Privacy Policy

Last updated: 2026-03-25

GemCities is a free Gemini capsule hosting service. This policy explains what information we collect, what we do not collect, and how your data is handled. We have tried to write this plainly.

What We Collect

When you create an account, we store:

• Email address — used to verify your account and send password reset messages. Nothing else.
• Username — becomes your capsule's subdomain (username.gemcities.com).
• Password hash — your password is hashed with bcrypt before storage. We never store your password in plain text and cannot recover it.
• Your capsule files — the gemtext files you create and edit through the editor.

That is everything. There is no profile, no bio field, no display name separate from your username, no avatar.

What We Do Not Collect

We are deliberate about this.

• No visitor tracking. We do not log IP addresses of people who read Gemini capsules. We do not record which capsules are visited, how long a visitor spends reading, or where they came from. Agate (the Gemini server) access logging is disabled.
• No analytics. No pageview counters, no session data, no heatmaps, no usage statistics tied to individuals.
• No tracking pixels or third-party scripts. The editor frontend loads no external resources of any kind.
• No advertising data. There are no ads. There is no ad network. There never will be.
• No reading behavior. We do not track what you read, what you search for, or how you use the editor beyond what is needed for the editor to function.

How We Use Your Data

Your email address is used for:

• Verifying your account when you register.
• Sending password reset emails when you request them.
• Contacting you if there is an issue with your account (e.g., a valid abuse report against content you posted).

Your email is never used for newsletters, promotional messages, or any communication you did not initiate. It is never shared with third parties.

Email Delivery

Transactional emails (verification, password reset) are sent directly from our own mail server (admin@gemcities.com). Your email address is not shared with any third-party email provider.

Data Retention

Your data is retained for as long as your account exists. When you delete your account:

• Your email address, username, and password hash are deleted from the database immediately.
• All capsule files are deleted from disk immediately.
• There is no grace period or soft-delete. Deletion is permanent.

Backups are retained for 30 days on a rolling basis. Your data may persist in backups for up to 30 days after account deletion before it is overwritten.

Third-Party Sharing

We do not sell, rent, trade, or share your personal data with any third party, except as required by law.

If we receive a legally valid demand for your data — such as a subpoena issued by a court of competent jurisdiction, a court order, or other lawful compulsory process — we will comply with applicable law. We review all such demands for legal sufficiency before complying and reserve the right to challenge demands that we believe are overbroad, legally deficient, or not properly authorized. We will notify you of any such demand prior to disclosure if we are legally permitted to do so and if we have sufficient contact information to reach you.

Security

Passwords are hashed with bcrypt (cost factor 12) before storage. All web traffic is served over HTTPS. Sessions use httpOnly cookies. Failed login attempts are rate-limited. The application logs errors and failed authentication attempts (IP address and timestamp only) for security purposes — these logs do not contain usernames and are not retained long-term.

Your Rights

You can:

• Export your data at any time from the editor — one click downloads all your capsule files as a ZIP archive.
• Delete your account from the account settings page. Deletion is immediate and permanent.
• Update your email or password from account settings at any time.

U.S. State Privacy Laws

Several U.S. states have enacted consumer privacy laws, including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and others. These laws generally apply to businesses that exceed certain revenue or data-volume thresholds. GemCities is a small, free, donation-supported service. We do not sell personal data, do not share data for cross-context behavioral advertising, and do not meet the size thresholds that trigger most obligations under these statutes.

Regardless of whether these laws formally apply, the rights they describe are rights we already honor:

• Right to know what personal data we hold — covered in this policy.
• Right to delete your data — available from account settings.
• Right to correct your data — email and password are editable in account settings.
• Right to portability — export your capsule files at any time.
• Right to opt out of sale or sharing — we do not sell or share your data. There is nothing to opt out of.

To submit a privacy request under any applicable state law, contact abuse@gemcities.com.

International Users and GDPR

GemCities is operated from the United States and is primarily intended for U.S. users. If you are located in the European Union, European Economic Area, or United Kingdom, your data will be processed and stored in the United States, which may not provide the same level of data protection as your home jurisdiction.

If the General Data Protection Regulation (GDPR) applies to your use of GemCities:

• Data controller: Nick Burchett, operating GemCities (abuse@gemcities.com).
• Lawful basis for processing: Performance of a contract — we process your account data because it is necessary to provide the service you signed up for.
• Your GDPR rights: You have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing. You may also lodge a complaint with your local supervisory authority.
• Data transfers: By creating an account, you acknowledge that your data will be transferred to and processed in the United States.

To exercise any of these rights, contact abuse@gemcities.com.

Children

GemCities is not directed at children under 13. We do not knowingly collect information from children under 13. If you believe a child under 13 has created an account, contact abuse@gemcities.com and we will delete the account.

Changes to This Policy

If we make material changes to this policy, we will update the date at the top of this page. We will not make this policy less protective of your data without clear notice.

Contact

Questions about this policy: abuse@gemcities.com