Privacy at qub
Effective date: 15 April 2026
1. What qub Is
qub is a timed commitment and publication platform. You write a message, choose a future reveal date, and qub seals it using timelock encryption. The sealed content is stored on the Arweave network — a decentralised, permanent storage layer. After the reveal date, anyone with the link can decrypt and read the content.
This privacy policy explains what data we collect, what we do not collect, and the privacy implications of using permanent public storage.
2. Data We Collect
2.1 Content You Seal
When you seal a qub, your content is encrypted on your device before it leaves your browser. We never receive, store, or have access to your plaintext content. The encrypted payload is uploaded to the Arweave network, not to servers we control.
After the reveal date, the content becomes publicly decryptable by anyone who has the Arweave transaction ID (which is embedded in the qub link you share).
2.2 Device Identifier
On first use, qub generates a random device identifier and stores it in your browser's local storage (IndexedDB). This identifier is used to track your free-tier usage quota and to link paid entitlements to your device. It is not derived from hardware fingerprinting or cross-site tracking.
The device identifier may be lost if you clear browser data, switch devices, or use private browsing. It is not a persistent identity — it is a convenience binding.
2.3 Email Address
We collect your email address only when you use a feature that requires it. Each use is limited to the stated purpose. We do not send marketing emails and do not build profiles from email addresses.
| Feature | When collected | What we send | Retention |
|---|---|---|---|
| Paid tier purchase | At Stripe checkout | Purchase confirmation (via Stripe) | Stored with your entitlement record for restoration support |
| Magic-link sign-in | When you request a sign-in link | A one-time sign-in link | Stored on your identity record for future sign-in and locale preferences |
| Identity attestation | When you verify your email against a signing key | A 6-digit verification code | Stored on your attestation record; revocable at any time |
| Notify-me | When you subscribe to a qub's reveal | A single notification on reveal day | Stored until the notification is delivered, then deleted |
| Pact counter-party invite | When you stage a pact against a counter-party's email address | A one-time pact review / co-sign link | The counter-party's email is stored on the staged pact record and, once co-signed, becomes part of the permanent Arweave body; the recipient may be rate-limited (three invites per address per day) |
| Pact co-sign email binding | When a counter-party follows a pact invite and verifies their email | A one-time sign-in link with a pact binding | A short-lived (15-minute) verification marker keyed to the staged pact; no additional email retention beyond §2.3 magic-link |
We share email addresses only with Stripe (for purchases) and our transactional email provider (for every other email listed above — see §8 for the current provider). Neither party receives addresses collected by the other.
2.4 Signing Keys
If you generate a signing key, the key pair is created and stored entirely on your device. Only your public key is transmitted to our server — when you sign a qub or verify your identity via email attestation. Your private key never leaves your browser. Public keys and attestation records are stored in our metadata store.
2.5 Payment Information
Payments are processed entirely by Stripe. We do not receive or store your credit card number, expiry date, or CVC. Stripe may collect additional information during checkout, including your name, billing address, and device information, for the purposes of fraud prevention and payment processing. Stripe's privacy policy governs the handling of your payment details: https://stripe.com/privacy
Stripe may begin collecting information (such as data entered into the checkout form) before you complete a purchase. This is standard Stripe behaviour for fraud prevention and is governed by Stripe's privacy policy, not ours.
2.6 Telemetry
qub collects minimal, anonymous product telemetry to understand how the product is used and to diagnose errors. Telemetry events include actions such as "seal completed", "viewer loaded", and "decryption succeeded", along with timing data.
What telemetry does not include:
- Your device identifier
- Your IP address (the telemetry endpoint does not log client IPs)
- Your content or any preview of your content
- Any information that identifies you personally
Telemetry events are buffered in memory and flushed periodically. If a flush fails, events are discarded — telemetry never retries or persists to local storage. Telemetry must never interfere with the product experience.
The qub embed iframe fires the same kind of anonymous events back to qub.social — viewer_arrival when the embed loads, and share_clicked when a viewer taps the embed's footer CTA. These events have the same shape as the in-app telemetry above: no IP, no device identifier, no content preview, and no third-party tracker is involved.
2.7 Bot Detection
qub uses a privacy-preserving CAPTCHA alternative to prevent automated abuse of the seal flow. The challenge does not use cookies for tracking and does not fingerprint your device for advertising purposes. The upstream provider and its privacy policy are listed in §8.
2.8 Abuse Reports
If you report a qub, we collect the report reason and optional explanatory text you provide. We store a one-way hash of your IP address with the report — not your IP address in the clear. This hash is used only for rate-limiting report abuse.
2.9 Server Logs
Our infrastructure provider (Cloudflare) may log request metadata (IP addresses, request paths, timestamps) as part of standard service operation. These logs are governed by Cloudflare's privacy policy and are subject to their retention periods. We do not enrich or cross-reference these logs with your identity.
2.10 Embedded qubs
Publishers may embed sealed qubs on third-party pages (blogs, Notion pages, Substack posts, and so on) using the qub embed snippet. The embed renders inside an iframe served from the qub.social origin, so it uses the same encryption, the same Arweave and drand fetches, and the same anonymous telemetry described above. The host page cannot read the embed iframe's DOM — browser sandbox isolation enforces this — and the embed introduces no new collection or third-party processor.
3. Data We Do Not Collect
- We do not read, scan, or moderate your content before it is sealed. We cannot — it is encrypted on your device.
- We do not use advertising trackers, analytics pixels, or third-party marketing scripts.
- We do not sell, rent, or trade any data to third parties. Under the California Consumer Privacy Act (CCPA), we do not "sell" or "share" your personal information for cross-context behavioural advertising.
- We do not use your data to train machine learning models.
- We do not build user profiles or behavioural graphs.
4. Lawful Basis for Processing
Where data protection law requires a lawful basis for processing personal data, ours are as follows:
| Data | Lawful basis | Purpose |
|---|---|---|
| Encrypted content (Arweave payload) | Your explicit action (sealing a qub) | Delivering the core service |
| Device identifier | Legitimate interest | Managing free-tier quotas and paid entitlements |
| Email address (purchase via Stripe) | Contractual necessity | Fulfilling your purchase and enabling entitlement restoration |
| Email address (magic-link sign-in) | Contractual necessity | Authenticating you and linking your device to your identity |
| Email address (identity attestation) | Your explicit action | Verifying your email against your signing key at your request |
| Email address (notify-me) | Your explicit action | Sending a one-time reveal notification at your request |
| Counter-party email address (pact invite) | Your explicit action (staging a pact against that address) | Delivering the pact review / co-sign link |
| Public signing key | Your explicit action | Enabling authorship verification on your qubs |
| IP hash (abuse reports) | Legitimate interest | Rate-limiting report abuse and platform security |
| Telemetry events | Legitimate interest | Product improvement and error diagnosis (no personal identifiers collected) |
| Bot-detection signals | Legitimate interest | Preventing automated abuse |
5. Permanent Storage — Important Disclosure
This is the most important section of this policy. Please read it carefully.
qub stores sealed content on the Arweave network. Arweave is designed to be permanent and immutable. Once your content is uploaded to Arweave, it cannot be deleted, modified, or recalled — by you, by us, or by anyone.
What this means in practice:
- Before the reveal date: Your content is encrypted and unreadable. No one — including us — can access it.
- After the reveal date: Your content becomes publicly decryptable. Anyone with the Arweave transaction ID (contained in the qub link) can decrypt and read it.
- If you change your mind: We cannot delete or alter content stored on Arweave. We can add the qub to a denylist so that qub's viewer refuses to display it, but the underlying data remains on the Arweave network and may be accessible through other means.
The denylist model provides practical removal from qub's product surface. It does not provide deletion from the internet.
You should only seal content that you are comfortable being permanently and publicly available after the reveal date. Consider carefully before sealing content that includes personal information about yourself or others.
Pacts. A pact body records both parties' names and contact details (including email addresses) inside the signed CBOR body. Once both parties co-sign and the sealed pact is uploaded to Arweave, those identifiers become part of the permanent record and are publicly decryptable after the reveal date. Only commit a pact against a counter-party who has consented to their identifier appearing in the sealed body.
6. Your Rights and Choices
6.1 Access and Portability
Your sealed qubs are stored on the public Arweave network. You already have direct access to them via the transaction IDs in your qub links. No data-access request to us is needed.
6.2 Deletion and Erasure
Due to the permanent nature of Arweave storage, we cannot delete sealed content. If you request erasure of a qub, we will add it to our denylist so that qub's viewer and cache no longer serve it. This is the maximum extent of erasure that our architecture permits, and we are transparent about this limitation.
For data that we hold directly (your email address, device identifier, entitlement records, identity and attestation records), you may request deletion by contacting us at support@qub.social with the subject prefix [PRIVACY]. We will action these requests within 30 days.
6.3 Correction
If any information we hold about you is incorrect (for example, the email associated with your purchase), contact us and we will correct it.
6.4 Objection to Processing
You may object to telemetry collection. Because our telemetry contains no personal identifiers, it is not practically possible to identify and remove individual telemetry events. However, we respect your preference: contact us and we can discuss your concern.
7. Cookies and Local Storage
qub does not use cookies for tracking or advertising.
qub uses browser local storage (IndexedDB) to store:
- Your device identifier (for entitlement binding)
- Draft content (saved locally on your device, never transmitted unless you seal it)
- Application state
This data stays on your device and is not transmitted to us except as described in this policy (the device identifier is sent with seal requests for entitlement verification).
8. Third-Party Services
| Service | Purpose | Data shared | Their privacy policy |
|---|---|---|---|
| Arweave | Permanent storage of sealed content | Encrypted qub payloads only | https://www.arweave.org/legal-policies |
| Cloudflare | Hosting, CDN, bot detection (Turnstile), Workers | Request metadata, Turnstile signals | https://www.cloudflare.com/privacypolicy/ and Turnstile Addendum |
| Stripe | Payment processing | Email, payment details (not shared with us) | https://stripe.com/privacy |
| SendGrid (Twilio) | Transactional email delivery | Email address, message content | https://www.twilio.com/legal/privacy |
| drand | Public timelock beacon (randomness network) | None — we only fetch public beacon signatures | Public network; no personal data collected — see https://drand.love |
9. Children and Age of Consent
qub is not directed at children under 13. We do not knowingly collect personal information from children under 13. If local law in your jurisdiction requires a higher minimum age for digital consent (for example, 16 under the GDPR in some EU member states), you must meet that higher age to use qub. If you believe a child under the applicable minimum age has used qub, contact us at support@qub.social with the subject prefix [PRIVACY] and we will take appropriate action.
10. Data Security
Content is encrypted on your device using timelock encryption before transmission. We operate no servers that hold or process plaintext content. Our operational infrastructure handles metadata only: entitlement records, denylist entries, telemetry counters, and abuse reports.
For security concerns, see our security policy at https://qub.social/security or email support@qub.social with the subject prefix [SECURITY].
11. International Users and Regional Privacy Rights
11.1 Cross-Border Data Transfers
qub is operated from Australia. Your encrypted content is stored on the global Arweave network, and metadata may be processed by Cloudflare's global infrastructure (including in the United States). If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, your data may be transferred outside those regions. These transfers rely on the safeguards provided by our infrastructure partners, including Standard Contractual Clauses and applicable adequacy decisions.
11.2 European Users (GDPR and UK GDPR)
If you are in the EEA or UK, you have the right to access, correct, delete, restrict, or port your personal data, and to object to processing based on legitimate interest. To exercise any of these rights, email support@qub.social with the subject prefix [PRIVACY].
For sealed content on Arweave: deletion is technically impossible due to the immutable nature of the storage layer. This falls within the recognised limitation under Article 17(3) of the GDPR. We will denylist any qub upon request, which removes it from qub's product surface. We are transparent that this does not delete the underlying data from the Arweave network.
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
11.3 California Users (CCPA/CPRA)
If you are a California resident, the CCPA provides you with specific rights regarding your personal information. In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers: email address (collected during purchases, sign-in, identity attestation, or notify-me subscriptions) and device identifier (randomly generated, stored locally).
- Commercial information: purchase history and entitlement records.
We do not sell or share your personal information. We do not use or disclose sensitive personal information for purposes beyond those permitted by the CCPA. You have the right to request access to, deletion of, and information about the personal information we collect. To exercise these rights, email support@qub.social with the subject prefix [PRIVACY].
12. Changes to This Policy
We may update this policy from time to time. Material changes will be noted with a revised effective date at the top of this page. If we make changes that significantly affect your rights, we will make reasonable efforts to notify you (for example, via a notice in the app).