Last updated: March 2026
1. Who we are
The operator of Reboound ("we", "us", "our") is the entity identified on our Imprint page. That page lists how to reach us for privacy questions.
2. Scope
This Privacy Policy describes how we process personal data when you use Reboound's websites and services (the "Service"). It should be read together with our Terms of Service and Cookie Policy.
3. Data we collect
3.1 Account and profile
- Identifiers and contact: email address, username/handle, display name.
- Profile: bio, avatar image (uploaded or linked from a sign-in provider), account status, and timestamps such as account creation.
- Authentication: password hash if you use email/password; session tokens; records of sign-in events and session management.
- Optional onboarding or preference data you provide (for example topics, builder type, or similar fields offered in the product).
3.2 Content and activity
- Posts, comments, reactions, bookmarks, poll votes, and other content you submit.
- Social graph: who you follow, block, or mute; group memberships and join requests; topic follows.
- Notifications: in-app notification records and your notification category preferences.
- Reports and moderation: when you report content or when we act on abuse, we may process related identifiers and descriptions.
3.3 Technical and security data
- IP address, approximate location derived from IP, user agent, request timestamps, and similar technical data from your browser or device.
- Server and application logs for security, debugging, and reliability.
- Rate-limiting and abuse-prevention signals processed through our infrastructure (for example Redis-backed limits in production).
3.4 Communications
- Transactional email delivery and related metadata (for example verification, password reset, security notices) sent via our email provider.
3.5 OAuth sign-in
- If you sign in with Google or GitHub, we receive identifiers and profile information those providers share with us (such as provider user ID, email, name, and profile image URL) according to your settings with the provider.
3.6 Media and link previews
- Images and files you upload are stored with an object-storage provider (S3-compatible or similar), not inside our primary database.
- When posts include URLs, we may fetch public metadata (title, description, image) to show link previews.
4. How we use personal data
We use personal data to:
- Provide and operate the Service (accounts, feeds, posts, groups, search, notifications).
- Authenticate you, maintain sessions, prevent fraud, enforce rate limits, and protect security (including CSRF protections).
- Send transactional messages and respond to your requests.
- Moderate content, investigate reports, and enforce our Terms of Service.
- Improve reliability and product experience, including optional analytics and performance measurement as described in our Cookie Policy.
- Comply with legal obligations and defend our legal rights.
5. Legal bases (EEA/UK and similar jurisdictions)
Where GDPR or similar laws apply, we rely on one or more of: performance of a contract with you; legitimate interests (for example security, abuse prevention, product improvement, and analytics compatible with those interests); consent where required; and legal obligation.
6. Sharing and subprocessors
We do not sell your personal data. We share data with:
- **Service providers** who process data on our instructions, including hosting (for example Vercel), database and infrastructure, email delivery (Resend), object storage, rate limiting (Upstash Redis in production), and analytics or performance tools when enabled (Vercel Analytics, Vercel Speed Insights, and Google Analytics if configured).
- **OAuth providers** (Google, GitHub) according to your use of social sign-in.
- **Other users** as needed for the Service—for example, your public profile, public posts and comments, and interactions visible in the product.
- **Authorities** when required by law or to protect rights, safety, and integrity.
A non-exhaustive list of categories of recipients appears above; specific vendors may change as we operate the Service.
7. International transfers
We may process data in the European Economic Area, the United Kingdom, the United States, and other countries where we or our providers operate. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) for transfers outside your region.
8. Retention
We retain personal data while your account is active and as needed to provide the Service. After account deletion, we remove or anonymise personal identifiers associated with your account. Depending on the deletion option you choose, your posts and comments may remain on the Service attributed to a generic deleted account, or may be removed or hidden as described in the deletion flow.
We may retain certain records longer where required for security, legal compliance, or dispute resolution (for example audit logs or backups for a limited period).
9. Your rights
Depending on your location, you may have the right to access, rectify, delete, restrict, or object to certain processing, and to data portability. You can export a JSON copy of certain account data and request account deletion from your account settings where available. You may also contact us via our Imprint page to exercise rights or ask questions.
You may lodge a complaint with a supervisory authority in your country.
10. Security
We implement technical and organizational measures appropriate to the risk, including encryption in transit, access controls, and secure handling of credentials. No online service is completely secure; we cannot guarantee absolute security.
11. Children
The Service is not directed to children under 13, and we do not knowingly collect personal data from children under 13. If you believe we have collected such data, contact us and we will take appropriate steps.
12. Automated decision-making
We do not use solely automated decision-making that produces legal or similarly significant effects on you. We may use automated signals for security and spam detection.
13. Changes
We may update this Privacy Policy. We will post the new version and revise the "Last updated" date. Where changes are material, we will provide additional notice when reasonable.
14. Contact
Privacy inquiries: use the contact details on our Imprint page.