Privacy Policy

April 27, 2025

This Privacy Policy explains how R34.net (“we”, “our”, “us”) collects, uses, and protects your information when you use our website (“the App”).

1. Information We Collect

We collect only the minimum information necessary to provide and secure the App. No email addresses or real names are required to use our service.

Account Information

  • Username and display name
  • Password hash (securely hashed with Argon2id)
  • Encrypted TOTP secret (if you enable one-time passwords “OTPs”)
  • Google ID and name (when using Google OAuth)

Profile Data

  • Avatar URL, cover URL
  • Bio
  • Website
  • Blacklist

Usage & Security Data

  • Sessions (managed by encrypted session cookies)
  • Premium expiration date, gems
  • Reputation, likes count, following count, followers count
  • Like “created at” timestamp

Analytics Data

  • We use a cookieless web analytics service
  • It is operated on our own servers
  • It does not create persistent identifiers

⚠️ XOR IP-Fingerprint

We briefly see your IP address from request headers, but we never store it. We just create an anonymized, irreversible fingerprint from it to help with rate-limiting and spotting unusual login attempts. See how it works:

1.1 How We Handle Your IP Address (Without Really Handling Your IP)

“Wait… you're saying this is a privacy-first app—so how do you even know if someone's logging into my account from an unusual place?” 💬

TL;DR: You Stay Safe, Your IP Stays Hidden

  • We don't store your IP address.
  • We don't hash it, because that's still risky.
  • Instead, we use a privacy-respecting fingerprint based on XOR that can't be reverse-engineered.
  • It's incredibly effective at spotting unusual logins—without compromising your privacy.
  • Even if someone leaked our entire database, your IP is still unknown, safe, and untraceable.

Most apps track your IP address directly, often storing it in full or as a hash. That's risky, and we don't like it. Instead, we've built a system that lets us spot suspicious logins without ever knowing or storing your actual IP address. Sound too good to be true? Let us explain.

Why Hashing Isn't the Privacy Hero It Seems to Be

You've probably heard that hashing is a secure way to store things. And that's mostly true — for passwords. But for IP addresses, it's not ideal in privacy-sensitive apps. IP addresses are limited. There are only about 4.3 billion IPv4 addresses out there. That means a hacker who steals a database of hashed IPs can just generate a hash for every single one of those 4.3 billion IPs, compare the hashes, and boom—they can figure out exactly which IP belongs to which user. This process is called a preimage attack, and it's totally feasible for IPs due to the small space of possibilities.

This is why even hashed IPs are considered personal data under laws like GDPR and similar regulations in the U.S. They're technically reversible.

So What Do We Do Instead?

We use a technique called XOR fingerprinting. It's simple, smart, and extremely privacy-friendly. Every IP address is made of four numbers (called octets), like 192.1.192.1. We split it in half: the first two numbers and the last two. Then we apply a bitwise operation called XOR (pronounced “ex-or”) between the halves. Without going full nerd-mode, XOR compares each bit and says: “Are these different? If yes, mark it down.”

The result (that we store) is a small number between 0 and 65,535. Think of it as a fuzzy fingerprint—lots of IPs can produce the same result, but that's exactly the point.

Why This is Great for Privacy and Security

Because many IPs can produce the same fingerprint, there's no way to reverse-engineer the original IP from the fingerprint alone. Even if someone dumped our database, they'd only see a sea of these fuzzy little fingerprints, and there's no way to tell which IP they originally came from.

“But doesn't that make your detection worse?” - Not really.

Let's say you usually log in from your home network. That gives us 1 known XOR fingerprint. Now someone tries to break into your account from a totally new IP. What's the chance that this attacker's IP produces a collision—a fingerprint that matches yours? The chance of a collision is 1 in 65,536. That means our system will catch 99.9985% of unusual logins, even though it has no idea what your IP actually is. And the attacker? They get no clues about your location or devices.
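The fingerprint and login check described in section 1.1, as an added Python example that is not R34.net's own code. It assumes IPv4 only, that the two halves are the upper and lower 16 bits of the address, and that a new login's address is uniformly random; all function names are hypothetical.

```python
import ipaddress

FP_SPACE = 1 << 16  # fingerprints range over 0..65535


def xor_fingerprint(ip: str) -> int:
    """First two octets XOR last two octets, as a 16-bit number."""
    value = int(ipaddress.IPv4Address(ip))  # raises ValueError on IPv6 or junk
    return (value >> 16) ^ (value & 0xFFFF)


def preimages(fp: int):
    """Yield every IPv4 address sharing fingerprint fp.

    For each possible upper half `hi` there is exactly one lower half,
    hi ^ fp, that produces fp, so each fingerprint has 65,536 preimages.
    """
    for hi in range(FP_SPACE):
        yield ipaddress.IPv4Address((hi << 16) | (hi ^ fp))


def is_unusual_login(known_fps: set, ip: str) -> bool:
    """Flag a login whose fingerprint was never seen for this account."""
    return xor_fingerprint(ip) not in known_fps


def detection_rate(known_count: int) -> float:
    """Fraction of uniformly random addresses that get flagged when the
    account has known_count distinct stored fingerprints."""
    return 1 - known_count / FP_SPACE


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not real users.
    home = "203.0.113.7"
    known = {xor_fingerprint(home)}
    print("stored fingerprint:", xor_fingerprint(home))
    print("addresses sharing it:", sum(1 for _ in preimages(xor_fingerprint(home))))
    print("new address flagged:", is_unusual_login(known, "198.51.100.20"))
    print(f"detection rate: {100 * detection_rate(len(known)):.4f}%")
```

The detection rate falls as an account accumulates more stored fingerprints, since each one adds another value a new address can match.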

2. How We Use Your Data

  • Authentication & Account Management: to log you in, secure your session, and support optional OTP codes.
  • Security & Abuse Prevention: to detect suspicious activity, rate‑limit requests, and protect the App.
  • Service Personalization: to maintain your blacklist, profile, and preferences.
  • Feature Usage & Analytics: to understand how the App is used and improve performance and functionality.
  • In-app currency (gems) operations: to reconcile balances, premium expirations, and related transactions.

3. Legal Basis for Processing

  • Performance of a contract: processing account data and executing user‑initiated operations (e.g., following, liking).
  • Legitimate interests: securing the service (rate‑limiting, fraud detection), analytics, and personalization (storing preferences).
  • Consent (where required): cookies used by our authentication and bot‑detection services are necessary for core functionality and do not require consent under GDPR.

4. Data Retention

We retain your account and profile data for as long as your account exists. You may request deletion at any time.

5. Data Sharing & Transfers

We do not sell, trade, or otherwise provide your personal data to third parties. We use internal services to process some data.

  • Cookieless web analytics: operated on our own servers, without persistent identifiers.
  • Session cookie-based authentication: performed securely on our own infrastructure.
  • Cloudflare (bot‑detection via Turnstile, WAF, rate‑limiting)
  • Google (OAuth authentication)

6. Know Your Rights

Under the GDPR or similar regulations, you have the right to:

  • Access your personal data
  • Rectify inaccurate or incomplete data
  • Erase your data (“Right to be forgotten”)
  • Restrict processing under certain conditions
  • Object to processing based on legitimate interests
  • Data portability to receive your data in a structured, machine‑readable format
  • Withdraw consent at any time (where processing is based on consent)

To exercise any of these rights, please contact us at [email protected].

7. Security Measures

We implement industry‑standard measures to protect your data:

  • Encryption in transit (TLS) and at rest where applicable
  • Passwords and other secrets hashed with Argon2id
  • Encrypted session cookies for secure session management
  • Secure configuration of Cloudflare services

While we strive to protect your data, no system is 100% secure.

8. Cookies & Similar Technologies

These are essential for the App's core functionality and security.

  • Session Cookies: used to maintain your login state securely
  • Turnstile Cookies: used by Cloudflare to detect bots and prevent abuse
  • Analytics: cookies are not used and no personal data is collected. There are no persistent identifiers.

9. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Continued use after updates constitutes acceptance of the new policy.

10. Contact & Complaints

If you have any concerns or complaints about our processing of your data, please contact us at [email protected].

For questions or concerns, contact us at [email protected]. 💬