Privacy Policy
1. Who we are
AtomWords ("we", "the Operator") is the data controller for personal data collected through atomwords.com.
Privacy / data requests: [email protected] · General support: [email protected]
2. Scope
This Policy covers data we collect when you visit or register on atomwords.com. It does not cover third-party AI services we link to (each has its own policy), or sites you reach via "Share" buttons and affiliate links. This is the free-tier launch phase — we do not process payments or collect payment data. When paid subscriptions are introduced, this Policy will be updated and you'll be notified beforehand.
3. What we collect
Data | Purpose
Email, a display name (your choice — a nickname is fine), password hash (bcrypt 12) | Account
Google OAuth profile — name, avatar, email (if you choose Google login) | Account
Favorites (the entries you save) | Run the site, trending
IP address, User-Agent | Rate limiting (not persisted long-term)
Search queries | Anonymous, not linked to your account
We do not collect: address, phone, date of birth, government IDs, biometric data, or any payment information. The display name you choose can be a nickname — we don't require your legal name.
4. Cookies
Only strictly necessary cookies — a login session cookie when you sign in. Because we run behind Cloudflare for security, Cloudflare may also set its own strictly-necessary cookies (bot-management / anti-abuse, e.g. __cf_bm) while protecting the Service. No advertising cookies, no marketing pixels, no fingerprinting. Analytics uses Umami (cookieless, privacy-friendly analytics — no personal data is collected and visitors are never tracked across sites). Every cookie we use is strictly necessary, so no consent banner is required.
5. How we use your data
To run your account, send transactional email (verification, password reset), protect against abuse, and rank trending content. We do not sell your data, share it with ad networks, profile you for behavioral targeting, or use it to train AI models. No marketing email today; any future newsletter will be explicit opt-in.
Ads and affiliate links. We may show native ads, sponsored content, and affiliate links. Ads are contextual (based on page content), not your personal data. Clicking an affiliate link sends you to a site governed by its own policy.
6. Sub-processors
Sub-processor | Purpose | Location
Hostinger International Ltd. | Hosting + database | US
Cloudflare, Inc. | CDN, DDoS, Turnstile | Global edge
Cloudflare R2 | Media storage | Global edge
Resend | Transactional email | US
Google LLC | OAuth (only if you choose Google sign-in) | US
Umami Software, Inc. | Privacy-friendly web analytics (cookieless) | US / EU
We do not transmit your activity to any AI generation service. We may disclose data when required by valid legal process, to protect rights and safety, or in a transfer of the Service (with notice to you).
7. Cross-border transfer
Application data is stored in the United States (Hostinger). The Operator administers the Service from mainland China.
EU / UK users: registering = explicit consent (GDPR Art. 49(1)(a)) for US transfer, also necessary for the contract (Art. 49(1)(b)).
Mainland China users: registering = separate consent under PIPL Art. 38–39. If the Service grows past PIPL outbound-transfer thresholds, we will complete CAC standard-contract filing or security assessment as required.
Withdraw consent anytime by deleting your account.
8. Your rights
Wherever you are — GDPR, CCPA / CPRA, PIPL, or elsewhere — you may access, correct, delete, export, restrict, and object to processing, and withdraw consent. Email [email protected]; we respond within 30 days. We do not sell or share personal information for cross-context behavioral advertising.
9. Retention
Data | Retention
Active account data (email, display name, favorites, settings) | While your account exists
Your account after you delete it | Permanently and immediately deleted — see Account deletion below
Download history (keyed to an anonymized user-id or IP, for fair-use limits) | 90 days, then automatically pruned
Search queries | Stored as anonymous strings, not linked to your account or IP; retained to improve search
Aggregate content counts (views, favorites, downloads per entry) | Anonymous totals, kept while the content exists
Security & operational logs (server, email, abuse / audit records) | Retained for a limited period for security and abuse prevention, then purged
10. Account deletion
When you delete your account from /settings, your account and all data linked to it — your email, display name, favorites, saved login sessions, any connected Google sign-in, and any API keys — are permanently and immediately deleted from our database. Deletion is irreversible; we cannot recover a deleted account. For security and abuse-prevention, a minimal record of the deletion (including the email address) may remain in our server logs for a short period before it is purged.
11. Children
For users 16+. We don't knowingly collect data from under-16s; if we learn we have, we delete it.
12. Security
bcrypt (12 rounds), HTTPS + HSTS, strict CSP, rate limiting, Cloudflare Turnstile. In a breach affecting your rights, we notify the supervisory authority within 72 hours where GDPR requires and affected users without undue delay.
13. AI-generated content
Sample media is generated by us beforehand using paid subscriptions; your activity does not flow to any AI provider. Trademarks, brand names, and identifiable persons are kept out of prompts via deny-list + human review. Generative AI is probabilistic, so incidental similarity may occur — see Terms takedown.
14. Changes to this Policy
We may update this Policy from time to time. Material changes will be posted here with a new "Last updated" date and, where required by law, notified to you in advance.
Last updated June 10, 2026