Legal
Privacy
What we collect, why, and how to get it back or delete it.
Last updated June 2026.
The short version
- We collect what we need to run the site and personalize your feed, nothing more.
- We don't sell your data. There's no ad tech on these pages.
- You can export everything we have on you, or delete your account, from account settings.
- We use a single first-party cookie for sign-in and a short-lived CSRF token. No third-party trackers.
What we collect
If you have an account, we store:
- Your email address and a hashed password (bcrypt). Plain-text passwords are never stored.
- Optional display name and preferences (topics and regions you follow).
- Your bookmarks, annotations, reactions, briefings, and reading history (used for “continue reading”).
- If you enable two-factor authentication: an encrypted TOTP secret and hashed backup codes.
- Sign-in audit log (IP address, user-agent, timestamp) for the most recent sign-ins.
If you're a visitor (not signed in), we collect aggregated request metrics for performance and security (no cookies, no per-user tracking).
Why we collect it
- Authentication and account security. Without an email and password we can't sign you in.
- Personalization. Topics and regions you follow weight your home feed and daily digest.
- Social features. Bookmarks, annotations, reactions, and briefings need user-id linkage to function.
- Abuse prevention. Rate limiting, MFA, and the sign-in audit log help us spot account takeovers.
Cookies
We set one essential cookie (the session cookie used for sign-in) and a short-lived CSRF token. We do not set advertising, analytics, or tracking cookies. There is no third-party tracker on this site.
Third parties
We use third-party services for hosting (Fly.io), for sending email (your provider here), for crash and error reporting (Sentry — aggregated stack traces, no personal data), and for the AI rewrite step (OpenAI). Article text is sent to the AI provider as part of the debiasing pipeline; reader account data is never sent to the AI provider.
Your rights
You can, at any time:
- Download an export of your data (JSON).
- Delete your account. Deletion is permanent; we keep no soft-deleted shadow.
- Email privacy@pure.report for any GDPR / CCPA request we don't already handle in-product.
Changes
Material changes to this policy are announced via a banner on the site and via the daily digest for subscribers, at least 30 days before they take effect. The “last updated” date at the top reflects the most recent revision.