Privacy Policy
Last updated: April 2026
1. Who We Are
Honeymilk Spinners (the "Site") is operated by Contact Info Pending — see docs/LEGAL-COMPLIANCE-OWNER-ACTIONS.md ("we," "our," "us"). This Privacy Policy explains what personal information we collect, why we collect it, who we share it with, and what choices you have. It applies to the Site, our APIs, our newsletter emails, and our progressive web app ("PWA").
The Site is intended for adults only. We do not knowingly process personal information from anyone under 18 (or under 13 in any jurisdiction). See Section 9.
2. Information We Collect
2.1 Information you give us
- Account information when you sign up (email address, username, and any profile details you provide). Authentication is handled by our identity provider, Clerk; we do not store passwords ourselves.
- Newsletter subscription state and your email opt-in preference, including a timestamp of the last change for audit purposes.
- Library and saved-content data (items you add to your library, your saved scenes/performers/products, your video edits, and library-share tokens).
- User settings (display, accessibility, playback, and notification preferences).
- Feedback and support submissions (the message itself, the page URL it was sent from, and basic device information). Feedback may be submitted anonymously.
2.2 Information collected automatically
- IP address and a derived country / U.S. state, used for geo-restriction enforcement, abuse prevention, and security logging.
- Device and browser information (user agent, viewport size, connection type) for compatibility and abuse detection.
- Security and audit logs (admin actions, blocked-IP events, request errors) including IP and user agent.
- Analytics events (page views, clicks, basic session data) — only when you have given explicit consent through our cookie banner. See Section 6.
2.3 Information we do NOT collect
- We do not process payment-card data. The Site does not currently sell anything directly; product links route to third-party retailers and creator platforms via affiliate URLs.
- We do not allow users to upload sexually explicit imagery.
3. How We Use Your Information
- To create and operate your account and library.
- To send transactional emails (sign-up confirmations, account changes, abuse-related notices).
- To send newsletter emails when you have opted in, and to let you opt out at any time.
- To enforce geographic and age restrictions and to protect the Site from abuse, fraud, and unauthorized access.
- To respond to feedback, support requests, legal requests, DMCA notices, and 2257 record-removal requests.
- To measure and improve the Site (only with your consent for analytics — see Section 6).
- To comply with legal obligations.
4. Legal Bases (GDPR / UK GDPR)
- Contract — to operate your account and provide the Site.
- Consent — for optional analytics cookies and for newsletter sign-ups; you may withdraw at any time.
- Legitimate interests — for security, abuse prevention, geo-enforcement, fraud detection, and service improvement, balanced against your rights.
- Legal obligation — to respond to lawful requests, takedown notices, and record-keeping obligations.
The Site geo-restricts access from the United Kingdom and certain EU member states. Where applicable EU/UK law still applies (for example, to a residual visit before the geo check completes, or to legal-page access), the bases above govern.
5. Service Providers and Sub-Processors
We rely on a small set of third-party service providers to run the Site. We do not sell your personal information.
- Clerk — user authentication, session management, and 2FA. Stores email, password hash, username, profile metadata.
- Google Analytics 4 (GA4) — opt-in analytics. Loaded only after consent is granted via the cookie banner.
- Bunny.net — video and media content delivery network. Receives request metadata (IP, user agent) when streaming media.
- SMTP email provider — used to send account, newsletter, and transactional emails. Receives recipient email and message content.
- Push-notification service (web-push) — used only if you have opted in to PWA push notifications.
- IP geolocation provider — used at the edge to determine country / U.S. state for geo-blocking and abuse prevention. Receives only the request IP.
- Self-hosted infrastructure — the application database (MySQL) and application servers run on infrastructure controlled by us. Standard server access logs are retained for security and debugging.
We may also disclose information when required by law, subpoena, court order, or to protect our rights, our users, or the public; or in connection with a sale, merger, or other transfer of business assets, with notice where required.
6. Cookies and Similar Technologies
We use the following categories of cookies and local storage:
- Strictly necessary — Clerk session cookies, geo-restriction cookies (e.g. geo-restricted), age-gate confirmation (hms_age_verified), CSRF protection, and consent-state storage. These cannot be disabled because the Site cannot function without them.
- Analytics (opt-in) — Google Analytics 4. Only loaded after you click "Accept" in the cookie banner. You can withdraw consent at any time using the cookie button in the footer.
We do not currently use third-party advertising or cross-site tracking cookies.
7. Data Retention
- Account data — retained while your account is active. Deleted on account deletion; some records (e.g. legal/audit) may be retained where required.
- Library, edits, and settings — deleted when you delete your account.
- Newsletter subscription state — retained while you remain subscribed; the unsubscribed-at timestamp is kept as proof of consent withdrawal.
- Security event and audit logs — retained in accordance with our security data-retention policy and applicable law.
- Analytics data — retained per the defaults of our analytics provider.
- Backups — periodic backups may contain copies of the above for a limited rolling period before being overwritten.
8. Your Rights
Depending on your location, you may have some or all of the following rights:
- Access — request a copy of the personal information we hold about you.
- Correction — request correction of inaccurate or incomplete information.
- Deletion — request deletion of your account and associated personal information. You can do this directly from the account settings page.
- Restriction / objection — ask us to restrict or object to certain processing (GDPR / UK GDPR).
- Portability — request a structured copy of certain data you have provided.
- Withdraw consent — for analytics or newsletter, at any time, without affecting prior processing.
- Lodge a complaint — with your local data protection supervisory authority (GDPR / UK GDPR).
California residents (CCPA / CPRA): You have the right to know what personal information we collect, the right to delete it, the right to correct inaccurate information, and the right to limit use of sensitive personal information. We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the CPRA. To exercise your rights, contact us at the address in Section 11.
9. Children's Privacy
The Site is for adults. We do not knowingly collect personal information from anyone under 18. We do not knowingly collect personal information from any child under 13, in accordance with the U.S. Children's Online Privacy Protection Act (COPPA). If we learn that we have collected information from a child, we will delete it and terminate the associated account.
10. International Data Transfers
Our infrastructure and most service providers are located in the United States. If you access the Site from outside the United States, your information will be transferred to, stored in, and processed in the United States. Where required by law, we rely on appropriate safeguards (including, where applicable, standard contractual clauses) for such transfers.
11. Contact Us
If you have questions about this Privacy Policy or want to exercise any of the rights above, contact us:
Operating Entity: Contact Info Pending — see docs/LEGAL-COMPLIANCE-OWNER-ACTIONS.md
Privacy: Contact Info Pending — see docs/LEGAL-COMPLIANCE-OWNER-ACTIONS.md
Legal: Contact Info Pending — see docs/LEGAL-COMPLIANCE-OWNER-ACTIONS.md
DMCA: Contact Info Pending — see docs/LEGAL-COMPLIANCE-OWNER-ACTIONS.md
Support: Contact Info Pending — see docs/LEGAL-COMPLIANCE-OWNER-ACTIONS.md
Mailing Address: Contact Info Pending — see docs/LEGAL-COMPLIANCE-OWNER-ACTIONS.md
12. Changes to This Policy
We may update this Policy from time to time. Material changes will be reflected in the "Last updated" date at the top of the page. Where required by law, we will provide additional notice.