Privacy Policy

1. Who we are

The Sunset Ink is an independent long-form publication. The Service is operated as a single-developer project; details of the operating entity, jurisdiction, and registered address will be added to this section once finalised. When we say "we," "us," or "The Sunset Ink," we mean the operator of the Service.

2. Information we collect

a. Information you provide

• Reader accounts. When you register as a reader, we store your email address and display name. Reader sign-in is passwordless - at each cold sign-in we mail you a six-digit one-time code, so no reader password is stored in our database. If you sign in with Google instead, we store a reference to your Google identity in place of the email-OTP flow.
• Author accounts. Authors join by invitation. We store the invited email address, the display name and pen-name (handle) you set during activation, and any profile fields you fill in (bio, avatar, social links). Author sign-in is also passwordless (one-time code at each cold sign-in).
• Articles and columns. Content you submit as an author - drafts, published articles, columns, taxonomy selections, and the editorial-notes thread between you and the editors.
• Saved items and reading groups. If you save an article to your library or organise it into a reading group, we store that mapping privately against your account.
• Content reports. If you report a published article, we store the article you reported, the reason you selected (e.g. misleading, spam, harmful, plagiarism, low quality, other), the optional free-form note you typed (up to 1,000 characters), and a reference to your account. Reports are visible only to our editors - see section 6.
• Communications. Any messages you send via the contact form or by email are retained so we can respond and improve the Service.

b. Information collected automatically

• Log data. Standard server logs including IP address, browser type, the pages you request, and the time of the request. Used for security, abuse prevention, and rate limiting.
• Cookies and local storage. See the Cookie Policy for the complete list, scope, and expiry of every cookie and storage entry the Service uses.
• Aggregate analytics. If a privacy-respecting (cookieless) analytics provider is in use on the Service, this section will be expanded to name the provider and the data they receive.

3. How we use your information

• To create and maintain your account and keep you signed in across the apex, authors, and admin surfaces.
• To send essential service emails - one-time sign-in codes (OTPs) for readers and authors, password-reset links for administrators, account-management notifications, and (for authors) editorial-status updates.
• To run the editorial workflow - submission, review, publication, and revision of articles and columns.
• To present your published author profile, articles, and columns on the public Service when you choose to publish.
• To review reader-submitted content reports and take editorial action where appropriate, including removing a published article from public view ("taking down") or restoring it.
• To detect, prevent, and respond to abuse, spam, fraud, and security incidents.
• To comply with legal obligations.

We do not use your data for targeted advertising. We do not build individual interest profiles. We do not sell, rent, or trade your personal information.

4. Cookies and local storage

The Sunset Ink uses only strictly-necessary cookies and local-storage entries - those required for the Service to function (authentication state, cookie-banner acknowledgement). Because no non-essential cookies are set, we do not require separate opt-in consent. For the full list, see the Cookie Policy.

5. Third-party services

We use a small number of third-party services to operate the Service. Each is listed below with the data shared and the provider's role:

• MongoDB Atlas (database hosting). Reader and author account data, articles, columns, and library mappings are stored in a MongoDB Atlas cluster. See MongoDB's Privacy Policy.
• Resend (transactional email). We use Resend to deliver one-time sign-in codes, administrator password-reset links, editorial notifications, and account-management notices. During beta, outbound emails are sent from an @theonlinereader.com address pending domain-verification of thesunsetink.com. See Resend's Privacy Policy.
• Google (OAuth sign-in). If you choose to sign in with Google, your browser is redirected to Google to authenticate. We receive your email address and display name. See Google's Privacy Policy.
• Cloudflare (CDN and security). Cloudflare may sit in front of the Service as a CDN and DDoS-mitigation layer; in that role it processes your IP address and request headers as a regular network proxy. See Cloudflare's Privacy Policy.

6. How we share your information

We do not sell, rent, or trade your personal information. We share it only in the following circumstances:

• With service providers listed in section 5, strictly to operate the Service.
• Published content. When an author chooses to publish an article or column, the content, the author's display name and pen-name, and the editorial metadata they have made public become accessible to anyone who visits the published URL.
• Content reports stay between you and our editors. If you report a published article, your identity and the contents of your report are visible only to our editors during review. The author of the reported article does not see who reported them, the reason you selected, or the note you wrote.
• For legal reasons - when required by law, court order, or to protect the rights, property, or safety of the Service, our users, or the public.
• In a business transfer - if we are ever involved in a merger, acquisition, or sale of assets, we will notify you of any such change of ownership.
• With your consent - for any other purpose, only with your explicit consent.

7. Data retention & account deletion

• Account deletion is two-phase. When you request deletion of your account from your profile, your account enters a 30-day grace period during which the deletion can be cancelled. During the final two days of the grace period, cancellation is locked to prevent last-minute reversal of a confirmed intention. At day 31, your account and the personal data associated with it are permanently removed.
• Reader cascade. When a reader account is permanently deleted, the saved-items library, reading groups, and account profile data are removed. Content reports you previously filed are retained as part of the editorial-audit record, but the link to your deleted account is dropped from our user interfaces - your past reports will appear to editors as filed by an unknown reader. If you would like past reports affirmatively scrubbed instead, request that under your deletion right (section 8).
• Author cascade. When an author account is permanently deleted, the author's profile, all their drafts and unpublished articles and columns, and (per the Contributor Agreement) their published articles and columns are removed as well. Published articles may be retained in anonymised form where required for audit or legal record-keeping.
• Server logs are retained for up to 90 days for security and abuse-prevention purposes, then rotated or deleted.

8. Your rights and choices

Depending on your location, you may have some or all of the following rights with respect to your personal information:

• Access. View your account data from your profile page. For anything not visible there, request a copy by emailing us.
• Correction. Update inaccurate information from your profile page, or request a correction by emailing us.
• Deletion. Delete your account from your profile page; deletion follows the two-phase process described in section 7. You may also request deletion by emailing us.
• Restriction or objection. Ask us to restrict or stop processing your data in certain circumstances by emailing us.
• Data portability. Request a machine-readable copy of the data you have provided.
• Withdraw consent. Where processing is based on consent, withdraw it at any time without affecting prior processing.
• Lodge a complaint. EU / UK users may complain to their local data-protection authority.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

9. Data security

We protect your data with industry-standard practices: HTTPS for all traffic in transit; JWTs stored in HttpOnly cookies that cannot be read by client-side JavaScript; cookies scoped host-only to each surface (apex / authors / admin) so a token from one surface cannot leak to another; reader and author sign-in is passwordless (one-time codes), so no reader or author password is stored; administrator passwords (used only by site administrators, who additionally require multi-factor authentication) are stored only as bcrypt hashes; rate-limiting on authentication and reporting endpoints; and access controls on internal services. No system is perfectly secure, however, and we cannot guarantee absolute security.

10. Children's privacy

You must be at least 13 years old to use the Service. If you live in a country where the age of digital consent is higher than 13 (16 in most EU countries), you must have the consent of a parent or guardian if you are below that age. Age is self-declared at registration. If you become aware that someone below the applicable age has registered, please contact us and we will remove the account.

11. International data transfers

Our service providers (MongoDB Atlas, Resend, Google, Cloudflare) operate across multiple jurisdictions. By using the Service, you understand that your information may be transferred to and processed in countries other than your own. Where required by law, we rely on appropriate safeguards such as Standard Contractual Clauses.

12. Changes to this Privacy Policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes that affect your rights, we will provide a more prominent notice - via email or an in-app announcement - at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

13. Contact us

Questions, comments, or requests regarding this Privacy Policy? Email us at [email protected], or use the contact form.