Skip to content
ReadRats

Legal

Privacy policy

What we collect, why we collect it, and how to delete it. The plain-language privacy policy for the ReadRats reading club.

Last updated April 26, 2026

NOTE: Open items to confirm before App Store / Play Store submission:

  1. Contact email. This document uses privacy@readrats.app. Confirm the alias exists, is monitored daily, and resolves to the founder’s inbox. If a different address is preferred (for example luan@readrats.app), do a global find-and-replace before publish.
  2. Data controller legal name and country of residence. This document names “Luan Guimaraes” as the data controller, residing in Brazil. GDPR (EU users) and LGPD (Brazil users) both ask for this; Apple and Google do not display it, but reviewers occasionally read for it. Confirm the spelling, residency, and whether a business entity (rather than an individual) should be named.
  3. Children’s age threshold. ReadRats has no child-targeted features and is not intended for users under 13. Confirm the App Store age rating remains 4+ and the Play Store target audience remains “Everyone.” If either changes, the “Children” section below must change too.

ReadRats Privacy Policy

Effective date: 2026-04-25 Last updated: 2026-04-25

This is the privacy policy for ReadRats, a social reading app published by Luan Guimaraes (the “we” in this document; “you” is the person using the app). This policy explains what data ReadRats collects, why we collect it, where we keep it, who we share it with, and how you can ask us to delete it. It applies to the ReadRats mobile apps for iOS and Android, the web build at app.readrats.app, the marketing site at readrats.app, and the backend API at api.readrats.app.

We wrote this document to be readable. If anything is unclear, write to privacy@readrats.app and we will rewrite it.

1. Who is responsible for your data

The data controller is Luan Guimaraes, contactable at privacy@readrats.app. ReadRats is operated by an individual, not a company, during the Phase 0 launch period.

If you are in the European Union, the United Kingdom, or Brazil, you have the rights described in section 8. To exercise any of them, write to the address above.

2. What data we collect, and why

The list below is exhaustive. We collect nothing else. If we change it, we will update this page and bump the “Last updated” date at the top.

Account data

FieldWhy we collect itRequired
Email addressTo identify your account, sign you in, and contact you about your account if needed.Yes
Display nameTo show next to your sessions and on challenge leaderboards.Yes
Password (stored as a bcrypt hash)To authenticate your sign-ins. We never store the plaintext password.Yes

Reading activity

FieldWhy we collect itRequired
Reading session metadata (title, book reference, pages read, minutes read, finished flag, timestamps)To compute your progress and your position on challenge leaderboards.Yes for each session you log
Notes (free-text observations linked to a session or a book)To let you keep your own thoughts about what you read.Optional
Session photos (a single image per session, captured by camera or picked from your library)To let you share a moment from your session.Optional
Challenge memberships (which challenges you joined, when, and your role)To compute your leaderboard position and to show you the right challenges in your home screen.Yes when you join a challenge

Authentication state on your device

FieldWhy we collect itRequired
Authentication token (a JWT with a one-hour lifetime, stored in your device’s app preferences)To keep you signed in between app launches without asking for your password every time. The token is removed when you sign out or uninstall the app.Yes for signed-in sessions

Cached images on your device

The app caches book covers and other users’ avatars on your device so they load fast and use less of your data plan. The cache is built from publicly fetchable URLs and contains no information about you that is not already implied by the parts of the app you opened. Clearing the app’s cache or uninstalling the app removes it.

What we do not collect

ReadRats does not collect any of the following at Phase 0:

  • Advertising identifiers (IDFA on iOS, AAID on Android).
  • Device fingerprints beyond what the operating system itself reports to Apple and Google.
  • Your location.
  • Your contacts.
  • Microphone audio.
  • Health data.
  • Financial data.
  • Crash reports (we do not embed a crash-reporting SDK).
  • Analytics events (we do not embed an analytics SDK).
  • Browsing behavior on the marketing website at readrats.app. The marketing site sets no cookies and loads no third-party scripts.

We do not run any advertising. We do not sell your data. We do not share your data with data brokers.

3. Where your data is stored

Data typeStorage locationProvider
Account data, reading sessions, notes, challengesPostgreSQL database on a single virtual machine in AWS region us-east-1 (Northern Virginia, United States)Amazon Web Services
Session photosS3 object storage bucket readrats-prod-photos in AWS region us-east-1Amazon Web Services
Authentication tokenYour device’s local app-preferences storageYour device (Apple or Google)
Daily database backupsA separate S3 bucket in AWS region us-east-1, retained for 30 daysAmazon Web Services

Your data leaves your device only when you act in the app: when you sign in, log a session, upload a photo, join a challenge, or write a note. The connection is HTTPS in every direction.

If you are in the European Union or the United Kingdom, this means your data is transferred to the United States. We rely on the standard contractual clauses that AWS publishes for international transfers.

4. Who we share data with

We share data only with the providers that make the app work, and only the data each provider needs:

  • Amazon Web Services: hosts the database, the photo bucket, and the API server. Bound by the AWS Customer Agreement and Data Processing Addendum.
  • Apple App Store and Google Play Store: distribute the app binary. They receive no in-app data from us; they collect their own install and crash signals under their own policies, which you accepted when you installed the app.
  • GitHub Pages: serves the marketing site at readrats.app. Receives standard request metadata (IP address, user agent) for the pages you load. The site sets no cookies.
  • Google Books API: when you search for a book by title or author, we forward your search query to the Google Books API and use the result to populate your library. We never send your account identifier or any of your reading data to Google. The query itself is the only thing Google sees from your usage. Google’s own handling of that query is governed by the Google Privacy Policy at https://policies.google.com/privacy.

We do not share data with anyone else. We do not embed any third-party SDK that collects analytics, crash reports, or advertising signals.

5. How long we keep your data

Data typeRetention period
Account data (email, name, password hash)Until you ask us to delete your account.
Reading sessions and notesUntil you delete the session, until you delete your account, or until the parent challenge is deleted (whichever comes first).
Session photosSame as the parent session. Deleting a session deletes its photo from S3 within minutes.
Authentication tokenOne hour from issuance, then re-issued on next API call while you are signed in. Removed when you sign out.
Daily database backups30 days, then automatically rotated out by the bucket lifecycle policy. A deleted account remains in the most recent 30 days of backups until rotation completes.
Server access logsUp to 14 days, then rotated out. We use them only to debug failures and respond to abuse reports.

When you delete your account, your reading sessions, notes, and photos are deleted with it. Backups expire on the 30-day rolling schedule above.

6. How we protect your data

  • All connections between the app and the API use HTTPS with a certificate issued by AWS Certificate Manager.
  • Passwords are stored as bcrypt hashes, never as plaintext.
  • The database disk is encrypted at rest using AWS-managed AES-256 keys.
  • The photo bucket is encrypted at rest using AWS-managed AES-256 keys.
  • Photo URLs use UUIDv4 keys that cannot be guessed.
  • The API enforces that you can only read and modify your own data, with the single exception of your display name and your sessions appearing on leaderboards of challenges you joined.
  • Cloud secrets live only on the server and in a password manager. They are never committed to source control.

We do not claim end-to-end encryption. The server can read your sessions and your notes when it serves them back to you.

7. Children

ReadRats is not directed at children under 13 (United States COPPA) or under 16 (European Union GDPR). The app is rated 4+ on the App Store and Everyone on the Play Store, but it has no child-specific features and we do not knowingly collect data from children. If you believe a child has created an account, write to privacy@readrats.app and we will delete it.

8. Your rights

Under GDPR (European Union, United Kingdom) and LGPD (Brazil), and as a matter of policy for every other user, you have the following rights. Write to privacy@readrats.app to exercise any of them. We will reply within 30 days.

  • Access: ask us for a copy of the personal data we hold about you.
  • Rectification: ask us to correct data that is wrong. (You can also edit your display name in the Profile screen.)
  • Deletion: ask us to delete your account and the data attached to it. During Phase 0, deletion is processed by the founder by hand within five business days; in-app self-serve deletion is on the Phase 1 roadmap.
  • Portability: ask us for a machine-readable export of your account, sessions, and notes. We will send a JSON file.
  • Withdraw consent: ask us to stop processing data we hold about you for any reason. In practice, withdrawing consent for an account means deleting it, since every data point we hold is required for the app to function.
  • Object to processing or restrict it: tell us why and we will discuss with you.
  • Lodge a complaint with your local data-protection authority if you are unhappy with how we responded. In Brazil this is the ANPD (https://www.gov.br/anpd/); in the EU it is the supervisory authority of your country of residence.

We do not run automated decision-making or profiling.

9. Changes to this policy

If we change this policy, we will update the “Last updated” date at the top of the page and post a short note in the app’s Profile screen the next time you open it. For changes that materially expand what we collect or who we share with, we will ask for your consent before the change applies to your existing data.

A changelog of past versions of this policy lives at the bottom of this page.

10. Contact

For privacy questions or to exercise any of the rights in section 8:

Email: privacy@readrats.app Postal: Available on request to the email above.

For general support questions that are not about privacy, see the support page.

Changelog

DateChange
2026-04-25Initial publication for the Phase 0 launch.