Privacy Policy

This Privacy Policy explains how SneekyLinq, Inc. ("SneekyLinq," "we," "us," or "our") collects, uses, shares, and protects your personal information when you use sneekylinq.com and any related services (the "Platform").

By using the Platform you agree to the practices described in this Policy. If you do not agree, please do not use the Platform. For questions, contact privacy@sneekylinq.com.

Information you provide directly

• Account registration: display name, email address (stored as a SHA-256 hash), and password (bcrypt hash). We never store your plaintext email or password.
• Provider applications: display name, email, phone number (optional), city, website, years of experience, and a free-text response.
• Provider profiles: bio, service categories, availability settings, and photographs you upload.
• Introduction Requests and messages: message content sent between Members and Providers through the platform.
• Reviews: star ratings, structured tags, and written narratives submitted by Members.
• Communication preferences: the communication policy text you compose or select from our template library.

Information we collect automatically

• Server logs: IP address, browser type, operating system, referring URL, and pages visited. Logs are retained for 90 days.
• Session tokens: a cryptographically random token stored in an HttpOnly cookie. The raw token is never stored — only its SHA-256 hash is retained server-side.
• Security events: failed login attempts, suspicious request patterns, and other security-relevant signals, stored in an append-only security log.

Information from third parties

• Identity verification: Veriff (our verification partner) returns a pass/fail result and a reference ID. We do not receive or store raw ID document images.
• Payment processors: Bitcoin payments processed via BTCPay Server. We receive payment status events (paid, expired) but do not receive wallet addresses or transaction details beyond what is necessary for order fulfillment.

We use a single first-party session cookie (nv_session) to maintain your authenticated session. This cookie is:

• HttpOnly — inaccessible to JavaScript, preventing XSS-based theft.
• Secure — transmitted only over HTTPS.
• SameSite=Lax — provides CSRF protection while allowing normal navigation.

We do not use advertising cookies, third-party tracking cookies, or persistent fingerprinting techniques. Cloudflare Turnstile (bot protection on public forms) may set a short-lived cookie. We use Plausible Analytics, which is cookie-free and does not track individuals across sessions or sites.

SneekyLinq uses Plausible Analytics, a privacy-first analytics platform. Plausible does not use cookies, does not fingerprint browsers, does not track users across sites or sessions, and does not collect any personally identifiable information. Aggregate traffic data (page views, referral sources, country-level geography) is used solely to understand how the Platform is used and to improve it.

We do not use Google Analytics, Meta Pixel, or any behavioral advertising tracking infrastructure.

Your email address is stored as a one-way SHA-256 hash. This allows us to enforce uniqueness and prevent duplicate accounts without retaining your plaintext address in application storage. For transactional email (invitations, confirmations), we temporarily pass your address to our email provider (Resend), subject to their privacy policy.

Passwords are hashed using bcrypt (cost factor 12+) before storage. We cannot recover your password. Sessions are maintained via a short-lived cryptographic token stored in an HttpOnly cookie.

Administrative accounts require multi-factor authentication (TOTP). All login events and session activity are recorded in an append-only audit log.

Identity verification is processed by Veriff, an independent identity verification provider. When you initiate verification, you are redirected to Veriff's platform where you submit your government-issued ID and selfie. Veriff returns a session result (verified / not verified) and a reference ID to SneekyLinq. We store the result and reference ID; we do not receive or store the raw document images.

Veriff's handling of your identity data is governed by their own privacy policy. SneekyLinq retains verification results for the lifetime of your account and for a minimum of seven years after account closure, as required to demonstrate compliance with age verification obligations.

18 U.S.C. § 2257 compliance. Where required by law, we maintain records sufficient to demonstrate that all depicted individuals in Provider content are adults. These records are available for inspection upon lawful request by authorized officials.

Payments are processed by third-party payment processors (currently BTCPay Server for Bitcoin). SneekyLinq does not collect or store payment card numbers, bank account details, or cryptocurrency wallet addresses.

We receive payment confirmation events (invoice ID, status, amount) from our processors and retain these for accounting, dispute resolution, and compliance purposes for a minimum of seven years.

Providers may compose or select a communication policy that is displayed on their public profile. This text is stored in our database and is publicly visible to Members.

Transactional email. We send email for account events: email verification, password reset, invitation delivery, and billing receipts. We do not send marketing email unless you separately opt in.

Sensitive content. Provider phone numbers (where provided and enabled) are encrypted at rest and are only decrypted and revealed to a verified Member after that Member has completed an Introduction Request that the Provider has acknowledged, and after the Member has affirmatively confirmed a privacy disclosure. This disclosure is logged with the Member's consent timestamp.

We retain your personal data for as long as your account is active and for the periods required by law. Specific retention rules:

• Active accounts: retained until you close your account.
• Closed accounts: profile content deleted within 30 days. Audit logs, payment records, and verification records retained for a minimum of 7 years.
• Provider photographs: deleted from our CDN within 30 days of account closure or manual deletion by the Provider.
• Server logs: 90 days.
• Security event logs: 2 years.
• Compliance incident records: 7 years minimum (law enforcement cooperation requirements).

Where data is subject to a legal hold or active law enforcement request, retention is extended for the duration of that hold.

We implement the following measures to protect your data:

• All data transmitted between your browser and our servers is encrypted via TLS 1.2 or higher.
• Passwords are hashed with bcrypt; emails are stored as SHA-256 hashes.
• Sensitive fields (encrypted email, phone numbers) are encrypted at rest using AES-GCM.
• Session tokens are stored as SHA-256 hashes; raw tokens exist only in the user's cookie.
• Audit logs and security event logs are append-only — existing entries cannot be modified or deleted by application code.
• Provider photographs are stored in a private bucket during scanning and only moved to the public CDN after passing automated image-safety screening and admin review.
• Administrative access requires multi-factor authentication and is restricted by IP allowlist.

Despite these measures, no system is perfectly secure. If you discover a vulnerability, please report it to security@sneekylinq.com.

Depending on your location, you may have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you.
• Correction: request correction of inaccurate data.
• Deletion: request deletion of your personal data, subject to legal retention requirements.
• Portability: request your data in a machine-readable format.
• Restriction: request that we restrict processing of your data in certain circumstances.
• Objection: object to processing based on legitimate interests.

To exercise any of these rights, email privacy@sneekylinq.com with your request and sufficient information to verify your identity. We will respond within 30 days. Some rights may be limited where we have a legitimate legal basis to retain data.

We do not sell personal data. We do not share personal data with advertisers or data brokers.

The Platform is strictly for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we discover that we have inadvertently collected data from a minor, we will delete it immediately and may notify appropriate authorities. If you believe a minor has created an account, contact safety@sneekylinq.com immediately.

We may update this Privacy Policy periodically. Material changes will be communicated via email to the address on file or via a platform notification at least 14 days before the change takes effect. The "Effective date" at the top of this page will always reflect the current version. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

For privacy-related questions, requests, or concerns: