UniThread

Privacy Policy

Effective July 5, 2026

This Privacy Policy explains what data UniThread ("we," "us") collects, why, and how it's protected. UniThread is an independent student project built for International University of Sarajevo (IUS) students and is not operated by the university.

1. What we collect

  • Account data: your university email address, username, display name, password (stored only as a salted bcrypt hash — we never store or can see your actual password), and optionally a bio, faculty, and program.
  • Content you create: posts, replies, votes, poll answers, direct messages, club chat messages, uploaded photos and files, and bookmarks.
  • Anonymous Q&A authorship: when you post anonymously, your identity is stored in a separate, access-restricted record — not in the post itself. See Section 3.
  • Technical data: your IP address, used transiently to enforce rate limits (e.g. blocking repeated failed logins) and is not permanently linked to your profile or used for tracking/advertising.
  • Push notification data: if you enable browser push notifications, we store the subscription endpoint your browser gives us, only for delivering notifications you'd otherwise see in-app.
  • Cookies: a single essential session cookie (httpOnly, so JavaScript can never read it) that keeps you logged in. We do not use advertising or analytics-tracking cookies.

2. How we use it

  • To operate the Service: show your posts, deliver messages, run club chat, rank the feed.
  • To verify you're an eligible student and to secure your account (email verification, password reset).
  • To send you transactional email (verification, password reset) and, if you opt in, push notifications. We do not send marketing email.
  • To enforce these policies: reviewing reports, moderating abusive content, applying rate limits.
  • To keep the Service secure and investigate misuse.

3. Anonymous Q&A — the privacy design

When you post or answer anonymously, the post itself is stored with no author field at all — not hidden in the interface, but genuinely absent from the data returned to any user-facing part of the app. The only place your identity is recorded is a separate, restricted table that ordinary application code never reads from.

That record exists so we can act on abuse reports, remove content you posted if you ask us to, and comply with legal obligations. It is not shown to other users under any normal use of the Service. It may be accessed by the operator, or disclosed, only in the circumstances described in Section 5 of the Terms of Use (legal process, safety, or investigating a Terms violation).

4. Who we share data with

We don't sell your data, and we don't share it with advertisers. We use a small number of service providers who process data only on our behalf, to run the Service:

  • Hosting provider (Railway) — runs the application, database, and stores uploaded files.
  • Email provider (Resend) — delivers verification and password-reset emails; sees the recipient address and email content, not your password.

These providers may operate servers outside Bosnia and Herzegovina, including in the European Union and/or United States. We choose providers that maintain reasonable security and data-protection standards. We may also disclose data where required by law, legal process, or to protect someone's safety, as described in the Terms of Use.

5. How we protect it

  • Passwords are hashed with bcrypt; we never store plaintext passwords.
  • Sessions use httpOnly, secure cookies — inaccessible to JavaScript, sent only over HTTPS in production.
  • Uploaded files are validated (not just by file extension) before being stored, and served only to logged-in users.
  • Access to moderation tools and the anonymous-authorship record requires a separate administrator credential.
  • Rate limiting protects against brute-force login attempts and abuse.

6. Data retention & deletion

You can delete your own posts and messages, and delete your entire account, at any time from your profile settings. Deleting your account removes your ability to log in and removes your profile from view; some content moderation records (e.g. that a since-deleted post was previously reported or removed for a Terms violation) may be retained for a limited period to maintain an audit trail and to prevent abuse of the deletion feature to escape accountability. We don't keep personal data longer than necessary for these purposes.

7. Your rights

You can access and correct most of your data directly in the app (profile, posts, messages). You can request a copy of your data, or ask us to delete data we hold about you beyond what account deletion already removes, by emailing [email protected]. If you believe your data has been mishandled, you may also contact Bosnia and Herzegovina's Personal Data Protection Agency (Agencija za zaštitu ličnih podataka u BiH).

8. Children's privacy

The Service is intended for university students and is not directed at children. We don't knowingly collect data from anyone under 16.

9. Changes to this policy

If we make a material change to how we handle your data, we'll make reasonable efforts to let active users know, such as an in-app notice.

10. Contact

Questions about this Privacy Policy or your data: [email protected].

See also our Terms of Use.