← Home

Privacy Policy

Last updated: 25 May 2026

1. Who we are

SlopChop is a miniature painting progress tracker. The data controller is the operator of this service, established in Ireland. Our supervisory authority is the Data Protection Commission (DPC). For data protection queries, contact us at privacy@slopchop.app.

2. What data we collect and why

We collect only what is needed to provide the service.

  • Account data — email address and password hash, to create and secure your account. Legal basis: contract (Art. 6(1)(b) GDPR).
  • Profile data — username, display name, avatar, and preferences. Legal basis: contract.
  • Creative content — projects, steps, photos, paints, journal entries you create. Legal basis: contract. Photos are stripped of EXIF metadata on upload.
  • Hashed IP addresses — used for rate-limiting and abuse prevention. Raw IPs are never stored; we apply a one-way HMAC-SHA256 hash with a salt that is rotated quarterly. Legal basis: legitimate interests (Art. 6(1)(f)).
  • Error logs — stack traces sent to our error-monitoring service to help us diagnose defects. Legal basis: legitimate interests.
  • Gravatar avatar — if you opt in, we compute an MD5 hash of your email server-side and send only the hash to Gravatar. Your raw email is never transmitted. Legal basis: consent (Art. 6(1)(a)) — withdraw at any time in Settings.

3. How long we keep your data

  • Account, profile, and content data — until you delete your account.
  • Hashed IP addresses — 12 months, then automatically purged.
  • Unverified accounts — 7 days, then automatically purged.
  • Read notifications — 30 days; unread notifications — 90 days.
  • Data export files — 24 hours from generation.

4. Who we share your data with

We do not sell your data or share it with advertisers. We use the following processors, each bound by a Data Processing Agreement:

  • Hosting provider — infrastructure.
  • Resend (USA) — transactional email delivery.
  • Sentry (USA) — error monitoring.
  • Gravatar / Automattic (USA) — avatar display, only if you opt in.
  • Google (USA) — OAuth sign-in, only if you choose to use it.

5. Transfers outside the EU/EEA

Some processors listed above are US-based. Transfers to the USA rely on the EU–US Data Privacy Framework (where the processor is certified) or Standard Contractual Clauses adopted by the European Commission.

6. Your rights

  • Access (Art. 15) — request a copy of the data we hold about you.
  • Rectification (Art. 16) — update your profile in Settings at any time.
  • Erasure (Art. 17) — delete your account in Settings → Account → Delete account. Deletion is immediate and permanent.
  • Portability (Art. 20) — download all your data as a ZIP in Settings → Export my data.
  • Restriction (Art. 18) — ask us to pause processing while a dispute is resolved.
  • Objection (Art. 21) — object to processing based on legitimate interests.
  • Withdraw consent (Art. 7(3)) — remove Gravatar in Settings at any time.

To exercise rights not available directly in the app, email privacy@slopchop.app. We will respond within one month (extendable by two further months for complex requests, with notice).

7. Cookies and local storage

  • Authentication cookie (HttpOnly, SameSite=Lax) — keeps you logged in. Strictly necessary; no consent required.
  • Theme cookie — remembers your light/dark preference. Functional; no consent required.
  • localStorage — remembers feed sort order. Functional; no consent required.

We use no analytics, advertising, or tracking cookies.

8. Automated decision-making

Projects may be automatically hidden from public view if they receive three or more reports within a rolling window. This is a temporary safeguard — a human moderator reviews every case and you will be notified. No other automated decisions with significant effects are made.

9. Children

SlopChop is not directed at children under 16. If you believe we hold data about a child under 16, contact us at privacy@slopchop.app and we will delete it promptly.

10. Changes to this policy

We will notify registered users by email of material changes at least 30 days before they take effect.

11. How to complain

Please contact us first at privacy@slopchop.app — we aim to resolve complaints within 30 days.

If you are not satisfied, you can lodge a complaint with the Irish supervisory authority:

Data Protection Commission (DPC)

21 Fitzwilliam Square South

Dublin 2, D02 RD28, Ireland

dataprotection.ie