Privacy Policy

Last updated: May 12, 2026.

This Privacy Policy explains how Stumble (“we”, “us”) collects, uses, shares, and protects information when you use our mobile app and website. By using Stumble you agree to the practices described here.

1. Information we collect

Information you give us

• Account data: email address, phone number (if you choose phone sign-in), birthdate (used solely to enforce the age gate), country, username, display name, optional bio, optional profile link, optional avatar.
• Content you create: posts, comments, reactions, saves, boards, follows, blocks, reports.

Information collected automatically

• Behavioral events: which posts you viewed in Stumble Mode, save / reaction events, session boundaries, search queries. Event records never contain your email, phone number, or full name — only a stable internal user_id.
• Device + IP: IP address, device fingerprint, user agent, app version. Used for security, rate-limiting, and abuse mitigation. Stored for up to 90 days.

2. How we use it

• Operate the service: account creation, sign-in, ranking, moderation.
• Recommend content based on your selected interests + engagement.
• Detect spam and abuse using per-user trust score + per-IP signals.
• Send transactional messages: sign-in codes, account notifications, the limited in-app notification types listed in our Terms of Service.
• Aggregate analytics — daily and weekly rollups that are never tied back to identifiable individuals after aggregation.

3. SMS / Mobile messaging

If you sign in or sign up using a phone number, you consent to receive SMS messages from Stumble for the purpose of verifying your identity (one-time sign-in codes) and account-related alerts.

No mobile information collected for SMS messaging is shared with third parties or affiliates for their marketing or promotional purposes. Phone numbers and SMS opt-in data are passed only to the messaging provider (Twilio) strictly to deliver the message you requested. They are never sold, traded, or licensed.

• Opt-out: reply STOP to any Stumble SMS to immediately stop all messages. You can also remove your phone number from your account at any time in Settings → Email.
• Help: reply HELP to any Stumble SMS for support, or email hello@getstumble.com.
• Standard rates: message and data rates may apply depending on your wireless carrier. Frequency depends on your activity (typically one verification code per sign-in attempt).

4. Who we share it with

• Service providers we use to run the platform: Vercel (hosting), Neon (database), Cloudflare (CDN + storage), Resend (email), Twilio (SMS), Anthropic (content classification), and similar infrastructure. Each is bound by a data-processing agreement and uses your data only to provide their service to us.
• Law enforcement on a valid legal request — with notice to you where legally permitted.
• NCMEC for any apparent CSAM, as required by 18 U.S.C. § 2258A.

We do not sell your personal information. We do not share it for cross-context behavioral advertising. We do not run third-party ad tracking.

5. Your rights

• Access / portability: request an export of everything we have on you in app, or by emailing hello@getstumble.com (GDPR Art. 20).
• Deletion: delete your account in app at Settings → Delete my account. We drop your account row, cascade-delete your linked content (posts, comments, boards), and anonymize behavioral events (GDPR Art. 17 + recital 26).
• Correction: edit your profile in app at /profile.
• CCPA “Do Not Sell or Share”: we do not sell or share your personal information for advertising. This opt-out is therefore a no-op, but you may submit a request to hello@getstumble.com and we will confirm in writing.

6. Children

Stumble is for users 13 and older (16 and older in the EU). We enforce a hard birthdate gate at signup. If you believe a child under 13 has created an account, contact hello@getstumble.com and we will delete the account within 7 days.

7. Data retention

Account data is kept as long as your account is active. After deletion, anonymized event data may be retained for aggregate analysis. Moderation decisions are recorded in an immutable audit log retained for 7 years for legal-compliance purposes; personal identifiers inside moderator notes are redacted at deletion time.

8. Security

Data in transit is encrypted with TLS 1.2+. Data at rest is encrypted in our managed database (Neon) and object storage (Cloudflare R2). Session tokens are HMAC-signed and rotate every 30 days. We do not store SMS verification codes in plaintext — only a SHA-256 hash with a short TTL.

9. Changes to this policy

Material changes will be notified by email and an in-app banner at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

10. Contact

Privacy questions and rights requests: hello@getstumble.com.
DMCA notices: /legal/dmca.

This document is provided for transparency and operational compliance (including U.S. carrier A2P 10DLC requirements). It is not legal advice. Stumble recommends users with specific legal questions consult an attorney.