Vulnerability Disclosure Policy
CloakShell welcomes reports from security researchers who help us protect our community. This policy describes what we ask for, what you can expect in return, and how we work together when a vulnerability is found. We do not collect, sell, or mine user data, and we take reports that touch user privacy especially seriously.
In scope
- cloakshell.com and api.cloakshell.com
- The public-facing CloakShell backend
Out of scope
- Third-party services we depend on, including Supabase, Cloudflare, Resend, and Stripe
- Social engineering of CloakShell employees, contractors, or vendors
- Physical attacks against CloakShell staff, offices, or infrastructure
- Denial-of-service attacks, including volumetric, application-layer, and resource exhaustion
- Automated scanner output without manual verification or a working proof of concept
- Self-XSS that requires the victim to paste attacker-controlled input into their own browser
Safe harbor
Researchers acting in good faith under this policy will not face legal action from CloakShell. Do not access data belonging to other users beyond what is necessary to demonstrate the issue. Stop testing and report as soon as a vulnerability is identified. Make a good-faith effort to avoid privacy violations, service disruption, and destruction of data while you work. If you are unsure whether a specific action is covered, email us first.
How to report
Email security@cloakshell.com with the subject prefix [Security Disclosure]. A good report includes:
- Clear, numbered reproduction steps
- An impact assessment describing what an attacker could achieve
- Any affected accounts or data, referenced by opaque IDs only, never user content
- Suggested remediation or mitigations, if you have them
- Your preferred name or handle for credit, if you want to be credited publicly
Please do not post vulnerability details on social media, public forums, or issue trackers before we have had a chance to investigate and deploy a fix.
Response expectations
- Initial acknowledgment: within 5 business days of your report
- Triage and severity assessment: within 10 business days
- Status updates: at least every 15 business days until the issue is resolved
- Credit: we will credit disclosers in release notes if they want recognition
Ground rules
- No public disclosure until a fix is deployed or 90 days have elapsed from your initial report, whichever comes first
- Coordinated disclosure is encouraged. Reach out if you need more time
- Do not exfiltrate user data. Demonstrate impact with the minimum data required
- Do not use automated tools that generate excessive traffic against production
- Use test accounts you control whenever possible
How CloakShell handles your data
The rest of this page answers common questions about CloakShell's data practices in plain language. The short version: we collect very little, we keep it only as long as needed, and we never sell it.
What does CloakShell collect?
CloakShell collects the minimum needed to run an account: an email address, a date of birth, and a username. No real name is required, no phone number, no government ID, and no face scans.
- Email address: used for login and account emails. It is never shown to other users and never written to logs.
- Date of birth: collected once at registration for legal compliance. It is never shown to other users, never written to logs, and cannot be changed after registration.
- Username and optional display name: the identity other users see. Neither needs to be your real name.
What does CloakShell never do?
CloakShell never shows ads, never sells user data, and never mines your messages. There is no advertising business attached to this platform; it is funded by an optional paid subscription.
- No ads and no ad targeting
- No selling user data
- No data mining of your messages, posts, or files
- No training AI models on your content. The only automated analysis is safety scanning of uploads (malware and image safety checks), run under a no-retention, no-training policy.
- No tracking pixels in messages: user content cannot embed third-party images, and link previews are fetched by CloakShell's own servers so outside sites never see your IP address.
- No cross-site tracking: analytics on public pages are anonymous, with no cookies and no user identifiers.
What is never written to logs?
Email addresses, dates of birth, passwords, authentication tokens, and the content of messages and direct messages never appear in CloakShell's logs. This is an enforced engineering rule, not a best effort.
IP addresses are treated as ephemeral: they are never persisted in application logs, and any short-lived anti-abuse data tied to a connection is erased automatically within minutes. Error reports are scrubbed of personal data before they are stored. Operational logs carry only opaque identifiers such as request IDs, status codes, and timings.
How long is data kept?
Account data is kept only while the account is active, and deleted data is erased on fixed schedules by automated purge jobs, not by manual cleanup.
- Deleted messages, including direct messages, are permanently erased 90 days after deletion.
- Deleted accounts are permanently purged 30 days after the deletion request.
- Personal data export archives expire 7 days after creation.
- Moderation audit logs are kept for 2 years and contain only entity IDs and action metadata, never message content.
- Failed registration attempts have zero retention: nothing is written to the database or to logs.
Can I delete everything?
Yes. You can delete your account from your settings, and all personal data is permanently purged after a 30-day grace period. You can also export a copy of your data first.
- Deletion takes effect immediately: you can no longer log in, and unique identifiers such as your friend code are randomized right away so nothing links back to the deleted account.
- You choose what happens to your content: keep it visible with the author shown as "Deleted User", or remove it entirely.
- During the 30-day grace period you can ask to reactivate. After it ends, your data is permanently deleted from the database, your uploaded files are deleted from storage, and your login record is removed.
- One exception: our payment processor retains billing records as required for tax and legal compliance.
Is CloakShell end-to-end encrypted?
No. CloakShell does not offer end-to-end encryption, and we will not pretend otherwise.
Our privacy model is built on minimizing data instead: all traffic is encrypted in transit with TLS, we collect as little as possible, we never sell or mine what you share, sensitive fields are banned from logs, and deleted data is purged on fixed schedules. Keeping server-side access to content is also what lets us scan uploads for malware and enforce platform safety rules. If end-to-end encryption is a hard requirement for your threat model, we would rather say so plainly than overclaim.