Privacy Policy
Last updated: May 7, 2026
The Online Reader ("we," "us," or "our") operates the website at theonlinereader.com (the "Service"). This Privacy Policy explains what information we collect when you use the Service, how we use it, who we share it with, and the choices you have. By using the Service you agree to the practices described here.
1. Information We Collect
a. Information you provide
- Account information. When you sign up using email and password, we store your email address and a one-way hashed version of your password (we never store your password in clear text). When you sign in with Google, we receive your email address and display name from Google as part of the OAuth flow.
- Content you create. Ratings you submit, items added to your library, and URLs you submit for indexing.
- Communications. Any messages you send to us via the contact form or email.
b. Information collected automatically
- Log data. Standard server logs including your IP address, browser type, the pages you request, and the time of the request. This is used for security, abuse prevention, and rate limiting.
- Cookies and local storage. See section 4 below for the full list and purpose of each.
- Cloudflare Web Analytics. Our infrastructure provider, Cloudflare, runs a cookieless analytics beacon (
static.cloudflareinsights.com/beacon.min.js) that measures aggregate site performance - Core Web Vitals, page-load timings, and visit counts. The beacon does not set cookies, does not read or write to your device's storage, and does not build a profile of you across visits or other sites. Cloudflare states it does not retain individual visitor IP addresses for this product. See Cloudflare's Web Analytics privacy notice.
What we do not collect. Aside from the cookieless Cloudflare Web Analytics beacon described above, we do not run behavioural or session-replay analytics (no Google Analytics, no Mixpanel, no Hotjar, no Plausible, etc.), we do not embed advertising or marketing trackers, and we do not use any cross-site tracking technology.
2. How We Use Your Information
- To create and maintain your account and keep you signed in.
- To send you essential service emails - sign-in one-time passwords (OTPs), password resets, and account-management notifications such as deletion confirmations.
- To aggregate ratings and surface recommendations to other users (your individual ratings are visible on your profile by default; aggregated ratings are anonymous).
- To detect, prevent, and respond to abuse, spam, fraud, and security incidents.
- To comply with legal obligations.
3. Legal Bases for Processing (EU/UK Users)
If you are located in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR / UK GDPR:
- Performance of a contract - to provide the Service you've signed up for (e.g., maintaining your account, processing your ratings).
- Legitimate interests - to keep the Service secure, prevent abuse, and operate it efficiently.
- Consent - where required by law (e.g., optional marketing communications, if any). We currently do not send marketing emails.
- Legal obligation - where we are required by law to process information.
4. Cookies and Local Storage
The Online Reader uses only strictly-necessary cookies and local-storage entries - those required for the Service to function (authentication and login state). Because all cookies in use are strictly necessary, we do not require or collect explicit consent for non-essential cookies, as we do not set any. The full list:
| Name | Type | Expiry | Purpose |
|---|---|---|---|
auth_token | HTTP cookie (HttpOnly) | 7 days | Keeps you signed in after login. Holds your authentication token; cannot be read by JavaScript. |
connect.sid | HTTP cookie (HttpOnly) | Session (cleared on browser close) | Used only during the Google sign-in redirect to securely complete the OAuth round-trip. |
tor-pending-library | sessionStorage | Until browser tab closes | Remembers a rate-this-page action you started before signing in, so you can complete it after login. |
tor-cookie-notice-ack | localStorage | Persistent (until you clear browser storage) | Records that you've seen the cookie notice, so the banner doesn't reappear on every page load. |
5. Third-Party Services
We use a small number of third-party services to operate the Service. Each is listed below with the data shared and the provider's role:
- Cloudflare (CDN, security, and Web Analytics). Cloudflare sits in front of the Service as a CDN and DDoS-mitigation layer; in that role it processes your IP address and request headers as a regular network proxy. Cloudflare also provides the cookieless Web Analytics described in section 1b. See Cloudflare's Privacy Policy.
- Google (OAuth sign-in). If you choose to sign in with Google, your browser is redirected to Google to authenticate. We receive your email address and display name from Google. Google's handling of this data is governed by their Privacy Policy.
- Resend (transactional email). We use Resend to deliver one-time passwords, password-reset links, and account notifications. Your email address is shared with Resend solely to deliver these messages. See Resend's Privacy Policy.
- MongoDB Atlas (database hosting). Account data and content are stored in a MongoDB Atlas cluster operated by MongoDB, Inc. See MongoDB's Privacy Policy.
- OpenAI (content moderation). When you submit a URL for indexing, the metadata we scrape from that URL (page title, description, and keywords) is sent to OpenAI's Moderation API for automated content classification before the URL is added to the public catalog. No account identifiers, IP addresses, or personal data are sent. OpenAI states that data submitted to the Moderation API is not used to train their models. See OpenAI's Privacy Policy and the API Data Usage Policy.
- Stripe (payments - when subscriptions launch). If and when you subscribe to a paid plan, payment processing is handled by Stripe. We do not store full payment-card numbers; Stripe receives card details directly. See Stripe's Privacy Policy.
6. How We Share Your Information
We do not sell, rent, or trade your personal information. We share it only in the following circumstances:
- With service providers listed in section 5, strictly to operate the Service.
- For legal reasons - when required by law, court order, or to protect the rights, property, or safety of the Service, our users, or the public.
- In a business transfer - if we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change of ownership and the choices you have.
- With your consent - for any other purpose, only with your explicit consent.
7. Data Retention
- Account data is retained while your account is active. When you request deletion, your account enters a 30-day grace period during which it can be cancelled and restored. After 30 days the account and personal data are permanently deleted.
- Ratings and submitted URLs may remain in the public catalog after account deletion, but are anonymized - they are no longer linked to your identity.
- Server logs are retained for up to 90 days for security and abuse-prevention purposes, then rotated or deleted.
8. Your Rights and Choices
Depending on your location, you may have some or all of the following rights with respect to your personal information:
- Access. View your account data from your profile page. For anything not visible there, request a copy by emailing us.
- Correction. Update inaccurate information from your profile page, or request a correction by emailing us.
- Deletion. Delete your account from your profile page; deletion follows the 30-day grace-period process described in section 7. You may also request deletion by emailing us.
- Restriction or objection. Ask us to restrict or stop processing your data in certain circumstances by emailing us.
- Data portability. Request a machine-readable copy of the data you've provided by emailing us.
- Withdraw consent. Where processing is based on consent, withdraw it at any time (without affecting prior processing).
- Lodge a complaint. EU/UK users may complain to their local data-protection authority.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
9. Data Security
We protect your data using industry-standard practices: HTTPS for all traffic in transit, JWTs stored in HttpOnly cookies (so they cannot be read by client-side JavaScript), bcrypt-hashed passwords (we never see your password in clear text), rate limiting on authentication endpoints, and access controls on internal services. No system is perfectly secure, however, and we cannot guarantee absolute security.
10. Children's Privacy
You must be at least 13 years old to use the Service. If you live in a country where the age of digital consent is higher than 13 (16 in most EU countries), you must have the consent of a parent or guardian if you are below that age. Age is self-declared at registration; we do not verify it. If you become aware that someone below the applicable age has registered, please contact us and we will remove the account and any associated personal information.
11. International Data Transfers
Our service providers (including MongoDB Atlas, Resend, Google, OpenAI, and Stripe) operate in multiple jurisdictions, which may include the United States, the European Union, the United Kingdom, and elsewhere. By using the Service, you understand that your information may be transferred to and processed in countries other than your own. Where required by law, we rely on appropriate safeguards such as Standard Contractual Clauses.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes that affect your rights, we will provide a more prominent notice (e.g., via email or an in-app announcement). Please review this page periodically.
13. Contact Us
Questions, comments, or requests regarding this Privacy Policy? Email us at [email protected], or use the contact form.
Related
- Terms of Service - the rules of using the Service.
- Cookie Policy - focused expansion of section 4 above, with browser controls.
- Disclaimer - limits on the content displayed on the Service.