Privacy Policy

Last updated: April 7, 2026

Acceptance

By creating an account or using Spiritus ("we," "us," "the Service"), you consent to the collection, use, and handling of your information as described in this Privacy Policy. If you do not agree with this policy, you should not use the Service. Continued use of the Service after any changes to this policy constitutes acceptance of those changes.

Overview

Spiritus is a web application for tracking personal spirits collections. We respect your privacy and are committed to protecting the personal information you share with us. This policy explains what data we collect, how we use it, and your rights regarding that data.

Information We Collect

Account Information

  • Email address (used for login, verification, and password recovery)
  • Password (hashed and salted — we never store or see your plaintext password)
  • Display name (optional, visible to other users if you choose)

Collection Data

  • Bottle information you enter (names, distilleries, prices, ratings, tasting notes, images)
  • Wishlist items, trade proposals, cocktail recipes, and tasting event participation
  • Flavor tags, tasting flight scores, and community reviews
  • This data is yours — you can export or delete it at any time

Usage Data

  • Page views (path, timestamp, country derived from IP)
  • Security events (login attempts, password changes) for account protection
  • IP addresses (used for rate limiting and security monitoring)

Third-Party Connections (Optional)

  • Discord: If you connect your Discord account, we store your Discord username, avatar, and server list. Access tokens are encrypted at rest.
  • Push notifications: If you enable push notifications, we store your browser's push subscription endpoint.

How We Use Your Information

  • To provide and operate the Service (managing your collection, displaying stats, enabling social features)
  • To authenticate your identity and secure your account
  • To send transactional emails (verification, password reset, trade notifications, email changes)
  • To send push notifications you have opted into (followers, trades, events)
  • To generate personalized recommendations based on your collection and flavor preferences
  • To monitor and prevent abuse (rate limiting, ban enforcement, security logging)
  • To improve the Service (aggregate, anonymized usage analytics)

What We Don't Do

  • We do not sell, rent, or share your personal data with third parties for marketing purposes
  • We do not track you across other websites
  • We do not use your data for advertising or profiling beyond the Service

Third-Party Services

The Service relies on the following third-party providers to operate:

  • Cloudflare — hosting, database, object storage, CDN, DDoS protection, and Turnstile CAPTCHA
  • Resend — transactional email delivery
  • Bing Images — bottle image search (no personal data is shared)
  • UPCitemdb — barcode lookup (no personal data is shared)
  • Discord — optional OAuth integration (only if you connect your account)

These services have their own privacy policies. We are not responsible for the privacy practices of third-party services. We encourage you to review their policies.

Data Visibility

  • Collection value: Your purchase prices, market values, and collection totals are never visible to other users
  • Private collections: You can set your collection to private so no other users can see your bottles
  • Public collections: If your collection is public, other users can see your bottle names, types, and tasting notes — but never your prices or values
  • Wishlists: You can share your wishlist via a public link, or keep it private
  • Discord: You control which servers are visible on your profile

Data Storage & Security

  • Data is stored on Cloudflare's infrastructure (D1 database, R2 object storage) in the United States
  • Passwords are securely hashed and salted using PBKDF2 with 100,000 iterations
  • Session tokens are cryptographically hashed before storage
  • API keys are stored as SHA-256 hashes (plaintext shown once at creation)
  • Sensitive data (Discord tokens, recovery codes) is encrypted at rest using AES-256-GCM with per-encryption random salts
  • All connections use HTTPS with HSTS enforcement
  • Two-factor authentication (TOTP) is available for additional account security
  • Rate limiting is enforced on all authentication and API endpoints

Security Disclaimer

While we implement industry-standard security measures to protect your data, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security. In the unlikely event of a data breach, we will make reasonable efforts to notify affected users in accordance with applicable law. We are not liable for unauthorized access to your data that occurs despite our reasonable security measures.

Cookies

We use a single session cookie to keep you logged in. It is:

  • HttpOnly (not accessible to JavaScript)
  • Secure (only sent over HTTPS)
  • SameSite=Lax (not sent with cross-site subrequests or cross-site form posts; sent only when you navigate to the site at the top level)
  • Expires after 30 days of inactivity

We also use Cloudflare Turnstile for CAPTCHA verification, which may set its own cookies. We do not use any analytics or advertising cookies.

Your Rights

You have the right to:

  • Access your data — your collection, notes, and profile are always accessible to you
  • Export your data — use the CSV export feature to download your collection
  • Correct your data — edit any bottle, note, or profile information at any time
  • Delete your data — delete individual bottles, or delete your entire account from the Profile page. Account deletion removes all your data permanently.
  • Opt out of email and push notifications at any time from your Profile
  • Disconnect third-party services (Discord) at any time

Data Retention

Your account and collection data is retained as long as your account is active. Operational logs follow a tiered retention policy enforced by an automated nightly job:

  • Page views (path, your user ID if logged in, IP, country, user agent): 30 days
  • Security events — failed logins, rate-limit trips, honeypot trips, and other abuse signals: 180 days (forensic value)
  • Security events — routine successful logins and signups: 30 days
  • Security events — account changes (password change, 2FA enable/disable, account deletion): 365 days (audit trail)
  • Rate-limit counters: cleared 1 hour after each window closes
  • Sessions: expire after 30 days of inactivity
  • Activity feed events: 365 days
  • When you delete your account, all associated data is permanently removed via cascade deletion within 24 hours.

Children's Privacy

This Service is not intended for use by anyone under the age of 21. We do not knowingly collect personal information from anyone under 21. If we learn that we have collected information from someone under 21, we will delete that information promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be reflected on this page with an updated "last updated" date. For material changes that significantly affect how we handle your data, we will make reasonable efforts to notify you via email or in-app notification. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

Contact

If you have questions about this Privacy Policy or your data, use the Feedback page to get in touch.