Privacy Policy

1.1 Your one-word answer

The word you submit is stored anonymously and aggregated into a public word cloud. It is never linked to your name, email, or any identifier you can be tracked by.

1.2 Hashed identifiers (to enforce one-answer-per-day)

To make sure each person can only answer once per day, we compute a one-way SHA-256 hash of:

• your IP address (we never store the raw IP, only the hash)
• your browser User-Agent header
• a random cookie identifier (ow_uid) we set the first time you visit
• your screen resolution and timezone (sent by your browser when you submit)

These hashes cannot be reversed back to your IP or identity. We use them only to detect repeat submissions and spam.

1.3 Country and (when available) city — approximate

Our hosting providers (Cloudflare and Vercel) infer the country your request came from, for example US, JP, BR. We store this country code with each answer so the global feed can show country statistics. When the provider also returns a city name (e.g. Warsaw) we store that too, so the feed can read “Poland · Warsaw said love”. We never store street, postal code, GPS coordinates, or any precise location.

1.4 Audit log of blocked attempts

When a submission is blocked (rate limit, scraper user-agent, banned word, etc.), we record the blocked attempt with the hashed identifiers from §1.2, the reason, and the approximate location from §1.3. This is kept for up to 30 days for abuse review and is not used for any other purpose.

1.5 Email (only if you opt in)

If you choose to subscribe to the daily question, we store your email address and the date you confirmed. You can unsubscribe with one click from any of our emails.

1.6 Standard server logs

Cloudflare and Vercel keep request logs (timestamp, URL, status code, raw IP) for up to 30 days for security and abuse detection. We do not have direct access to these except through their dashboards.

• Your real name
• Your precise location (only country + city, when the edge network supplies it)
• Your phone number
• Browser history outside our site
• Behaviour on other websites (no cross-site tracking pixels)
• Biometric data, payment data, or any government-issued identifiers

• To display today's word cloud and country statistics
• To enforce one-answer-per-day (the whole point of the site)
• To block spam and abuse (rate-limiting, blocked words list)
• To send the daily email if you subscribed
• To comply with legal obligations

We never sell your data. We never share it with third parties for marketing.

• Submitting an answer: legitimate interest in providing the service you came to use
• Email subscriptions: your consent
• Advertising cookies: your consent (via the banner)
• Spam protection: legitimate interest in keeping the site usable

You have the right to:

• Ask what data we hold about you
• Ask us to delete your data (GDPR Article 17 — “right to be forgotten”)
• Object to processing or restrict it
• Withdraw consent for cookies, emails, or analytics at any time
• Lodge a complaint with your local data protection authority

The quickest way to delete your data is the form at oneword.online/forget. You can also email hellooneword.online@gmail.com for any rights request and we will respond within 30 days.

See our Cookie Policy for an exhaustive list. In short:

• 2 essential cookies (ow_uid and your consent choice)
• 2 local-storage items in your browser only (ow_streak_v3, ow_journal_v3) — never sent to our server
• Google AdSense cookies — only after you click "Accept all" in the banner
• Google Analytics 4 (anonymised IP) — only after you click "Accept all" in the banner
• No Facebook Pixel, no Hotjar, no cross-site trackers

With your consent, we serve ads via Google AdSense. Google may set cookies (including the DoubleClick DART cookie) and collect anonymised information to show ads relevant to you. You can opt out at google.com/settings/ads or, for EU users, at youronlinechoices.com.

Google's own data practices are described at policies.google.com/technologies/ads.

• Aggregated, anonymous answers — kept indefinitely as public artefacts of each day
• Hashed identifiers — kept indefinitely (cannot be reversed)
• Email subscriptions — until you unsubscribe
• Server logs — up to 30 days at the hosting layer

The service is not directed at children under the age of 13, and we do not knowingly collect personal data from children under 13, in accordance with the U.S. Children’s Online Privacy Protection Act (COPPA) and similar provisions in other jurisdictions. If you are a parent or guardian and believe we have inadvertently collected information from a child, email hellooneword.online@gmail.com and we will delete it without delay.

We host on Cloudflare (global edge network) and Vercel (US / EU regions), and use Supabase (EU region — Frankfurt). Aggregated answers may be processed in either region. Standard contractual clauses are in place at the infrastructure level.

We will update this page with a new "Last updated" date when anything material changes. Significant changes (such as adding a new tracker) will trigger a fresh consent prompt in the banner.

hellooneword.online@gmail.com