Wallflower Privacy

Privacy

Wallflower is a client, not a service. It runs in your browser and talks directly to your Mastodon server. We don't operate a database, an analytics pipeline, or a tracker network.

What Wallflower stores on your device

  • Your OAuth access token — issued by your Mastodon server when you sign in. Kept in localStorage so you don't have to re-authorize on every visit. Never sent to anyone but your own server.
  • A "has been here" cookie (wallflower-seen) — one bit. Lets the server tell whether to show you the Landing page or the timeline shell on first paint. No credentials, no identifier.
  • Your column layout, theme preference, and read marker — small JSON blobs in localStorage. Stay on your device.

What Wallflower sends

  • Every API call goes directly from your browser to your Mastodon server. Wallflower's frontend is the only piece you load from us. We don't proxy or log your requests.
  • Avatars, banners, and media attachments load from the URLs your server returns — which usually means the originating server. Wallflower never re-hosts them.

What Wallflower does not collect

  • No analytics. No event tracking. No tag managers, no third-party scripts.
  • No advertising network. None of your activity is sold or shared.
  • No emails or notifications from us — your Mastodon server handles those if you've opted in.

Signing out

Clicking Sign out in the rail clears your token from localStorage but revokes nothing on your server's side (because we can't — that's between you and your server). To revoke Wallflower's access on the server as well, remove it from the apps list inside your Mastodon server's settings.