Privacy Policy

Last updated: 2026-04-27. Privacy contact: 100loves@collager.ai. Applicable law: GDPR (EEA), FZ-152 (RU), CCPA (California).

1. Who we are

100 Loves is an anonymous web service developed by a solo founder. The service has no commercial structure at MVP stage and operates on the principle of data minimisation (GDPR Art. 5(1)(c)).

The service provides best-effort anonymity — we don’t store names, IP addresses, User-Agent strings or third-party cookies. However, a combination of open entries with age could theoretically allow identification if the user published very specific details. Automatic protection: a profile with fewer than 5 publicly open entries is not shown in the public feed.

If you recognise yourself or someone close to you in another’s list, write to 100loves@collager.ai and the profile/entry will be hidden immediately (faster than the 30-day GDPR SLA).

2. What we collect

Required at registration

  • Year of birth — for the 18+ gate and the age-slider compass in the «Echo» feed.
  • Anonymous token (UUID) — in localStorage and in an HttpOnly cookie for 1 year.
  • Entry content — what the user writes.

Optional

  • Email — only if the user provides it. Used in three cases, each with its own consent (GDPR Art. 7(2)):
    1. Magic Link for recovery — primary use, on user request from settings.
    2. One «your list awaits» email after a year — a separate checkbox, off by default.
    3. Marketing — NOT in MVP; will appear in v1.1 as a separate opt-in with one-click unsubscribe.
  • Email is stored as a bcrypt hash for matching and as AES-256 ciphertext for sending. It is decrypted only at the moment of delivery.
  • Echo-circle nickname — if the user provides one.

What we DO NOT collect

  • IP address — not persisted in the product DB (present only in nginx access logs, with 14-day rotation).
  • User-Agent — not collected.
  • Exact date of birth — only year.
  • First or last name — never.
  • Geolocation — never.
  • Browser fingerprint — never.
  • Cross-site tracking cookies — no third-party trackers.

3. Where data is stored

  • Active data — MySQL on a VPS in AWS (us-east-1).
  • Backups — RDS snapshots, retained 30 days.
  • Logs — same VPS, 14-day rotation (application) / 12 months (audit log, GDPR Art. 30).

4. Why we collect (GDPR Art. 6 legal basis)

  • Year of birth — Art. 6(1)(b) contract performance (18+ gate, feed slider).
  • Entry content — Art. 6(1)(b) — core function of the service.
  • Email — Art. 6(1)(a) explicit consent, for Magic Link.
  • Audit log — Art. 6(1)(c) legal obligation (Art. 30 records of processing).
  • Application logs — Art. 6(1)(f) legitimate interest, debugging.
  • Anonymous product analytics — Art. 6(1)(f), without anonymous_id in events.

Special categories (Art. 9 — health, sexual orientation, religion) — only with an additional explicit checkbox at the moment of publishing the entry.

5. Third parties

LLM provider for PII checks

When you try to publish an entry, its text is sent to Mistral Small 3 via La Plateforme (Mistral AI, Paris, France) for automatic detection of names of other people, addresses and special categories.

What is sent: only the entry text at the moment of the «eye» click. What is NOT sent: your anonymous_id, email, year of birth, history of other entries.

Mistral AI is a European company, servers in the EU. Mistral publishes SCC and DPA for processors. Data transfer doesn’t leave the EEA — no Art. 44 GDPR risk.

In our DB we DO NOT store the entry text in AI-check logs. We store only: model, latency, result flags, and SHA-256 hash of the first 200 characters (for dedup of repeat checks).

Email service

If you provide an email, it is sent to AWS SES for Magic Link delivery. AWS SES retains delivery metadata for 14 days.

Hosting

AWS Lightsail (app), AWS RDS MySQL (DB), AWS Route 53 (DNS) — standard AWS DPA applies to all three.

6. Your rights

  • Art. 15 — Access. «Download my data (JSON)» button in settings.
  • Art. 16 — Rectification. Each entry can be edited at any time. Edit history is visible only to you.
  • Art. 17 — Erasure («right to be forgotten»). «Delete everything» button in settings. Removed from the active DB within 30 days, from backups within 90 days.
  • Art. 20 — Portability. The same «Download my data» button returns JSON in a machine-readable format.
  • Art. 21 — Objection. Untick «publish to feed» in settings — all published entries are temporarily hidden.
  • SLA on requests — 30 days (GDPR standard). Urgent cases — to the email above.

7. Age requirement

The service is for 18+. This is protection under COPPA (USA), GDPR-K (EU, 16 years) and FZ-152 (RU, 14 years with parental consent).

If a registration attempt has a calculated age <18, access is blocked; no data is saved on the server. The localStorage draft is deleted.

8. Cookies

The service uses only functional cookies:

  • HttpOnly cookie with the anonymous token (1 year) — basis of identification.
  • Language cookie (1 year) — lang=ru or lang=en.

A cookie banner is NOT required (GDPR Recital 30, ePrivacy Art. 5.3 exception for strictly necessary cookies). No advertising or third-party analytics trackers.

9. Policy changes

Material changes — with 30-day notice via email to those who left one, and via a banner on the site. Minor edits — without notice; the date in the header reflects the change.

10. Contact

For any privacy questions — 100loves@collager.ai.

The Data Protection Officer (DPO) at MVP stage is the solo founder. After the first 1000 EEA users, a DPO will be appointed in line with GDPR Art. 37.

By using the service you confirm that you have read and agree to this Privacy Policy. Consent is recorded when you tick the explicit checkbox on your first attempt to submit an entry.
