Introduction
This Privacy Policy explains how RabbitHole (“we”, “us”, “our”) collects, uses, and protects your personal information when you use our website and services (collectively, the “Service”). We are committed to protecting your privacy in compliance with the European Union’s General Data Protection Regulation (GDPR) and other applicable privacy laws.
By using RabbitHole, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please refrain from using the Service.
1. Controller & Contact
The “controller” of your personal data – i.e., the organization responsible for data processing – is Rabbit Tale & Company. LLC., the operator of RabbitHole.
- Company Name: Rabbit Tale & Company. LLC.
- Registered Address: We do not have a company yet, so I will not dox myself by putting my address there.
- Contact Email: kris@rabbittale.co
If you have questions or requests regarding your personal data, you can contact us by email. We may also designate a Data Protection Officer (DPO) or representative in the EU if required; if so, we will provide their contact details on our website or upon request.
2. Categories of Personal Data We Collect
We only collect personal data that is necessary for providing and improving the Service. The categories of personal data we process include:
- Account Data: When you register or maintain an account, we collect information like your email address, display name/username, password hash (we store passwords securely in hashed form), and any profile information you choose to provide (such as profile biography, avatar image, links to your social media). We also store your user settings and preferences.
- User Content: We process the content you create on RabbitHole, which may include posts (artworks, text descriptions), images, videos, audio files, comments you make, likes/favorites, reports you file, collections or folders you organize, and any other material you submit. If you add optional profile features such as background music or gallery descriptions, we will handle the data needed for those features as well. Important: Some content you provide might include personal data if you include it (e.g., if you upload a photo of yourself or tag someone). Content you post is generally public or shared with other users by default, so do not include information you consider private in content postings.
- Direct Messages and Communications: If the Service offers direct messaging (private messages between users), those messages are stored and processed to deliver them to recipients. Note that even though DMs are private between the participants, we as the service provider may access them under specific circumstances (for instance, for safety/moderation if a report is made, or as required by law). We also collect any communications you send to us, such as support tickets, emails, or abuse reports, and our communications with you (like responses from support). These may contain personal data like your email address and the content of your correspondence.
- Usage Data & Technical Information: When you use RabbitHole, our systems automatically record some technical information, such as:
- IP Address: Used for security (e.g., identifying abusive behavior, preventing unauthorized access) and to infer your general location (at the city/region level) for features or legal compliance (like showing site content appropriate for your region).
- Device and Browser Data: This includes information like your device type, operating system version, browser type, and screen size. We use this to ensure compatibility and optimize the user experience.
- Identifiers: If you use our mobile app or website, we may assign an internal user ID. We also utilize cookies or similar technologies to keep you logged in (session cookies) and to remember preferences. Some cookies or local storage identifiers might be used for analytics (with consent, where required).
- Logs and Interaction Data: We keep logs of certain user actions for security and troubleshooting – for example, login timestamps, features used, content viewed, clicks, and referral URLs (which site/page led you to RabbitHole). We also log crashes or error reports from the app to diagnose issues.
- Billing Information: If you purchase a premium subscription or conduct any financial transaction on RabbitHole, we (via our payment processor) will collect billing data. This includes your subscription status (active, canceled, trial), what plan you purchased, and an identifier from the payment processor (like a Stripe customer ID, payment method ID, or transaction IDs). We do not store full credit card numbers or payment account details on our servers; those are handled by the payment provider. We may store the last four digits of your card or the card’s expiration and the billing name/address if provided for invoicing, as part of the receipts/invoice records.
- Moderation and Safety Data: We maintain records related to moderation of the platform. This can include things like: reports submitted by users about content or behavior, our notes or decisions on those reports, records of rule violations, and any actions taken (warnings, suspensions, content removals). We also keep abuse prevention data such as login attempt records, accounts flagged for spam or fraud, and similar diagnostic data.
- Optional Data from Third-Party Logins: If in future we allow sign-in via third-party services (e.g., Google, Facebook, or others), and you choose to use that, we would receive basic account information from that third party (for example, an OAuth token, your email, and name as per that service). We will inform you at that time what data is obtained from the third-party login. (Currently, we primarily use our own sign-up system.)
We do not intentionally collect any special categories of personal data (such as information about health, political opinions, etc.) unless you voluntarily provide it (for instance, if you include sensitive personal details in a profile bio or in your art content, which we discourage). We also do not knowingly collect personal data from children under the digital consent age (see Section 11).
3. Sources of Personal Data
We collect personal data from a few different sources:
- Directly from You: The majority of data comes from you directly. This includes data you provide when registering (e.g., email), filling out your profile, posting content, or contacting support. You have control over how much information to provide in these cases (beyond what’s necessary for registration/login).
- Generated by Your Activity: Data is also generated automatically as you use the Service. For example, as mentioned under Usage Data, we log interactions and technical data (IP address, device info, etc.) when you access RabbitHole. Also, your content postings, messages, and interactions (likes, follows) generate data about your activities on the platform.
- Third Parties: We may receive some data from third parties in specific scenarios:
- If you make a payment, our payment processor (e.g., Stripe) might send us confirmation of payment and basic details needed to record the transaction (as described in Billing Information above).
- If we implement third-party login, we get info from those providers as you authorize.
- If another user interacts with you (for example, if someone mentions you in a comment or sends you a message), we collect that information as part of running the Service.
- In future, if we enable social features or importing content from other platforms (with your consent), we would receive data from those external sources as needed.
- Publicly Available Sources: We generally do not collect data from public databases about our users. However, if for example we needed to verify something in a fraud prevention context, we might use public resources or blacklists (e.g., checking if an IP is on a public spam list) – but such checks are limited and primarily for security.
4. Purposes of Processing & Legal Bases (Why We Use Your Data)
Under GDPR, we must have a valid legal basis for each purpose for which we process your personal data. We outline these below:
- Provide and Maintain the Service (Contractual Necessity – GDPR Art. 6(1)(b)): We use account data, user content, and technical data to operate RabbitHole and provide you with the services you expect. This includes hosting your posts and images, displaying content to you and others, enabling interactions (comments, likes), and maintaining your account settings. If you have a paid subscription, we process your data to give you the features you paid for. These uses are necessary to perform our contract with you (i.e., the Terms of Service, which you agree to by using RabbitHole).
- Premium Billing & Subscription Management (Contract and Legal Obligation – GDPR Art. 6(1)(b) & 6(1)(c)): To process payments and manage subscriptions, we handle billing info and use third-party payment processors. This is part of providing the service you request (contractual). Additionally, we have legal obligations to keep transaction records for accounting and tax compliance, especially since our company operates in Poland/EU (e.g., VAT regulations, accounting laws requiring retention of invoices).
- User Communications & Support (Contractual and Legitimate Interest – Art. 6(1)(b) & 6(1)(f)): If you contact us for support or with a complaint, we use your contact info and communication to respond to you and resolve issues. It’s necessary for providing customer service (and thus part of our service contract to you), and also in our legitimate interest to maintain good user relations and resolve disputes.
- Service Communications (Contractual or Legal Obligation – Art. 6(1)(b) & (c)): We may send you emails or notifications about important service updates: for example, confirming your email or payment, receipts for purchases, critical changes to terms or policies, security alerts, or moderation actions taken on your account. These are necessary for your use of the service or required by law. For instance, if we change our Terms, we might be legally required to notify you. These types of communications are not marketing; you cannot opt out of receiving critical service notices as long as you have an account, except by deleting your account.
- Security and Abuse Prevention (Legitimate Interests – Art. 6(1)(f)): We process certain data to keep RabbitHole and its users safe. This includes using IP addresses and logs to detect and mitigate fraudulent or malicious activities (like detecting multiple accounts for spam, or DDoS protection), using cookies or other measures for rate-limiting requests, and analyzing logs or user reports to prevent harassment or illegal content. It is in our legitimate interest (and that of our users) to ensure the security of the Service and prevent misuse. We carefully balance this with your rights – for example, security logs are accessed only by authorized personnel and retained only as long as needed for safety purposes (see Retention).
- Product Analytics (Legitimate Interests / Consent – Art. 6(1)(f) or Art. 6(1)(a)): We want to understand how users use RabbitHole in order to improve the product. We may use privacy-friendly analytics tools that collect minimal personal data. For example, we might track how often certain features are used or the general geographic distribution of our users. If these analytics involve setting non-essential cookies or similar identifiers, we will seek your consent where required by law (e.g., under EU ePrivacy rules, analytics cookies are not set without consent unless strictly necessary). Our legitimate interest is to improve our service, but we will respect your choice if you opt out of analytics tracking that is not strictly necessary.
- Marketing Communications (Consent – Art. 6(1)(a)): If you explicitly opt in to receive marketing emails or newsletters (for example, an email newsletter about RabbitHole updates, or notifications about new features and promotions), we will use your email to send you such communications. You can withdraw your consent at any time by unsubscribing (every marketing email will have an “unsubscribe” link) or by adjusting your account email preferences. We will not send you marketing messages without your consent, especially if local law (like ePrivacy Directive implementations) requires opt-in.
- Content Ranking and Personalization (Legitimate Interests – Art. 6(1)(f)): We may use algorithms to personalize your experience – for instance, to sort your feed of followed artists, or recommend posts you might like. This involves processing data about your usage (which artists you follow, what you liked, etc.). We have a legitimate interest in helping users discover relevant content and keep the platform engaging. However, these processes do not produce legal or similarly significant effects on you – they are simply to enhance your content consumption experience (see Section 5 on Automated Decisions for more detail).
- Compliance with Legal Obligations (Legal Obligation – Art. 6(1)(c)): We might process and disclose personal data where necessary to comply with laws or regulations. For example, to respond to lawful requests by public authorities, to comply with tax and accounting laws, or to fulfill transparency obligations under the Digital Services Act (e.g., reporting the number of content removal orders we receive). If we receive a court order or similar legal demand for user information, we may need to process and share some data as required by law.
- Legal Claims & Enforcement (Legitimate Interests – Art. 6(1)(f)): If we need to establish, exercise, or defend against legal claims, we may process relevant personal data. For instance, keeping logs and records might be necessary to handle a dispute with a user or a third party. It’s in our legitimate interest to defend our legal rights and ensure our terms are enforced.
Whenever we rely on legitimate interests as a basis, we ensure that our interests are not overridden by your privacy rights by conducting balancing tests. You have the right to object to processing based on legitimate interests (see Section 9 on your GDPR rights).
5. Automated Decisions & Profiling
RabbitHole uses some automated processes to provide and secure the service, but we do not use automated decision-making that produces legal effects or similarly significant effects on you without human involvement (as per GDPR Art. 22).
- Content Feeds and Recommendations: We may automatically rank or recommend content (for example, showing you popular posts, or ordering your home feed by an algorithm rather than strictly chronologically). These algorithms could be based on factors like content popularity, your past interactions, or quality and safety signals. These automated decisions do not have a significant adverse effect on you – they are meant to enhance your experience. You always have the option to sort content chronologically (if the feature is available) or opt out of certain personalized features. We aim to be transparent about the main parameters of any recommendation system in our user-facing help documentation.
- Spam/Abuse Detection: We use automated filters to detect spam (e.g., mass posting of the same comment) or certain rule-violating content (for example, known hash databases to detect child sexual abuse imagery, or algorithms that flag possible hate speech or AI-generated content). These tools may sometimes automatically prevent content from being posted or hide it pending review. However, final decisions (like permanently removing content or banning a user) are made with human review, especially for borderline cases. Our automated tools are there to assist human moderators and to keep the community safe, not to make irrevocable decisions on their own.
- Profiling: “Profiling” under GDPR means analyzing personal data to evaluate certain things about a person (like interests or behavior). RabbitHole might do limited profiling for purposes like recommending content or showing relevant artists to follow. For example, if you frequently like digital paintings, the system might suggest more digital painters to you. This kind of profiling is common in social media for personalization. You can influence it by your actions (and you can opt out of marketing profiling by not opting into marketing communications). We do not use profiling to make decisions that significantly affect your rights or that are discriminatory or sensitive.
- No Automated Legal Decisions: We do not, for instance, automatically terminate accounts or refuse service solely by an algorithm. Any such serious action involves human involvement and review of the context.
- Transparency: We will update you if we introduce any new automated decision systems that go beyond the scope described here, and if required, we will provide means for you to request human intervention or express your point of view.
6. Recipients of Personal Data (Who We Share Data With)
We treat your personal data with care and do not sell it. However, we do share data in certain scenarios to run the Service effectively or when required by law:
- Service Providers (Processors): We use trusted third-party companies to help us operate RabbitHole. These providers process data on our behalf and are bound by contractual obligations under GDPR (Data Processing Agreements) to protect your information. Key processors include:
- Hosting and Infrastructure: Cloud service providers that host our servers and databases, and Content Delivery Networks (CDNs) that distribute images and media globally. (For example, we might use a provider like Amazon Web Services, Google Cloud, or a European hosting company. The provider will have access to stored data for maintenance but cannot use it for any other purpose.)
- Payment Processor: Stripe (or a similar payment platform) for handling subscriptions and payments. Stripe will receive your payment details and process transactions. We share with Stripe the necessary personal data for billing (such as your email, country, and payment info). Stripe is a PCI-DSS compliant entity and does not share your full card number with us.
- Email Service: If we send emails (verification, notifications, newsletters), we might use an email delivery service (like SendGrid, Mailgun, or similar) which will process your email address and the content of the email.
- Analytics and Logging: We might use services for analytics (like a self-hosted Matomo, or a privacy-friendly analytics service) and error tracking (like Sentry for crash reports). These may receive technical data (app errors, usage stats) but are generally configured without personal user identifiers whenever possible.
- Moderation Tools: We could employ third-party tools for content moderation assistance – for example, automated image scanning for disallowed content, or text filters. These tools would process content and flag issues, but typically do not retain the data and only provide us alerts.
- Other Processors: If we use other specialized services (e.g., a customer support ticketing system, or data backup storage), those providers might have incidental access to data. In all cases, processors are only allowed to use data as needed to provide their service to us and not for their own purposes.
- Other Users and Public: A core aspect of RabbitHole is sharing your content with others. Any User Content you post (art, comments, profile information) is visible to other users or the public according to the privacy settings of the platform. By default, art posts and comments are public to the community; your profile is public (unless we add settings to make certain fields private). Please be mindful that any information you share publicly can be viewed, saved, or shared by others (even after you remove it, others might have taken screenshots or re-shared it). We cannot control what other users do with information you make public.
- Legal and Law Enforcement: We may disclose personal data to third parties when required by law or necessary to protect rights. This includes:
- Responding to lawful requests by public authorities, law enforcement, or courts. For example, if we receive a court order or a subpoena demanding certain user data, we will comply after verifying its validity. We will attempt to notify affected users if allowed (and if we have contact info), unless legally prohibited.
- Sharing information to comply with applicable laws or regulations (e.g., filing required data with tax authorities for purchase records).
- If necessary to enforce our Terms of Service or to protect the rights, property, or safety of RabbitHole, our users, or the public. For instance, exchanging information with other companies and organizations for fraud protection or to report a credible threat.
- Business Transfers: If Rabbit Tale & Company. LLC. is involved in a merger, acquisition, investment, reorganization, or sale of all or some of its assets, personal data may be transferred to the acquiring entity or merged with the successor’s data holdings. We will ensure the new owner has to respect your personal data in a manner consistent with this Privacy Policy. We will notify users (e.g., via email or a notice on the site) of any ownership change or data transfer along with any choices you may have.
- Independent Third-Party Services: Some third parties are not our “processors” but rather independent controllers of data you provide through our Service. For example:
- If you link your RabbitHole profile to another service (say, you add a link to your Twitter or YouTube), those services might collect data through that link if clicked (their own cookies, etc.).
- If in the future we support integration like sharing posts to other platforms or using a music API for profile songs, those external services might collect usage data when you interact with the integration. In such cases, your data is handled according to the third party’s terms, and we’ll only share data with those services at your direction (e.g., if you choose to connect accounts or share something).
- Aggregated or Anonymized Data: We may share aggregated information that does not identify you personally, for purposes like industry analysis, demographic profiling, or to show trends about our user base. For example, we might publish that “X% of RabbitHole users are from Europe” or “We have N monthly active users,” without revealing personal details.
We do not sell your personal data to any third party for marketing or other purposes.
7. International Transfers of Data
RabbitHole is operated from Poland, and we aim to store user data primarily on servers located in the European Economic Area (EEA). However, some of our service providers or content delivery networks may process data in other countries (for example, a CDN node that delivers images might be outside the EU to speed up access for users in that region).
When personal data is transferred outside the EEA (or the United Kingdom, if UK data is involved) to a country that the European Commission has not deemed to have an “adequate” level of data protection, we will ensure appropriate safeguards are in place:
- We typically use European Commission-approved Standard Contractual Clauses (SCCs) in contracts with such service providers, which legally oblige them to protect your data to EU standards.
- Where needed, we assess whether additional technical or contractual measures are required (following guidelines from EU authorities, e.g., encryption in transit and at rest, commitments to handle government data requests carefully, etc.).
- Some providers may rely on schemes like the EU-US Data Privacy Framework (if applicable and the provider is certified under it) or other legally recognized transfer mechanisms.
- You can contact us if you would like more information on the specific safeguards for transfers pertaining to your personal data or to request a copy of relevant contract terms (we may redact commercial terms).
By using RabbitHole, you understand that your personal data might be transferred to and processed in countries outside your own. Regardless of where data is processed, we take steps to ensure that your privacy rights continue to be protected as outlined in this policy.
8. Data Retention (How long we keep your data)
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention is required or permitted by law. In practice, this means:
- Account Data: We keep your account information while your account is active. If you delete your account or if we close it, we will delete or anonymize your personal data within a reasonable period after account deletion. Inactive accounts may also be deleted after a very long period of dormancy (we would provide notice before this). Some minimal information may be kept to prevent fraud or if required for legal obligations (see below).
- User Content: Content you post is stored until you remove it or your account is deleted. If you delete specific content (e.g., delete a post or comment), it will no longer be visible to others, and we will purge it from our live databases. However, it may remain in backup systems or caches for a short duration. Those backups are cycled and older data is overwritten or deleted periodically. If content was subject to a report and a moderation decision, we might retain a record of the content (e.g., in a takedown log) for evidence, even if it’s no longer visible on the site.
- Direct Messages: If implemented, private messages might be retained until you delete them. If you delete a message or conversation, it will be deleted from our active systems, but could exist in backups for a time. Note that the person you communicated with will still have their copy of the messages unless they also delete it.
- Logs & Technical Data: Security logs (like records of IP addresses used to log in, or logs of actions taken) are typically retained for a limited time, such as 30 to 180 days, unless longer retention is justified for security analysis. For example, logs that show a pattern of abuse might be kept longer to track recurrences. General web server logs might be kept around 30 days by default. Analytics data may be retained in aggregate form (without personal identifiers) for a longer period to identify long-term trends.
- Billing Records: We retain financial transaction records as required by law. In Poland and under many tax laws, invoices and related records must be kept for a certain number of years (often 5 years or more from the end of the tax year). Therefore, even if you delete your account, we might need to keep invoice data (which could include your name, email, and transaction details) for the legally mandated period. These will be stored securely and only used for those compliance purposes.
- Support Communications: Emails or support tickets are typically retained for some years, so we have a history of what was communicated in case of follow-ups. If you want us to delete a support email that contains your personal data, you can request it, though we might redact personal data instead if we need to keep the core message for record-keeping.
- Moderation Records: If you were involved in a violation of our Terms, we may keep records of the incident (including reports and our responses) for a duration that helps us identify repeat offenders or to have context for any future issues. Typically, if an account is terminated, we might keep such data for a couple of years in case of appeals or attempts to rejoin, or as required to demonstrate our compliance with legal obligations (like the Digital Services Act’s requirement to handle illegal content).
- Anonymized Data: In some cases, rather than full deletion, we might anonymize data (so it can no longer be linked to you). For example, instead of deleting an entire analytics log entry, we might remove personal identifiers and keep aggregated info like “a user from X country did Y” that is no longer tied to any specific account.
When we no longer have a legitimate need to retain your personal data, we will ensure it is either securely deleted or anonymized.
9. Your Rights under GDPR
As an individual in the European Union (or where GDPR applies), you have the following rights regarding your personal data that we hold:
- Right of Access: You have the right to request a copy of the personal data we hold about you, as well as information on how we process it. This is commonly known as a “Data Subject Access Request.” We will provide you with a copy of your data, usually within one month of verification of your identity (an extension is possible for complex requests, but we will inform you if that’s the case).
- Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to request that we correct or update it. You can also correct some of your data directly through your account settings (e.g., you can change your display name or email).
- Right to Erasure (“Right to be Forgotten”): You have the right to request deletion of your personal data. This is not absolute – for example, if we have a legal obligation to keep certain data, we may deny the request for those specific pieces. However, we will honor deletion requests for data we no longer need. The easiest way to exercise this for most of your data is to delete your account through the settings, which removes personal info and content (subject to the retention policy above). If you want a specific piece of data deleted, you can ask us. We will also inform other parties to whom we’ve disclosed the data (if any, and if required by law) about your deletion request.
- Right to Restriction of Processing: You can ask us to restrict (pause) the processing of your data in certain circumstances. For example, if you contest the accuracy of data, you can request we restrict processing until we verify the accuracy; or if you object to our legitimate interest processing, you can request restriction while we consider your objection.
- Right to Object: You have the right to object to certain processing activities. In particular, you can object to processing based on legitimate interests. If you do, we must stop unless we have compelling legitimate grounds that override your rights or if we need to continue for legal claims. You also have an absolute right to object to your personal data being used for direct marketing purposes – if we were doing marketing, we would stop if you object or withdraw consent.
- Right to Data Portability: For data that you provided to us and that we process by automated means on the basis of your consent or a contract, you have the right to request a copy in a structured, commonly used, machine-readable format (for example, JSON or CSV file). You also have the right to ask that we transmit that data to another service where technically feasible. In practice, this applies to things like the content you posted or info you gave us, not to things we generated (like internal analytics). We are exploring tools to allow you to export your content easily.
- Right not to be subject to Automated Decision-Making: As noted, we do not subject you to decisions with legal or similar effects without human involvement. If you believe a purely automated decision is affecting you significantly, you can request human review.
- Withdrawal of Consent: If we rely on your consent for any processing (e.g., for sending marketing emails), you can withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal. For example, you can unsubscribe from marketing emails, and we will stop sending them.
- How to Exercise Your Rights: To exercise any of your rights, please contact us at kris@rabbittale.co. Please clearly state what you are requesting. We may need to verify your identity before fulfilling the request (for instance, by confirming you have access to the email associated with your account, or asking for some identifying info).
- Response Time: We will respond to requests within one month. If your request is complex or if we receive many requests, we may extend this by up to two further months, but we will inform you within the first month if an extension is needed and why.
- Fees: In general, we will not charge a fee for exercising your rights. However, if a request is manifestly unfounded or excessive (for example, repetitive requests), we may either charge a reasonable fee or refuse to act on the request (per GDPR rules). We will explain our reasoning in such cases.
Please note that these rights may be subject to certain exemptions under applicable law. For instance, if fulfilling your request would adversely affect others’ rights or if we have to keep data for legal reasons, we might not be able to comply fully, but we will explain the situation to you.
11. Children’s Privacy
RabbitHole is not directed to children under the age of digital consent in their jurisdiction. In most EU countries, this means the Service is not intended for children under 16 years of age (in some countries this threshold may be lower, but RabbitHole has chosen 16 as a general rule, given Poland’s stance). We do not knowingly collect personal data from children under 16 without verifiable parental consent.
- If you are under 16: Please do not register or use RabbitHole without parental permission. If we learn that we have collected personal data from a child under 16 without consent, we will take steps to delete that information.
- Parental Consent: If in the future certain features are made available to younger teens (for example, if we allow 13+ with parental consent in a jurisdiction that allows it), we will implement mechanisms to obtain and verify parental consent as required by law. At this time, we prefer to restrict the platform to users 16 and older.
- Note on NSFW Content: Because the Service may contain adult content (behind warnings/tags), it is particularly inappropriate for children. We have systems in place to try to prevent underage users from accessing mature content (such as requiring age confirmation for certain actions or filtering content), but these are not foolproof. The primary safeguard is that underage users should not be on the platform at all.
- If you are a parent or guardian and discover that your child under 16 has an account on RabbitHole, you can contact us at kris@rabbittale.co and we will address it (including deleting the account and any associated data, as appropriate).
12. Security Measures
We take the security of your personal data seriously and implement technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption: We use encryption to protect data in transit (HTTPS/TLS encryption on our website and app APIs, so that data transmitted between your device and our servers is encrypted). We also encrypt sensitive data at rest where appropriate (for example, passwords are stored as secure hashes, not plaintext).
- Access Controls: Only authorized personnel and contractors have access to personal data, and only on a need-to-know basis. We employ access control mechanisms such as authentication, role-based access, and key management to ensure only the right people and services can access data.
- Secure Development Practices: Our development process incorporates security reviews and testing. We keep our software and dependencies up-to-date to patch vulnerabilities. We may engage in periodic security audits or penetration testing by third parties.
- Network & Infrastructure Security: We use firewalls and monitoring to protect our network. Suspicious activity or repeated failed login attempts might trigger security measures (like IP blocking or additional verification).
- Backup and Recovery: We perform regular backups of data to prevent loss. Backups are secured and encrypted. We have disaster recovery plans to restore service in case of a major incident.
- Vulnerability Management: We actively monitor for vulnerabilities in our systems and respond promptly to security advisories. If an incident occurs that affects security, we will notify users and authorities as required by law (for example, GDPR’s breach notification requirements for serious breaches).
- User Responsibilities: It’s important to note that you also play a role in security. Choose a strong, unique password for RabbitHole and do not share it. Be cautious of phishing attempts – RabbitHole will never ask you for your password via email. If you enable two-factor authentication (2FA) when we offer it, that will add an extra layer of security to your account.
- Incident Reporting: If you discover any security vulnerabilities or have security concerns, please report them to us at kris@rabbittale.co. We appreciate the help of security researchers and will act promptly to investigate any reported issues.
No system is 100% secure, but we strive to protect your data. In the unfortunate event of a data breach that poses significant risks to your rights (such as identity theft or fraud), we will inform both you and the relevant supervisory authority (like the Polish UODO) in accordance with GDPR requirements.
13. Complaints and Dispute Resolution
We hope to resolve any privacy concerns you have directly. You can always reach out to us at kris@rabbittale.co, and we will do our best to address your issue or query.
If you are in the EU/EEA and believe we have infringed your data protection rights, you also have the right to lodge a complaint with a supervisory authority (data protection regulator). Since our main establishment is in Poland, our lead supervisory authority is:
President of the Personal Data Protection Office (UODO)
Website: https://uodo.gov.pl (includes contact information and guidance on how to submit a complaint)
If you reside in another EU country, you may contact your local data protection authority. They will coordinate with UODO under the cooperation mechanism of GDPR. A list of authorities can be found on the European Data Protection Board website or via the EU Commission’s site.
We would, however, appreciate the chance to deal with your concerns before you approach a regulator or courts, so please consider reaching out to us first.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons.
- Notification of Changes: If we make material changes (those that significantly affect how your personal data is processed), we will notify you in advance. We may notify you by email (sent to the address associated with your account) or by posting a prominent notice on our website or within the app. For significant changes, we will provide at least 15 days’ notice when possible, so you can review the changes. Minor changes (such as clarifications or typographical corrections) may take effect immediately, with the updated Policy posted on the site.
- Reviewing Changes: We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your information. The “Effective Date” at the top indicates when the latest changes were made.
- Consent to Changes: If you continue to use RabbitHole after those changes go into effect, you will be considered to have agreed to the updated policy. If you do not agree with the changes, you should discontinue use of the Service, and you may ask us to delete your data.
- Historical Versions: For transparency, we keep archives of previous versions of this Privacy Policy. You can request a copy of earlier versions by contacting us, or we may provide a change log summarizing updates.
By using RabbitHole, you acknowledge that you have read and understood this Privacy Policy and our Terms of Service. We thank you for entrusting us with your art and personal data, and we commit to handling it with care and respect.