Privacy Policy — Curated

1. Introduction

Curated ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your personal data. By using Curated, you agree to the practices described in this Policy.

2. Information We Collect

Information you provide

Account information: name, email address, username, password (hashed)
Profile information: bio, profile photo
Content you upload: images and associated metadata (title, description, tags)
Communications: reports you submit, messages to our support team

Information collected automatically

IP address at each login — we log the IP address and browser user-agent string every time you sign in to your account. This history is retained for the life of your account and is used for fraud prevention, account security, and is provided to NCMEC and law enforcement when required by law.
IP address at each content upload — the IP address used to upload each pin is stored with that pin's record. This is required for mandatory CSAM reporting under 18 U.S.C. § 2258A and Canada's Protecting Canadians from Online Crime Act, which require us to include the uploader's IP in any CyberTipline report.
Browser type, device type, and operating system (from user-agent string)
Pages visited and actions taken within the Service
Timestamps of activity

Cookies

We use a single session cookie to keep you logged in. This cookie is HTTP-only and is not accessible to JavaScript. We do not use third-party tracking cookies or advertising cookies. If you block cookies, you will not be able to stay logged in.

3. How We Use Your Information

To operate and maintain the Service
To authenticate your account and keep it secure
To display your content to other users as you intend
To detect and prevent illegal content — uploaded images are analyzed by automated moderation tools (Google Cloud Vision, Azure Content Safety, Microsoft PhotoDNA, Shield by Project Arachnid / C3P, and perceptual hash matching)
To comply with legal obligations, including mandatory reporting of child sexual abuse material (CSAM) to NCMEC (US, 18 U.S.C. § 2258A) and Cybertip.ca (Canada, Protecting Canadians from Online Crime Act)
To respond to your support requests and reports
To improve the Service

4. How We Share Your Information

We do not sell your personal information. We share data only in these circumstances:

Service providers: We use third-party services to operate the platform, including cloud storage (Cloudflare R2), database hosting (DigitalOcean / PostgreSQL), content moderation (Google Cloud Vision, Microsoft Azure, Microsoft PhotoDNA), application hosting (DigitalOcean), and child safety hash matching (Shield by Project Arachnid, operated by the Canadian Centre for Child Protection, Manitoba, Canada). Image hashes are submitted to Microsoft PhotoDNA Cloud Service solely to detect known child sexual abuse material; no image content is retained by Microsoft for this purpose. These providers process data on our behalf under confidentiality obligations.
Legal compliance: We will disclose information when required by law, court order, or lawful government request. We are required to report CSAM to NCMEC (US) and Cybertip.ca (Canada), which includes user account information and IP addresses associated with the upload.
Safety: We may share information to prevent fraud, abuse, or imminent harm to any person.

5. Data Retention

We retain your account information for as long as your account is active. If you delete your account, we will delete your personal information within 30 days, except where we are required to retain it by law. Specifically:

Login IP logs and upload IP records associated with accounts involved in CSAM reports must be retained as required by 18 U.S.C. § 2258E (US) and applicable Canadian law, and will not be deleted on request where a legal obligation exists.
For accounts with no legal holds, login logs are deleted within 30 days of account deletion.

6. Your Rights

Depending on your location, you may have the right to:

Access the personal data we hold about you
Correct inaccurate personal data
Request deletion of your personal data
Object to or restrict certain processing of your data
Data portability (receive a copy of your data in a common format)

To exercise any of these rights, contact us at privacy@curated.art. We will respond within 30 days.

7. Canadian Privacy Law (PIPEDA)

Curated is operated from Ontario, Canada and complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Under PIPEDA, you have the right to:

Know why we collect, use, and disclose your personal information
Access the personal information we hold about you
Challenge the accuracy and completeness of your information
Withdraw consent to our use of your information (subject to legal obligations)

We collect only the information necessary to operate the Service, retain it only as long as needed, and protect it with appropriate safeguards. To make a PIPEDA request, contact our Privacy Officer at privacy@curated.art. We will respond within 30 days.

8. US Users — California Privacy Rights (CCPA)

Although Curated is operated from Canada, we also respect the rights of California residents under the California Consumer Privacy Act (CCPA). You have the right to know what personal information we collect, to request deletion, and to opt out of the sale of your information. We do not sell personal information. To submit a CCPA request, email privacy@curated.art.

9. Children's Privacy

Curated is not directed at children under 18. We do not knowingly collect personal information from anyone under 18. If we discover that we have collected information from a minor, we will delete it immediately. If you believe we have inadvertently collected information from a minor, please contact us at privacy@curated.art.

10. Security

We implement reasonable technical and organizational measures to protect your information, including encrypted passwords, HTTPS-only connections, and HTTP-only session cookies. No system is completely secure, and we cannot guarantee absolute security.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date at the top of this page. Continued use of the Service after changes constitutes your acceptance of the updated Policy.

12. Contact

Questions about this Privacy Policy? Contact us at privacy@curated.art.