Privacy Policy
Last updated: May 20, 2026
Gimmie-Five is a front-end for Ko-fi. We never touch money — every
actual payment happens on Ko-fi's platform. We only keep what's needed
to show your profile, match a Ko-fi webhook to a give, and remember
you between visits.
What we keep
- Account: your email and a one-way hash of your password (bcrypt — we cannot read your password, ever).
- Public profile: display name, handle, avatar, your "desire" / story, category, goal label, and your Ko-fi payout URL. This is what other people see.
- Activity: gives you've sent, thank-yous you've received, points, streaks, badges. Used to drive your in-app stats.
- Ko-fi webhook payloads when someone tips you: amount, optional message, the supporter's display name. Used to confirm a give and award points.
What we don't do
- We do not sell your data. To anyone. Ever.
- We do not share your data with advertisers, brokers, or analytics platforms.
- We do not run third-party trackers, ad networks, or marketing pixels.
- We do not email you marketing. Email is only used for sign-up verification and password reset.
- We do not read your password — we only check a hash of it.
Cookies and browser storage
Gimmie-Five uses only strictly necessary browser storage:
your login token (so you stay signed in) and your biometric-lock preference.
No tracking cookies, no analytics, no third-party scripts. Because nothing
we store is for tracking or marketing, no cookie consent banner is required
under EU ePrivacy / GDPR rules. If we ever add analytics, we'll add a
banner first and ask.
Who can see what
- Public: everything on your profile (avatar, name, handle, story, goal, Ko-fi link, give count, badges).
- Only you: your email, your password hash, your full give history, your points balance.
- Nobody else: your IP address and request logs are kept briefly for abuse prevention and then discarded.
How long we keep it
For as long as your account exists. Tap Settings → Delete account
and your account row, profile, and personal data are removed from the
database. Public actions (a gift event tied to another user) may persist
in their history with your name stripped.
Your rights
- See what we have: open the app — your profile is what we have.
- Change it: Edit Profile, any time.
- Delete it: Settings → Delete account. Permanent.
- EU/UK (GDPR), California (CCPA/CPRA), and similar: the rights above already cover access, correction, deletion, and the right to opt out of sale (we never sell). Email us for anything else.
Security
Self-hosted on a single VPS. Passwords are bcrypt-hashed. Sessions use
short-lived JWTs. The database is SQLite on the same machine — no cloud
database, no third-party SaaS, no analytics vendor with a copy.
Children
Gimmie-Five is not directed at children under 13. If you believe a
child has signed up, email us and we'll remove the account.
Changes
If this policy changes in a way that affects what we collect or share,
we'll update the date above and post a notice on the home screen
before the change takes effect.
Contact
Questions, deletion requests, or anything else: [email shown when JavaScript is on].
See also: Terms of Service.