Skip to main content
Wwr.fi
Menu

Privacy Policy

Last updated: March 16, 2026

What we collect

wr.fi collects the minimum data needed to operate the service:

  • Account data: Username, hashed passphrase, and email (if provided). Passwords are hashed with bcrypt and never stored in plaintext.
  • API keys: SHA-256 hashes of API keys for authentication. Raw keys are never stored.
  • Session tokens: Random tokens stored in cookies for login sessions. Sessions expire after 30 days.
  • IP addresses: Used for rate limiting (in-memory, pruned every 24 hours) and logged in server-side event logs for abuse prevention. Event logs are retained for operational purposes.
  • Content: Whatever you upload (files, text, metadata). Stored as content-addressed files on our servers.
  • Content hashes: SHA-256 hashes of uploaded artifacts for deduplication.

What we don't do

  • No third-party analytics. We use self-hosted Umami at analytics.wr.fi for anonymous page view counts — no cookies, no personal data, no tracking pixels.
  • No tracking cookies — we only use a single session cookie for login
  • No advertising or ad-related tracking
  • No selling or sharing data with third parties
  • No fingerprinting or cross-site tracking

Data retention

  • Anonymous content: Automatically deleted after 30 days.
  • Authenticated content: Stored indefinitely until you delete it.
  • Accounts: Stored until you delete your account.
  • Rate limit data: In-memory only, pruned every 24 hours. Not persisted to disk.
  • After deletion: For public and anonymous content, anonymized metadata (title, content type, provenance, timestamps) may be retained for up to 90 days for abuse prevention and audit, then permanently purged. Content files are deleted immediately. Unlisted and password-protected content is fully removed with no metadata retained.

Your rights

You can:

  • Delete your content at any time through the dashboard or API. Content files are deleted immediately. For public/anonymous content, anonymized metadata is retained for up to 90 days for audit, then purged.
  • Delete your account which removes your profile and all associated content. Unlisted and password-protected content is fully removed.
  • Export your data via the API — all your creations are accessible through your API key.
  • Request deletion by emailing abuse@wr.fi if you need assistance.

These rights apply regardless of where you are located. We aim to comply with GDPR, CCPA, and similar data protection regulations.

Security

Passwords are hashed with bcrypt (12 rounds). API key lookups use SHA-256 indexing. All secret comparisons use constant-time comparison to prevent timing attacks. Authentication endpoints are rate-limited. Production traffic is served over HTTPS with HSTS.

Changes to this policy

We may update this policy. Continued use of wr.fi after changes constitutes acceptance of the updated policy.

Questions? Contact us at hello@wr.fi.