Privacy Policy

Last updated: March 16, 2026

Hotmoan ("we", "us", "our") is committed to protecting your privacy. This policy explains what personal data we collect, why we collect it, how we use and store it, and your rights.

1. Data We Collect

When you use Hotmoan we may collect the following:

• Account data — username, email address, hashed password, profile photo, bio, country, city, Instagram handle
• Content data — recordings you create, comments you post, boards you create, statuses you share
• Usage data — pages visited, recordings liked or pinned, users followed, notifications, messages
• Technical data — IP address, browser user agent, referral URL, session tokens, registration IP, last login timestamp
• Cookies — a session cookie to keep you logged in, and an optional long-lived "remember me" token stored in the database

2. How We Use Your Data

• To create and manage your account
• To display your profile, photos, and activity to other users
• To send account-related notifications and email alerts (comments, follows, etc.)
• To detect and prevent fraud, spam, and policy violations
• To comply with legal obligations, including CSAM reporting requirements under 18 U.S.C. § 2258A
• To improve the platform and troubleshoot issues

3. Legal Logging

When our automated systems detect an attempt to post prohibited content (child sexual abuse material, rape content, etc.), we log the following data to a secure, access-restricted file:

• IP address (including proxy headers)
• Browser user agent
• Session ID and user account details
• The content that was blocked
• Timestamp

These logs may be provided to the NCMEC CyberTipline and/or law enforcement as required by law. Retention period is a minimum of 90 days or as required by applicable law.

4. VPN & Proxy Detection

To protect the platform, we use an IP intelligence service (ip-api.com) to detect VPN, proxy, and datacenter connections during account registration. This check is session-cached and results in blocking registration if a VPN or proxy is detected. The IP is sent to ip-api.com solely for this purpose.

5. Sharing Your Data

We do not sell your personal data. We may share data with:

• Service providers — email delivery (SparkPost), CDN (BunnyCDN), IP intelligence (ip-api.com), AI moderation (DeepSeek) — only to the extent necessary to provide the service
• Law enforcement / authorities — when required by law, court order, or to report illegal content such as CSAM
• Other users — your username, profile photo, bio, and public content are visible to other users and search engines

6. Cookies

We use the following cookies:

• Session cookie (PHP session) — keeps you logged in during your browser session. Deleted when you close your browser or log out.
• Remember-me cookie (user_token) — keeps you logged in across sessions for up to 10 years if you choose this option. You can delete it by logging out.
• Referral cookies — used to track referral credits and prevent duplicate referrals.

We do not use advertising or third-party tracking cookies.

7. Data Security

We take reasonable technical measures to protect your data including:

• Passwords stored as bcrypt hashes — never in plain text
• PHP error messages suppressed in production (no database or server details exposed to visitors)
• Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy) on all responses
• Legal logs stored in an access-restricted directory blocked from public web access
• Prepared statements used throughout to prevent SQL injection

No method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

8. Data Retention

• Your account data is retained for as long as your account is active
• When you delete your account, all personal data, photos, comments, messages, and activity are permanently deleted from the database
• Legal logs (blocked content attempts) are retained for a minimum of 90 days
• Backups may retain data for a short additional period

9. Your Rights

Depending on your location, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and associated data
• Object to or restrict certain processing
• Data portability

To exercise any of these rights, contact us at legal@hotmoan.com. We will respond within 30 days.

10. Children's Privacy

Hotmoan is strictly for adults aged 18 and over. We do not knowingly collect data from minors. If you believe a minor has registered, please contact us immediately at legal@hotmoan.com and we will delete the account.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated date at the top of this page. Continued use of the Site after changes are posted constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions or requests, contact us at legal@hotmoan.com.