Privacy policy

Draft v0.1 — pending legal review before launch.

What we collect

What we don't do

How long we keep things

Your content stays as long as your account is active. If you delete your account, we delete your designs and files within 30 days. Billing records (invoices, payment events) are retained for as long as required by law (typically 7 years). Anonymized audit logs are kept for 18 months for security forensics.

Your rights

You can request:

Cookies

We use a single first-party session cookie, required for you to stay logged in. (Our CSRF protection uses a token stored server-side in your session, not a separate cookie.) We don't use tracking cookies and don't require a banner.

Security

Passwords are stored using Argon2id with a separate server-side pepper. Sessions are HTTPS-only with strict same-site cookies and 24-hour idle / 7-day absolute expiry. Payment data is handled exclusively by Stripe (PCI DSS compliant).

International transfers

QuiltCraft is hosted in the United States. If you're in the EU, we transfer your data under Standard Contractual Clauses where applicable. Stripe handles cross-border transfers for payment data under its own compliance program.

Children

QuiltCraft isn't directed at children under 13. We don't knowingly collect data from anyone under 13 (or 16 in the EU). If you believe a child has created an account, please contact us.

Changes

We'll email you and post in-app at least 30 days before any material change to this policy.

Contact

privacy@quiltcraft.org

This page is a working draft. Final language pending legal review.