Privacy Policy

Last updated: February 2026 · Draft — pending legal review

The short version

Sally Forth! was designed so we don’t have your personal data in the first place. Our database contains random identifiers, not people. We don’t track your location. We don’t sell anything. Your credentials belong to you.

What we collect

Authentication: Handled by Clerk (clerk.com). They may collect your email and login credentials. We receive only a random identifier confirming you’re logged in. We don’t store your name, email, or phone number.

Location: When you check in, your GPS confirms you’re within range. Coordinates are reduced in precision before storage. We don’t maintain a location history — no tracking, no movement logs.

Credentials: We store the signed credential, a random account ID, the associated quest, and a timestamp. Credentials contain an anonymous, irreversible identifier — not your real identity.

What we don’t collect

Names, emails, phone numbers, device IDs, browser fingerprints, browsing behavior, social connections, biometric data, or payment information.

How we protect your data

Identity is pseudonymized — random IDs, not real names
Credentials use irreversible hashes, not account IDs
Row-level security isolates each user’s data at the database level
All data encrypted in transit (HTTPS/TLS)
Signing keys stored in secure environment variables

Your rights

View all your credentials in your wallet at any time
Export your credentials in standard Quest Protocol format
Request deletion of your account and data
Stop using Sally Forth! at any time — no marketing, no data collection to opt out of

Service providers

Provider	Purpose	Certifications
Clerk	Authentication	SOC 2 Type II, HIPAA
Neon	Database	SOC 2 Type II, ISO 27001
Vercel	Hosting	SOC 2 Type 2

Children’s privacy

Sally Forth! is not directed at children under 13. For educational use involving minors over 13, our architecture (no personal data, anonymous credentials, no tracking) is designed to minimize privacy concerns.