Privacy Policy
Last updated: 2026-06-18
1. Who we are
EloLin is an identity platform operated by EloLin (sole proprietor). We provide single sign-on for accounts.elolin.com and the apps hosted at *.elolin.com. Our contact email is hello@elolin.com.
2. What we collect
When you sign in or use EloLin, we collect only what is necessary:
- Email address — provided by your OAuth provider (Google or GitHub) or entered directly for Magic Link sign-in.
- Display name — pulled from your OAuth provider or edited by you in your profile.
- Bio — optional, entered by you.
- Locale preference — en or zh, set by you.
- SHA-256 hashed IP address — a one-way cryptographic hash of your IP at login time, used only for security auditing. We never store your raw IP address.
- User-Agent string and device label — browser and operating system metadata parsed at login, used to display your active sessions.
- Login / logout timestamps — stored as part of your audit log for security purposes.
We do not collect passwords (we are passwordless), raw IP addresses, profile images, or behavioral analytics beyond the cookieless statistics described below.
3. How we use your data
- Authentication — to sign you in and issue a secure session across EloLin products.
- Session management — to display your active devices and let you revoke sessions from your profile.
- Security and abuse prevention — hashed IP and User-Agent help detect suspicious login patterns.
- Service improvement — aggregated, cookieless page view statistics via Cloudflare Web Analytics (no personal data involved).
We do not sell, rent, or share your personal data for advertising.
4. Legal bases (GDPR)
If you are located in the European Economic Area, we process your data under:
- Contract performance (Art. 6(1)(b)) — authentication and session management are necessary to provide the service you requested.
- Legitimate interest (Art. 6(1)(f)) — security logging, abuse prevention, and service stability.
- Consent (Art. 6(1)(a)) — where we ask for it, such as optional profile fields.
5. Subprocessors
We share the minimum necessary data with trusted third-party processors. See our full Subprocessors list for details. Key processors include:
- Supabase Inc. — database and authentication hosting (Singapore region).
- Cloudflare Inc. — CDN, Workers, and Pages hosting (global edge).
- Google LLC — OAuth provider when you choose “Sign in with Google”.
- GitHub Inc. — OAuth provider when you choose “Sign in with GitHub”.
6. Data retention
- Profile data — kept until you delete your account. Account deletion (via /profile) is planned and will cascade-delete all associated data.
- Audit logs — retained indefinitely until you delete your account, at which point they are removed.
- Sessions — stored until you revoke them or the token expires naturally.
7. Your rights
Depending on your location, you may have the right to:
- Access — request a copy of the data we hold about you.
- Correction — update your display name, bio, or locale directly in your profile.
- Deletion — delete your account and all associated data (feature in progress; email us in the meantime).
- Data portability — export your data (planned feature).
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
- Lodge a complaint — with the supervisory authority in your jurisdiction.
To exercise any of these rights, email hello@elolin.com.
8. International transfers
Your data is stored on Supabase servers located in Singapore (ap-southeast-1). When you access EloLin, requests may pass through Cloudflare's global edge network. Where personal data is transferred outside your country, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms.
9. Children
EloLin is not directed to children under 13 (or under 16 in the EU/EEA). We do not knowingly collect personal data from children. If you believe a child has provided data to us, please contact us and we will delete it.
10. Security
We apply multiple layers of protection:
- Session cookies are HttpOnly, Secure, and SameSite=Lax.
- JWTs are signed and validated server-side on every request.
- Database rows are protected by Supabase Row Level Security (RLS).
- IP addresses are hashed with SHA-256 before storage.
- No passwords or profile images are ever stored.
11. Cookies
We use a small number of strictly necessary cookies to enable sign-in. We do not use advertising or tracking cookies. See our Cookie Policy for the full list.
12. Changes to this policy
When we make material changes, we will notify you within the app. The updated policy is effective immediately upon posting. Your continued use of EloLin after that date constitutes acceptance.
13. Contact us
Questions or requests regarding this policy: hello@elolin.com.