Privacy Policy
Last updated: February 18, 2026
Privacy at a Glance
- Minimal data collection: We collect your email address and your feed subscriptions. That's the core of it.
- Email hashing: Your email is hashed using SHA-256 for identification purposes.
- No data selling: We do not sell, trade, or rent your personal information to anyone.
- Analytics: We use a self-hosted, cookie-free analytics tool (Umami) for anonymous usage statistics. No data is sent to third parties.
- You control your data: Delete your account and all associated data at any time from Settings.
Introduction
SereneReader is a product of JonesLabs LLC ("we," "our," or "the Service"). We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our RSS feed reading service at serenereader.com.
By using SereneReader, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Service.
Information We Collect
Information You Provide
- Email address: When you create an account, we collect your email address for authentication. We use a passwordless one-time code (OTP) login system—no passwords are stored.
- Feed subscriptions: The RSS/Atom feed URLs you subscribe to, along with any folders or organizational preferences you configure.
- Reading activity: Articles you star, mark as read, or save for later are stored in your account so you can access them across sessions.
- Preferences: Theme selection, display settings, and other customizations you configure.
Information Collected Automatically
- Analytics data: We use Umami, a self-hosted, cookie-free analytics tool, to collect anonymous usage data such as pages visited, referrer URLs, browser type, device type, and general geographic location (country/region level). This data is aggregated, stored on our own infrastructure, and cannot be used to identify individual users. No data is shared with third parties.
- Cloudflare Insights: We use Cloudflare's privacy-first analytics for basic performance monitoring. Cloudflare does not use cookies or track individual users.
- Server logs: Our servers may automatically log certain information such as IP addresses, request timestamps, and error messages. These logs are used for security monitoring and debugging and are retained for a limited period.
How We Use Information
We use the information we collect to:
- Provide the Service: Fetch and deliver RSS feeds, store your reading progress, and sync across devices
- Authenticate you: Send one-time login codes to your email address
- Improve the Service: Analyze aggregated usage patterns to understand how the Service is used
- Maintain security: Monitor for abuse, detect threats, and protect the integrity of the Service
- Communicate: Send transactional emails (login codes, account notifications) via our email provider
- Comply with legal obligations: Meet legal requirements and respond to lawful requests
Data Retention
- Articles: All feed articles are retained for 90 days regardless of plan. Articles you explicitly save (starred, read later, or placed in a folder) are retained longer based on your subscription tier: 90 days for Free, 180 days for Pro, and unlimited for Team plans. After the retention period, articles are automatically removed.
- Feed data: Feed metadata and subscription information are stored as long as your account is active.
- Sessions: Login sessions are stored in memory and automatically expire. You can have up to 5 active sessions across devices.
- Server logs: Retained for up to 30 days for security and debugging purposes.
- Analytics data: Anonymous analytics data is stored on our self-hosted Umami instance and retained indefinitely in aggregate form. No personally identifiable information is collected.
- Account data: All data associated with your account is retained until you delete your account from Settings.
Data Security
We implement appropriate technical and organizational measures to protect your data:
- Email hashing: Your email address is hashed using SHA-256 for secure identification
- HTTPS encryption: All data transmitted between your browser and our servers is encrypted using TLS
- Content Security Policy: Strict CSP headers prevent cross-site scripting (XSS) attacks
- Session management: Secure, server-side session handling with automatic expiration
- Infrastructure security: Our hosting provider (Railway) maintains SOC 2 Type II compliance and GDPR-compliant data handling
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents.
Your Privacy Rights
All Users
Regardless of your location, you have the right to:
- Delete your account and all associated data at any time from Settings
- Know what personal information we collect and how it is used
- Contact us with questions or concerns about your privacy
European Economic Area (GDPR)
If you are located in the EEA, you have additional rights under the General Data Protection Regulation:
- Right of access: Request information about the personal data we hold about you
- Right to rectification: Request correction of inaccurate personal data
- Right to erasure: Request deletion of your personal data
- Right to restrict processing: Request limitation of processing of your personal data
- Right to data portability: Request transfer of your data to another service
- Right to object: Object to processing of your personal data
Our legal basis for processing personal data is legitimate interest in providing and improving the Service.
California Residents (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know: Request disclosure of the categories and specific pieces of personal information we have collected
- Right to delete: Request deletion of personal information we have collected
- Right to opt-out: Opt out of the sale of personal information (note: we do not sell personal information)
- Right to non-discrimination: Not receive discriminatory treatment for exercising your rights
To exercise your rights, contact us. We will respond to verified requests within the timeframes required by applicable law (typically 30 days for GDPR, 45 days for CCPA).
Children's Privacy
SereneReader is not intended for use by children under the age of 13. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us and we will take steps to delete such information.
International Data Transfers
SereneReader operates from the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located.
By using the Service, you consent to the transfer of your information to the United States and other jurisdictions where we or our service providers operate.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this policy. For material changes, we will provide prominent notice on the Service.
Your continued use of the Service after changes become effective constitutes your acceptance of the revised Privacy Policy.
Contact
If you have questions about this Privacy Policy or our data practices:
For EU residents: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.