Back home

Privacy Policy

Last updated: 30 April 2026

In one sentence

We collect the minimum we need to run the platform, never sell your data, and design for anonymity by default — even your IP is hashed with a secret salt before it ever lands in our database.

What we collect

If you don't sign up: nothing personal. We use a hashed IP for de-duplicating reactions.

If you sign up for an account:

  • Your email address (so you can log back in and reset your password)
  • A salted hash of your password — we never see or store the password itself
  • An anonymous display name and optional emoji avatar you choose
  • Stories, comments, and reactions you create
  • Messages you send in group chats and direct messages (private 1:1 conversations)
  • Which groups you join and when

If you apply as a professional: the credentials and contact details you submit. These are reviewed by a human moderator and stored only to support verification and listing.

What we don't collect

  • Your real name (unless you put it in a story — please don't)
  • Your phone number, ID number, or address
  • Your raw IP address — only a salted hash is stored
  • Browser fingerprints, third-party trackers, or ad-network identifiers

How we use it

  • To run the platform — show you stories, post comments, send verification email
  • To prevent abuse — rate-limit, detect duplicate reactions, hide reported comments
  • To send transactional email (verification, password reset). We do not send marketing email

Who we share with

We only share what's strictly necessary to run the service, with these processors:

  • Resend — to deliver transactional emails (your address only)
  • Railway / Supabase — to host the database and application
  • PayNow / PayPal — only if you donate, and only for that transaction

We never sell your data, ever. We do not run ads.

How long we keep it

  • Stories and comments: until you delete them or your account
  • Direct messages and group messages: until you delete your account. Either participant in a direct conversation can delete the conversation from their view.
  • Account data: until you delete the account
  • IP hashes on reactions: 90 days, then purged
  • Donation records: 5 years, for tax and accounting purposes

Your rights under Zimbabwe's Data Protection Act (2021)

You have the right to:

  • Access the personal data we hold on you
  • Correct inaccurate data
  • Delete your account and all linked data
  • Object to processing or withdraw consent
  • Lodge a complaint with the Postal & Telecommunications Regulatory Authority of Zimbabwe (POTRAZ)

To exercise any of these, email hello@ptal.co.zw from the address on your account.

Cookies & local storage

We use browser local storage to keep you signed in and to remember things like your saved stories and mood log. We don't use third-party cookies or tracking pixels. Your mood log never leaves your device.

Direct messages and group chats

Direct messages are private between you and the other person — they are not shown in any public feed and are not indexed or searchable. Group chat messages are visible to all members of that group.

Important: messages are stored in our database in readable form so that both parties can retrieve the conversation history. We do not read your messages unless required to investigate a reported safety concern. We do not use message content for advertising or profiling.

Security

All traffic is encrypted with HTTPS. Passwords are hashed with bcrypt. Database access is restricted and logged. If we ever discover a breach affecting you, we will notify you within 72 hours.

Contact

Privacy questions or requests: hello@ptal.co.zw.