Privacy Policy

Last updated: 26 May 2026

Privacy by Design

Art of Feminization is built with privacy in mind, for both visitors and the creator. We collect as little data as possible. The Site is operated by an independent creator under a pseudonym.

Anonymous visitors can browse the Site without providing any personal information. Creating an account is optional and free.

What We Collect

Cookies

We use a small number of cookies, depending on how you use the Site.

  • age_verified, set when you confirm you are 18 or older on the site-wide age gate. Expires after 30 days. Present for all visitors.
  • Session cookie, set when you sign in. Identifies your authenticated session and is cleared when you sign out.
  • CSRF cookie, a short-lived security token used only during sign-in and authentication flows to prevent cross-site request forgery. Not used for tracking.

No analytics cookies. No advertising cookies. No third-party tracking cookies.

Server logs and audit records

Standard web server logs (IP address, timestamp, page requested) may be generated by the hosting infrastructure. We do not analyze these for behavioral tracking.

We keep an internal audit log of authentication events (signups, logins, password changes, ban actions) with timestamp, IP address, and device label. These records support security and abuse investigations and are not shared with anyone.

Each post has a view count that increments when the page is loaded. This counter is not linked to any individual visitor or account.

What We Do Not Collect

Anonymous visitors who do not create an account provide no personal information to us. Beyond that, we do not collect the following regardless of whether you have an account.

  • Real names or physical addresses
  • Payment or financial information of any kind
  • Cross-site browsing history or behavioral profiles
  • Device fingerprints or hardware identifiers
  • Data from third-party analytics or ad networks

Account Data

If you create a free account, we store the following on your account record.

  • Your email address and a bcrypt-hashed password (we never store your password in plain text)
  • An optional display name if you provide one
  • Your date of birth (month, day, year), collected at signup to verify you meet the age requirement
  • Account status flags (email verified, account active, whether a password reset is required)
  • Date of last login and failed login attempt count

We also store per-device session records when you sign in. Each session row includes IP address, device label (from your browser user-agent string), last activity time, and expiry. You can view and revoke any of your active sessions from your account page.

We maintain an authentication event log (see Server logs section above) that records significant account events. These records are linked to your account and may include IP address and device label.

If you change your email address, the new address must be verified before it takes effect. We do not process payments or store any financial data.

If your account is suspended by the operator, all your sessions are revoked and you will receive a notice by email. The operator may also initiate a forced password reset on your account following a security event.

Date of Birth

You provide your date of birth (month, day, year) once at signup. We store it on your account record to verify you are 18 or older at registration and to re-verify age if jurisdiction requirements change. Your date of birth is not shared with anyone and is not used for advertising or profiling.

Comments and Bookmarks

If you post a comment on a story, that comment is visible to other readers of the Site. Please do not include personal information in comments. We may remove any comment that is abusive, unlawful, or otherwise violates our Terms of Service.

Bookmarks you save are private to your account and are not visible to other users.

reCAPTCHA

Our sign-up, login, and password-reset forms use Google reCAPTCHA v3 to prevent automated abuse. When you submit one of these forms, Google receives your IP address and interaction signals (mouse movements, timing) in order to generate a risk score. This data is processed by Google under their own Privacy Policy and Terms of Service. We do not receive or store the raw signals Google collects.

Email Service

We send transactional emails through Resend, a US-based email delivery service. Your email address is passed to Resend for the sole purpose of delivering messages we initiate (email verification, password reset, password changed notice, account status notice). Resend does not use your address for its own marketing. We do not use any other outbound email service.

Data Sharing

Your data is not sold, rented, or shared with anyone, except as described in this policy (Resend for transactional email delivery, Google for reCAPTCHA scoring). The Site does not integrate with any analytics, advertising, or tracking services.

Account Deletion

You may request deletion of your account and associated personal data at any time via the contact form. We will hard-delete or anonymize your account record. Some authentication event log entries may be retained for a limited period for security and fraud-prevention purposes.

Your Options

  • Browse the Site without providing any personal information
  • Clear your browser cookies at any time to reset the age verification gate
  • Review and revoke your active sign-in sessions from your account page
  • Request account deletion via the contact form
  • Reach out via the contact form with any privacy-related questions

Security

The Site uses HTTPS throughout. Passwords are stored as bcrypt hashes (cost factor 12). Sessions are tracked in the database and can be revoked. Login attempts are rate-limited by IP and email address. Accounts are locked for 30 minutes after 5 consecutive failed login attempts. No system is perfectly secure, but we minimize the data at risk by keeping collection to a minimum.

Minors

This Site is for adults only (18 or older). You must provide your date of birth at signup, and accounts are only created when the date of birth indicates you meet the age requirement. Anyone who registers with a false date of birth to gain access will have their account terminated immediately.

If we discover that a minor has gained access to the Site, we will take immediate corrective action.

Changes

This policy may be updated. Changes take effect when posted. The "Last updated" date at the top of this page reflects when it was last revised.