Privacy Practices and Information
We may update this document in the future, and will provide a site notice when we do.
The short version
We collect only the bare minimum amount of information that is necessary to protect the service against abuse. We do not sell your information to third parties, and we only use it as this document describes. We aim to be compliant with the EU GDPR.
Rights of users and data subjects
Depending on where you access this website from, you have a number of rights that you can assert against us on legal grounds alone. Unfortunately, these are a bit dry to read, but they are an important achievement in the struggle for the sovereignty of your data, and are firmly anchored by the GDPR in the European Economic Area, by the CCPA in California, USA, and by the LGPD in Brazil. You have the right
- to confirmation of whether data relating to you is processed, to information about the processed data and further information about the data processing process, and to receive copies of the data relating to you after user verification (see article 15 of GDPR);
- to correct or complete incorrect or incomplete data about you (see also article 16 of GDPR);
- to the immediate deletion of the data relating to you (see also article 17 of GDPR) or, if further processing is required in accordance with article 17 paragraph 3 of GDPR, to the restriction of processing in accordance with article 18 of GDPR;
- to receive the data concerning you that you have provided, and to have this data transmitted to other providers / responsible persons (see also article 20 of GDPR);
- to lodge a complaint with the supervisory authority if you believe that the data concerning you will be or has been processed by us in violation of data protection regulations (see also article 77 of GDPR).
In addition, we are obliged to inform all recipients to whom data has been disclosed by us about any correction or deletion of data or restriction of processing that takes place on the basis of articles 16, 17 paragraph 1, and 18 of GDPR. However, this obligation does not exist if this communication is impossible or requires disproportionate effort. Notwithstanding this, every user has the right to information about these recipients. Likewise, you as a user, and all those concerned, have the right to object to future processing of your data in accordance with article 21 of GDPR, provided that the data is processed by us in accordance with article 6 (1) lit. f) of GDPR.
How we secure your information
Manebooru takes all measures reasonably necessary to protect account information from unauthorized access, alteration, or destruction.
While in transit, your data is always protected by the latest version of Transport Layer Security (TLS) our software supports. Between our data processor Cloudflare and our service, we use HTTPS with an elliptic-curve P-384 key. To protect user data on our servers, we strictly limit access to them, and require the use of elliptic-curve Ed25519 or 4096-bit RSA keys for server login.
HTTPS is required for all connections to our service. Our cookies use a "secure" setting and may only be transmitted privately to Manebooru. We use a restrictive content security policy to protect against page hijacking and information leakage to third parties, a cross-origin resource sharing (CORS) policy to restrict third-party usage, a strict referrer policy to prevent leaking data for external links, and a frame policy to prevent clickjacking.
Passwords are hashed using bcrypt at 2^10 iterations with a 128-bit per-user salt.
As far as we know, no method of transmission or electronic storage, nor any implementation of them, has so far been proven to be 100% secure. Therefore, we cannot guarantee absolute security; we can only make a best effort to reduce risks, implement Privacy-by-Design, and anonymise or delete personal data once it is no longer required.
What information Manebooru collects and why
Information from webserver logs
If unusual behaviour is detected, we collect and store the following information from every visitor in webserver logs. Additionally, this data is always processed by the webserver to answer the request from the user's web browser and return the desired webpage.
- The visitor's Internet Protocol (IP) address
- The date and time of the request
- The page that was requested
- The browser user agent string, including the web browser name, version and operating system used.
- The HTTP request parameters and metadata. These can contain privacy-related data if, for example, the user uploads such data or creates a new account.
These items are collected to ensure the security of the service, and are deleted after a maximum of 14 days to balance our "legitimate interest" of security with user privacy while still allowing operation of the user-requested services. After a maximum of 14 days, any privacy-related data which is stored in problem reports will either be deleted or anonymized for further processing.
Information in cookies
Our cookies for any users of the service may contain this information:
- The unique session token for the website
- User preference for loading high-resolution images
- User preference for loading video previews of animated images
- User preference for website layout customization
- User preference for filtering settings
- One or more "flash" messages (temporary notifications of an action's success or failure, to be displayed at the top of the next page load and then deleted)
- A browser fingerprint (see below)
Additionally, cookies of users that are logged into the service will contain this information:
- An encrypted authentication secret unique to the user to persist their login
We might add to this list in the future as needed.
Information in user-submitted content
User-submitted content is considered by Manebooru to collectively refer to any content that you may submit to the site after registering and logging in, which includes, but is not limited to, comments, images, messages, posts, reports, source changes, tag changes, and votes.
User-submitted content by users (authenticated or not) may contain any or all of the following information:
- The IP address at the time of submission
- The browser fingerprint at the time of submission (see below)
- The browser user agent string
- The page on Manebooru that initiated the submission
- The username
These items are only used for the "legitimate interests" of identifying and controlling abuse of the service and are not shared with any external party. This privacy-related data is automatically anonymized after a maximum of 14 days, with one exception: the username of the submitting user is not deleted unless deletion of the user-provided content or of the user's account is requested.
Browser fingerprints are a tool used to identify users of the service in such a way that administrators will have no knowledge of the individual components of a fingerprint (pseudonymisation). They are irretrievably hashed (by a browser script and before transmission to the server) from the following attributes:
- Browser version
- Screen width, height, and color depth
- Timezone offset
- Browser support for storage API
- Browser plugins
Information from users with accounts
If you create an account, we require some basic information at the time of account creation. You will be asked to provide:
- a username, shown on your profile and non-anonymous user-submitted content
- a password, stored only as a cryptographic hash
- an email address, used only for sending password resets or account unlocking instructions
We also store your IP address whenever you log in, for security reasons, to detect and protect against fraudulent misuse of user accounts or offered services. The user's IP address is automatically deleted or anonymized after a maximum of 14 days.
Information that Manebooru does not collect
We do not intentionally collect personal information except as mentioned in this document, but users may include it in user-submitted content. We will remove privacy-related information if it violates a user's rights or if we deem it too sensitive to be published on this website. Please inform us if you believe shared information is too sensitive or is published without the affected person's consent.
This is especially important because information shared in public user-submitted content can be indexed by search engines or used by third parties without your consent. We use the robots.txt file to tell search engines and similar robots not to browse the API or users' profiles. However, we have no technical means to enforce this. We require any third parties to comply with laws, copyright and data protection laws, as well as our Site rules.
Information that may potentially be shared with third parties
We do not in any way share individual account information with third parties except in response to court orders or for lawful interception if strictly required by law. We publish certain statistics about how users use Manebooru (for example, about uploads), without personally-identifying information.
Most of Manebooru is public-facing, and third parties can access and use it. We require any third parties to comply with laws, copyright and data protection laws, as well as our Site rules.
User accounts may be deactivated — with all personally identifiable information wiped — by contacting [email protected]. This is also the contact address for exercising any of your other rights as mentioned in the section Rights of users and data subjects and for compliance with GDPR, CCPA and LGPD.