Privacy Policy
Effective Date: February 28, 2026 · Last Updated: February 28, 2026
Peeld ("we," "us," or "our") is operated by XiPlatform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at peeld.app (the "Service"). Please read this policy carefully. By accessing or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.
1. Information We Collect
1.1 Account Information (Optional)
Creating a Peeld account is entirely optional. If you choose to register, we collect:
- Email address
- Display name and username
- Bio (if provided)
- Password hash (for email-based sign-ups only — we never store plaintext passwords)
- OAuth provider identifier (if signing in via Google or Microsoft)
- Notification preferences
1.2 Peel and Response Data
When you create a "peel" (a set of questions) or respond to one, we collect the content you submit, including text answers, scale ratings, multiple-choice selections, emoji reactions, and rankings. If the peel creator has set a "named" security level, we may collect the respondent name you optionally provide.
1.3 Device and Technical Data
To maintain platform integrity, we collect limited technical data:
- Browser fingerprint hash — A one-way SHA-256 hash generated client-side using the open-source FingerprintJS library. This hash is used solely to prevent duplicate responses from the same browser. We do not store the raw fingerprint; only the irreversible hash is retained.
- IP address hash — A truncated, one-way SHA-256 hash of your IP address (first 16 characters only). This is used for rate-limiting and abuse prevention. We do not store your actual IP address.
1.4 Usage Data
We collect basic usage information to operate and improve the Service, such as pages visited, features used, and interaction timestamps. This data is collected through standard web server logs provided by our hosting provider (Vercel).
1.5 Push Notification Data
If you opt in to browser push notifications, we store the subscription endpoint and cryptographic keys required by the Web Push protocol to deliver notifications to your browser.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Authenticate your identity (if you create an account)
- Enable peel creation, sharing, and response collection
- Prevent duplicate responses and detect abuse (via fingerprint and IP hashes)
- Moderate content for safety using automated filters (word filters, spam heuristics) and the OpenAI Moderation API
- Send transactional emails (first response alerts, milestones, weekly digests) via Resend
- Deliver push notifications you have opted in to receive
- Respond to support requests or legal obligations
- Improve and optimize the Service
3. How We Share Your Information
We do not sell your personal information to third parties. We share data only in the following limited circumstances:
3.1 Service Providers
We use the following third-party service providers to operate the Service. Each provider receives only the minimum data necessary to perform its function:
| Provider | Purpose | Data Shared |
|---|---|---|
| Vercel | Application hosting and CDN | All web traffic passes through Vercel infrastructure |
| Turso (LibSQL) | Database hosting | All application data is stored in Turso |
| OpenAI | Content moderation (toxicity scoring) | Response text only — no user identifiers are sent |
| Resend | Transactional email delivery | Email address and notification content |
| Google OAuth | Authentication | OAuth token exchange only; we receive email and profile name |
| Microsoft OAuth | Authentication | OAuth token exchange only; we receive email and profile name |
3.2 Legal Requirements
We may disclose your information if required to do so by law, or in the good-faith belief that such action is necessary to: (a) comply with a legal obligation, subpoena, or court order; (b) protect and defend the rights or property of XiPlatform; (c) prevent or investigate possible wrongdoing in connection with the Service; (d) protect the personal safety of users of the Service or the public.
3.3 Business Transfers
If XiPlatform is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website before your information is transferred and becomes subject to a different privacy policy.
4. Cookies and Tracking Technologies
We use a minimal set of cookies and browser storage mechanisms, all of which are strictly necessary for the Service to function. We do not use advertising or analytics tracking cookies. For a comprehensive breakdown, see our Cookie Policy.
4.1 Cookies
| Cookie | Type | Duration | Purpose |
|---|---|---|---|
| peeld-session | Essential | 7 days | JWT authentication session (httpOnly, Secure) |
| peeld-keys | Essential | 1 year | Creator secret pairs for anonymous peel management |
| PEELD_OAUTH_STATE | Essential | Session (consumed after redirect) | OAuth PKCE state verification |
| peeld-push-dismissed | Functional | Session | Remembers dismissal of push notification prompt |
4.2 Local Storage
| Key | Purpose |
|---|---|
| peeld-response-{slug} | Stores response ID to display reaction badge on the thank-you page |
| peeld-revealed-{peelId} | Tracks reveal state for results page interactions |
| peeld-push-dismissed | Push notification prompt dismissal state |
4.3 Browser Fingerprinting
We use the open-source FingerprintJS library (running entirely client-side) to generate a browser fingerprint. This fingerprint is immediately hashed using SHA-256 before being sent to our servers. The resulting hash is a one-way, irreversible value used solely to detect duplicate responses. We cannot reverse this hash to identify you, your device, or your browsing habits. This is not a cookie and does not track you across websites.
5. Data Retention
- Account data: Retained until you delete your account. Upon account deletion, all associated peels, responses, reactions, notifications, and other data are permanently and irreversibly deleted via cascading deletion.
- Anonymous response data: Retained indefinitely. Because responses are anonymous and cannot be attributed to any identifiable individual, they are not considered personal data under most privacy frameworks.
- Fingerprint and IP hashes: Retained alongside the responses they are associated with. Because these are one-way hashes, they cannot be reversed to recover the original fingerprint or IP address.
- Push notification subscriptions: Retained until the user deletes their account or the subscription expires.
6. Your Rights and Choices
6.1 All Users
- Account deletion: If you have an account, you may delete it at any time from your account settings page. This permanently deletes all your data, including all peels you created, all responses to those peels, all reactions, and all notification data.
- Email preferences: You can manage your email notification preferences from your account settings or unsubscribe via the link in any email.
- Push notifications: You can disable push notifications at any time via your browser settings.
- Cookies: You can manage or delete cookies through your browser settings. Note that disabling essential cookies may impair the functionality of the Service.
6.2 European Economic Area (EEA) Residents — GDPR
If you are located in the EEA, you have the following additional rights under the General Data Protection Regulation (GDPR):
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request correction of inaccurate personal data.
- Right to erasure: You may request deletion of your personal data (account deletion fulfills this right).
- Right to restrict processing: You may request that we limit how we use your data.
- Right to data portability: You may request your data in a structured, machine-readable format.
- Right to object: You may object to processing of your personal data for certain purposes.
- Right to lodge a complaint: You may file a complaint with your local data protection authority.
Legal basis for processing: We process your personal data under the following legal bases: (a) performance of a contract (to provide the Service); (b) legitimate interests (abuse prevention, security, service improvement); (c) consent (where required, such as for push notifications and email communications).
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
6.3 California Residents — CCPA / CPRA
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, our purposes for collecting it, and the categories of third parties with whom we share it.
- Right to delete: You may request deletion of your personal information (account deletion fulfills this right).
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale/sharing: We do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
To exercise these rights, email [email protected] with the subject line "CCPA Request." We will verify your identity and respond within 45 days.
6.4 Anonymous Responses
Anonymous responses submitted to peels cannot be attributed to any identifiable individual. Because we cannot verify who submitted a particular anonymous response, we are unable to fulfill access, deletion, or portability requests for anonymous response data. The fingerprint and IP hashes associated with responses are one-way and cannot be used to identify the submitter.
7. Children's Privacy
The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA). If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected] and we will promptly delete such information.
Users between the ages of 13 and 18 may use the Service with the consent of a parent or legal guardian and are subject to the same terms as adult users.
8. Anonymous Data
A core feature of Peeld is the ability for respondents to submit feedback anonymously. When a response is submitted:
- No account or login is required to respond to a peel.
- We do not store the respondent's actual IP address — only a truncated, irreversible hash.
- Browser fingerprint data is hashed client-side and cannot be reversed.
- Unless the peel creator has enabled "named" responses, no personally identifying information is collected from respondents.
- Anonymous responses are permanent. Because we cannot verify who submitted a response, individual responses cannot be retracted, edited, or deleted by the respondent after submission.
We may aggregate and analyze anonymous response data in de-identified form for the purpose of improving the Service. Such aggregated data does not constitute personal information.
9. Security
We implement reasonable administrative, technical, and physical safeguards to protect your information, including:
- Password hashing: Passwords are hashed using bcrypt before storage. We never store plaintext passwords.
- One-way hashing: IP addresses and browser fingerprints are stored only as irreversible SHA-256 hashes.
- Secure cookies: Authentication cookies use the httpOnly and Secure flags to prevent client-side access and ensure transmission over HTTPS only.
- HTTPS everywhere: All data in transit is encrypted using TLS.
- JWT authentication: Session tokens are cryptographically signed and verified on each request.
- Creator secrets: Peel creator secrets are hashed before storage, preventing unauthorized access even in the event of a data breach.
While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents.
10. International Data Transfers
Peeld is operated from the United States. Our hosting infrastructure (Vercel and Turso) is primarily located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States, which may have different data protection laws than your country of residence.
For users in the EEA, we rely on the following transfer mechanisms: (a) Standard Contractual Clauses (SCCs) with our service providers; (b) your explicit consent to the transfer as provided by your use of the Service.
11. Do Not Track Signals
Some web browsers transmit "Do Not Track" (DNT) signals. There is currently no industry standard for how companies should respond to DNT signals. We do not currently respond to DNT signals. However, we do not engage in cross-site tracking, and we do not use advertising or analytics tracking cookies.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page. If we make material changes, we will provide notice through the Service (such as a banner notification) or by email to registered users. Your continued use of the Service after the effective date of any revised policy constitutes your acceptance of the changes.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Privacy inquiries: [email protected]
- General support: [email protected]
- Company: XiPlatform