Privacy Policy

Last updated: 2026-04-25

This Privacy Policy describes how Persona.bio ("we", "us") collects, uses, and protects information when you use the Service.

What we collect

When you sign in with Google we receive your email address, name, Google profile picture URL, and the Google identifier needed to sign you in next time. We store these on your user record so we can identify you and display your name on your persona.

When you answer questions, your answers are stored along with whether each answer should appear on your published persona. We sanitize submitted text to strip HTML before storage.

When you configure share rules or request access to another persona we store share rule rows (who you've granted access to) and share request rows (who has asked to see your persona).

We log routine request metadata (timestamp, IP address, user agent) to operate the Service and investigate abuse. We do not use this for advertising or sell it.

We use a single session cookie to keep you signed in. We do not use analytics or third-party trackers in the application.

How we use it

We use your information to:

  • Sign you in and identify you in the Service.
  • Display your persona to viewers you've granted access to.
  • Surface incoming share requests on your My Profile page.
  • Operate and protect the Service (debugging, abuse investigation).

Who we share it with

Persona.bio is single-tenant and we do not sell, rent, or share your personal information with third parties for marketing. Limited sharing happens in three cases:

  • Hosting and infrastructure providers that store and serve your data on our behalf (currently Fly.io for compute and Tigris for backups). They process data only as necessary to provide their services.
  • Identity providers when you sign in (currently Google). Sign-in data flows to and from those providers under their terms.
  • Legal requirements when we are required to disclose information by law, subpoena, or to protect the rights, property, or safety of users or the public.

Where we store it

Your data lives in a SQLite database on a Fly.io volume in the United States, with continuous replication to Tigris (S3-compatible) for disaster recovery. We retain backups for 24 hours.

How long we keep it

We keep your data for as long as your account exists. Deleting your account (see Account Deletion below) removes your user row, answers, share rules, and pending share requests from the live database immediately. Backup snapshots expire on their own retention schedule (24 hours for Litestream).

Your rights

You can:

  • Access your data at any time on My Profile and via your published persona page.
  • Correct any data by editing your answers or your name on the authentication provider.
  • Delete your account from the Danger Zone on My Profile. Deletion is immediate and irreversible.
  • Contact us at feedback@persona.bio with any privacy question or request not covered above.

Cookies

We use one cookie, persona-session, to keep you signed in. It is HTTP-only, SameSite=Lax, and marked Secure in production. Clearing this cookie signs you out. We do not use third-party advertising cookies.

Children

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.

Changes to this Policy

We may update this Policy from time to time. Material changes will be announced via email to active users (when transactional email is enabled) or via a visible in-app banner. The "Last updated" date above always reflects the current version.

Contact

feedback@persona.bio