Privacy Policy

Last updated: 2026-02-05

Caneta ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal data when you use our pen-pal platform at caneta.ink (the "Service").

1. Data Controller

The data controller for your personal data is the operator of Caneta, accessible at caneta.ink. For privacy-related inquiries, contact us at [email protected].

2. Data We Collect

Account Data

When you create an account, we collect: email address, username, display name (optional), country, preferred language, and interests you select.

Content Data

Letters you write and send through the platform, your signature text, and stamp collection data.

Technical Data

Session tokens for authentication, and basic server logs (IP addresses, timestamps) for security purposes. We do not use analytics or tracking cookies.

3. Legal Basis for Processing

We process your data based on: (a) your consent provided at registration, (b) contractual necessity to provide the Service, and (c) legitimate interests for security and fraud prevention.

4. How We Use Your Data

We use your data to: provide and maintain the Service, match you with pen pals based on interests, deliver letters between users, manage your stamp collection, and ensure platform security.

5. Data Sharing

We do not sell, rent, or share your personal data with third parties. Your letters are only visible to you and the recipient. When you send a letter, the recipient sees your username, display name, country, and letter content.

6. Data Retention

Account data is retained while your account is active. When you delete your account, your personal data is anonymised (email, username, display name, bio are scrubbed). However, letters you have sent – including the display name and signature you used at the time of sending – are retained for the recipient's benefit, as they form part of the correspondence the recipient received. Draft letters are permanently deleted.

7. Your Rights (GDPR)

Under the GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request erasure of your data
  • Restrict processing of your data
  • Data portability (export your data)
  • Object to processing
  • Withdraw consent at any time

To exercise these rights, use the account settings in the app or contact us at [email protected].

8. Data Security

We implement appropriate security measures including: password hashing (bcrypt), session token hashing (SHA-256), self-hosted infrastructure (no third-party cloud providers), encrypted connections (HTTPS), and redaction of sensitive data in logs.

9. Cookies

We use a single essential cookie (session_token) for authentication. No consent is required as it is strictly necessary for the service. We also use Plausible Analytics, which is cookie-free and does not collect personal data.

10. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the Service or by email.

12. Contact

For privacy-related questions or concerns, contact us at [email protected].