Privacy Policy

Last updated: May 13, 2026

Dear Quad is a small student project. It’s a web app that lets verified UChicago students, faculty, and staff anonymously drop short text memories on a campus map. This policy explains what we collect, how we use it, and what your rights are. We keep things simple; this isn’t a corporation, it’s one student behind a laptop.

What we collect

When you sign in.

We use Google OAuth (via Firebase Authentication) to confirm you have a UChicago account. Google sends us your name, email address, profile picture URL, and a Google account ID. We never see your password, Google handles that.

When you drop a pin.

The pin you create is not linked to your account in our database. We store the text you wrote the location, and the month and year. We do not store your name, email, or user ID alongside the pin. Other users cannot identify you from your pin, and we can’t easily either.

When you report a pin.

We log a one-way hash of your account ID (we can’t reverse it back to your real identity), the pin you reported, and any optional text you wrote. We use this only for moderation and to detect abuse of the report system.

When you vote on a daily question.

We log a one-way hash of your account ID scoped to that day’s question and the question you voted on. We use this only to make sure each person votes once per question.

Automatic info from your visit.

Like every website, our infrastructure records standard technical info each time your browser loads a page: IP address, URL, browser, operating system, and an approximate country derived from your IP.

How we use it

  • To sign you in and confirm you’re part of UChicago.
  • To show pins on the map to other verified users.
  • To moderate reported pins and remove anything that violates our community guidelines.
  • To rate-limit accounts that try to spam or abuse the platform.
  • To keep the site running reliably and securely.
  • To respond to you if you contact us.

We do not use your data for advertising, profiling, or marketing. There are no ads on this site.

Who we share data with

We do not sell your data and we do not share it for advertising. The only third parties we use are the infrastructure providers we need to run the site:

  • Google (Firebase Authentication / Google Sign-In) — handles authentication and stores your account record. Subject to Google’s Privacy Policy and the Google API Services User Data Policy.
  • Cloudflare — DNS, CDN, and security layer. Sees your IP address and request headers.
  • Railway — hosts the app and our PostgreSQL database (which contains anonymous pins and reports).

We may also disclose information if required by law (for example, in response to a valid subpoena), or to protect the safety of users.

Cookies

We only use the cookies the site needs to function:

  • A Firebase sign-in cookie so you stay logged in between visits.
  • A couple of Cloudflare cookies that help block automated bot traffic and abusive requests. If you peek at your browser’s cookie list, they show up as __cf_bm and cf_clearance.

We do not use advertising, marketing, social media, or third-party tracking cookies.

Anonymous by design

The most important part of this policy is what we don’t do:

  • Pins are stored without your account ID. The map is anonymous.
  • Pin coordinates are snapped to a grid before being saved, so the exact spot is never recorded.
  • Pin timestamps are coarsened to month and year before being shown publicly.
  • Reports are tagged with a scrambled stand-in for your account, never the real one. We can spot patterns of abuse without being able to trace any single report back to a specific person.

Privacy isn’t a clause we tacked on at the end. It’s how the system was built.

How long we keep data

  • Account data (name, email, profile photo URL, Google ID): kept in Firebase Authentication for as long as your account exists.
  • Pins: kept indefinitely (or until removed for guideline violations). Pins are not tied to your account, so they remain on the map even if you delete your account.
  • Reports: kept indefinitely with hashed reporter IDs, for abuse prevention.
  • Server logs: kept for short windows by our infrastructure providers (typically days to a few weeks).

Your rights

You can:

  • Ask what data we hold about you.
  • Ask us to correct or delete your account data.
  • Ask us to remove a specific pin you remember dropping. Because pins aren’t linked to your account, you’d need to describe enough about the pin (location, content, approximate date) for us to find it.
  • Sign out at any time from the Settings menu in the app.
  • Revoke Dear Quad’s access to your Google account at myaccount.google.com/permissions.

To exercise any of these rights, email us using the address at the bottom of this page.

Updates

We may update this policy as the app evolves. If we change anything material, we’ll update the “Last updated” date above.

Contact

Questions, requests, takedown notices, or anything else — email us at [email protected].

-Eli

← Back to home