pornboxdBETA

Privacy Policy

Last updated April 10, 2026

pornboxd is a discovery, tracking, and review platform for adult content. This policy describes what we collect when you use the site, what we do with it, who we share it with, and the controls you have over your own data.

If anything here is unclear or you want to exercise a privacy right, email [email protected].

Who we are

pornboxd is operated from Ontario, Canada. You can reach the people behind the site at [email protected] for general inquiries, or at the addresses listed under each section below for specific requests.

What we collect

Account information

When you register, we store a username, a bcrypt hash of your password, and — if you choose to provide one — an email address used for password recovery only. You can optionally add a display name, bio, and avatar. Your username is public; your password hash and email are not.

Activity on the site

When you use pornboxd's core features, we store the resulting records so the site can show them back to you and other users: watch logs, ratings, reviews, review references, favorites, watchlist entries, lists and list entries, follows (of actors, studios, tags, and other users), and likes (on reviews and lists). Items you intend to be public — reviews, lists, and follows — are visible to other users of the site.

Product analytics

To understand how the site is used and improve discovery, we log first-party events through our own /api/v1/track endpoint into an events table. These events include page views, searches, video clicks, filter applications, affiliate clicks, and other interactions. Events are tied to a session identifier and, if you are logged in, your user ID. We never sell this data and we never share individually identifiable activity with studios.

Technical information

Our servers and our CDN (Cloudflare) receive standard request information: IP address, user-agent string, referring URL, and request timing. We use IP addresses for rate limiting, abuse prevention, and password-reset request logging, but we do not persist them alongside product analytics events.

Cookies and similar technologies

pornboxd uses a small number of cookies. We do not use advertising or cross-site tracking cookies.

  • Session token — an httpOnly JWT set when you log in. Used only to keep you signed in. Expires when you log out or when the token's lifetime ends.
  • Cloudflare Turnstile — challenge cookies set by Cloudflare's bot-protection widget during registration, login, password reset, and review submission. Essential for keeping bots out.
  • Plausible Analytics — cookieless. No identifiers are stored in your browser.
  • Cloudflare Web Analytics — cookieless. No identifiers are stored in your browser.

Because we rely only on essential cookies and cookieless analytics, pornboxd does not display a cookie consent banner.

How we use the data

  • To run your account and provide the core site functions (logging, reviewing, listing, following).
  • To prevent abuse, spam, and unauthorized access (rate limiting, bot protection, audit trails).
  • To understand aggregate usage patterns and improve discovery, navigation, and search.
  • To send the transactional emails you ask for, such as a password reset.
  • To measure affiliate performance in aggregate (see the Terms of Service for the affiliate disclosure).

Third parties we share with

pornboxd relies on a small set of well-known service providers. We share only what is strictly necessary for each one to do its job, and we never sell user data.

  • Cloudflare — CDN, DNS, SSL, bot protection (Turnstile), cookieless web analytics, object storage for images (R2), and inbound email routing for the addresses listed on our Contact page. Cloudflare sees standard request metadata as traffic passes through its network.
  • Resend — delivers transactional emails (currently: password reset). Resend receives the recipient email address and message contents for the email being sent.
  • Plausible Analytics — privacy-friendly, cookieless web analytics. Plausible receives anonymous page-view data and never receives personal identifiers.
  • Apify — runs the scrapers that import studio catalogs. Apify never receives user account data; it only sees public studio pages it crawls on our behalf.
  • NATS / Masturpay — our affiliate network. When you click a “Watch on [Studio]” link, tracking parameters travel with the outbound URL so any resulting sale can be attributed to pornboxd. NATS does not receive your account details.
  • Hosting (WHC) — our VPS provider in Canada, which operates the server the site runs on.

What we do not do

  • We do not display third-party ads and do not work with ad networks.
  • We do not sell, rent, or license user data.
  • We do not track you across unrelated websites.
  • We do not share individually identifiable viewing activity with studios.

Your rights

You can access, export, correct, or delete your account data at any time. Email [email protected] with the request and we will respond within 30 days. If you live somewhere that gives you additional rights under GDPR, UK GDPR, PIPEDA, CCPA/CPRA, or a similar framework, those rights apply and we will honor them.

Data retention

Account data (username, password hash, email, display name, bio, avatar) is kept for as long as your account is active. When you delete your account, we delete these records and the activity rows that belong to you (watch logs, ratings, reviews, lists, favorites, watchlist, follows, likes). Aggregate, de-identified analytics derived from events may be retained for longer for product and operational purposes. Raw product events are retained for up to 24 months and are then aggregated or deleted.

Age restriction

pornboxd is strictly for adults. You must be 18 or older (or the age of majority in your jurisdiction, whichever is greater) to use the site. If we learn that a user is under that age we will remove their account immediately. If you are a parent or guardian and believe a minor has created an account, email [email protected] and we will act on it urgently.

International transfers

Our servers are hosted in Canada. Cloudflare operates a global network, so traffic may transit through other regions on its way to and from our origin. By using pornboxd you acknowledge that request metadata may be processed outside your country of residence.

Security

Passwords are stored as bcrypt hashes. Authentication uses signed JWTs over HTTPS. Password reset tokens are stored as SHA-256 hashes, not in plaintext. Cloudflare Turnstile protects sensitive endpoints from automated abuse. No system is perfectly secure, but we take reasonable precautions and we continue to improve them.

Changes to this policy

We may update this Privacy Policy as the site evolves. When we do, we will update the “Last updated” date at the top. Material changes will be announced on the site.

Contact

Privacy questions and data rights requests: [email protected]
General inquiries: [email protected]