Privacy Policy

Effective 2026-04-06 · Last updated 2026-04-06

1. Who we are

Society of Self-Hosters operates selfhosters.me and its subdomains. References to "we," "us," or "our" mean the platform operator.

2. What we collect

  • Public member profiles — name, bio, title, location, skills, socials, and projects you choose to publish.
  • Member images — avatars and banners you upload, stored in Cloudflare R2.
  • Authentication identity — when you log in via Cloudflare Access (GitHub OAuth or email OTP), we receive your identity from the provider. We do not store your email unless you opt in.
  • Wallet address — if you subscribe to the RPC proxy, we store the wallet address you provide.
  • API usage events — chain, protocol, method, byte counts, and latency for metering and billing (RPC proxy only).
  • IP addresses — processed at the Cloudflare edge for rate limiting and abuse prevention. Not stored in our application databases.

We do not use third-party analytics, tracking pixels, or advertising scripts.

3. How we use your data

  • Display your public profile on the website.
  • Authenticate you and authorize access to your own profile management endpoints.
  • Meter API usage for billing and capacity planning.
  • Detect and prevent abuse (rate limiting, fraud).

4. Cookies

Our code sets no cookies. If you access an authenticated area, Cloudflare Access sets an essential session cookie (CF_Authorization) for authentication only — not tracking.

5. Data retention

  • Member profiles & images — until you request deletion or an admin deactivates the account.
  • Auth sessions — auto-expire and are pruned on a rolling basis.
  • Invite codes — expire within 72 hours.
  • API keys — until you or an admin revokes them.
  • Usage events — 90 days, then purged.
  • Payment records — retained indefinitely as required for financial and tax records.

6. Third-party services

  • Cloudflare — CDN, DNS, edge compute, D1, R2, Access. Privacy policy
  • GitHub — OAuth identity provider (via Cloudflare Access). Privacy policy
  • Stripe (planned) — fiat payment processing. Card data never reaches our servers. Privacy policy

We do not sell, rent, or share personal data with any third party for marketing or profiling.

7. Your rights

  • Access — request a copy of all data we store about you.
  • Correction — update your profile via the self-service dashboard or by contacting us.
  • Deletion — request full deletion of your account, profile, images, API keys, and usage history.
  • Portability — request a JSON export of your profile data.
  • Objection — object to processing at any time.

To exercise any right, contact the platform operator. We will respond within 30 days.

8. Security

All traffic is encrypted via TLS. Data at rest in Cloudflare D1 and R2 is encrypted (AES-256). Secrets are managed with SOPS + age encryption and are never stored in plaintext in our source code. For full details, see our security documentation.

9. Changes

We may update this policy as the platform evolves. Material changes will be communicated via the website. The effective date at the top of this page reflects the latest revision.

10. Contact

Questions about this policy? Reach us via the contact information on our About page.