Legal
Privacy Policy
Version 2026-07-13.2. Effective July 13, 2026.
1. Scope and operator
This policy explains how CarpeDiction collects and handles personal information when you browse the service, create an account, search, post comments, save favorites, upload a profile image, or register, sign in, or connect an identity provider. CarpeDiction is operated by Zachery A. Bielicki, who is the controller of account information described here.
2. Information collected
- Account information: username, email address, an optional password hash, account timestamps, and the version and time of legal-policy acceptance. The service does not store your plain-text password. Provider-created accounts receive a server-generated editable username and may add a password later.
- Public activity: comments, displayed creator name, likes, and the word associated with a discussion. Comments and creator names are visible to other users.
- Saved activity: favorite words associated with your account.
- Optional profile media: an uploaded profile image. Images are decoded, resized, stripped of metadata, converted to WebP, and stored under a server-generated object key.
- Optional identity providers: Google or Apple provider identifier, provider name, connection time, and a verified email address when the provider supplies one. These values support provider registration, sign-in, linking, and unlinking. CarpeDiction does not receive your provider password.
- Search and reference data: lexical queries and provider responses. Queries may be cached without an account identifier to improve speed and provider efficiency.
- Security and technical data: essential session tokens, short-lived provider authentication and link state, a short-lived provider registration ticket, request origin, and network address used temporarily for abuse prevention. Hosting infrastructure may create ordinary security and access logs.
3. How information is used
Information is used to:
- create and authenticate accounts and provide requested features;
- display favorites, comments, likes, and profile information;
- register, sign in, connect, or disconnect an identity provider at your request;
- retrieve, cache, and present language-reference results;
- prevent fraud, abuse, malicious input, and unauthorized access;
- maintain, troubleshoot, and improve service reliability; and
- comply with applicable law and enforce the Terms of Service.
Depending on where you live, these activities rely on performance of the service agreement, legitimate interests in security and operation, compliance with law, and your affirmative choices for optional features.
4. When information is disclosed
- Publicly: comments, displayed creator names, like counts, and profile images are shown as part of community features.
- Infrastructure providers: hosting, PostgreSQL database, and S3-compatible object-storage providers process data to operate the service.
- Lexical providers: the searched word or phrase is sent to the selected dictionary, thesaurus, rhyme, frequency, slang, or association provider. CarpeDiction does not intentionally send your account ID or email with a lexical query.
- Identity providers: Google or Apple receives information involved in an authentication or connection flow only when you choose that provider.
- Legal and safety needs: information may be disclosed when reasonably necessary to comply with law, protect rights and safety, investigate abuse, or defend legal claims.
CarpeDiction does not sell personal information, use it for cross-context behavioral advertising, or run third-party advertising or analytics trackers.
5. Cookies and local storage
CarpeDiction uses an HTTP-only session cookie that lasts up to 30 days to keep you signed in. Short-lived, HTTP-only cookies protect optional Google or Apple authentication, registration, and connection flows. These cookies are necessary for requested account functions. The service does not use advertising cookies or cross-site tracking cookies, so it does not display a marketing cookie banner.
6. Retention
- Account data is retained while the account exists.
- Session cookies expire after no more than 30 days and are cleared on sign-out.
- Lexical cache entries are active for 12 hours and are removed through bounded cache cleanup.
- Replaced profile images are deleted, and the current profile image is deleted with the account.
- Account deletion removes account, favorites, likes, sessions, and connected-provider records. Public comments may remain with a creator-name snapshot and no user-account relationship; contact the operator to request review or removal.
- Security logs, backups, and records required for legal claims may remain for a limited period based on operational, legal, and provider retention requirements.
7. Your choices and rights
The account page lets you view and correct your username and email, set or change a password, replace or remove your profile image, export favorites, disconnect providers, and delete your account. A provider-only account must retain a sign-in provider until a password is set. Depending on your location, you may also have rights to request access, correction, deletion, restriction, objection, or portability and to complain to a data protection authority. CarpeDiction will not discriminate against you for exercising an applicable privacy right.
Contact the operator for a request not available in the account page. Identity verification may be required before account information is disclosed or changed.
8. International processing
Infrastructure, lexical, storage, and identity providers may process information in the United States and other countries. Those locations may have different data-protection laws. Where required, appropriate contractual or legal safeguards should be used for international transfers.
9. Security
CarpeDiction uses password hashing when a password is set, verified provider identity, HTTP-only cookies, origin checks, input validation, rate limits, least-privilege storage access, and server-side credentials. No online service can guarantee absolute security. Use a unique password when setting one and report suspected unauthorized access promptly.
10. Children
CarpeDiction is a general-audience service and is not intended for children under 13. An account applicant must confirm they are at least 13. If the operator learns that personal information was collected from a child under 13 without legally valid authorization, the account and associated personal information will be reviewed and deleted as required.
11. Policy changes
This page identifies its version and effective date. Material changes will receive a new version and, when required, an in-product notice or renewed acceptance before account features continue.
12. Contact
Contact the operator with privacy questions or requests. Do not send passwords, session tokens, identity-provider tokens, or other authentication secrets.
Contact Zachery A. Bielicki