The Horror Codex (Beta)

Privacy Policy

Effective April 30, 2026

The Horror Codex (“the Codex,” “we,” “us”) is operated by Living Dead Co., a sole proprietorship based in Georgia, USA. This policy explains what information we collect about you, why we collect it, who we share it with, and how you can delete it.

This site is in beta. We’ll update this policy as the service evolves. Material changes will be announced with a banner on the site or by email if we have one for you.

1. What we collect

Information you provide

  • Account information: the email address you sign in with (via Google or magic link), and the username and display name you choose during onboarding.
  • Optional profile information: avatar image, bio, location, website, and links to your Letterboxd, Twitter/X, or Instagram profiles. All of these are optional and editable in /settings.
  • Content you create: ratings, films marked Seen or on your Watchlist, comments, lists, photos and stills you upload, genre and keyword tags you add, and films you mark as related.
  • Letterboxd imports: if you upload your Letterboxd CSV exports, we parse them to import your ratings, watched, or watchlist data into your Codex account. We don’t share this data back to Letterboxd or anywhere else.
  • Bug reports and film requests: the text you submit, plus any URL or screenshot URL you attach. Visible only to site administrators.

Information collected automatically

  • Server logs: our hosting provider (Fly.io) keeps standard request logs (IP address, user agent, timestamp, requested URL) for operational purposes. These are retained for a short period and used to diagnose problems.
  • Anonymous analytics: we use Fathom Analytics, a privacy-focused service that does not use cookies, does not track users across sites, and does not collect personal data. We see aggregate counts of pageviews, search queries, and event milestones (sign-ups, ratings, comments). We cannot identify individual users from this data.

2. Cookies

We aim to use as few cookies as possible. Currently the site sets only:

  • An authentication session cookie (only after you sign in), used to keep you logged in. It contains a signed token, no personal data, and is removed when you sign out or it expires.
  • A preference cookie or two set client-side via local storage (not sent to our servers): your dim-seen toggle, your country selector for streaming filters, your welcome-banner dismissal.
  • A bot-management cookie from Cloudflare (__cf_bm) may be set on some requests. This is a 30-minute session cookie used to distinguish humans from bots. We don’t control its lifecycle.

Because we don’t use any tracking, advertising, or third-party analytics cookies, we don’t show a cookie banner. Auth and bot-management cookies are considered “strictly necessary” under most data-protection regimes and don’t require consent.

3. How we use this information

  • To run the service: show you your account, your ratings, and the films you’ve marked.
  • To send you authentication emails (magic links) when you sign in by email.
  • To moderate user-submitted content (comments, photos, lists, edits, bug reports, film requests).
  • To prevent abuse: rate limiting, ban evasion, spam detection.
  • To diagnose problems and improve the service.

We do not sell your personal information. We do not run advertising on the site. We do not share your data with third-party data brokers.

4. Who we share data with

We use a small number of service providers to run the site. Each receives only the information needed for its narrow function:

  • Fly.io — hosts the application and database (your data lives on a persistent volume here).
  • Cloudflare — CDN, DNS, and bot/DDoS protection.
  • Resend — delivers our authentication emails. Your email address is sent to Resend for the purpose of sending you a magic link.
  • Google — if you sign in with Google, Google authenticates you and shares your name, email, and avatar with us. See Google’s privacy policy for what they do with that interaction.
  • Fathom Analytics — cookieless aggregate analytics. No personal data is sent.
  • TMDB — data source for film metadata. We read from TMDB; we don’t send your data to them.
  • Anthropic — we use Claude (an AI service) to assist with horror genre classification of films. No user data is sent — only the public film metadata we want classified.

We may disclose information if required by law (a valid subpoena, court order, or similar legal process), or if we believe in good faith that disclosure is necessary to prevent fraud, abuse, or harm.

5. Your rights and how to delete your data

You can:

  • Access and edit your data — everything we have about you is editable in /settings.
  • Delete your account — available in /settings under “Delete account.” The default flow hard-deletes your personal state (watchlist, seen, ratings, recommendations, saved lists, photos, bug reports, film requests, Letterboxd imports) and anonymizes your contributions (comments, lists, edits, photo captions) so the community content stays useful but your name is removed. An optional “Also delete my contributions” checkbox additionally deletes those contributions and your community votes.
  • Request a copy of your data — email [email protected] and we’ll export what we have about you.
  • Object to processing or request restriction — if you’re in the EU/UK, you have the right to object to certain processing under the GDPR. Email us at the address above.

6. Data retention

We keep your account data for as long as your account exists. When you delete your account, the deletion is immediate and irrevocable: there is no “trash” or recovery period. Server logs are retained for a short period (typically less than 30 days) for operational purposes and then rotated out.

For audit and abuse-prevention purposes, we may retain a hashed reference to your email address in our admin moderation log when administrative actions are taken (e.g. removing a comment that violated the rules). This is to maintain integrity of the audit trail and cannot be used to identify you outside of that log.

7. International users

The Codex is hosted in the United States. If you access the site from the European Economic Area, the United Kingdom, or anywhere else with data-protection laws, your data is transferred to and processed in the US. By using the site, you consent to that transfer.

We process personal data on the legal basis of contract (running the account you asked us to create) and legitimate interest (security, spam prevention, improving the service). Where consent is the appropriate basis, we ask for it explicitly.

8. Children

The Codex is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has signed up, email [email protected] and we will delete the account.

9. Security

We protect your data with industry-standard measures: HTTPS everywhere, encrypted credential storage, rate limiting on authentication, and bot protection at the edge. That said, no service is 100% secure. If you discover a vulnerability, please report it responsibly to [email protected] rather than disclosing it publicly.

10. Changes to this policy

We’ll update this page when our practices change. Material changes will be announced via a site banner. The “Effective” date at the top of this page tells you when the current version went into effect.

11. Contact

Questions, requests, or corrections? Email [email protected].

Living Dead Co.
Georgia, USA