Privacy Policy

Last updated: April 24, 2026

Summary, in plain English

We run a curated directory of adult creators. We do not require accounts, do not host any of the linked content, and do not sell or share your data with advertisers. When you visit the site or tap a creator card, we record your IP address, country code (from our CDN), user-agent string, and the referring page, along with a salted hash of your IP used internally for rate limiting. There are no third-party tracking cookies on the public site.

1. Information we collect

a. Click and impression events

When a creator's card is shown to you on the home page, or when you tap a card, we record:

  • A timestamp (UTC).
  • Country, derived from a header our CDN attaches at the edge.
  • Your user-agent string (sent by your browser).
  • The HTTP Referer header (the URL of the page that linked to us, if any).
  • Your IP address. We use it for security, abuse prevention, geographic analytics, and to operate the rate limits that stop refresh-spam from inflating click and impression counts.
  • A SHA-256 hash of your IP address combined with a site-secret salt, derived from the IP for use as a fast, stable comparison key in our internal rate-limit windows.
  • The creator whose card was shown or tapped.

b. Cookies

The public Site sets a single cookie:

  • cnd_age_verified — set when you confirm you are 18+ on the age gate. HttpOnly, Secure in production, SameSite=Lax, 30-day lifetime. Used only to suppress the age gate on subsequent visits.

When an administrator signs in to /admin, our authentication provider (Supabase Auth) sets standard session cookies on the admin path. Those cookies are not used by, and are not set on, public-facing pages.

c. Analytics

We use Vercel Web Analytics and Vercel Speed Insights, which collect aggregate, cookie-less, anonymized data about page views and Core Web Vitals. Vercel does not assign persistent identifiers to visitors for these products.

2. Information we do not collect

  • We do not collect your name, email address, phone number, payment information, or any other directly identifying information from public visitors.
  • We do not use third-party advertising trackers, retargeting pixels, or social-media SDKs on the public Site.
  • We do not knowingly collect data from anyone under 18.

3. How we use information

We use the data in Section 1 to:

  • Direct you to the creator's page when you tap a card.
  • Compute aggregate analytics (clicks today, last 7 days, top performers, geographic distribution) so we and the listed creators can understand interest.
  • Detect and limit abuse — bot traffic, click flooding, and similar — including by enforcing a 60-second per-source rate limit.
  • Diagnose and fix Site reliability and performance issues.

We do not use this data to build advertising profiles, do not sell or rent it, and do not share it with anyone except as described in Section 5.

4. Legal bases for processing (GDPR)

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar law, we rely on the following legal bases:

  • Legitimate interests — for click analytics, fraud and abuse prevention, and Site performance monitoring. We've assessed that those interests are not overridden by your rights, given the limited and pseudonymized nature of the data.
  • Consent — for the age-verification cookie, set only after you confirm on the age gate.
  • Legal obligation — to respond to lawful requests, takedown notices, and similar.

5. Sharing and service providers

We share data only with the providers we use to operate the Site:

  • Supabase — database and authentication hosting. Click events, creator records, and admin auth state are stored in our Supabase project. Supabase privacy policy.
  • Vercel — application hosting, edge network, and the analytics products mentioned above. Standard request logs (status codes, latency, sanitized URL paths) are processed by Vercel for reliability. Vercel privacy policy.

Both providers act as our processors / sub-processors and are contractually bound to handle data only on our instructions.

We will additionally disclose data when required by valid legal process (subpoena, court order) or when necessary to investigate and respond to suspected fraud, abuse, or threats to safety.

6. Outbound links

When you tap a creator card we redirect you to that creator's tracking URL on a third-party platform. Once you leave our Site, the destination's privacy policy applies. We do not control, see, or receive whatever data the destination collects from you.

7. Data retention

  • Click and impression events — retained for as long as we consider necessary for analytics, abuse detection, security, and operational purposes. We may keep this information indefinitely.
  • Age-verification cookie — 30 days from when you confirm.
  • Admin auth records — retained for the life of the administrator account, then deleted.
  • Server logs at Vercel — retained per their standard log policy (typically a small number of days).

8. International transfers

Our infrastructure is hosted in the United States (Supabase region us-east-2; Vercel region iad1). If you access the Site from outside the U.S., the data described above will be processed in the U.S. We rely on appropriate safeguards (such as Standard Contractual Clauses with our processors) where applicable.

9. Your choices and rights

Because we do not collect directly identifying information from public visitors, our ability to respond to individual data-subject requests is limited — there is generally no record we can link to you. Where we can:

  • Access and deletion — if you can give us enough information to identify the relevant click record (for example, the exact timestamp, country, and creator), we will make a reasonable effort to locate and delete it.
  • Cookies — you can clear the age-verification cookie at any time through your browser settings; the gate will reappear on your next visit.
  • Do Not Track / Global Privacy Control — we honor GPC signals by limiting our processing to what is strictly necessary to deliver the Site (we already do not run advertising or cross-site tracking, so the practical effect is unchanged).

If you are a resident of California, the EEA, the UK, or another jurisdiction with specific privacy laws, you may have additional rights — including the right to know, the right to correct, the right to delete, the right to opt out of sales (we do not sell), and the right to non-discrimination. To exercise any of these, contact us using the address in Section 13.

10. Children's privacy

The Site is for adults only and is not directed to children. We do not knowingly collect personal information from anyone under 18 (or under the age of legal adulthood in your jurisdiction, if higher). If you believe a minor has provided information through the Site, contact us and we will delete it promptly.

11. Data security

We protect data with industry-standard measures, including transport-layer encryption (HTTPS), strict server-side access controls, environment-isolated secrets, salted hashing of IP addresses, and Supabase row-level security policies that prevent the public from reading the click table. No system is perfectly secure, however; you use the Site at your own risk.

12. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent version. Material changes will be communicated via a notice on the Site for a reasonable period before taking effect.

13. Contact

For privacy questions, deletion requests, or to invoke any right described above:

Creators Next Door
Email: legal@creatorsnextdoor.com