Legal

Privacy Policy

Last updated May 29, 2026

DebateThis collects the minimum information needed to run a 1v1 debate platform with audience voting and persistent rankings. This page is the plain-English version of what we do with your data — what we keep, what we don't, how we protect it, and what you can do about it.

What we collect

Account & identity

  • Username + email + bcrypt password hash. The password itself is never stored — only a one-way hash with a per-account salt.
  • OAuth provider IDs if you sign in via Google, GitHub, or X — just the opaque ID, never the provider password.
  • Avatar glyph you pick in Settings (a Unicode character, e.g. — no upload, no image data).

Gameplay

  • Debate transcripts — every argument you post, timestamped, attributed to your username.
  • Match metadata — opponent, topic, category, timing, round breakdowns, AI-judge scores, audience votes cast for you.
  • Rankings — Elo, tier, win/loss record, achievement progress, longest streak, peak Elo.
  • Social graph — friend connections, block list, challenges sent and received, notifications.
  • Preferences — chosen language, tone (formal vs casual), theme (light/dark/auto), sound on/off, sidebar layout. Stored both in your account and in browser localStorage for instant load.

Security & forensics

  • Salted SHA-256 hashes of your IP address on vote rows and a small set of audit events. Used for audience-vote sockpuppet detection and post-incident forensics. The raw IP itself is not persisted.
  • JWT identifiers (jti claims) of revoked sessions, kept in-memory until they would have expired anyway — so a logged-out token can't be replayed.
  • Rate-limit counters keyed by IP and identifier (login attempts, message submission, etc.). Counters reset on their natural window and are not tied to your account record.

Operational telemetry

  • Server logs — HTTP method, path, status code, response time, timestamp. Used for debugging and uptime. Retained roughly 30 days, then rotated out.
  • Crash reports via Sentry when something errors server-side. Stack traces only — no request bodies, no PII fields.
  • Socket presence — who's online, in queue, or in a debate. Transient (in-memory), cleared on disconnect.

What we don't collect

  • Tracking cookies for cross-site advertising.
  • Third-party analytics (no Google Analytics, no Meta Pixel, no Mixpanel, no Segment).
  • Real-time location or precise geolocation.
  • Browsing history outside DebateThis.
  • Your contact list, address book, or social graph from outside the platform.
  • Microphone or camera access. Voice-input is opt-in and runs entirely in your browser via the Web Speech API — audio never leaves your device. We only receive the already-transcribed text you choose to send.
  • Biometric data, government ID, or financial information. DebateThis is free; we never ask for a card on file.
  • Children's data. The service is not directed at users under 13. If we learn an account belongs to a child under that age, we delete it.

How we protect what we have

  • HTTPS-only end-to-end, with HSTS preload so even the first request can't be downgraded to plaintext.
  • Passwords are bcrypt-hashed with a per-account salt and a work factor tuned to roughly 250ms per check on our hardware. A leaked database row is computationally expensive to crack.
  • Auth uses signed JWTs in HttpOnly + Secure + SameSite cookies — they can't be read by page-injected scripts. Access tokens are short-lived; the refresh token can be revoked server-side.
  • Single active session per account. When you sign in on a new device, prior sessions (other browsers, other tabs) are invalidated server-side. Stops "session hopping" account takeovers cold.
  • CSRF double-submit pattern on every state-changing request — both the cookie AND a header token must match, so a malicious site can't trigger writes on your behalf.
  • Per-IP and per-identifier rate limits on login, registration, password reset, magic-link send, argument submission, and vote casting. Brute-force is throttled before it can land.
  • Content Security Policy + Permissions-Policy headers restrict what scripts, frames, and device APIs the page can use — defense in depth against XSS and clickjacking.
  • IP addresses are salted and hashed the moment we see them; the raw IP doesn't sit at rest in our database.
  • Spectator block enforcement at the socket layer — if you've blocked someone, their debates don't show up in your live view, and they can't watch yours.
  • Database connections are encrypted (TLS-required at Neon), and only our application can reach them — no public Postgres port.

Who we share with

  • Hosting: Fly.io runs the application; Neon hosts the Postgres database. Both are US-based.
  • LLM providers: Groq, Google Gemini, Mistral, Cerebras, and Anthropic — for bot opponents and (optionally) scoring. Your argument text is sent to these providers when your bot opponent generates a response or when an AI-assisted score is requested. We don't include your email or any identifier beyond an internal user_id with the request body.
  • OAuth providers: Google, GitHub, X — only when you choose to sign in via them, and only the standard OpenID Connect payload (provider ID, email if you grant it).
  • Email delivery: magic-link login emails are sent via a transactional provider (Postmark) — they see your email address and the message body, which is just the link + boilerplate.

We don't sell your data. We don't run cross-site ad tracking. We don't share anything with data brokers.

Where your data lives

Application servers run in Fly.io's US regions. The Postgres database is hosted by Neon, also in the US (us-east). If you access the service from outside the US your traffic crosses borders to reach us; by signing up you consent to that transfer.

How long we keep it

  • Account record + PII — as long as your account exists. When you delete your account, your PII (email, username, password hash, OAuth IDs) is scrubbed immediately.
  • Debate transcripts persist after account deletion with your username replaced by an opaque placeholder (e.g. gone-42-abcd) so opponents' Elo histories and audience votes stay coherent. The transcripts themselves never identify you by name.
  • Server access logs — about 30 days, then rotated off the host.
  • Rate-limit counters — minutes to hours, until the window resets.
  • Revoked-session list — until each token would naturally expire (max 30 days).
  • Salted IP hashes on vote rows — kept with the vote for the lifetime of the debate's audit record. Useful for catching ballot-stuffing weeks later; useless for identifying the human behind the keyboard.
  • Inactive accounts — kept indefinitely while the service exists. You can delete from Settings at any point; we don't auto-purge.

Your rights

  • Delete your account at any time from Settings. Effective immediately — sessions terminated, PII scrubbed.
  • Export your data — email hello@debatethisnow.com. We respond within 30 days with a JSON dump of everything on your account.
  • Correct errors in your profile — Settings.
  • Object to specific processing — same email, and we'll honor the request unless we have a legal obligation to retain (we currently don't).
  • California (CCPA) users have the same rights to know, delete, and opt out of "sale" — note that we don't sell data to anyone, so opt-out is the default.
  • EEA / UK (GDPR) users have rights of access, rectification, erasure, restriction, portability, and objection. Our legal basis for processing your account data is the contract to deliver the service; for security telemetry it's legitimate interest in keeping the platform from being abused.

Cookies

  • dt_access + dt_refresh — auth (HttpOnly + Secure + SameSite=Lax).
  • dt_csrf_access — CSRF double-submit token (readable by your scripts, required on every write).

No third-party tracking cookies are set by us. (If you opt into ads, the AdSense library may set its own — disclosed in the cookie consent banner.) Browser localStorage stores your UI preferences (theme, tone, sound, sidebar layout, radio station) — these never leave your machine.

Data breach notification

If we discover unauthorized access to a database or service that holds your PII (email + password hash + identifiers), we'll notify affected users by email within 72 hours of confirming the breach, with the technical details we've established by that point and the steps we recommend (force password reset, invalidate sessions). State and federal notifications follow as required.

Contact

Privacy questions, data requests, security disclosures: hello@debatethisnow.com. We read everything; response within 30 days.

Changes

If we materially change what we collect or share, we'll notify you in-app and via email before the change takes effect. Cosmetic edits and clarifications (like this revision) just bump the "Last updated" date.