Wallflower Privacy

Privacy

Wallflower is mostly a client: it runs in your browser (or as a native app) and talks directly to your Mastodon and Bluesky accounts. It also has a small backend of its own — for the reading room, cross-device settings, and article extraction — described in full below. We don't run an advertising network, sell data, or embed third-party trackers.

What stays on your device

  • Your account tokens — the OAuth access token from your Mastodon server, and your Bluesky session (OAuth tokens or app password). Kept locally (localStorage on the web, the system keychain in the native app) so you don't re-authorize every visit.
  • Your column layout, theme, drafts, and read marker — small JSON blobs kept locally. The layout, read position, and correspondents also sync (see below) if you use the reading room.
  • A "has been here" cookie (wallflower-seen) — one bit, so the server knows whether to show the Landing page or the timeline shell on first paint. No credentials, no identifier.

What goes directly to your servers

  • Reading and posting — timelines, threads, profiles, likes, boosts, posts — go directly from your browser or device to your Mastodon and Bluesky servers. Wallflower doesn't proxy or log that traffic.
  • Avatars, banners, and media load from the URLs your servers return — usually the originating server. Wallflower doesn't re-host them.

What Wallflower's backend stores

Some features need a server of our own (thewallflower.app). When you use them, data is stored on that backend, keyed to a one-way hash of your verified account identity (your Bluesky DID or Mastodon handle) — not to your name or email.

  • The Commonplace reading room. Articles and passages you keep, your notebooks, correspondents, and cross-device settings (column layout and read position) are stored so they follow you between devices. Citation pages you choose to publish are, by design, public at a shareable link.
  • Your session, to act on your behalf. To derive that identity and fetch on your behalf, the app sends your account details — including access tokens — to the backend, which seals them in an encrypted, HTTP-only cookie (it can read them to make those requests). The cookie lasts up to a year unless you sign out.
  • Article extraction and link previews. When you open an article in the reader or a post shows a link card, the backend fetches that URL server-side (guarded against internal-network abuse) and returns the cleaned result. The URL is fetched, not retained as browsing history.

What Wallflower measures

We keep the smallest picture we can of whether the app is healthy and being read. It is first-party, uses no cookies, and is never tied to your identity.

  • A daily count of unique readers. When a real, non-demo timeline first shows content that day, the server records a one-way hash of your IP and client signature, salted with a value that rotates every day, plus whether you are using the web, iPhone/iPad, or Mac app. We can count distinct active clients on a day; we can't identify you, link you across days, recover your IP, or know which account or posts you used. It expires within about a day.
  • Anonymous product-health counters. The app counts a few coarse milestones — for example, opening sign-in, choosing a provider, reaching a first timeline, or a broad sign-in failure category. These are stored only as daily totals for up to 30 days, not as a per-reader trail.
  • Anonymous error reports. If the app crashes or stalls, it sends a short note — an event name and a sanitized error message, query strings stripped — so we can fix it. No identity and no record of what you read.

What Wallflower does not do

  • No third-party analytics, tag managers, advertising, or tracking scripts.
  • No tracking cookies — only the functional session and "seen" cookies above.
  • No cross-site tracking, no advertising profiles, no selling or sharing.
  • No emails or notifications from us — your Mastodon and Bluesky servers handle those if you've opted in.

Signing out and deleting your data

Signing out clears your local tokens and the backend session cookie. It doesn't revoke the app on your Mastodon or Bluesky server — do that from that server's connected-apps settings. To delete the reading-room and settings data the backend holds for you, use Delete your data in Settings — it removes everything at once and can't be undone. You can also email andrew@leahey.org if you can't reach the button.

A correction

Until June 2026, this page said “no third-party scripts” — but the site was quietly loading Cloudflare’s Web Analytics beacon (static.cloudflareinsights.com), which is a third-party script. That contradicted what we told you here, and a reader rightly caught it. We’ve removed the beacon. This page was rewritten again in July 2026 to describe the reading-room backend and Bluesky support accurately.