — posts pinned to your profile.
- Support tickets — the subject, messages, status, and timestamps of support tickets you have opened.
- Reports — reports you have submitted against content or users.
- Advertisements — ads you have placed, including content, link, duration, credit cost, status, and impression count.
Behavioral Data
- Viewed hashtag frequency — a map from each hashtag to the number of posts containing it that you have viewed (a view is counted when you spend at least 30 seconds on a post). This is used to power personalized content recommendations.
- Upvoted hashtag frequency — a map of hashtags to the number of times you have upvoted posts containing that hashtag. Used for recommendations.
- Anti-XP-farming data — temporary rate-limiting data: a set of recently viewed post IDs (with timestamps), and a message send count and window start timestamp, used to prevent XP farming. This is operational data, not analytics.
Preferences
- Content filter setting — your chosen filter level (minimal, moderate, or full).
- Privacy settings — whether your credit balance, referral count, and country are displayed on your public profile.
- Pending email change — if you have requested an email address change, your new (unconfirmed) email and a confirmation token are stored temporarily until you confirm or the link expires (24 hours).
2. What We Do Not Collect
We explicitly do not collect or store the following:
- Your real (legal) name
- Government-issued identification
- Payment information of any kind — RedForums does not accept real money
- Phone number
- Persistent IP address logs or login IP history (IP is used at login for the login alert email and for country detection only; it is not stored)
- Browser fingerprints or device identifiers
- Advertising cookies or cross-site tracking identifiers
- Location data beyond country-level geolocation
3. How We Use Your Data
- Account operation — to authenticate you, enforce age restrictions, manage your credits and VIP status, and display your profile.
- Security alerts — your email is used to send login notifications, password change alerts, and verification emails to protect your account.
- Personalized recommendations — viewed and upvoted hashtag frequency data is used to generate your personalized feed when you select the "Recommended" sort order.
- Referral rewards — referral code data is used to credit the referrer when a referred user verifies their email.
- Platform communications — emails are sent for account events (ban, unban, role changes, credit adjustments) and, at admin discretion, site-wide announcements and policy update notices.
- Moderation — content, account flags, and audit records are reviewed by staff to enforce platform rules.
4. Data Retention
Data is retained while your account is active or in a frozen/deactivated state. Deleting your account (via Settings) freezes your account — it does not permanently purge your data from our database. We retain data for platform integrity, moderation history, and legal compliance. There is currently no automatic scheduled purge of frozen account data. If you wish to request complete data erasure, contact us via a support ticket.
Temporary data (email verification tokens, password reset tokens, pending email change tokens) is cleared once used or expired. Anti-XP-farming rate data is stored as part of your user document and is cleared automatically when the relevant time window expires.
5. Third-Party Services
We use the following third-party services:
- Gmail / Nodemailer — to deliver transactional emails. Your email address is transmitted to Gmail's SMTP servers for delivery. Gmail's privacy policy applies to this transmission.
- MongoDB Atlas — our database provider. All user data described above is stored in MongoDB Atlas. MongoDB's data processing terms apply.
- IP geolocation service — used to detect your country from your IP address. Your IP is sent to this service for country lookup only; we do not store the IP after the lookup completes.
We do not sell your data to third parties. We do not use advertising networks, analytics platforms, or social login providers.
6. Security
Passwords are hashed using bcrypt with a cost factor of 12 before storage. We never store plaintext passwords. Authentication uses signed JWT tokens with a 30-day expiry, delivered via HttpOnly, Secure cookies. End-to-end encrypted messages use ECDH key exchange and AES-GCM encryption performed in your browser — message content is mathematically inaccessible to us. We apply rate limiting to login, registration, and sensitive endpoints to prevent brute-force attacks.
7. Your Rights
Data Export
You may request a full copy of your personal data at any time via Settings > Data & Privacy > Email My Data. The export will be delivered to your registered email address within minutes. The export includes: profile information, all email addresses associated with your account, credit transaction history, advertisement history, referral data, followed hashtags, behavioral data (tag interaction counts), content counts (posts, comments, messages), and account metadata.
Account Deletion
You may request account deletion via Settings > Data & Privacy > Delete Account. After entering your password and confirming your intent, your account is permanently frozen and deactivated. This action is irreversible. As described in Section 4, this is a deactivation and not a physical data erasure. For complete erasure, open a support ticket.
8. Email Communications
You will receive automated emails for account security events: email verification, login alerts, password changes, bans, unbans, role changes, VIP activation, and credit adjustments. You will also receive site-wide announcements and policy update notices when sent by admins. Security emails cannot be opted out of while maintaining an active account. If you no longer wish to receive any emails, you may request account deletion.
9. Children
The Platform is not directed at children under 13. We do not knowingly collect data from users under 13. Accounts discovered to belong to users under 13 will be immediately and permanently terminated. If you believe a user under 13 has registered, please open a support ticket.
10. Changes to This Policy
We may update this Privacy Policy as the Platform evolves. Material changes will be announced via in-site notification and email to all registered users. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Platform after any update constitutes acceptance of the revised policy.
11. Contact
For questions about this Privacy Policy, data requests, or erasure requests, open a support ticket via the Tickets section.