Privacy Policy
Last updated: May 20, 2026
This Privacy Policy explains what information Steeped ("Steeped", "we", "us", or "our") collects from users of steepednews.com (the "Service"), how we use it, and the choices you have. We try to collect as little personal data as possible — only what is needed to make the Service work for you.
1. Information We Collect
1.1 Information you provide
- Native Account. If you sign up with an email and password, we store your email address, a salted hash of your password (we never store the plain-text password), and a one-time email verification token.
- Google Account. If you sign in with Google, we receive and store your email address, your display name, your profile picture URL, and a stable Google-issued user identifier ("sub"). We do not receive your Google password.
- Portfolio. If you save an article, we store the article's headline, source, URL, lean (left/center/right), the time you saved it, and your associated account ID.
- Correspondence. If you email us, we keep that correspondence so we can respond and follow up.
1.2 Information collected automatically
- Session cookie. When you sign in, we set a single signed session cookie containing your user ID. It is marked Secure, HttpOnly, and SameSite=Lax.
- Sign-in timestamps. We record the timestamp of your account creation and your last successful sign-in.
- Server logs. Our hosting provider records standard web-server logs (IP address, user agent, request path, response status, timestamp) that are used for operational, security, and abuse-prevention purposes and are retained for a limited period.
- Bot-protection signals. Cloudflare Turnstile may receive limited browser context (such as user agent and challenge response) when you submit the sign-up form, in order to score the request as human or bot.
1.3 What we do not collect
- We do not run third-party advertising or analytics trackers.
- We do not record which articles you read inside the Service.
- We do not sell your data, ever.
2. How We Use Information
We use the information described above only to:
- provide and operate the Service (sign-in, account management, Portfolio);
- send transactional emails (welcome, email verification, account-deletion confirmation);
- protect the Service from abuse and fraud (rate limiting, bot challenge);
- respond to your support requests; and
- comply with legal obligations.
We do not use your personal information for marketing emails or advertising. The legal basis for our processing under applicable law (where required) is the performance of the contract you enter into by using the Service, our legitimate interest in operating and securing the Service, and your consent where you have provided it.
3. Third-Party Service Providers
We rely on a small number of service providers ("processors") to run the Service. Each processes only the information needed for its function, under our instructions:
- Railway hosts the application and our PostgreSQL database (server logs, account records, Portfolio).
- Cloudflare Turnstile provides CAPTCHA-style bot protection on the sign-up form.
- Resend delivers our transactional emails. Resend receives the recipient email address, the message content, and delivery metadata.
- Google handles authentication if you choose "Sign in with Google".
- Anthropic processes the public news headlines we send to its Claude API to generate the "Homebrew" summary. No user personal data is included in those requests.
4. Cookies
The only cookie set by Steeped itself is the signed session cookie described above. We do not use third-party advertising cookies. Some of our service providers (such as Cloudflare and Google) may set their own cookies as part of their bot-protection or sign-in flows; please refer to those providers' privacy policies for details.
5. Data Retention
Account data is retained for as long as your account exists. When you delete your account, your profile and Portfolio are removed from our active database promptly. Residual copies may persist in routine encrypted backups for up to 30 days and in Resend's email-delivery logs in accordance with that provider's retention policy. Server logs are typically retained for up to 30 days.
6. Security
All traffic to the Service is served over HTTPS with HSTS enabled. Passwords are stored as salted hashes using a slow KDF (pbkdf2:sha256); we never see or store your plain-text password. We apply a strict Content Security Policy and standard web-application defenses (rate limiting, CSRF protection, secure session cookies). No system is perfectly secure, but we treat account data with reasonable industry-standard care.
7. Your Rights and Choices
- Access & export. You can request a copy of the personal data we hold about you by emailing [email protected].
- Correction. Update your name or email by signing in and editing your account, or email us.
- Deletion. Delete your account at any time from the account menu. This permanently removes your profile and Portfolio.
- EU / UK users. If you are in the European Economic Area, the United Kingdom, or Switzerland, you have additional rights under GDPR/UK GDPR including the right to object to or restrict processing and to lodge a complaint with your local data-protection authority.
- California users. If you are a California resident, you have rights under the CCPA/CPRA to know what personal information we hold about you, to request deletion, and to not be discriminated against for exercising those rights. We do not "sell" or "share" personal information as those terms are defined under California law.
8. Children
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, email [email protected] and we will delete it.
9. International Transfers
Steeped is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our service providers operate. By using the Service you consent to such transfers.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above, and for material changes we will provide reasonable notice via the Service or by email.
11. Contact
Questions about this Privacy Policy or your data? Email [email protected].