Privacy Policy

Table of Contents

• What we collect
  • Account info
  • Your content
  • Analytics
  • Newsletter subscribers
  • Billing
• What we DON'T collect
• Cookies
• Third parties
• Your rights
• Security
• Changes to this policy
• Contact

What we collect

Account info

When you sign up, we collect your username, email address, and password (stored as a salted hash — we never see your actual password). Optionally: your bio, favicon, and page content.

We also store your last login IP (for security), failed login attempts (for brute-force protection), and account timestamps.

Your content

Everything you create: articles (stored as Markdown), uploaded images (auto-converted to WebP, 10 MB max), and comments.

Analytics

We take a privacy-first approach. When someone visits a Pluma blog, we record:

• A daily anonymous hash — SHA-256 of the visitor's IP + today's date + a server secret. This changes daily, can't be reversed, and can't track anyone across days.
• Country — looked up server-side via IP-API, then the IP is discarded. Only the country name is stored.
• Device type (mobile/tablet/desktop) and browser family (Chrome, Firefox, etc.) — from the User-Agent header, which is not stored.
• Referrer hostname — just the domain, not the full URL.

No cookies are used for analytics. No individual visitor is identifiable, even by us.

Newsletter subscribers

If a reader subscribes to your newsletter: their email address, subscription date, and an unsubscribe token. That's it.

Billing

Your subscription plan and Stripe customer ID. We never store your card number, CVV, or bank details — Stripe handles all of that directly.

---

What we DON'T collect

• No raw IP addresses in analytics (only irreversible hashes)
• No payment card data (Stripe handles it)
• No tracking cookies or advertising pixels
• No Google Analytics or third-party analytics scripts
• No fingerprinting or cross-site tracking
• No data purchased from brokers

---

Cookies

We set exactly three cookies:

Cookie	Purpose	Duration
pluma_session	Keeps you logged in across subdomains	14 days
csrftoken	Protects against cross-site request forgery	Session
pluma-theme	Remembers your dark/light mode preference	1 year

All are strictly necessary or preference-based. No consent banner needed — there's nothing to consent to.

---

Third parties

We use a small number of services to run Pluma:

Service	What they get	Why
Stripe (stripe.com)	Your email, plan info, payment details you enter on their page	Payment processing
Brevo (brevo.com)	Recipient email, subject, body	Sending transactional emails and newsletters
IP-API (ip-api.com)	Visitor IP address (transiently)	Country lookup for analytics — IP is not stored
CDNs (jsdelivr, Cloudflare, Google Fonts)	Your IP + browser info via standard HTTP requests	Serving JavaScript libraries and fonts

We don't sell, rent, or trade your data. We may disclose information if required by law.

---

Your rights

You have control over your data:

• Access & edit — your profile, articles, and settings are all editable in the app.
• Export — download your articles in Markdown via the bulk export feature.
• Delete content — delete individual articles or comments anytime.
• Delete your account — delete your account instantly from your settings page. All your data is removed immediately.
• Object or restrict — contact us if you have concerns about how we process your data.

We won't discriminate against you for exercising your rights.

---

Security

• HTTPS everywhere with HSTS enabled
• Passwords hashed with PBKDF2 + unique salt per user
• CSRF protection on all forms and API endpoints
• Rate limiting on every endpoint
• Brute-force protection — accounts lock after 5 failed login attempts
• Secure cookies — HttpOnly, Secure, appropriate SameSite flags

No system is 100% secure. If we discover a breach affecting your data, we'll notify you as required by law.

---

Changes to this policy

If we make significant changes to how we handle your data, we'll email you at least 30 days before they take effect.

Your continued use of Pluma after changes take effect means you accept them. If you disagree, you can delete your account.

---

Contact

support@pluma.ink — for everything, including privacy requests.

If you're in the EU and want to complain to a regulator, you can find your local Data Protection Authority at edpb.europa.eu.

---

Last updated February 10, 2026.