Privacy Policy

Effective date: May 7, 2026 Last updated: May 7, 2026

1. Overview

VoxWind is a personal-projects platform run by an individual based in India. This policy explains what data is collected when you use voxwind.com and the related services (login.voxwind.com, echo.voxwind.com, flow.voxwind.com, and other subdomains). The policy is written to comply with GDPR principles even though VoxWind is operated from India.

2. What Data We Collect

Account information

When you create an account:

  • Email address
  • A password (stored as a bcrypt hash — we never see or store your actual password)
  • Optional display name (only if you set one)
  • Whether your email has been verified
  • The date your account was created

Session information

When you log in, we record:

  • A random session token (hashed in our database)
  • The browser and operating system information your browser sends (user-agent string)
  • Your approximate location (country and city only, looked up from your IP address by Cloudflare). We do not store your IP address with your session.
  • Timestamps for when the session was created and last active

If you sign in with Google

If you choose "Continue with Google" instead of an email/password account:

  • Your Google account's stable user ID (a number Google uses to identify you)
  • Your email address (Google sends this — must be verified)
  • Your name as set on your Google account (we use this as your display name; you can change it later)
  • We do not request or store your Google profile picture, contacts, calendar, or anything else.

Email-related data

  • We send transactional emails (account verification, password reset, account deletion notices) via Resend, a third-party email provider.
  • Resend temporarily stores delivery metadata (bounce status, opens) for operational purposes. See Resend's privacy policy for details.
  • Inbound emails sent to *@voxwind.com (e.g., [email protected]) are forwarded by Cloudflare Email Routing and end up in a Gmail inbox.

Rate limiting

To prevent abuse, we temporarily store:

  • IP addresses associated with login attempts, signup attempts, and similar requests
  • Counts of failed login attempts per email
  • This data lives in Cloudflare's KV storage and automatically expires after 15 minutes to 1 hour depending on the operation.

3. What We Don't Collect

  • No analytics tracking. There is no Google Analytics, no third-party tracking pixels, no behavioral tracking.
  • No third-party advertising networks.
  • No tracking cookies. The only cookie we set is vw_session, used to keep you logged in.
  • No location tracking beyond approximate country/city tied to a session.
  • No social media tracking pixels.
  • No fingerprinting beyond standard browser headers your browser sends with every request.

4. How We Use Your Data

  • Email and password — to authenticate you when you log in.
  • Display name — to greet you in emails and show your name on your account page.
  • Session data — to keep you logged in across our services and to let you see and manage your active sessions on your account page.
  • Approximate location on sessions — so you can recognize which session is yours when reviewing active sessions.
  • Rate-limit data — to block brute-force login attempts.
  • Google account ID and email (if you sign in with Google) — to recognize you on subsequent logins.

We do not sell, rent, or trade any user data. We do not use your data for advertising. We do not share your data with anyone other than the technical providers listed in section 5, who only process data on our behalf to operate the service.

5. Service Providers

We use the following providers. They process data on our behalf and only for the operational purposes described:

  • Cloudflare — hosts our infrastructure (Workers, Pages, D1 database, KV storage, DNS, email routing). Cloudflare may briefly process your IP address and request data as part of standard CDN/security operations. See Cloudflare's privacy policy.
  • Resend — sends our transactional emails. Resend processes recipient email addresses and email content for delivery. See Resend's privacy policy.
  • Google (only if you use Sign in with Google) — Google's OAuth service authenticates you. Your interaction with the Google login screen is governed by Google's privacy policy.

We do not have any other data processors or partners.

6. Data Retention

  • Account data: retained for as long as your account exists.
  • Session data: sessions automatically expire 30 days after creation (or 30 days after last active — sessions are extended on each use). You can revoke any session at any time from your account page.
  • Rate-limit data: automatically expires within 15 minutes to 1 hour.
  • Email delivery logs: retained by Resend per their retention policy (typically 30 days).
  • Deleted accounts: when you delete your account, we mark it for deletion and permanently remove all associated data after a 7-day grace period. During this window you can log back in and cancel the deletion. After 7 days, the data is irreversibly removed from our database.

7. Your Rights (GDPR)

If you are in the EU/EEA, UK, or any jurisdiction granting these rights, you have the right to:

  • Access the data we hold about you. Most of it is visible on your account page; for anything else, contact us.
  • Correct inaccurate data. You can update your display name from your account page; for other corrections, contact us.
  • Delete your account and all associated data. You can do this yourself from your account page (with a 7-day grace period).
  • Export your data. Contact us and we'll send you a JSON export of your account data within 30 days.
  • Restrict or object to certain processing. Contact us.
  • Withdraw consent for any optional processing. Contact us.

To exercise any of these rights, email [email protected]. We respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

8. Data Transfers

VoxWind is operated from India. Your data may be processed in:

  • India (where the operator is based)
  • United States (Cloudflare and Resend operate global infrastructure)
  • Other regions where Cloudflare's edge network operates

By using VoxWind, you consent to the transfer of your data outside your home jurisdiction for processing. We rely on standard contractual clauses and the providers' own compliance frameworks for international data transfers.

9. Security

  • Passwords are hashed using bcrypt before storage. We cannot recover your password — only reset it.
  • Session tokens are random and hashed in our database.
  • All connections to VoxWind use HTTPS.
  • We monitor for unusual activity and rate-limit abuse-prone operations.
  • No system is perfectly secure. If we ever discover a breach affecting your data, we will notify affected users by email and post a notice on voxwind.com.

10. Children

VoxWind is not directed at children under 13 (under 16 in the EU/EEA). We do not knowingly collect data from children. If you are a parent or guardian and believe your child has signed up, contact [email protected] and we will delete the account.

11. Changes to This Policy

If we make material changes, we will notify users by email at least 14 days before the change takes effect. Minor edits (typo fixes, clarifications) may be made without notice. The "Last updated" date at the top of this page reflects the most recent change.

12. Contact

For any questions, requests, or concerns about this policy or your data:

Email: [email protected]

We respond within 30 days for GDPR requests, typically within 1–3 days for general questions.