Privacy Policy
Effective date: 2026-05-15. Operator: Skein Platform (Florida LLC formation pending; this notice is updated when the legal entity is named).
Skein is a serial-fantasy reading and writing platform. This page describes what data we collect, why we collect it, who we share it with, and how to remove it. It is written as plainly as we can.
Short version: we collect what we need to run accounts, deliver chapters, process payments, and keep continuity of canon between sessions. We don't sell data. We don't run ad networks. Third parties we use are listed below by name.
What we collect
Account data
- From your identity provider (Google today; Apple and email-magic-link planned): your Google subject ID (an opaque string), email address, display name, and profile picture URL. Apple's flow may also include a name on first sign-in only.
- Provider tag: which method you used to sign in (currently google; later apple or magic).
- Account creation and update timestamps.
Session data
- An HttpOnly cookie named skein_session holding a signed JWT (HS256) that proves you are signed in. The cookie expires 30 days after issue.
- A short-lived OAuth state cookie (skein_oauth_state) used to prevent CSRF during sign-in. Expires after 10 minutes.
- Server logs from Netlify Functions may capture your IP address, user-agent, and the timestamp of each request. These are retained by Netlify per their data-retention policy and are not used by us for analytics.
Payment and wallet data
- Token balance, ledger of token movements, and a list of which chapters you have unlocked.
- Stripe Checkout Session IDs and metadata we attach to them (your user ID, the pack you bought).
- We do not store credit card numbers, expiration dates, or CVCs. Stripe handles all of that.
Reading and platform activity
- Which chapters you have unlocked or read (used to power "Continue Reading" and ratings).
- Ratings, comments, and theories you post.
- Audience-survey responses (when you fill one out).
- Uploaded covers or character art (where applicable; held in browser local storage until you submit, then server-side).
How we use it
- Run your account. Sign in, keep you signed in, show your wallet and library.
- Deliver chapters and content. Decide which chapters you have access to. Render the reader, the codex, the graph view.
- Process payments. When you buy a token pack, we send your user ID and pack details to Stripe and credit your wallet when Stripe confirms the charge.
- Send transactional email. Magic-link sign-in (when enabled). Receipt emails come from Stripe directly.
- Improve the platform. Aggregate counts (how many people unlocked a chapter, average rating, etc.) inform pricing and content decisions. We never sell or share individual-level data with outside analytics services.
Third parties we use
We rely on the following service providers to operate. Their use of your data is governed by their own privacy policies.
- Google: OAuth sign-in (openid, email, profile scopes). Domain registrar via Google Workspace mail (separate from sign-in). policies.google.com/privacy
- Stripe: payment processing. Card data is sent directly to Stripe; we never see it. stripe.com/privacy
- Netlify: hosting, serverless functions, and the Blobs storage that holds wallets and entitlements. netlify.com/privacy
- Apple (planned): Sign in with Apple. Apple may issue a relay email if you select "Hide my email". apple.com/legal/privacy
- Resend (planned): transactional email delivery for magic-link sign-in. resend.com/legal/privacy-policy
- Pollinations.ai: AI image generation for cover art and visual elements (when used). pollinations.ai
How long we keep data
- Account profile and wallet: while your account is active and for 90 days after closure, then deleted.
- Financial records (ledger of token movements, Stripe transactions): retained for 7 years per US tax-record best practice.
- Reading activity and unlocked chapters: retained while your account is active so you keep what you paid for. Deleted on account closure.
- Comments, ratings, theories: retained indefinitely so the public investigation record stays coherent; you can request deletion.
- Server logs: per Netlify's retention (typically 30 days).
Your choices
- Export your data. Profile menu → Export. Returns a JSON file with your local copy of profile, ledger snapshot, uploads, and survey responses.
- Delete your account. Email contactus@skein-platform.com from the address on your account. We confirm within 5 business days and complete deletion within 30 days, keeping only financial records required by law.
- Sign out. Profile menu → Sign out clears the session cookie immediately.
- Cookies. If you block our session cookie, sign-in does not work. We do not use tracking or advertising cookies.
Children
You must be 13 or older to create an account on Skein. We do not knowingly collect data from children under 13. If you believe a child has signed up, email contactus@skein-platform.com and we will delete the account.
Security
All connections to skein-platform.com use HTTPS (Let's Encrypt certificate, force-redirect from HTTP). Sign-in tokens are RS256-verified against Google's published JWKS. Sessions are HttpOnly cookies, Secure-flagged, SameSite=Lax. Payment card data never touches our servers; Stripe handles it directly.
International transfers
Skein is operated from the United States. If you are in the EU/UK/EEA, your data is processed in the US under standard contractual clauses where applicable. Our hosting and processor partners (Stripe, Netlify, Google) are GDPR-aware and operate their own SCC programs.
Changes to this policy
We update this policy as the platform changes. Material changes get a 30-day notice posted at the top of this page with the new effective date. Continued use after that date is acceptance of the new terms.
Contact
Questions, deletion requests, complaints: contactus@skein-platform.com.