1. Overview
Voxlair ("we", "us", or "the platform") is an anonymous, text-first discussion platform operated from India. We are committed to collecting the minimum data necessary to run the service and nothing more.
Voxlair does not require a real name, phone number, date of birth, location, or any other identity signal to create an account or participate. Anonymity is a core product feature, not an afterthought.
This policy covers all users of voxlair.com regardless of location. If you are located in the European Economic Area, additional rights under the GDPR apply — see Section 14. If you are located in India, the Information Technology Act 2000 and the Digital Personal Data Protection Act 2023 (DPDPA) apply — see Section 13.
2. Information We Collect
2.1 Passphrase Accounts
When you create a passphrase account, we store:
- Your randomly generated username (you cannot choose your own)
- A bcrypt hash of your passphrase (cost factor 12). The plaintext is never stored and cannot be recovered.
- Your account creation timestamp and last active timestamp
- Your trust score (a number derived from your activity on the platform)
- Your post and comment counts (cached integers)
No email address is collected for passphrase accounts. There is no recovery option if you lose your passphrase — this is by design.
2.2 Full Accounts
When you create a full account, we store everything in 2.1, plus:
- A SHA-256 hash of your email address combined with a server-side salt. This hash is used only to check whether an email already exists — we never reverse it to look up your address during normal operation.
- An AES-256-GCM encrypted copy of your email address, stored separately. This is decrypted only when we need to send you a transactional email (password reset, notifications you have enabled). The decryption key is stored in an environment variable, never in the database.
- A bcrypt hash of your password (cost factor 12). The plaintext is never stored.
- Whether your email address has been verified.
- Your notification preferences (which categories of email you have opted into).
2.3 Session Data
When you log in, we create a session record containing:
- A 64-character cryptographically random session token (stored as an httpOnly cookie in your browser).
- A hash of your browser fingerprint, used only to detect session anomalies and abuse.
- A hash of your IP address (SHA-256 with a rotating server-side salt). We never store your raw IP address anywhere.
- A device hint string (e.g., "Chrome on macOS") for your sessions list in settings.
- The session creation timestamp and last-seen timestamp.
Sessions expire after 30 days of inactivity and are immediately invalidated on logout or password change.
2.4 Content You Create
We store all posts, articles, comments, debate arguments, and poll responses you submit, linked to your username. This content may be visible to other users according to the board's visibility settings. See Section 8 for details on content and anonymity.
2.5 Moderation Data
If your content is flagged or moderation action is taken against your account, we store a record of the action (type, reason, timestamp). This data is visible only to site administrators and is used to maintain platform safety.
2.6 Analytics
We use a privacy-first analytics servicethat does not use cookies, does not track users across sites, and does not collect any personally identifiable information. It gives us aggregate counts (page views, country-level traffic) with no individual-level data. We will never use Google Analytics or any product from the Google advertising ecosystem.
3. What We Never Collect
The following data is never collected, stored, or processed by Voxlair under any circumstances:
- Real names or legal identity
- Phone numbers
- Date of birth or age
- Physical location or GPS coordinates
- Raw IP addresses (only SHA-256 hashed with a rotating salt)
- Profile photographs or any biometric data
- Social media accounts or linked external accounts
- Payment information (handled entirely by third-party processors if/when monetization is enabled)
- Advertising identifiers
- Device IMEI or hardware identifiers
- Browsing history outside of Voxlair
We do not sell, rent, or share your personal data with advertisers, data brokers, or any third party for marketing purposes.
4. How We Use Your Information
- To authenticate you and maintain your session across visits.
- To display your content (posts, comments, arguments) to other users under your username.
- To send transactional emails you have explicitly requested (password resets, notifications you have opted into). Full accounts only.
- To enforce rate limits and detect spam using your account identifier and hashed IP.
- To propagate bans across accounts using browser fingerprint hashes. This prevents ban evasion without storing identifiable data.
- To calculate your trust score based on your platform activity.
- To allow site administrators to review flagged content and take moderation action.
- To generate aggregate, anonymised analytics about platform usage (page views, traffic sources).
We do not use your data for advertising, profiling, or selling to third parties.
5. Browser Fingerprinting
Voxlair uses FingerprintJS (open-source edition)to generate a browser fingerprint. This fingerprint is derived from signals such as your browser's user-agent string, screen resolution, timezone, WebGL renderer, and installed fonts.
We never store your raw fingerprint. The fingerprint is immediately hashed server-side before storage. The only purpose of this hash is abuse detection: if an account is banned, we flag the fingerprint hash to prevent the same browser from immediately creating a new account to evade the ban.
Fingerprint hashes are not used to identify you across sessions for advertising, analytics, or any purpose other than abuse prevention. They are not shared with any third party.
6. Third-Party Services
We use the following third-party providers to operate the platform. Each receives only the minimum data required for its function.
| Provider | Purpose | Data shared |
|---|---|---|
| Cloud hosting provider | Application hosting | Request logs (auto-deleted per provider policy) |
| Database provider | PostgreSQL database hosting | All database records (encrypted at rest) |
| Cache provider | Rate limiting, sessions, cache | Session tokens, rate limit keys (hashed identifiers) |
| Network provider | CDN, DDoS protection | Requests routed through edge network; raw IPs handled per provider privacy policy |
| Email delivery provider | Transactional email delivery | Your email address (full accounts only, only when sending an email you triggered) |
| Analytics provider | Privacy-first aggregate analytics | Page URL, referrer, country (no cookies, no PII) |
| Content moderation provider | Automated content toxicity scoring | Post and comment text (not linked to any identifier) |
| Spam prevention provider | Proof-of-work spam prevention | Computational puzzle result only — no personal data |
External link safety: All external URL fetching (link previews, image embeds) happens server-side only. Your browser never makes direct requests to third-party domains for embed content — this prevents those services from logging your IP address or tracking you.
8. Content You Post
Content you post (posts, comments, debate arguments) is stored under your randomly generated username. This username carries no real-world identity signal.
Content posted to open boards is publicly visible. Content in unlisted or invite-only boards is visible only to board members.
Soft-deleted content (posts or comments you delete) is hidden from all users but may be retained internally for moderation purposes for up to 90 days before permanent deletion from our database.
Username history (previous usernames you held) is visible to site administrators only and never shown publicly.
Post revision history is public — anyone can view the edit history of a post. Authors cannot delete their revision history. This is intentional for content integrity.
9. Data Security
- All passwords and passphrases are hashed with bcrypt at cost factor 12. They are never logged, never transmitted in plaintext, and cannot be recovered by us.
- Email addresses are never stored in plaintext. We store only a salted SHA-256 hash (for uniqueness checks) and an AES-256-GCM encrypted copy (for sending transactional emails). The encryption key is stored in an environment variable, not in the database.
- IP addresses are never stored in plaintext. We store only a SHA-256 hash with a rotating server-side salt, used only for abuse detection.
- Password reset tokens are stored as bcrypt hashes only. They expire after 15 minutes and are single-use.
- All data in transit is encrypted via HTTPS (TLS 1.2+). All connections to our database are encrypted.
- Sessions are limited to 5 active sessions per account. You can view and revoke individual sessions from your dashboard.
- The platform is protected by network-level DDoS mitigation, WAF, and rate limiting at the edge.
Despite these measures, no system is perfectly secure. In the event of a data breach that affects your personal information, we will notify affected users and relevant authorities as required by applicable law.
10. Data Retention
| Data | Retention |
|---|---|
| Active session tokens | 30 days from last use, or until logout |
| Password reset tokens | 15 minutes from creation, then permanently deleted |
| Email verification tokens | 24 hours from creation, then permanently deleted |
| Posts and comments (active) | Until you delete them or your account is deleted |
| Soft-deleted content | Up to 90 days for moderation review, then permanently deleted |
| Account data | Until you delete your account via Dashboard → Settings → Delete Account |
| Moderation records (ban, warn) | Retained for platform safety; reviewed periodically |
| Aggregate analytics | Indefinitely (no personal data is in analytics records) |
11. Your Rights
You can exercise the following rights directly from your Voxlair account:
- Access: View all your posts, comments, and active sessions from your Dashboard.
- Correction: Change your username (subject to cooldown limits) from Dashboard → Settings.
- Deletion: Delete individual posts and comments at any time. Delete your entire account from Dashboard → Settings → Delete Account. Account deletion is permanent and irreversible.
- Session control: View and revoke any active session individually from Dashboard → Settings.
- Notification opt-out: Full account holders can adjust email notification preferences per category at any time.
- Cookie opt-out: Declining our cookie notice prevents the session cookie from being set. This means you will not be able to log in.
For data requests that cannot be fulfilled through the dashboard (e.g., a full data export or erasure request under GDPR/DPDPA), contact us at the address in Section 16. We will respond within 30 days.
Passphrase account limitation: Because passphrase accounts store no email address, we cannot verify your identity for off-dashboard data requests. Proof of account ownership (logging in) is the only verification method available.
12. Children's Privacy
Voxlair is not directed at children under the age of 13, or under the age of 16 for users in the European Economic Area. We do not knowingly collect personal information from children. If you believe a minor has created an account, contact us and we will investigate and delete the account promptly.
Because we collect no age information during signup, we rely on users to represent that they meet the minimum age requirement.
13. Indian Law (DPDPA & IT Act)
Voxlair is operated from India and is subject to the Digital Personal Data Protection Act 2023 (DPDPA) and the Information Technology Act 2000 (IT Act) including the IT (Reasonable Security Practices) Rules 2011.
Basis for processing
We process your personal data on the following lawful bases under the DPDPA:
- Consent — obtained when you create an account and accept these terms.
- Legitimate uses — operating, improving, and securing the platform; preventing fraud and abuse.
Your rights under DPDPA
- Right to access: request information about what personal data we hold about you.
- Right to correction and erasure: request correction or deletion of your personal data.
- Right to grievance redressal: lodge a complaint with our Grievance Officer.
- Right to nominate: nominate another person to exercise your rights in the event of your death or incapacity.
Grievance Officer (IT Act & DPDPA)
In accordance with the Information Technology Act 2000 and DPDPA 2023, the name and contact details of our Grievance Officer will be published here once the platform formally launches. Until then, direct all privacy queries to the contact address in Section 16.
14. GDPR (European Users)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to access: obtain a copy of the personal data we hold about you.
- Right to rectification: correct inaccurate data.
- Right to erasure ('right to be forgotten'): request deletion of your personal data.
- Right to restriction of processing: ask us to limit how we use your data.
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to object: object to processing based on legitimate interests.
- Right to withdraw consent at any time where processing is based on consent.
- Right to lodge a complaint with your national data protection authority.
Legal bases for processing (GDPR Article 6)
- Contractual necessity — processing your account data and content to provide the service you signed up for.
- Legitimate interests — detecting and preventing spam, abuse, and ban evasion; aggregate analytics.
- Consent — email notifications and optional cookies.
We do not transfer personal data to countries outside the EEA without appropriate safeguards. Our infrastructure providers maintain Standard Contractual Clauses or equivalent mechanisms for cross-border data transfers.
15. Changes to This Policy
We may update this policy from time to time. When we make material changes, we will update the effective date at the top of this page. If you have a full account with email notifications enabled, we will also notify you by email.
Continued use of Voxlair after the effective date of a revised policy constitutes acceptance of the updated terms.
16. Contact
For privacy-related questions, data requests, or to exercise your rights, contact us at:
Voxlair Privacy
Email: contact@voxlair.com
Website: voxlair.com
We aim to respond to all privacy-related requests within 30 days. For urgent matters (e.g., suspected data breach), we will respond within 72 hours.
This policy was last reviewed on 24 April 2026. Voxlair — "We moderate behavior, not opinions."