Privacy Policy
Handmadev.com
1. Introduction
This Privacy Policy describes how Handmadev.com ("Platform", "we") collects, uses, stores, protects, and shares your personal information when you use our services.
We are committed to protecting your privacy and complying with applicable personal data protection regulations in Vietnam, including the Cybersecurity Law 2018, Decree 13/2023/ND-CP on personal data protection, and related documents.
2. Information We Collect
2.1 Information You Provide Directly
| Type of information | Details | Required / Optional |
|---|---|---|
| Registration info | Display name, email address, password | Required |
| Profile info | Avatar, bio, personal website, social media links | Optional |
| Additional personal info | Gender, date of birth, phone number, location (city/country) | Optional |
| User content | Posts (pins), images, comments, collections, violation reports | User-created |
2.2 Information Collected Automatically
When you use the Platform, we automatically collect some technical information:
| Type of information | Details | Purpose |
|---|---|---|
| Device info | Device type, operating system, browser, screen resolution | Display optimization |
| IP Address | Connection IP address | Security, fraud prevention |
| Access data | Pages viewed, access time, session duration, referrer URL | Analysis and service improvement |
| Cookies & similar tech | Session cookies, authentication cookies, CSRF tokens | Service operation, security |
| Interaction data | Likes, saves, comments, follows, post views | Content personalization |
2.3 Information from Third Parties
| Source | Type of information | Purpose |
|---|---|---|
| Google reCAPTCHA | Trust score, interaction behavior | Anti-bot and spam prevention |
| Have I Been Pwned | Leaked password check results (hash-only check, passwords not stored) | Account security |
3. How We Use Information
3.1 Operating and Providing the Service
- Create and manage user accounts.
- Display content, manage collections, process social interactions.
- Send notifications related to account activity (new comments, new followers, etc.).
3.2 Security and Safety
- Authenticate identity and protect accounts (including 2-step authentication — 2FA).
- Detect, prevent, and handle fraud, spam, abuse, and illegal activities.
- Monitor suspicious behavior (login from unknown IP, unusual password changes, bot activity).
- Enforce rate limiting on access to protect the system.
3.3 Improvement and Development
- Analyze how users use the Platform to improve the experience.
- Collect internal statistics (post views, content trends) — internal statistics are not publicly displayed to users.
- Develop new features based on user needs and behavior.
3.4 Communication
- Send important security emails (password change, enable/disable 2FA, login from unknown device).
- Send notifications about changes to Terms of Service or Privacy Policy.
- Respond to your support requests or complaints.
3.5 Legal Compliance
- Respond to requirements from competent state agencies as required by law.
- Protect the rights, property, and safety of Handmadev.com, users, and the public.
4. How We Share Information
4.1 Public Information
The following information is publicly displayed on your profile (depending on privacy settings):
- Display name, avatar, bio, website.
- Content you upload (posts, comments).
- Public collections.
- List of people you follow and your followers.
4.2 Information NOT Shared Publicly
The following information is always kept confidential:
- Email address.
- Password (stored as a one-way hash — cannot be decrypted).
- Phone number.
- Date of birth (hidden by default, can be toggled in privacy settings).
- IP address and device information.
- 2-step authentication data (secret key, recovery codes).
- Security audit logs.
4.3 Sharing with Third Parties
We do not sell, rent, or exchange your personal information with third parties for commercial purposes.
However, we may share information in the following cases:
| Case | Type of information | Recipient |
|---|---|---|
| Legal requirements | Information requested by court order or competent authority decision | State agencies |
| Safety protection | Information necessary to prevent serious harm or crime | Law enforcement |
| Security services | reCAPTCHA token, interaction behavior | Google (reCAPTCHA v3) |
| Business transfer | All user data (in case of merger, acquisition) | Buyer/acquirer — advance notice will be given |
5. Cookies and Tracking Technologies
| Cookie type | Purpose | Duration | Required |
|---|---|---|---|
| Session cookie | Maintain login state | Until browser closes or session expires | ✅ |
| Authentication cookie | Remember login ("Remember me") | Up to 30 days | Optional |
| CSRF cookie | Protect against cross-site request forgery attacks | Per session | ✅ |
| Trusted device cookie | Skip 2FA on trusted devices | 30 days | Optional |
| Language cookie | Save UI language preference | Long-term | ✅ |
We use Google reCAPTCHA v3 to protect forms (registration, violation reports) from bots and spam. reCAPTCHA may collect information about your interaction behavior, cookies, and IP address. Use of reCAPTCHA is subject to Google's Privacy Policy and Terms of Service.
6. Data Security
6.1 Technical Measures
| Measure | Details |
|---|---|
| Password hashing | Passwords are hashed using the bcrypt algorithm (one-way, cannot be decrypted) |
| CSRF protection | CSRF tokens applied to all data-submitting forms |
| 2-step authentication (2FA) | Supports TOTP (Google Authenticator/Authy) with recovery codes |
| Rate limiting | Request rate limits to prevent brute-force and API abuse |
| Input filtering | Sanitization and validation of all input data (against XSS and SQL injection) |
| Strong password policy | Requires ≥ 8 characters, uppercase/lowercase, numbers, special characters; checks for leaked passwords |
| Anomaly detection | Monitoring login from unknown IP/device, unusual security changes |
| Upload security | Uploaded images are MIME-type checked, re-encoded, and saved with random filenames |
6.2 Organizational Measures
- Only authorized personnel can access user personal data.
- Security audit logs record all important changes to accounts.
- Real-time alert system notifies administrators when suspicious activity is detected.
Although we make our best effort to protect your data, no method of electronic transmission or storage is 100% secure. You are also responsible for protecting your login information, enabling 2-step authentication, and using strong passwords.
7. Data Storage and Retention
| Data type | Retention period |
|---|---|
| Account data | Throughout the account's active period + 30 days after deletion (for recovery support if requested) |
| User content | Until you delete it or the account is deactivated |
| Security logs | Up to 12 months |
| Access logs | Up to 6 months |
| Violation report data | Up to 24 months |
| Backup data | Up to 90 days from backup date |
8. Your Rights
You have the following rights regarding your personal data, in accordance with Vietnamese law:
8.1 Right of Access
You have the right to request to view the personal information we are holding about you.
8.2 Right to Rectification
You have the right to update or correct inaccurate or incomplete personal information via the Edit Profile page.
8.3 Right to Deletion
- You have the right to request deletion of your account and personal data.
- After account deletion, personal data will be removed or anonymized within 30 days, unless the law requires longer retention.
- Content you shared publicly may still exist if it has been copied, stored, or shared by other users before you deleted your account.
8.4 Right to Control Privacy
You can manage privacy settings for some information:
| Information | Options | Default |
|---|---|---|
| Date of birth | Show / Hide on public profile | Hidden |
| Phone number | Always hidden (internal use for 2FA only) | Hidden |
| Location | Show / Hide on public profile | Shown |
|  | Always hidden | Hidden |
8.5 Right to Object
You have the right to object to the processing of personal data in certain cases as prescribed by law.
8.6 Right to Complain
You have the right to complain to the competent state authority if you believe your personal data protection rights have been violated.
8.7 How to Exercise Your Rights
To exercise any of the above rights, please contact us via the information in the Contact section (Section 11). We will respond to requests within 15 business days and may require identity verification before processing.
9. Children's Protection
- Handmadev.com is not intended for children under 13 years old.
- We do not intentionally collect personal information from children under 13.
- If you are a parent or guardian and discover that your child under 13 has used the Service, please contact us immediately. We will delete the account and related data as soon as possible.
- For users aged 13 to 17, we recommend that parents supervise their children's activities on the Platform.
10. Changes to Privacy Policy
- We may update this Privacy Policy from time to time to reflect changes in operations, technology, or legal requirements.
- You will be notified of important changes via email and/or notification on the Platform at least 14 days before they take effect.
- The latest version of the Privacy Policy is always available on our website.
- The effective date will be clearly indicated at the top of the document.
11. Contact
If you have any questions, requests, or complaints regarding this Privacy Policy, please contact:
| Platform | Handmadev.com |
|---|---|
| Website | https://handmadev.com |
| Email | handmadevcom@gmail.com |
Note: By using Handmadev.com, you confirm that you have read, understood, and agree to the entire Privacy Policy stated in this document.