Last updated: April 23, 2026
This is the short version: we store the minimum needed to run the product, we don't sell it, and we don't track you across the rest of the web. The long version is below.
CYPHER is operated from cyphertheculture.com. If you need to reach us about privacy, email privacy@cyphertheculture.com.
Our infrastructure providers (Vercel for hosting, Cloudflare for DNS) receive your IP address and user agent string as part of any normal web request. We use these transiently for rate-limiting (to stop abuse) and for serving the page. We don't build a long-term log of your visits.
We store your email address. That's it. We don't ask for your name, phone, address, or birthday. Authentication is passwordless — we email you a one-time magic link, and Supabase (our auth provider) holds the session token.
If you run a Deep Rabbit Search, we log that it happened (timestamp, user id, and a counter) so we can enforce the free-tier 1-per-day limit. We don't log the text of your query against your account in a way that's queryable by us — search inputs are used to answer the request and flushed.
If you pick a preferred listening platform (YouTube, Apple Podcasts, Spotify, Overcast) we save that choice on your account so the "Listen On" buttons work how you want.
Stripe handles payment. We never see your card number. We store the Stripe customer id and subscription status so we know who has Pass access. Stripe has its own privacy policy that governs the payment data itself — see stripe.com/privacy.
No third-party analytics cookies. No Google Analytics. No Facebook pixel. No advertising trackers. No browser fingerprinting for ad targeting. No session replay.
We share data only with the service providers needed to run CYPHER:
We do not sell, rent, or trade your data. We do not share it with advertisers. We will share it with law enforcement only when compelled by valid legal process and only the minimum that the process requires.
We use one category of cookie: the session cookie set by Supabase Auth after you sign in. It is HttpOnly and Secure, it lets us know you're signed in on return visits, and it expires when you sign out or after a defined period. No advertising cookies. No cross-site tracking cookies.
You can:
If you're in the EU/UK, these map to your GDPR rights (access, rectification, erasure, portability, objection). If you're in California, these satisfy your CCPA rights.
CYPHER is not directed at children under 13 and we don't knowingly collect data from them. If you believe a child has created an account, email privacy@cyphertheculture.com and we'll remove it.
Passwords don't exist here — we only use magic-link sign-in, so there's no password to leak. All data in transit is TLS encrypted. Database access is restricted with row-level security policies (you can't read another user's data, even if the app has a bug). Payment data is handled entirely by Stripe and never touches our servers.
If we ever have a data incident that affects you, we'll notify you by email within 72 hours of becoming aware of it.
Our infrastructure is primarily in the United States. By using CYPHER you consent to your data being processed in the US. We apply the same privacy standard to all users regardless of location.
If we make a meaningful change we'll post the new version here with an updated date, and if the change materially expands what we collect or who we share with, we'll notify signed-in users by email before the change takes effect.
Privacy questions: privacy@cyphertheculture.com
General support: support@cyphertheculture.com