The fine print, in plain English.

Gwaky (operated under the name Gwaky) runs gwaky.com and provides the comment, voting, and notification features on the site. We’re a US-based company hosting on Vercel. Our users live everywhere — including California and the EU/UK — so we honor the rights described below regardless of where you sign up from.

We collect the minimum we need to run the product. Here is the full list:

• Account basics. Your name, email, profile photo (avatar stored on Vercel Blob), and a username. When you sign in through Google, Apple, or GitHub we receive these from the provider; with email sign-in you give them directly.
• Profile preferences. The markets and neighborhoods you follow, your role (buyer, renter, agent, etc.), and any bio you choose to share.
• Your content. The takes (comments) you post, threads you reply to, likes, red-flag votes, and reports you submit.
• Consent records. Whether you agreed to our Terms, Privacy Policy, marketing, personalization, push notifications, and broader data processing. We store these in a ConsentLog so we can prove the choice you made and when you made it.
• Technical data. IP address, browser type, device info, and event logs from the app, used for security, debugging, and abuse prevention.
• Product analytics. Pseudonymous usage events through PostHog (page views, feature interactions) so we can see what works and what’s broken.

• To run the service. Display your takes, route replies, send the real-time notifications you asked for, and keep your account secure.
• To improve the product. Aggregate analytics tell us which features get used and which ones we should kill.
• To enforce our rules. Spam, harassment, doxxing, and listing fraud get caught using a mix of automated signals and human review.
• To talk to you. Transactional email (account, security, replies) is core to the product. Marketing email is opt-in and tracked in your ConsentLog.

If you’re in the EU, EEA, UK, or Switzerland, GDPR applies. We rely on these legal bases:

• Contract. Running the account features you signed up for.
• Legitimate interests. Keeping the platform secure, preventing abuse, basic product analytics (where you have not opted out).
• Consent. Marketing email, personalization, push notifications, and any non-essential cookies. You can withdraw consent in your profile at any time.
• Legal obligation. When a law, subpoena, or court order requires it.

• Active accounts. For as long as your account exists.
• Deleted accounts. When you request deletion, we begin a 30-day grace period during which you can change your mind by signing back in. After 30 days your personal data is purged. Your public takes are anonymized rather than deleted, because threads and other people’s replies would lose context otherwise.
• Consent logs. Kept for as long as the law requires us to prove consent (usually a few years after withdrawal).
• Backups. Encrypted backups roll off on a normal cycle (typically 30 days).

We do not sell data. We share it only with vendors that help us run the service, under contracts that limit what they can do with it:

• Vercel — hosting, CDN, and Blob storage for avatars.
• PostHog — product analytics (pseudonymous event data).
• Auth providers — Google, Apple, GitHub, and our email-link provider, only for sign-in.
• Email infrastructure — transactional and (opt-in) marketing email.
• Law enforcement — only when legally compelled, and we push back on overbroad requests.

Wherever you live, you can ask us to do the following with your data. We respond within 30 days (faster when we can).

• Access. See what we have on you.
• Export. Download a portable copy of your data. Start a DataExportRequest from your profile settings.
• Correction. Fix anything that is wrong.
• Deletion. Delete your account (subject to the 30-day grace period in section 5).
• Object / restrict. Tell us to stop processing your data for a specific purpose.
• Withdraw consent. Toggle off marketing, personalization, push, or non-essential cookies any time in your profile.
• Complain. EU/UK residents can file with their local data protection authority.

California residents have the same access, deletion, correction, and opt-out rights under the CCPA/CPRA, plus the right not to be discriminated against for exercising them. We do not sell or share personal information for cross-context behavioral advertising.

Gwaky is not for anyone under 13. We do not knowingly collect data from children. If we learn an account belongs to a child, we delete it. Parents who think a child has signed up can write to privacy@gwaky.com.

Gwaky is hosted in the United States. If you’re writing to us from the EU/UK, your data crosses borders. We rely on Standard Contractual Clauses and equivalent safeguards with our vendors.

We use industry-standard practices: encrypted transport (HTTPS), encrypted storage, scoped access controls, and routine reviews. No system is bulletproof — if something goes wrong we’ll tell you and the relevant regulators in line with the law.

When we make material changes, we’ll update the “Last updated” date at the top and, where required, ask you to re-consent before continuing to use Gwaky.

Privacy questions, data requests, or anything that smells off: privacy@gwaky.com.