Privacy Policy
At agidion, privacy isn't a feature — it's a foundation. This policy explains how we handle your data. Simply. Clearly. Honestly.
1. What we collect
We collect different categories of data depending on how you use agidion:
- Account information — email address, username, display name, bio, and avatar image. We authenticate you via one-time codes sent to your email; no passwords are stored.
- Profile data — any information you add to your public profile, such as your display name, bio, website, and status message. You can edit this at any time from your profile settings.
- Posts and social content — text posts, images, polls, comments, likes, and follow relationships you create on the platform.
- Stories — story content you publish and any reactions other users leave on your stories.
- Direct messages — messages are encrypted end-to-end using ECDH P-256 key exchange and AES-GCM encryption. We store only the encrypted ciphertext; we cannot read your messages.
- Images and media — photos and images you upload for posts, stories, or your profile avatar. These are resized and compressed server-side, then stored on Hetzner Object Storage in Nürnberg, Germany.
- Terms of Service acceptance — we record the timestamp when you explicitly accepted the Terms of Service during onboarding.
- Newsletter subscription — if you opt in, we record your preference and the timestamp of your consent. Subscription requires a double opt-in confirmation click. You can unsubscribe at any time via the link in any email.
- Usage data — anonymous, aggregated analytics including page views and events to understand how people use agidion. No personal identifiers are stored in analytics records.
- Consent record — when you accept or decline cookie tracking we log that decision with a hashed IP address and timestamp for GDPR compliance.
- Push notification tokens — if you enable browser or device notifications, we store the token needed to deliver real-time updates.
2. How we use your data
- Provide the service — display your profile, deliver your posts and messages, and power social features like follows, likes, and comments.
- Authentication — send one-time codes to your email so you can sign in securely without a password.
- Notifications — deliver real-time in-app and push notifications for likes, comments, follows, and messages.
- Communication — send account-related transactional emails (sign-in codes, security notices) and, if you opted in, newsletter updates.
- Improvement — use anonymous analytics to understand usage patterns and improve the product.
3. What we don't do
- We don't sell your data. Ever.
- We don't track you across the web.
- We don't serve ads, so we have no interest in profiling you.
- We don't share your data with third parties for marketing.
- We don't store passwords — authentication is handled entirely through one-time codes.
- We cannot read your direct messages — they are end-to-end encrypted and we only store ciphertext.
4. How we protect your data
- Data is stored on servers operated by Hetzner Online GmbH, headquartered in Nürnberg, Germany. All infrastructure is located within the European Union.
- Access is restricted to authorised team members only.
- IP addresses used for analytics and consent logging are stored as non-reversible SHA-256 hashes, not raw values.
- Direct messages are protected with end-to-end encryption (ECDH P-256 key exchange + AES-GCM). Only the sender and recipient can decrypt message content.
- Authentication uses secure, time-limited one-time codes sent to your email — no passwords are ever stored or transmitted.
- Uploaded images are validated, stripped of metadata, and processed server-side before storage to prevent malicious file uploads.
5. Cookies
- Authentication cookie — a signed JWT (JSON Web Token) cookie keeps you signed in. This is strictly necessary for the service to function and does not track you.
- Consent cookie — records your cookie preference (accept or decline analytics) in your browser's local storage.
- Analytics cookies — only set after you explicitly accept them via our consent banner. No tracking cookies or advertising cookies are used.
6. Third-party services
We use a minimal number of third-party services to operate agidion:
- Hosting — our servers are hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Application servers are located in Nürnberg, Germany.
- Object storage — uploaded images and media files are stored on Hetzner Object Storage (EU-based, Nürnberg data centre). Only the files you explicitly upload are stored there.
- Email delivery — we use Apple iCloud SMTP to send authentication codes and transactional emails. Your email address is shared with this provider solely for delivery purposes.
We do not use any third-party advertising, tracking, or social media integration services.
7. Data retention
- Account data — retained for as long as your account is active. Permanently deleted within 30 days of an account deletion request.
- Posts, comments, and social content — retained until you delete them or request account deletion.
- Uploaded images and media — retained until you delete the associated post/story/profile, or upon account deletion.
- Encrypted messages — stored as encrypted ciphertext until deleted by participants or upon account deletion.
- Analytics data — stored in anonymised, aggregated form with no personal identifiers.
- Newsletter subscription — retained until you unsubscribe. Unsubscribing does not delete your account.
- ToS acceptance record — retained for as long as your account is active as a legal record of consent.
8. Your rights (GDPR)
- Access — request a copy of your data at any time by contacting us.
- Deletion — ask us to delete your data (within 30 days) or delete your account directly from your profile settings.
- Correction — update incorrect data from your profile settings or contact us.
- Portability — request your data in a structured, machine-readable format.
- Withdrawal — unsubscribe from the newsletter at any time via the link in any email we send.
- Objection / restriction — contact us to restrict or object to specific processing of your data.
9. Legal basis for processing
- Contract performance — processing necessary to provide the service (account, posts, messaging).
- Legitimate interests — anonymous analytics and security logging.
- Consent — newsletter emails and optional analytics cookies, both freely given and withdrawable at any time.
- Legal obligation — ToS acceptance records and consent logs for GDPR compliance.
10. Children's privacy
agidion is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to this policy
If we update this policy, we'll change the date above and notify registered users via email for material changes.
12. Contact
Questions or requests: support@agidion.com
— The agidion team