Privacy

Your evidence. Your call.

Sighted is built like an evidence locker — disciplined intake, no quiet edits, and a path to total deletion whenever you want it.

Last updated · May 20, 2026Version 1.0
TL;DR

We collect what we need to run the service, strip what isn't ours to keep, and let you nuke your account whenever you want.

No ads. No trackers. No data sales. The full policy is below — it's short on purpose.

What we collect

The minimum surface area to run Sighted.

  • Email addressFor account access, password reset, and opt-in dispatch emails. Never shared.
  • Display name & avatarOptional. Public on your profile if set; defaults to a generated handle if not.
  • Sighting reportsEverything you submit through /report — title, description, location label, occurred-at, attached media.
  • Comments & validationsPublic corroboration history on every sighting.
  • Session metadataIP + user-agent on sign-in, used for security alerts and rate limiting. Rotated on sign-out.
What we don’t

The things we refuse to hold.

  • GPS EXIFStripped from every photo before storage. We never see it.
  • Browser fingerprintsNo FingerprintJS, no canvas fingerprinting, no advertising identifiers.
  • Third-party trackersNo Google Analytics, no Meta pixel, no Hotjar. The only outbound JS is Mapbox for the live map.
  • Government backchannelsNo agency has a privileged pipeline to our data. None.
  • Sold dataWe never sell your data. Ever. The business model is freemium, not surveillance.
Media pipeline

What happens to your photos and video.

Five steps, in order, every time you upload.

  1. 01EXIF stripGPS, device, and serial metadata removed in-transit. We never persist the raw EXIF block.
  2. 02Perceptual hashA pHash is computed so duplicate uploads surface on the same case.
  3. 03Encrypted storageOriginals land on Cloudflare R2 with at-rest encryption. Only the worker pipeline has read keys.
  4. 04CDN variantsWebP / AVIF derivatives are served via Cloudflare. Original bytes never hit the CDN.
  5. 05Erasure on requestAccount deletion removes the originals, all derivatives, and the pHash record.
Your rights

What you can ask us to do.

Right to exportDownload a portable archive of every report, comment, and validation you ever made.
Right to editUpdate any submission. The revision history is logged and publicly visible — but the latest version is what shows.
Right to deleteSoft-delete your account. After 30 days the username unlocks; reports are anonymised on the public map.
Right to objectEmail privacy@sighted.app and tell us to stop processing your data for any reason. We comply unless legally barred.
Privacy concernsSomething here doesn't sit right? Tell us.We respond to every privacy email within 7 days. No form, no ticket queue.
privacy@sighted.app →