Privacy Policy

We collect the information you provide when you create an account or use the platform — your email address, username, password (stored as an argon2id hash), and any profile details you choose to publish such as your name, photos, contact methods, and biography.

We also receive limited technical information automatically when you visit the site, including your IP address, browser and device identifiers, and pages viewed. Some of this is necessary to deliver the service; some is used for abuse prevention.

If you complete identity or advertiser verification, we collect the documents you submit and a record of the review outcome. We do not store payment card numbers — payments are processed by our PCI-compliant payment partner.

We use what we collect to operate the platform: to authenticate you, present your profile to other members, deliver messages, process payments and billing, and to investigate reports of abuse or fraud.

We use anonymised aggregate data to understand which features are used and to make the service better. We do not sell your personal information to advertisers.

Information you choose to make public on your profile is visible to anyone with the link. Information sent in private messages is visible to the participants of that thread and to our moderation team when investigating a report.

We use a small number of trusted vendors to run the service — for hosting, email delivery, payment processing, and abuse detection. They process data on our behalf under written contracts and only for the purposes we instruct.

We disclose information to law enforcement only when we are legally required to do so or when we believe in good faith that disclosure is necessary to prevent serious harm.

We use a single HTTP-only cookie (ns2_session) to keep you signed in. Short-lived cookies are also issued during multi-step flows such as MFA, password reset, and passkey registration; these expire on completion or within minutes.

We do not use third-party advertising trackers. We do not implement cross-site behavioural profiling.

Active account data is kept for as long as the account exists. If you delete your account, we remove your profile and photos from public view immediately and purge the underlying records within thirty days, except where retention is required by law, by an ongoing investigation, or by our financial-reporting obligations.

Verification documents are retained for the minimum period required to demonstrate compliance with applicable regulations.

Depending on where you live, you may have the right to request a copy of the personal information we hold about you, to correct it, to delete it, or to restrict its use. EU/EEA residents can additionally object to certain processing and lodge a complaint with their local data protection authority. California residents have rights under the CCPA including the right to opt out of any "sale" or "sharing" of personal information — we do neither.

To exercise any of these rights, email privacy@afternine.com. We respond within thirty days.

We protect accounts with argon2id password hashing, optional TOTP MFA, and optional WebAuthn passkeys. Sessions are signed with rotating HMAC keys and bound to short cookies. Transport is TLS-only in production.

No system is perfectly secure. If you suspect your account has been compromised, change your password and email security@afternine.com immediately.

Questions about this policy? Write to us.