Sign in Join

Wizard Skin Legal

Privacy Policy

Effective May 31, 2026 · Last updated May 31, 2026

Wizard Skin is experimental software. Use it at your own risk, and do not upload, collect, or share information unless you have the rights and consent needed to do so.

Wizard Skin Privacy Policy

Effective date: May 31, 2026 Last updated: May 31, 2026

This Privacy Policy explains how Wizard Skin ("Wizard Skin," "we," "us," or "our") collects, uses, stores, shares, and protects information when you access or use the Wizard Skin website, web app, progressive web app, APIs, messaging features, media tools, forms, business tools, loyalty/promotional tools, Pocket storage features, AI-assisted features, and related services (together, the "Service").

Wizard Skin is experimental software. Features, privacy controls, security settings, encryption modes, third-party integrations, and data handling may change as the Service evolves. We take reasonable measures to build and operate the Service in a privacy-conscious and compliant way, but actual privacy and compliance also depend on how users configure their accounts, what users upload, what users share, who users communicate with, and whether users have the legal right to submit or disclose particular information.

By using the Service, you acknowledge that online services can never be completely private, secure, uninterrupted, or error-free. Do not use Wizard Skin for information or communications that you cannot risk being exposed, lost, delayed, misdelivered, reviewed for safety/legal reasons, or processed by third-party providers when you choose or enable features that require them.

1. Scope of this Policy

This Policy applies to information handled through Wizard Skin, including:

  • account registration and login;
  • profiles, follows, blocks, posts, comments, stories, spaces, likes, reports, and moderation tools;
  • direct and group messaging, message reactions, read receipts, GIFs, voice/media messages, calls, and related encryption metadata;
  • uploaded images, video, files, post media, Pocket notes/files, share links, and media-processing events;
  • forms, campaigns, recipients, submissions, signatures, reminders, and related records;
  • business accounts, customer/loyalty records, promotions, QR scans, and points features;
  • notifications, web push subscriptions, support/admin tools, invite codes, and security settings;
  • AI-assisted drafting, cleanup, post improvement, image/video description, or form-generation features when enabled;
  • integrations such as object storage, email, web push, maps, weather, news feeds, GIF providers, video embeds, content delivery networks, and AI providers.

This Policy does not control privacy practices of third-party websites, apps, services, embeds, APIs, storage providers, payment processors, AI providers, social platforms, maps/weather/news/GIF providers, or content you reach through external links. Their own policies apply.

2. Information we collect

The information we collect depends on the features you use, your settings, and what you choose to provide.

2.1 Account and authentication information

We may collect and store:

  • username, email address, password hash, email-confirmation status, account type, account roles, and account status;
  • invite code metadata, registration policy status, login policy status, and account eligibility checks;
  • password-reset requirements, two-factor authentication status, TOTP secrets or related authentication metadata when enabled;
  • signup IP address, IP hash, signup timestamp, login timestamps, login location records, user agent strings, and other security/account records;
  • moderator, administrator, super-admin, global-ops, paid/AI-access, business-account, subscription, or role metadata when applicable;
  • support-mode or impersonation-session audit records when an authorized administrator assists or investigates an account.

Passwords are intended to be stored as hashes rather than plaintext. You are responsible for keeping your credentials, devices, recovery channels, and sessions secure.

2.2 Profile, social, and public content information

We may collect and store information you add to your profile or publish through social features, including:

  • display name, avatar URL or uploaded avatar, bio, headline, pronouns, custom profile fields, contact handles, external profile links, visibility settings, and discovery settings;
  • posts, comments, stories, spaces, replies, links, media captions, tags, reactions, likes, follows, blocks, and other social graph records;
  • visibility choices such as public, private, discoverable, non-discoverable, blocked, deleted, hidden, or archived states;
  • reports, report reasons, report metadata, appeal/contest text, moderation status, and moderation audit history.

Public or discoverable content may be visible to other users, visitors, search tools, shared links, screenshots, caches, or third parties. Even if content is deleted, copied content may remain outside our control.

2.3 Messages, calls, and private communications

When you use messaging or call features, we may collect and store:

  • thread membership, thread names, avatars, message sender, timestamps, message type, read receipts, hidden-message records, reactions, expiry settings, and encryption metadata;
  • message content, GIF metadata, voice/media attachments, uploaded files, location attachments, and per-recipient encrypted payload packages depending on the security mode and feature used;
  • call-session metadata such as initiator, receiver, thread, state, started/accepted/ended timestamps, media mode, and WebRTC configuration data;
  • push-notification metadata, notification payloads, unread states, and delivery status.

Wizard Skin may support more than one message security mode. In a top-down or server-managed encryption mode, content may be encrypted at rest while the Service still controls or can access decryption keys. In an end-to-end encryption mode, some message payloads may be encrypted for recipients, but metadata, delivery records, abuse reports, device/session information, media records, and some attachments or legacy content may remain available to the Service. E2E and encryption features are experimental and should not be treated as a guarantee that content is unreadable to the Service, administrators, infrastructure providers, recipients, compromised devices, or third parties.

Private communications may be reviewed, preserved, disclosed, or acted on if necessary for safety, abuse prevention, troubleshooting, legal compliance, security incidents, account support, or enforcement of the Terms of Use.

2.4 Media, files, Pocket, and storage information

When you upload or store media, files, or Pocket items, we may collect and store:

  • file names, stored file names, MIME/media type, size, checksums, storage keys, URLs, thumbnails, transcoding profile, processing status, processing errors, and timestamps;
  • uploaded images, videos, audio, voice notes, documents, message attachments, post media, profile media, story media, Pocket notes, Pocket files, folders, tags, categories, previews, encrypted envelopes, locked payloads, share links, and share-recipient records;
  • view counts, download counts, share-token hashes, share hints, expiration settings, revoked status, and share-event metadata;
  • audit events and storage events related to creation, access, sharing, downloads, deletion, encryption, and storage usage.

Some media may be stored locally, in object storage, or through third-party storage providers depending on configuration. Media may be compressed, transcoded, resized, scanned, cached, signed, encrypted, or otherwise processed to provide the Service. You are responsible for ensuring that you have the right to upload and share any media or files.

2.5 Forms, campaigns, signatures, and submissions

If you use forms or campaign features, we may collect and store:

  • form template titles, rich text, field labels, field types, required-field settings, option values, and campaign configuration;
  • sender and recipient information, recipient email addresses, recipient-user links, viewed/submitted/reminded timestamps, reminder counts, status values, and delivery metadata;
  • submitted form payloads, signer names, signature text, signature blobs, signed timestamps, payment status flags, and related records.

Forms and signatures are experimental. You are responsible for deciding what personal information to request from others, obtaining any required consent, providing required notices, and complying with laws that apply to your forms, campaigns, signatures, reminders, and records.

2.6 Business, promotions, ads, and loyalty information

If you use business, ads, customer, promo, or points features, we may collect and store:

  • business name, legal name, category, descriptions, business contact details, business settings, promo configuration, issued codes, redemption status, QR-scan activity, customer identity records, points balances, points adjustments, and audit records;
  • ad preferences, ad placement preferences, and records needed to show, suppress, or manage app-level promotional or ad features.

Business users are responsible for their own customer notices, consents, redemption terms, tax obligations, consumer-protection compliance, and any privacy obligations created by their campaigns or customer interactions.

2.7 AI-assisted feature information

If AI-assisted features are enabled and you use them, we may process prompts, drafts, message context, form instructions, post content, media descriptions, image/video frames or derived descriptions, and other inputs or outputs needed to provide those features.

AI features may send information to third-party AI providers or infrastructure providers. Do not submit secrets, sensitive personal information, health information, financial information, legal strategy, credentials, private keys, confidential business information, or information about other people unless you have the right to do so and accept the risk. AI outputs may be wrong, incomplete, biased, unsafe, or unsuitable. Review AI output before using, posting, sending, or relying on it.

2.8 Device, usage, log, and security information

We may automatically collect or generate:

  • IP address, user agent, browser/device type, operating system, request path, referrer, origin, timestamps, request IDs, error logs, diagnostic data, upload diagnostics, CSRF failure data, rate-limit data, abuse-prevention data, session events, and security audit records;
  • cookie, session, local-storage, cache, service-worker, and PWA-related data;
  • web push subscription endpoints, keys, browser push identifiers, notification activity, and related delivery metadata;
  • approximate location derived from IP address, precise location you choose to share, map/weather location queries, and login-location records.

We use this information to operate, debug, secure, improve, and enforce the Service.

2.9 Information from third parties

We may receive information from or send information to third parties when you use integrated features, such as:

  • hosting, database, object-storage, CDN, email, web push, and infrastructure providers;
  • AI providers used for enabled AI features;
  • GIF, media, video embed, weather, maps, news feed, calendar/iCal, and link-preview providers;
  • payment, commerce, customer, promo, business, or analytics providers if configured;
  • other users who tag you, message you, report you, invite you, share with you, add you to a thread, send you a form, or interact with your content.

Third-party providers may collect information under their own terms and privacy policies.

3. How we use information

We use information to:

  • create, authenticate, secure, and administer accounts;
  • provide profiles, feeds, discovery, posts, comments, stories, spaces, messages, calls, forms, Pocket, business tools, promotions, points, AI features, notifications, and other app functionality;
  • store, display, transmit, process, transcode, encrypt, decrypt, cache, sign, or deliver content and media;
  • personalize your experience based on your settings, visibility choices, follows, blocks, notification preferences, and app configuration;
  • send service messages, notifications, reminders, account alerts, security notices, support replies, and administrative communications;
  • detect, prevent, investigate, and respond to spam, fraud, abuse, malware, security incidents, policy violations, unauthorized access, and illegal activity;
  • moderate content, review reports, enforce the Terms of Use, suspend/freeze/delete accounts, and preserve audit trails;
  • troubleshoot errors, monitor uptime, debug media uploads, maintain logs, perform backups, test features, and improve the Service;
  • provide AI-assisted drafting, cleanup, generation, summarization, description, or improvement when you request or enable those features;
  • comply with legal obligations, lawful requests, dispute-resolution needs, tax/accounting requirements, and safety obligations;
  • protect rights, privacy, safety, security, property, users, the public, and the integrity of the Service.

4. How information is shared or disclosed

We may share or disclose information in the following ways.

4.1 With other users and visitors

Your posts, profile details, stories, spaces, comments, likes, follows, public media, shared Pocket items, business listings, promo/points interactions, and other content may be visible to others according to the feature and your settings. Direct messages, forms, share links, and thread content are visible to intended recipients and may be copied, saved, reported, or disclosed by them.

4.2 With service providers

We may share information with vendors and service providers who help us host, store, secure, operate, debug, moderate, transmit, process, or improve the Service. This may include infrastructure providers, databases, object storage, CDNs, email providers, push-notification services, media processors, AI providers, maps/weather/news/GIF/video providers, payment or commerce providers if configured, and support tools.

4.3 For safety, security, and moderation

We may disclose information to administrators, moderators, support personnel, affected users, law enforcement, legal advisors, security researchers, or relevant third parties if we believe disclosure is reasonably necessary to enforce rules, prevent harm, investigate abuse, protect the Service, respond to reports, or comply with law.

4.4 For legal compliance and business changes

We may disclose information if required or permitted by law, subpoena, court order, legal process, regulatory request, public authority request, emergency request, rights enforcement, merger, acquisition, financing, reorganization, bankruptcy, asset transfer, or similar transaction.

4.5 Sale or sharing of personal information

As currently designed, we do not knowingly sell personal information or share personal information for cross-context behavioral advertising as those terms are used under the California Consumer Privacy Act, unless we update this Policy and provide any legally required notices and opt-out methods. Some third-party embeds, links, media providers, CDNs, maps, weather, GIF providers, video providers, or external sites may collect information independently when you interact with them.

5. Cookies, sessions, local storage, and push notifications

We use cookies, session storage, local storage, service workers, caches, CSRF tokens, remember-me cookies, and similar technologies to keep you signed in, protect forms, remember settings, support PWA behavior, detect abuse, secure requests, and improve usability. You can control some cookies through your browser, but blocking cookies or local storage may break login, security, uploads, messaging, notifications, or app features.

If you enable web push notifications, your browser may provide us a push subscription endpoint and cryptographic keys. You can revoke push permissions through your browser or device settings.

6. Location information

Wizard Skin may process location-related information in several ways:

  • approximate location from IP address or login diagnostics;
  • login-location records generated for security or account visibility;
  • precise latitude/longitude if you send or share a location in a message or through a location feature;
  • map, weather, city/state, calendar, or local-news settings if you configure them;
  • location sharing permissions that allow another user to view certain login-location records.

Only share precise location if you accept the risk. Recipients may copy, screenshot, save, or disclose it. Maps, weather, and location providers may process your queries under their own policies.

7. User responsibilities and user-controlled disclosure

Wizard Skin gives users tools to post, message, upload, share, report, invite, create forms, collect submissions, run business promotions, and manage files. Those tools can be used responsibly or irresponsibly. You are responsible for:

  • deciding what information to provide, upload, store, post, request, or share;
  • obtaining consent before uploading, posting, tagging, sending, recording, collecting, or disclosing someone else's information;
  • choosing appropriate visibility settings;
  • complying with laws that apply to your content, business, forms, campaigns, ads, promotions, points, communications, and customer records;
  • protecting your credentials, devices, sessions, private keys, recovery methods, and share links;
  • not using Wizard Skin for regulated, high-risk, unlawful, abusive, exploitative, or privacy-invasive activity.

Our compliance efforts cannot make user-submitted content lawful or safe if a user uploads, posts, collects, or shares information without rights, consent, or proper safeguards.

8. Retention and deletion

We retain information for as long as reasonably necessary to provide the Service, maintain accounts, support app features, comply with law, enforce policies, resolve disputes, protect safety/security, maintain backups, audit admin actions, prevent abuse, and operate business records.

Retention periods vary by feature and configuration. For example:

  • account and profile records may remain while an account is active;
  • posts, comments, messages, media, forms, Pocket items, business records, promo/points records, and shares may remain until deleted, expired, revoked, hidden, archived, or removed under policy;
  • messages may have expiry settings, but expiry is not a guarantee that all copies, backups, recipient copies, logs, reports, or cached copies disappear immediately;
  • moderation, security, report, abuse, admin, support, and audit records may be retained longer to protect users and the Service;
  • backups and disaster-recovery copies may persist for a limited period before being overwritten;
  • legal holds may require longer retention.

You may request deletion or correction of certain information by contacting us. Some information may be retained where allowed or required by law, for security, for moderation records, for dispute resolution, or because another user independently controls a copy.

9. Security

We use reasonable technical, administrative, and organizational measures designed to protect information. Depending on configuration and feature, these measures may include password hashing, HTTPS, secure/HTTP-only/SameSite cookies, CSRF protection, security headers, upload limits, signed URLs, object-storage controls, encryption at rest for some content, message encryption modes, audit logs, access controls, rate limits, admin role controls, and abuse-detection tools.

No system is perfectly secure. Experimental features may fail. Encryption may be incomplete, misconfigured, or unavailable for some data. Users, recipients, administrators, devices, browsers, extensions, third-party providers, infrastructure, and attackers may create risks outside our control. You use the Service at your own risk.

10. International processing

Wizard Skin may process and store information in the United States or other locations where we or our providers operate. If you access the Service from outside the United States, you understand that your information may be transferred to and processed in jurisdictions that may have privacy laws different from those in your location.

11. Children and minors

Wizard Skin is not directed to children under 13. You may not use the Service if you are under 13. If we learn that we collected personal information from a child under 13 without legally valid parental consent, we will take reasonable steps to delete it.

If you are 13 or older but under the age of majority where you live, you may use the Service only with permission and supervision from a parent or legal guardian. Parents or guardians may contact us about a minor's account.

12. Regional privacy rights

Depending on where you live and whether applicable legal thresholds are met, you may have rights to request access, portability, correction, deletion, restriction, objection, withdrawal of consent, appeal of a privacy-rights decision, or information about how your personal information is used and disclosed. You may also have the right not to be discriminated against for exercising privacy rights.

To make a privacy request, contact us at support@wizard.skin. We may need to verify your identity and authority before fulfilling a request. We may deny, limit, or delay requests where allowed by law, such as when information is needed for security, legal compliance, dispute resolution, another person's rights, or operation of the Service.

12.1 California privacy notice

This section is intended to supplement the rest of this Policy for California residents. The categories below describe personal information we may collect, depending on your use of the Service.

CategoryExamplesPurposesDisclosures
Identifiersusername, email, IP address, account IDs, device/session identifiers, invite-code recordsaccount, security, login, support, notifications, abuse preventionservice providers, other users where you choose, admins/moderators, legal/safety recipients
Customer recordsaccount contact details, business contact details, recipient emails, customer/points recordsaccount, forms, business tools, promotions, customer interactionsservice providers, business/customer participants, legal/safety recipients
Protected classification or sensitive profile data you choose to providepronouns or other profile details if you add themprofile display and user-directed sharingother users/visitors according to settings, service providers
Commercial informationpromo codes, points, business tools, purchases/subscription flags if enabledbusiness tools, loyalty, paid/AI access, fraud preventionservice providers, business participants, legal/safety recipients
Internet or network activitylogs, cookies, user agent, request paths, referrers, CSRF diagnostics, security eventssecurity, troubleshooting, analytics, abuse prevention, operationsservice providers, admins, legal/safety recipients
Geolocationlogin location, IP-derived location, precise location you choose to share, map/weather settingssecurity, location sharing, weather/maps, user-directed messagesrecipients you choose, service providers, legal/safety recipients
Audio/visual/electronic contentposts, images, videos, voice notes, messages, calls metadata, files, forms, signaturesService functionality, storage, sharing, moderation, AI features if requestedother users/recipients, service providers, moderators/admins, legal/safety recipients
Professional/business informationbusiness profile, legal name, business category, contact detailsbusiness listings, promotions, points, customer toolsother users/visitors according to settings, service providers
Inferencespreferences, discovery settings, follows/blocks, notification choices, content interactionspersonalization, safety, recommendations, app functionalityservice providers, other users where feature requires
Sensitive personal informationaccount credentials, precise location when shared, message contents, form submissions, signatures, private filesonly as reasonably necessary for Service functionality, security, legal/safety, user-directed sharing, and configured featuresservice providers, recipients you choose, admins/moderators when necessary, legal/safety recipients

We do not knowingly sell or share personal information for cross-context behavioral advertising as currently designed. We also do not knowingly sell or share personal information of users under 16. If our practices change, we will update this Policy and provide required choices.

12.2 Global Privacy Control and Do Not Track

Some browsers or extensions offer Global Privacy Control (GPC) or Do Not Track signals. Where legally required and technically feasible, we will treat a recognized GPC signal as an opt-out of sale/sharing for that browser or device. Because we do not currently sell or share personal information for cross-context behavioral advertising as currently designed, these signals may not change your experience. Standard Do Not Track signals are not uniformly defined, and we may not respond to them unless required by law.

12.3 EEA, UK, and similar jurisdictions

Where GDPR, UK GDPR, or similar laws apply, our legal bases may include performance of a contract, legitimate interests, consent, legal obligations, vital interests, and user-directed disclosure. Legitimate interests may include security, abuse prevention, service improvement, debugging, moderation, and operating the Service. You may have rights to access, correct, delete, restrict, object, transfer, or withdraw consent. You may also have the right to complain to a supervisory authority.

13. Changes to this Policy

We may update this Policy as the Service changes. The updated version will be posted with a new "Last updated" date. Material changes may be communicated through the Service, email, or another reasonable method. Your continued use of the Service after an update means you accept the updated Policy to the extent permitted by law.

14. Contact

For privacy requests, questions, security concerns, or deletion/correction requests, contact:

Wizard Skin Support Email: support@wizard.skin

If you are contacting us about a privacy request, include enough information for us to identify your account and verify your authority, but do not send passwords, private keys, government IDs, or unnecessary sensitive information unless we specifically request it through a secure method.