Privacy Policy

Effective date: April 4, 2026 · Last updated: April 4, 2026

1. Who We Are

The Human Network (thehumannetwork.social) is operated by Alexander McIndoe, a sole proprietor based in Washington State, United States. In this policy, "we," "us," and "our" refer to Alexander McIndoe and The Human Network platform.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Your name and email address, provided by your OAuth sign-in provider (Google or Apple).
  • A display name and handle you choose during onboarding.
  • An optional bio (up to 160 characters) and profile picture.
  • Your OAuth provider ID, used to link your account to your sign-in method.
  • If you use Apple's private relay email, we note that your email is a relay address.

2.2 WebAuthn / Passkey Credentials

The Human Network uses WebAuthn passkeys (FaceID, TouchID, or device PIN) to verify high-impact actions like posting and sending messages. Your biometric data (fingerprint, face scan, PIN) never leaves your device and is never transmitted to our servers. We store only:

  • A credential ID (a public identifier for your passkey).
  • A public key (used to verify signatures — not your private key).
  • A counter (to prevent replay attacks).
  • A transport type (e.g., "internal" for on-device biometrics).

2.3 Content You Create

We store the content you create on the platform, including:

  • Posts, replies, and reposts (text content up to 2,000 characters).
  • Images you upload (stored in AWS S3, max 5 MB, formats: JPG, PNG, WebP, GIF, HEIC).
  • Likes, reposts, and other interactions with posts.
  • AI-content flags (when you flag a post as potentially AI-generated, along with your stated reason).
  • Reports you file against content (your report reason and timestamp).

2.4 Social Graph & Preferences

  • Who you follow and block.
  • Which topics you subscribe to.
  • Your reply policy (who can reply to your posts).
  • Your DM policy (who can send you direct messages: everyone, followers, mutuals, or nobody).
  • Your visibility preference for AI-flagged content (show all, show less, or hide).

2.5 Direct Messages

Direct messages are stored for 30 days in our database, after which they are automatically deleted. Before deletion, messages are archived to cold storage (AWS S3) where they are retained for up to 1 year, then permanently purged. Message metadata includes: sender, recipient, timestamp, and conversation ID.

2.6 Notifications

Notifications (e.g., "someone liked your post") are stored for 30 days, then automatically deleted. We track the last time you viewed your notifications to calculate your unread count.

2.7 Analytics & Technical Data

We collect limited analytics to improve the platform:

  • Custom usage events (e.g., feature interactions, share events via native share or clipboard).
  • Your IP address, recorded with analytics events.
  • A server-side timestamp for each event.

Analytics events are batched and stored in AWS S3. Analytics data is retained for up to 1 year, then permanently purged.

We do not collect: device fingerprints, user agent strings, screen dimensions, browser type, geolocation, GPS coordinates, or any device identifiers (AAID, IDFA, etc.).

2.8 Moderation & Safety Data

  • Reports filed against content (reporter ID, reason, timestamp). Posts receiving 5 or more reports are flagged for review.
  • Ban records: if your account or email is banned, we store the ban expiration date and reason.
  • Admin review of public actions: platform administrators may review your publicly visible activity — including posts you have written, likes you have given, accounts you follow, and reposts you have made — for the purpose of enforcing our Terms of Service and community guidelines. Administrators cannot access your private messages, search history, or browsing behaviour. All administrative actions (bans, content removal) are permanently logged in an audit trail for accountability.

3. How We Use Your Information

  • To operate the platform: display your profile, deliver your feed, route messages and notifications.
  • To personalise your experience: curate your feed based on who and what you follow.
  • To protect the community: enforce our Terms of Service, process reports, administer bans, and review publicly visible user activity for moderation purposes.
  • To improve the product: analyse aggregated, anonymised usage patterns.
  • To communicate with you: we intend to send transactional emails (e.g., security alerts) in the future, but this capability is not yet implemented.

4. What We Do Not Do

  • We do not sell, rent, or trade your personal data to any third party.
  • We do not serve advertisements of any kind.
  • We do not use your content to train AI or machine learning models.
  • We do not use third-party tracking cookies, advertising pixels, or analytics services (no Google Analytics, no Mixpanel, no Segment).
  • We do not collect or store passwords. Authentication is handled entirely through OAuth providers and WebAuthn passkeys.
  • We do not track your search queries, profile views, or browsing patterns. We have no internal analytics on which profiles you visit, what you search for, or how long you spend reading posts.
  • We do not build behavioural profiles or shadow profiles. The only data we hold about you is what you explicitly provide (profile info) and what you publicly do (posts, likes, follows).

5. Third-Party Services

We rely on the following third-party services to operate the platform:

  • Amazon Web Services (AWS) — infrastructure, data storage (DynamoDB, S3), serverless compute (Lambda), message queuing (SQS), and content delivery (CloudFront). Data is stored in the United States.
  • Google OAuth — authentication provider. When you sign in with Google, Google shares your name and email with us per their privacy policy.
  • Apple OAuth — authentication provider. When you sign in with Apple, Apple shares your name and email (or a private relay address) with us per their privacy policy.
  • Cloudflare — bot protection (Turnstile) during account setup. Cloudflare may process your IP address and browser challenge data per their privacy policy.

We may integrate additional third-party services in the future to improve the platform. If we do, we will update this policy accordingly. We do not share your personal data with third parties for their own marketing or advertising purposes.

6. Cookies

We use a single essential session cookie to keep you signed in. This cookie is HTTP-only, encrypted, and expires after 30 days. We do not use third-party cookies, tracking cookies, or advertising cookies. No cookie banner is required because we only use strictly necessary cookies.

7. Data Storage & Security

  • All data is stored in AWS infrastructure within the United States.
  • All data is encrypted in transit (TLS/HTTPS) and at rest (AWS-managed encryption).
  • Authentication uses OAuth 2.0 and WebAuthn — we never store passwords.
  • Session tokens are stored in encrypted, HTTP-only cookies that cannot be accessed by JavaScript.
  • High-impact actions (posting, messaging, deleting) require biometric re-verification via WebAuthn.
  • All mutation endpoints are rate-limited to prevent abuse.

8. Data Retention

DataRetention
Account & profileUntil you delete your account
Posts, replies, likes, repostsUntil you delete them or your account
Direct messages (in-app)30 days, then auto-deleted
Direct message archivesUp to 1 year, then permanently purged
Notifications30 days, then auto-deleted
Analytics eventsUp to 1 year, then permanently purged
Media uploads (images)Until you delete them or your account
WebAuthn credentialsUntil you remove them or your account
Ban recordsUntil ban expiration
Rate-limit countersApproximately 5 minutes (ephemeral)

9. Your Rights

9.1 Account Deletion

Self-service account deletion is coming soon. In the meantime, you can request account deletion by emailing legal@thehumannetwork.social. Upon deletion, we will remove your personal data within 30 days. Anonymised, aggregated analytics data may persist until its 1-year retention period expires.

9.2 Data Export

You may request a copy of your data by emailing legal@thehumannetwork.social. We will provide your data in a machine-readable format within 30 days of your request.

9.3 Content Deletion

You can delete your own posts and media at any time through the platform. Deleted posts are replaced with a tombstone record and are no longer visible to other users.

10. Age Requirement

The Human Network is intended for users aged 18 and older. By creating an account, you represent that you are at least 18 years old. We do not knowingly collect information from anyone under 18. If we learn that a user is under 18, we will terminate their account and delete their data.

11. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you by posting a prominent notice on the platform. Your continued use of The Human Network after changes are posted constitutes acceptance of the updated policy.

12. Contact

Questions or concerns about this privacy policy? Contact us at legal@thehumannetwork.social.