Privacy Policy
Last updated: May 19, 2026
This is an interim policy. Tableread is in alpha and this page is a working summary of how we handle data today. A full, lawyer-reviewed policy will replace it before public launch. The substance below accurately describes our current practices — we've expanded the structure to make it easier to find what you're looking for. Questions in the meantime go to contact.
What this policy covers
This policy describes the personal information Tableread collects when you visit tableread.com or use a Tableread account, why we collect it, how we use it, who we share it with, and the controls and rights you have over it.
We try to keep the language plain. When we link to a third party, that company has its own privacy policy — we're telling you what we share with them and what they handle on our behalf, not speaking for them.
What we collect
Things you create or provide
- Account. Email, chosen username, display name, and a hashed password (we never see your raw password). If you sign in with Google or Discord, we receive the email and account ID from those providers — no password.
- Profile. Anything you choose to add — bio, avatar, social links, interest areas, location text, achievements. These fields are optional and editable from settings.
- Content you post. Reviews, lists, descriptors, helpfulness votes, comments, messages, video uploads, marketplace listings, proposals, applications, follows, blocks, and similar interactions.
- Identity verification (optional). If you opt into identity verification, Stripe Identity collects government ID and selfie data on our behalf. We never receive or store those documents — we only learn whether the verification passed.
- Payment information (optional). If you subscribe, buy from the marketplace, or set up creator payouts, Stripe collects and stores card or bank data. We see only a Stripe customer ID and high-level transaction metadata. We never see or store credit card numbers or bank account numbers.
- Tax information. Creators who earn above IRS reporting thresholds provide tax info (W-9, address) to Stripe so we can issue 1099-K forms. Users who redeem platform Reels above the IRS Tier 2 threshold similarly provide tax info for 1099-B forms. Stripe handles collection and storage.
Information we collect automatically
- Server logs. Standard request logs from Vercel and Supabase — IP address, user agent, timestamp, request path, response code. Used for debugging, abuse detection, and security incident response. Typically retained for 30 days.
- Session cookies. Supabase sets HttpOnly session cookies (
sb-access-token,sb-refresh-token) so we can keep you signed in. - Browser storage. Your browser's localStorage holds non-sensitive UI preferences (chosen format on the reviews page, etc.). Cleared when you clear browser data.
Things we do not collect
We do not collect or use:
- Precise device location (GPS, Wi-Fi, Bluetooth).
- Cross-site browsing history or activity on other sites.
- Advertising identifiers, marketing cookies, or analytics trackers (no Google Analytics, no Meta Pixel, no similar).
- Biometric data, health data, or political/religious data.
- Contacts, calendar, or files from your device.
From third parties
- OAuth providers (Google, Discord, and similar if you use them to sign in) — verified email and provider account ID.
- Stripe — customer ID, subscription status, payout status, and pass/fail result of identity verification.
- Cloudflare Turnstile — a token confirming you passed the human-verification check on signup. We don't receive your interaction data; only the verification result.
- IGDB and similar catalogs — public metadata about games, films, podcasts, etc. This is data about content, not about you.
What's public by default
Tableread is a public-facing creative community. The following are visible to anyone on the internet by default, unless you change visibility settings:
- Your username, display name, avatar, bio, and profile fields you fill in.
- Your reviews, lists, comments, helpfulness votes, and other content you post.
- Who you follow and who follows you.
- Your reviewer tier and earned badges.
- Marketplace listings and creator pages.
You control per-review and per-list visibility (sitewide, followers, friends, private). You can change messaging privacy (open inbox, friend groups only, or off) from settings. Once content is public, search engines (Google, Bing, etc.) may index it.
Some data is private regardless of settings: your email, password, payment information, identity-verification result, Spots/Reels balance, block list, friend-group membership, and direct messages.
How we use it
We use your information to:
- Run the service. Authenticate you, render pages, deliver messages, process payments, render videos, run search.
- Enforce community standards. Detect spam, abuse, copyright infringement, and policy violations; act on flags; ban abusive accounts.
- Improve the service. Diagnose bugs, monitor performance, fix outages. We don't use your content to train AI models.
- Communicate with you. Account confirmations, password resets, security alerts, and (if you opt in) product updates.
- Meet legal obligations. Tax reporting, financial record-keeping, lawful requests from authorities.
We do not sell your data. We do not share it with advertisers. We do not use it to target ads.
AI and your content
We do not use your reviews, lists, messages, profile content, or any other content you post on Tableread to train AI models — ours or anyone else's. We do not sell or license your content to AI training datasets.
If we add AI-assisted features in the future (for example, a writing helper or recommendation engine), we'll describe in this policy exactly what data the feature uses and whether it's opt-in or opt-out. We won't change this policy quietly.
Your public content (public reviews, public lists, public profile) is accessible to anyone on the internet, which means external parties — including AI companies that scrape the public web — may collect it without our cooperation. We publish a robots.txt requesting that AI crawlers respect a no-train signal, but compliance is voluntary on their end.
Messaging confidentiality
Direct messages on Tableread are not end-to-end encrypted. Messages are encrypted in transit and at rest at the storage layer, but Tableread (as the service operator) has the technical ability to read message contents. We don't make a habit of doing so — staff access to messages is restricted to abuse-response and legal-compliance contexts, and logged.
If a conversation requires confidentiality from Tableread itself (e.g. sensitive personal or legal matters), use a tool designed for it (Signal, ProtonMail, etc.) instead of Tableread DMs.
Children
Tableread is not for children under 16. We don't knowingly collect personal information from anyone under 16. If we learn we've received data from someone under 16, we'll delete the account and associated data.
If you believe a child under 16 has created an account, please tell us via contact.
Cookies and similar storage
Tableread uses only the cookies and browser storage strictly necessary to run the service. We do not use advertising, marketing, analytics, or cross-site tracking cookies, and we don't embed third-party trackers like Google Analytics, Meta Pixel, or similar services.
What we do set:
- Authentication — Supabase sets HttpOnly session cookies (
sb-access-token,sb-refresh-token) so we can keep you signed in. Without these, login doesn't work. - Bot protection — Cloudflare sets cookies (
cf_clearance,_cfuvid) to distinguish humans from automated traffic during signup and high-risk actions. - Payment / video features — Stripe and Mux set their own cookies on the specific pages where their checkout or video player is embedded. They're only present when you use those features.
- Local preferences — your browser's localStorage holds non-sensitive UI preferences (e.g., chosen content format on the reviews page) so the site remembers your selections. Cleared when you clear browser data.
Each of these is required for the service to function. EU GDPR / ePrivacy and California CCPA don't require consent banners for strictly-necessary cookies, so Tableread doesn't show one. The day we add anything non-essential — analytics, advertising, tracking — we'll add the banner and ask before setting it.
Who we share with
Service providers we depend on, in their own scope only. Each operates under its own privacy policy:
- Supabase — auth, database, and file storage
- Stripe — payments, identity verification, marketplace payouts, tax form generation
- Mux — video hosting and streaming
- Resend — transactional email delivery
- Vercel — application hosting and image handling
- Vercel Blob — storage for attachments (avatars, message media)
- Cloudflare — DNS, network security, bot protection
- IGDB / TMDB / similar catalogs — outbound metadata lookups only; we don't send them your identity
We disclose information beyond the above only when legally compelled or to protect the platform and its users from harm. If Tableread is ever acquired or merged into another company, we'll give affected users notice before personal information is transferred or becomes subject to a different privacy policy.
Where your data is processed
Tableread's servers and the service providers above are based in the United States. If you're using Tableread from outside the US — including the EU/UK — your data is processed on US-based infrastructure. Data-protection laws vary between countries; we apply the protections described in this policy regardless of where your data is processed.
Security
How we protect your data in practice:
- In transit — all traffic between you and Tableread runs over TLS (HTTPS). Internal service-to-service traffic between our providers is encrypted.
- At rest — Supabase encrypts database storage at rest. Passwords are stored as bcrypt hashes, not plaintext. We never see your raw password.
- Payment data — never touches our servers. Stripe handles card numbers and bank details in their PCI-DSS-compliant vault.
- Access control — Supabase row-level security policies enforce who can read and write what. Service-role access (which bypasses RLS) is restricted to webhook handlers and admin operations and is audited.
- Staff access — restricted to operators (currently a small founding team) and used only for support, abuse response, or legal compliance.
No system is perfectly secure. If we discover a breach affecting your account, we'll notify you and the appropriate regulators within the timeframes the law requires (typically 72 hours under GDPR).
How long we keep it
- Account data — kept while your account is active.
- Content you post (reviews, lists, comments) — kept until you delete it or your account. Deleted content may persist in backups for up to 30 days before being purged.
- Direct messages — kept until you or the other participant deletes the conversation. Soft-deleted conversations are purged after 90 days.
- Server logs — typically retained for 30 days.
- Financial records (subscription invoices, marketplace transactions, payout records, 1099 forms) — kept as long as US tax law requires, typically 7 years. Stripe holds the canonical records.
- Deleted accounts — account and associated data are removed within 30 days of a confirmed deletion request, subject to the financial-records exception above and any data we're required to preserve under an active legal hold.
Your rights
Wherever you live, you can edit or delete most of your data from your settings. For full account deletion, email us through contact and we will remove your account within 30 days, subject to the legal retention exceptions above.
If you're in the EU, UK, or another GDPR jurisdiction
You have the right to:
- Access a copy of your personal data.
- Rectify inaccurate data.
- Erase your data (the "right to be forgotten").
- Restrict processing in certain cases.
- Port your data to another service in a machine-readable format.
- Object to processing.
- Lodge a complaint with your local data protection authority if you believe we've mishandled your data.
Our legal basis for processing is, depending on the data: contract performance (running the service you signed up for), legitimate interest (security, fraud prevention, service improvement), consent (optional features you opt into), and legal obligation (tax records, lawful requests).
If you're a California resident (CCPA / CPRA)
You have the right to:
- Know what personal information we collect about you, how we use it, and who we share it with.
- Access a copy of that information.
- Delete it.
- Correct inaccuracies.
- Opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information as those terms are defined in the CCPA.
- Non-discrimination — we won't treat you worse for exercising any of these rights.
You can exercise any of these rights through contact. We'll verify your identity by confirming you're signed in to the account in question (or by other reasonable means if you can't sign in).
Other US states
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive consumer-privacy laws have substantially similar rights to California residents. Use the same contact process and we'll handle the request under the appropriate law.
You can opt out of product-update emails at any time. Transactional emails (signup, password reset, security, payment receipts, legal notices) are required and can't be disabled while your account is active.
Categories of information (for U.S. state-law disclosures)
Some U.S. state privacy laws ask us to organize disclosures by category. The categories we collect, the purposes, and the parties we share with are:
- Identifiers — name, username, email, account ID, IP address. Purpose: account management, service delivery, security. Shared with: Supabase, Vercel, Cloudflare, Resend (email).
- Commercial information — subscription status, purchase history, payout history. Purpose: processing payments and tax reporting. Shared with: Stripe.
- Internet / network activity — request logs, server-side activity records. Purpose: security, debugging, abuse response. Shared with: Vercel, Cloudflare.
- Audio, electronic, visual — uploaded videos, avatars, photos, message attachments. Purpose: displaying the content you uploaded. Shared with: Mux (video), Vercel Blob (other media).
- Communications — direct messages, comments. Purpose: delivering messages, abuse response. Shared with: Supabase (storage).
- Professional / creative — bio, portfolio links, marketplace listings, reviewer applications. Purpose: running the community and marketplace. Shared with: Supabase. Public profile fields visible per the "public by default" section above.
- Inferences — reviewer tier, helpful-vote ratio, Spots balance. Purpose: reputation and gating features. Shared with: nobody outside Tableread.
We do not collect biometric data, precise geolocation, health data, or sensitive personal information categories under the CCPA.
Tax reporting
When you earn money on Tableread above certain thresholds, US tax law requires us to issue you a form and report the income to the IRS:
- Marketplace creators — Stripe issues a 1099-K at the IRS-required threshold (the threshold changes year-to-year; Stripe applies the current rule).
- Reels redemption (Tier 2) — if your cash-out from platform redemptions exceeds the IRS Tier 2 threshold ($600/year as of this policy), Stripe issues a 1099-B.
To issue these forms, Stripe collects tax information (name, address, taxpayer ID) directly from you when you cross the threshold. Tableread doesn't store this tax information; Stripe does.
Changes
When this policy changes meaningfully, we'll update the date at the top and notify active users by email. Minor clarifications (typo fixes, vendor-name updates) update the date without an email. Continued use after a change means you accept the updated terms.
Contact
Questions, deletion requests, GDPR/CCPA-rights requests, or concerns: tableread.com/contact.