Privacy policy
Last updated: 2026-05-24
Summary
Reading reactions is fully anonymous — no account, no email, no identifier of any kind is required to see counts. To submit your own reaction you sign in once with your email; we send a one-time code, verify it, and immediately discard the email. Only an irreversible salted hash of the lowercased email is persisted as your account identifier. You can delete that record at any time from the extension settings.
Website analytics (this site only). On webreactions.app — the marketing site you are reading right now — we use two complementary analytics layers: Google Analytics (loaded through Google Tag Manager, cookie-based, off by default, opt-in via banner) and Cloudflare Web Analytics (cookieless, aggregated traffic counts only, no user identifiers). Decline the cookie banner and the site works exactly the same. This entire analytics setup applies only to the website; the browser extension itself does not load Google Analytics, Cloudflare Web Analytics, or any other tracker and does not phone home for analytics.
For the plain-English reasoning behind this choice — and why a device ID or a "Sign in with Google" button would have made the reaction counts less trustworthy — see Why Web Reactions asks for an email.
What we collect
- Your email address — only transiently. When you sign in, your email is sent over TLS to our server, used to deliver a one-time code, and then discarded. It is never written to a database. The only long-lived value derived from it is an irreversible salted hash (sha256(server_salt || lowercase(email))), which becomes your account identifier.
- The reactions you submit and the public target you reacted to (e.g. a Facebook post URL or a GitHub repo). Aggregate counts are kept indefinitely; per-user reaction records are kept long enough to prevent double-voting and are then deleted.
- A short-lived session token stored only in your extension's local storage. Signed by us, valid for 30 days. Lets you react without re-entering a code each time.
- A salted, day-rotated hash of your IP address — used only to rate-limit abuse against the OTP request, report, and read endpoints. The hash is irreversible and rotates every UTC midnight.
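As an added illustration of the two hashed identifiers described above (not the project's own code), this shows how the account identifier and the day-rotated IP rate-limit key can be derived so that the email hash is stable across letter case and the IP hash changes at UTC midnight. Deriving the day's salt with HMAC from a long-lived secret, canonicalizing IPv4-mapped IPv6 addresses, and the sample secrets are assumptions of this example, not details stated on the page.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone


def account_id(server_salt: bytes, email: str) -> str:
    """sha256(server_salt || lowercase(email)), hex-encoded.

    Only lowercasing is specified on the page, so no other normalization
    (trimming, Unicode folding) is applied here. The hash is only as
    irreversible as the salt is secret: it must live outside the database
    that stores the identifiers, otherwise a dictionary of likely emails
    can be hashed and matched against stored rows.
    """
    return hashlib.sha256(server_salt + email.lower().encode("utf-8")).hexdigest()


def day_salt(master_secret: bytes, when: datetime) -> bytes:
    """Assumption: the per-day salt is HMAC(master_secret, UTC date).

    Keying on the UTC calendar date makes the salt rotate at UTC midnight
    without persisting a random value per day; yesterday's keys become
    unlinkable to today's as soon as the date changes.
    """
    utc_day = when.astimezone(timezone.utc).strftime("%Y-%m-%d")
    return hmac.new(master_secret, utc_day.encode("ascii"), hashlib.sha256).digest()


def ip_rate_limit_key(master_secret: bytes, ip: str, when: datetime) -> str:
    """Day-rotated salted hash of a client IP for rate-limit buckets.

    Addresses are canonicalized first so "::ffff:192.0.2.1" and "192.0.2.1",
    or differently abbreviated IPv6 literals, land in one bucket (assumption).
    Note that the IPv4 space is small enough to enumerate, so irreversibility
    again rests on the secret never being exposed alongside the stored keys.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    salted = day_salt(master_secret, when) + str(addr).encode("ascii")
    return hashlib.sha256(salted).hexdigest()


if __name__ == "__main__":
    # Constructed sample secrets; real deployments load them from a secret store.
    server_salt, master_secret = b"constructed-server-salt", b"constructed-master-secret"
    now = datetime.now(timezone.utc)
    print("account id:", account_id(server_salt, "Alice@Example.com"))
    print("rate-limit key:", ip_rate_limit_key(master_secret, "::ffff:192.0.2.1", now))
```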
What we do not collect
- No real name.
- No persisted email. Your raw email exists in memory only long enough to send the one-time code, then it is discarded. The long-lived value is an irreversible hash.
- No raw IP address on the reactions backend.
- No high-entropy browser fingerprint, hardware identifiers, or cross-site advertising profiles.
- No advertising cookies, no remarketing pixels, no ad-network SDKs. Google Analytics is loaded on this website only, with consent, for first-party traffic measurement; nothing is shared with the Google Ads ecosystem and ad personalization is disabled.
- No data from pages you visit that you have not explicitly reacted to.
- No password. We deliberately don't operate a password database — the one-time code is the authenticator.
Website analytics and cookies
Where this applies: only the marketing website webreactions.app. The browser extension itself does not load Google Analytics, Google Tag Manager, or any analytics SDK; the extension's privacy story is unchanged.
We use Google Tag Manager to load Google Analytics 4 on the website. We use it to understand how many people land on the install page, which articles get read, which referrers send the most traffic, and a country-level breakdown of visitors. We do not run ads, we do not use Google Signals (cross-device audiences), and we do not run remarketing.
Cookies are set only after you click Accept on the consent banner. Until then, Google Consent Mode v2 keeps every storage type denied — page views are counted in an anonymized, cookieless mode and the user identifier is reset every 24 hours. If you decline, that anonymized mode persists for the rest of the session.
For the full cookie inventory (names, lifetimes, providers, and the cookieless layer) see the dedicated cookie policy. In short: two first-party GA4 cookies (_ga, _ga_KXHJ8RR7) set only with consent, plus one localStorage key (bl-consent-v1) that stores your banner decision.
To change your decision later, clear your browser's cookies and localStorage for webreactions.app — the consent banner will reappear on next visit. The cookie policy has step-by-step instructions.
Cloudflare Web Analytics (cookieless)
In addition to Google Analytics, we also use Cloudflare Web Analytics, which runs alongside GA but works completely differently. It is cookieless, sets no localStorage, does not assign user identifiers, and produces only aggregated, anonymous traffic numbers (visits, top pages, referrer source, country, browser).
Because no information is stored on your device by Cloudflare Web Analytics, it is not gated behind the cookie banner — it processes server-side aggregates under our legitimate interest (Art. 6(1)(f) GDPR) in keeping the site healthy and understanding its traffic. There is nothing to opt out of at the cookie level because nothing is set on your device. If you would prefer that we exclude your visits entirely, a browser-level "Do Not Track" or a Cloudflare-blocking extension (uBlock, AdGuard, Privacy Badger) will hide your visit from this layer as well.
Where data lives
- Your account record and reactions are stored in a managed database, encrypted at rest, located in either the EU or the US depending on the region you were assigned at sign-in.
- Short-lived items — the one-time sign-in code, replay-protection tokens, and per-email lockout markers — live only in ephemeral edge storage that auto-deletes them within minutes. They are never written to the long-term database.
- All traffic between your browser and our servers is encrypted in transit.
- Aggregate per-target counts are kept indefinitely so the extension can keep displaying them. Your per-user reaction record is kept only long enough to prevent double-voting and is then deleted. Deleting your account removes everything immediately and adjusts the aggregate counters accordingly.
Subprocessors
We rely on a small number of third-party providers, each acting as a data processor under GDPR and similar regimes:
- Cloudflare — infrastructure provider for our backend services and this site. Additionally provides cookieless first-party Web Analytics (aggregated traffic numbers; no cookies, no user identifiers, no consent banner required — see the dedicated section above).
- Neon — managed database provider for the data we persist.
- Resend — transactional email delivery for the one-time sign-in code. Your email passes through their systems exactly once per sign-in and is not retained for any other purpose.
- Google (Tag Manager and Analytics 4) — first-party website analytics on webreactions.app, loaded only after consent. Data processed includes the page URL, referrer, screen size, browser/OS, and a coarse country derived from IP. The browser extension does not use Google's services.
We will update this list before adding a new subprocessor, and the change will be reflected on this page.
International data transfers
Cloudflare, Resend, and Google are US-headquartered and may route or process data on US infrastructure. Neon stores the long-lived database in the EU or the US region you were assigned at sign-in. Where personal data originating in the EEA, UK, or Switzerland is transferred outside those regions, the transfer relies on the European Commission's Standard Contractual Clauses (and the UK Addendum / Swiss equivalents where applicable) in our agreements with those providers. The data we transfer is minimal — chiefly the salted-hash account identifier, your reaction records, transiently your email at the moment a sign-in code is sent, (only with consent, only on the website) the standard Google Analytics first-party measurement payload, and (without identifying you, only on the website) the Cloudflare Web Analytics aggregated traffic beacon.
Security
All traffic between your browser and our servers is encrypted in transit with TLS 1.2 or higher. Long-lived account data is encrypted at rest by the managed database provider. Personal identifiers we keep are irreversible salted hashes, not raw values. Sign-in codes and rate-limit markers live only in ephemeral edge storage that auto-expires within minutes. We do not run a password database, so there is no password store to leak. Source code for the extension is open and auditable on GitHub.
That said, no method of transmission over the internet or method of electronic storage is 100% secure. While we use commercially reasonable measures to protect the limited data we hold, we cannot guarantee absolute security. If we become aware of a security incident affecting your personal data, we will notify the relevant supervisory authority within 72 hours where required by law, and notify affected users directly when the incident is likely to result in a high risk to their rights and freedoms.
Marketing communications
We do not send marketing emails, newsletters, product announcements, or promotional content. The only message you will ever receive from Web Reactions at the email you sign in with is a one-time sign-in code, sent at the moment you ask for one. There is nothing to opt out of because there is nothing to opt into.
Legal bases for processing (GDPR)
For users in the EEA, UK, and Switzerland, the legal bases under Article 6 GDPR are:
- Performance of a contract (Art. 6(1)(b)) — processing your hashed account identifier, your reactions, and your session token so we can deliver the signed-in features you asked for.
- Legitimate interest (Art. 6(1)(f)) — short-lived, day-rotated salted hashes of IP addresses, OTP delivery, and per-email lockout counters, used to keep the service available and resistant to abuse; and Cloudflare Web Analytics on the website, which produces aggregated cookieless traffic numbers without identifying individual visitors. We have weighed these interests against your rights and consider the hashed, ephemeral, aggregated nature of the data proportionate.
- Consent (Art. 6(1)(a)) — implicit in initiating the OTP sign-in flow with your email address, which is used once to deliver the code and is not retained. Explicit consent (via the cookie banner) for Google Analytics on the website; we do not set analytics cookies unless you click Accept, and you can withdraw consent by clearing site data.
Automated decision-making
We do not make decisions about you using solely automated means that produce legal or similarly significant effects. Rate limits and anti-abuse checks are technical safeguards on the API, not profiling.
Your rights
You can permanently delete your account and all data we hold about you from the extension settings ("Delete account"). Deletion is immediate: your user row is removed, your reaction records are removed, and the aggregate counters for every reaction you previously submitted are decremented by one. We do not queue, review, or delay erasure requests.
Because we don't store the raw email — only its salted hash — we can only locate your record when you authenticate with the same email. We cannot enumerate accounts by email, and neither can anyone else who gains read access to our database.
In addition to deletion, you have the rights of access, rectification, restriction, portability, and objection over the limited data we hold. Because we don't retain raw identifiers, an access request typically resolves to a confirmation that the hash of the address you authenticate with is (or is not) on file, along with the reactions associated with it. If you believe we are processing your data unlawfully, you have the right to lodge a complaint with your local data protection supervisory authority. California residents have additional rights under the CCPA, including the right to know, the right to delete, and the right to opt out of sale or sharing — we do not sell or share personal information for cross-context behavioural advertising and never have.
Acceptable use
The rules that apply to signed-in accounts and to API callers — one account per person, no automation, no circumvention of anti-abuse measures, no reactions on illegal targets — live on the acceptable use policy page.
Children
Web Reactions is not directed at children under 13. We do not knowingly collect data from children.
Contact
For privacy questions or formal requests under GDPR, the UK GDPR, the CCPA, or similar regimes, open an issue on GitHub with the "privacy" label, or use the extension's Report tab and include the word "privacy" in the message. Both routes reach the maintainer; we do not operate a separate legal-inquiries inbox.
Changes
We may revise this policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. If a change materially affects what we collect, how we use it, or who processes it, we will surface a notice in the extension settings on next launch. Your continued use of the extension after that point counts as acceptance of the revised policy; if you disagree, you can delete your account from the extension settings in one click.
A note on the numbers
Every reaction here is a real vote from a verified person. Read the counts as the voice of the people who showed up — not as a measure of those who didn't.