Privacy Policy

Vabling is operated by an individual controller. TODO before launch: replace with the operator's full legal name. TODO before launch: replace with the operator's public mailing address.

Privacy requests go to [email protected]. Abuse or safety reports go to [email protected].

• Email address for magic-link login, account security, bans, and service emails.
• Account profile data such as public handle, avatar URL, done count, abandoned count, and account creation time.
• Public content you submit, including quests, tags, city text, updates, comments, captions, proof photos/videos, profile images, and related media URLs.
• Activity data such as claims, votes, claps, comment claps, cheers, feed impressions, reports, report reasons, and moderation audit records.
• Session and authentication data, including the session cookie and short-lived magic-link token.
• Technical logs that may include IP address, user agent, request URLs, timestamps, and error data from our hosting and infrastructure providers.

• To provide the service: accounts, posting, claiming, proof uploads, voting, comments, and profile pages.
• To keep the community accountable while allowing public anonymous display where the UI says "anon".
• To moderate content, investigate reports, prevent abuse, enforce bans, and preserve an audit trail for kills/restores.
• To send magic links and service notices such as proof-result emails.
• To operate, secure, debug, and improve the site.
• To comply with legal obligations and respond to valid legal, copyright, privacy, and safety requests.

Quests, comments, public handles, profile images, proof media, captions, and share-card images may be visible to anyone. Media uploaded for proofs, comments, updates, and profiles is stored in Vercel Blob using public URLs, so do not upload private or sensitive material.

We use a required HTTP-only session cookie named wtl_sessionthat can last up to 60 days. Magic-link tokens expire after 30 minutes. We do not currently use analytics or marketing cookies. If we add analytics or tracking cookies, we will update this policy and use a consent banner where required.

• Session cookies can last up to 60 days unless you log out earlier.
• Magic-link tokens expire after 30 minutes.
• Feed impressions are pruned after 30 days.
• Account, quest, proof, comment, vote, clap, report, and moderation records are kept while needed to run the service, preserve public context, enforce rules, resolve disputes, or meet legal obligations.
• Deleted or killed public content may be hidden rather than immediately erased so moderation can be audited and reversed where appropriate.
• Blob media may remain in backups, caches, provider logs, or public copies for a limited time after removal requests are processed.

We use service providers to operate the app:

• Vercel for hosting, serverless functions, logs, cron, and deployment infrastructure.
• Vercel Blob for public user-uploaded media storage.
• Neon for Postgres database hosting.
• Resend for magic-link and service email delivery.
• OpenAI moderation, if enabled, to help classify quest text before posting.

Depending on where you live, including in the EU/EEA, UK, or similar privacy-law regions, you may have rights to access, correct, delete, export, restrict, or object to the processing of your personal data. These rights are not always absolute, especially where we need data for safety, moderation, legal compliance, or legal claims.

To make a request, email [email protected]from the email address connected to your account. We may need to verify your identity before acting on the request.

Our providers may process data in the United States and other countries. Where required, we rely on provider data-processing terms, transfer mechanisms, and similar safeguards.

Vabling is not for children or quests involving minors. If you believe a minor has provided personal data or appears in uploaded content, report it to [email protected].