Privacy Policy
Last updated: 12 May 2026
This Privacy Policy explains how WTF ("we", "us", "our") collects, uses, and protects personal data when you use im.wtf (the "Service"). We comply with the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.
1. Data Controller
WTF, registered office in the Republic of Ireland.
Contact for data protection: arewewtf@gmail.com
2. Data we collect
- Account data: username, email address, hashed password, optional profile fields (display name, short bio, country, city, gender, birthdate).
- Profile content: avatars, links, social handles, badges, and other content you choose to publish.
- Analytics: aggregated profile views and clicks. We derive an anonymous, salted, daily-rotating SHA-256 hash from a visitor's IP and user-agent so that we can count unique views without storing the raw IP. Coarse geolocation (country) is derived from the IP at the moment of the request and only the country code is stored.
- Technical data: request timestamps, derived browser/device family, and HTTP referrer category. Raw IP addresses are not persisted.
3. Legal basis (Art. 6 GDPR)
- Art. 6(1)(b) — performance of the user contract (account, profile hosting).
- Art. 6(1)(f) — legitimate interests (security, fraud prevention, aggregated analytics, service improvement).
- Art. 6(1)(c) — compliance with legal obligations (tax, takedown notices).
- Art. 6(1)(a) — consent, where required (e.g. optional features).
4. Cookies & local storage
We use a strictly necessary HttpOnly session cookie to keep you signed in. We use localStorage to remember your theme and editor preferences. We do not use advertising cookies or third-party tracking pixels.
5. Third parties / processors
- Hosting and content delivery providers used to operate the Service.
- Avatar image generation (e.g. dicebear.com) when no custom avatar is uploaded.
- Email delivery provider for transactional messages.
All processors are bound by data processing agreements compliant with Art. 28 GDPR.
6. International transfers
Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards under Art. 46 GDPR.
7. Retention
Account data is retained for as long as your account is active. Aggregated analytics counters are retained indefinitely in non-identifying form. You may delete your account at any time, after which personal data is removed within 30 days unless retention is required by law.
8. Your rights (Art. 15–22 GDPR)
- Access, rectification, erasure ("right to be forgotten").
- Restriction of processing and data portability.
- Objection to processing based on legitimate interests.
- Withdrawal of consent at any time, without affecting prior lawfulness.
- Right to lodge a complaint with the Irish Data Protection Commission or your local supervisory authority.
To exercise any of these rights, contact arewewtf@gmail.com.
9. Children
The Service is not directed to children under 13. We do not knowingly process data from children under that age.
10. Security
We use encrypted connections (TLS), hashed passwords, role-based access control, and minimum-necessary data principles. No system is perfectly secure; we cannot guarantee absolute security.
11. Changes to this policy
We may update this policy from time to time. Material changes will be announced via the Service. Continued use after a change constitutes acceptance.