Privacy Policy
Last updated: 27 June 2026
VAS ("we", "us") is a private social app for the "Hey sticklestack" family plane-spotting game. This policy explains what we collect, why, and who we share it with. It's written in plain language — if anything is unclear, email privacy@sticklestack.com.
What we collect
- Account details: your email address (for sign-in), the display name and username you choose, and your "team" spelling preference.
- Posts and photos: images you capture and upload, plus any captions.
- Engagement: likes, comments, and replies you make, and the friend requests you send or accept.
- Usage signals: basic, automatically-collected technical data (rough location by country/region, device type, browser) used to keep the service secure and debug issues. We don't build an advertising profile.
- Sign-in codes: when you sign in from the installed app (PWA), we email a one-time code. The code is stored only as a hash and expires in 5 minutes.
Why we use it
- To create and manage your account, and to sign you in.
- To show your posts, likes, and comments to your friends (and theirs to you).
- To send you the sign-in link or code you requested.
- To prevent abuse and bot sign-ups (see "Bot protection" below).
Who sees what
- Your posts and profile are visible to your accepted friends and to you. There are no public profiles.
- Friend requests are seen only by the person you send them to.
- We do not sell your data, and we do not share it with advertisers.
Third-party services
We use a small number of trusted providers. Each receives only what's needed to perform its job:
| Provider | What they get | Why |
|---|---|---|
| Cloudflare R2 | Your uploaded photos (with unguessable keys) | Object storage; photos are served from R2's CDN. Access is enforced by which image URLs our API returns to whom. |
| Cloudflare Turnstile | A bot-detection token and fingerprint data | Protects the sign-in email step from abuse. Cloudflare receives fingerprint data to evaluate it. |
| Resend | Your email address and the sign-in message | Delivers your magic link or sign-in code. |
| Neon (Postgres) | The data described above | Our database host. |
Cookies
We set a single session cookie so you stay signed in between visits. It's how we know you're you. It's not used for tracking or advertising.
How long we keep your data
- Sign-in codes are deleted or expire within minutes.
- Account and content data is kept for as long as your account is active. You can request deletion of your account and its content at any time by emailing privacy@sticklestack.com.
- Server logs are kept for a short period for security and debugging, then automatically deleted.
Bot protection (Cloudflare Turnstile)
The sign-in email step uses Cloudflare Turnstile (invisible mode) to detect automated abuse. When you submit your email, a token is generated in your browser and verified by Cloudflare. Cloudflare receives fingerprint data (such as your IP address and browser characteristics) for this check. See Cloudflare Turnstile's privacy policy.
Your rights
You can ask to see, correct, or delete the data we hold about you, or to receive a copy of it. Email privacy@sticklestack.com and we'll respond within a reasonable timeframe.
Changes
If this policy changes, we'll update the date above and, for significant changes, notify you in the app or by email.
Contact
Questions? Email privacy@sticklestack.com.