Privacy policy

Plain-language. What we collect, what we don't, and exactly when anything is revealed.

What we ask you for

Email and password — only for login. Password stored as PBKDF2-SHA256 (100,000 iterations, 16-byte salt).
Display name — shown only on a match reveal. Not searchable.
Three kids numbers — kids you have, kids not yours you'll support, kids you want total. These are the only matching inputs apart from foot ratings.
A private 1–10 rating bar — never shown to anyone, ever. Used server-side only to compute whether a match can resolve.
A mode toggle — dating on / rating-only. Determines whether you can produce matches.
Foot photos (when that feature ships) — reviewed by humans before becoming visible. Tagged "dating" or "rating-only" and shown only to users in the compatible mode.

What we don't ask

We don't ask for gender, gender preference, race, religion, political affiliation, disability status, sexual orientation, age beyond the 18+ attestation, city, real name, income, employment, family status (other than the three kids numbers), health data, or biometric data. This isn't an oversight — it's a design commitment. The matching mechanic needs none of it.

Ratings and reveals

Every rating you give is private to you until and unless a match resolves. The other person never sees your rating of them if no match happens. If a match resolves (mutual bar clear + kids compatibility), both ratings are shown to the matched pair — the reveal is the point.

Your bar is never revealed, not even on a match. It stays server-side.

Photos

Human-moderated before first appearance anywhere.
Tagged dating (shown to dating-enabled users) or rating-only (shown only to rating-only users) — never cross-mode.
You can delete any photo at any time. Any unresolved ratings on that photo are invalidated immediately.
Photos are stored in Cloudflare R2 (EU/US) with short-lived signed URLs on serve. They aren't publicly linkable.

Deletion

Close your account from the profile page. All photos you uploaded, ratings you gave, and ratings you received are permanently deleted within 30 days.
Display name + kids numbers go with the account immediately.
Audit logs (login timestamps, IP hashes, abuse reports) are retained for 90 days for safety and debugging; they contain no profile data.
Legal holds (active fraud investigation, regulatory request) can delay deletion for that specific account; we'll tell you if that applies.

Cookies

One cookie only: fon_session. HttpOnly, Secure, SameSite=Lax, 30-day expiry. It carries a signed JWT identifying your user ID. No advertising cookies. No analytics cookies. No third-party trackers embedded on page.

Third parties

Cloudflare — hosts the site, serves the API, stores the database (D1) and photos (R2). Standard cloud processor agreement.
No ad networks, no analytics SDKs, no pixel trackers. Zero.

Reports and contact

Use the feedback panel (bottom-right corner of any page) for bugs, harassment reports, or privacy questions. The panel posts to a secured endpoint; reports are answered within 24 hours.

Changes

Material changes trigger an in-app notice + email to active accounts. You can always close the account if you don't accept a change.