Privacy Policy

Last updated: April 29, 2026

Short version: plenty collects the minimum needed to run the site and to verify you're a real person before you submit a listing. We don't sell your data, run ads, or use third-party trackers.

1. What we collect

If you create an account:

• Your email address
• A bcrypt hash of your password (we never see your password in plaintext)
• Email-verification and password-reset tokens (SHA-256 hashed in our database; the plaintext token only ever lives in the email link)
• Account creation and last-login timestamps

If you submit a listing:

• Whatever you put in the form (name, address, hours, contact info, description, eligibility notes)
• Latitude/longitude derived from the address you geocoded
• Your account ID, so a moderator can follow up if needed

For every page view (in our short-term access log):

• Your IP address (used for rate limiting and abuse prevention; rotated out after ~30 days)
• Your browser's User-Agent string
• The path you requested and the HTTP referrer

We do not use Google Analytics, Facebook Pixel, advertising trackers, fingerprinting, or session-replay tools.

2. Cookies

plenty sets two cookies, both first-party and strictly functional:

• session — keeps you signed in. HTTP-only, Secure, SameSite=Lax.
• An anti-CSRF token stored inside the session cookie (no separate cookie).

That's it. No advertising or analytics cookies.

3. Third-party processors

To run the Service, plenty relies on a small set of third-party processors. We do not name them here for security reasons, but we describe what each category receives so you can make an informed decision:

• Hosting provider — receives your encrypted page requests and serves them, like any host would. Located in North America / Europe.
• Email delivery service — when we send you a verification or password-reset email, your email address and the email body are passed to this provider so they can deliver the message. Located in the United States.
• Map tile / CDN provider — when the map renders, your browser fetches map tiles from a content-delivery network. The CDN sees your IP address and the tile coordinates you request, like any image on the web.
• Address-lookup geocoder — if you use the address autocomplete on the submission form, the address you type is sent to a public geocoder so we can convert it to map coordinates. Treat the address you type as if you typed it into a public search box.
• TLS certificate authority — issues the HTTPS certificate; sees no user data.

We do not share, sell, rent, or trade your personal data with anyone else. If you'd like the exact identity of any processor (e.g., for compliance or audit purposes), email us and we'll tell you.

4. How long we keep data

• Account data — kept until you delete your account
• Submitted listings (approved) — kept indefinitely as part of the public map; if you delete your account, your name disappears from the listings but the listings themselves remain (similar to how Wikipedia handles edits)
• Pending / rejected listings — typically deleted within 90 days of moderation
• Access logs (IP + UA) — rotated out after ~30 days
• Email verification / password reset tokens — expire after 24 hours / 1 hour and are then deleted

5. Your rights

Regardless of where you live, you can:

• See what we have on you — email val@polyakov.me and we'll send you an export
• Correct anything inaccurate
• Delete your account and personal data — same email, we'll process it within a few days
• Object to our processing for any reason

We aim to honor GDPR (EU/UK), CCPA/CPRA (California), and similar privacy laws on a best-effort basis as a small operator. Requests via email are the fastest way.

6. Children

plenty is not directed to children under 13. We don't knowingly collect personal information from children under 13. If you believe a child has created an account, email us and we'll delete it.

7. Security

We use HTTPS everywhere, hash passwords with bcrypt, hash tokens with SHA-256, run on a hardened VPS with restricted SSH access, and keep our software patched. No system is bulletproof — if you suspect a security issue, please email us so we can fix it.

8. Changes to this policy

If we materially change this policy, we'll update the "Last updated" date and (for account holders) send a notice to your registered email.

9. Contact

Privacy questions, data-access requests, or anything else — email val@polyakov.me.