Privacy Policy
How Bytes handles your data. Plain language, no dark patterns.
Last updated:
Overview
Bytes is an AI-curated news reader. This policy explains what personal data we collect, how we use it, who we share it with, and your rights. It applies to anyone who visits bytes.news or uses the Bytes service.
What we collect
Account data
When you create an account, we collect:
- Email address — for authentication and security notifications
- Display name — optional, shown to you in the app
- Password hash — never stored in plain text; computed with bcrypt (12 rounds) and stored in our own database
- OAuth provider ID — if you sign in with Google, we receive your Google ID and profile picture
Preference data
Settings you explicitly configure:
- Selected news topics (categories)
- Reading style (Ultra Quick, Brief, Deep Dives)
- Tone preference (Straight Facts, More Explanation, Context & Opinion)
- Content filters (no clickbait, safe mode, etc.)
Engagement data
Actions you take in the app:
- Articles you like or bookmark
- Timestamps of likes/bookmarks
Technical data
- IP address — never stored in raw form. We compute a salted SHA-256 hash and keep only the truncated hash for rate limiting and abuse prevention. The raw IP is discarded after the hash is computed.
- Session cookies — required for authentication
- Error reports — when the app crashes in your browser, the error message, a truncated stack trace, the page path, and a per-request correlation ID are sent to our own server-side log. We never send these to a third-party monitoring provider, and the report contains no personal identifiers beyond the salted IP hash.
- Request IDs — every API response carries an x-request-id header so a single user-facing bug can be traced through our server logs. The ID is a random UUID that is not linkable to your identity.
- Performance metrics — when you load a page, the browser reports Core Web Vitals (LCP, CLS, INP, FCP, TTFB) to our monitoring endpoint. Each report includes the metric name, value, the page path (without query string or fragment), a coarse user-agent string (platform + form factor when your browser supports User-Agent Client Hints; the truncated UA string otherwise), and the salted IP hash described above. No personal identifiers, no cross-site tracking, and the report is dropped if your browser is in a sampled-out session.
How we use your data
- Deliver the service — fetch news matching your topics, save your bookmarks, sync preferences across devices
- Security — detect abuse, rate-limit API usage, protect against attacks
- Improve the product — aggregate usage patterns (e.g., which topics are popular) in a way that cannot be linked back to individuals
We do not use your data for advertising, do not sell it to third parties, and do not share individual usage patterns with anyone.
Third-party services
Bytes uses the following processors:
- MongoDB Atlas (database) — stores your account, preferences, bookmarks, and likes. SOC 2 + GDPR-compliant; data is encrypted at rest and in transit.
- Google (OAuth sign-in only) — when you sign in with Google, we receive your Google account ID, email, and profile picture. We do not receive any other data and do not write back to your Google account. Authentication tokens are issued and validated by our own server (Auth.js); Google sees only the OAuth handshake.
- Public RSS feeds (news source) — Bytes fetches headlines and summaries from a curated list of public RSS feeds (BBC, NPR, The Verge, Ars Technica, TechCrunch, Hacker News, ESPN, CoinDesk, Variety). These requests originate from our servers and do not include your identity, IP, or topic selections.
- Vercel (hosting) — serves the application. Logs IP addresses temporarily for abuse prevention.
Performance metrics (Core Web Vitals) and client-side error reports are stored in the same MongoDB database that holds your account data. We do not send RUM data to Google Analytics, Sentry, Datadog, or any other third-party analytics processor.
Cookies
We use only strictly necessary cookies for authentication sessions. We do not use analytics cookies, advertising cookies, or third-party tracking pixels. See our Cookie Policy for details.
Your rights
Depending on your jurisdiction, you may have the right to:
- Access & Portability (GDPR Articles 15 + 20) — download a complete JSON copy of your profile, preferences, bookmarks, and likes from Settings → Your data. The download is generated on demand and is not stored on our servers.
- Correction — update inaccurate data directly from Settings
- Deletion (GDPR Article 17) — permanently delete your account, profile, bookmarks, likes, and preferences in one click from Settings → Your data. The deletion is immediate and irreversible. (Articles you helped surface remain in the public feed for other users — they are not personal data.)
- Objection — object to certain types of processing by writing to us via our contact page
For anything the self-service tools above don’t cover, reach us via our contact page. We respond within 30 days.
GDPR (EU/UK residents)
Lawful basis: contract performance (to deliver the service you signed up for) and legitimate interests (security and abuse prevention). Data controller: the entity operating Bytes (see contact).
CCPA (California residents)
Categories of personal information collected: identifiers (email), commercial information (service preferences), internet activity (session logs). We do not sell personal information as defined by the CCPA.
Data retention
- Account data — retained while your account is active, plus 30 days after deletion request
- Engagement logs — retained up to 180 days, then anonymized
- Performance metric rows — auto-purged after 30 days by a scheduled database job. Aggregates persist longer in dashboards but cannot be linked back to a specific session or device.
- Contact form submissions — retained up to 365 days so we can answer late follow-ups, then auto-purged
- IP hashes — retained as part of the rows above (rate-limit + RUM); the original raw IP is never written to disk
Security
We use industry-standard measures: encrypted connections (HTTPS), passwords hashed with bcrypt (12 rounds), JSON-Schema validators on every database collection, and principle-of-least-privilege access for service accounts. No system is perfectly secure, but we treat your data as if it were our own.
Children's privacy
Bytes is not intended for users under 13 (or the minimum age in your jurisdiction). We do not knowingly collect data from children. If you believe a child has created an account, please contact us for removal.
Changes to this policy
We'll update this policy as the service evolves. Material changes will be announced in-app and via email at least 30 days before taking effect. The “Last updated” date at the top reflects the latest revision.
Contact
Questions? Reach out via our contact page.