Privacy Policy
Last revised: April 15, 2026
The short version
- We collect only what we need to run TornHustler — your email, the data you publish on the site, and the Torn API responses you authorize us to fetch.
- Your Torn API key is stored encrypted and never displayed back to you in full.
- We don't sell your personal data to anyone, ever.
- We don't run third-party advertising or tracking pixels.
- We use only essential cookies for login and session security — no analytics cookies, no tracking cookies, no advertising cookies.
- If you're in the EU, UK, California, or another jurisdiction with privacy law protections, you have specific rights described below.
1. Who we are
TornHustler is operated by Tesseract Corporation, LLC, a Wyoming limited liability company. We are the data controller for personal data collected through the service.
Contact: admin@tornhustler.com
2. What data we collect
2.1 You give us directly
- Email address — required for account creation, login, and transactional notifications.
- Password — stored hashed (bcrypt). We never see or store your plaintext password.
- Display name, bio, avatar — what you put on your profile.
- Posts, comments, photos, chat messages — content you create on the platform.
- Torn API key — encrypted at rest using AES-256, decrypted only in memory when making a Torn API call on your behalf.
- Optional self-reported demographics (age range, country, time zone, etc.) — only if you choose to add them, used to power features like Spouse Finder, regional leaderboards, and aggregate community statistics. You can change or delete these any time.
2.2 We fetch from Torn (with your authorization)
- The Torn data corresponding to the API selections you authorized when creating your TornHustler API key. Examples: your in-game name, level, faction membership, equipped items, display case contents, faction's roster.
- We only fetch when you take an action on TornHustler that requires fresh data. We do not background-poll your key when you're not actively using the service.
- We will never request your battle stats, cash, net worth, or private message contents. This is a permanent commitment — no feature we ever build will require those selections.
2.3 Automatically when you visit
- IP address — for rate limiting, abuse prevention, and security audit logging.
- Browser user agent — for compatibility and audit logging.
- Login activity — timestamps, IP addresses, device fingerprints retained for security (so we can show you "your active sessions" and warn about new-device logins).
- Server access logs — standard web server logs (URL, status code, timestamp). Retained 30 days, then auto-purged.
We do not use:
- Google Analytics or any third-party analytics service
- Advertising pixels (Facebook, Google Ads, etc.)
- Behavioral retargeting cookies
- Cross-site tracking of any kind
3. Cookies
TornHustler uses a small number of cookies, all classified as strictly necessary under the EU ePrivacy Directive. These do not require consent because the service cannot function without them.
| Cookie | Purpose | Lifetime |
|---|---|---|
| tornhustler-session | Identifies your logged-in session | 2 hours, refreshed on activity |
| XSRF-TOKEN | Prevents cross-site request forgery on form submissions | 2 hours |
| cookie-notice-dismissed (localStorage) | Remembers that you've seen the cookie notice | Until you clear browser data |
We do not use any cookies for tracking, analytics, or advertising.
4. How we use your data
- To operate and maintain the service (authentication, content delivery, chat, notifications).
- To fetch Torn data on your behalf when you take actions that require it.
- To send you essential transactional emails (account verification, password reset, security alerts, recruit-code notifications, opt-in feature notifications).
- To enforce the Terms of Service and protect against abuse.
- To compute aggregated, anonymized community statistics that benefit all members (e.g., "average crime success rate at level 50") — only if you opt in and only with safeguards described below.
- To comply with legal obligations.
5. Legal basis for processing (EU/UK GDPR users)
If you are in the European Economic Area, the United Kingdom, or another jurisdiction subject to GDPR-equivalent rules, we process your personal data on the following legal bases:
- Performance of a contract — to provide the service you signed up for (account, profile, social features, etc.).
- Consent — for any optional data sharing (demographic profile fields, opt-in features that fetch additional Torn data).
- Legitimate interests — for security, abuse prevention, audit logging, and core service improvements that don't override your privacy interests.
- Legal obligation — when required by applicable law.
6. Your rights
6.1 Everyone, regardless of jurisdiction
- Access — request a copy of the personal data we hold about you.
- Correct — fix any incorrect data via your account settings, or by emailing us if you can't change it yourself.
- Delete — close your account at any time. We'll remove your personal data subject to the limits below (Section 7).
- Revoke API key access — delete the TornHustler key in Torn's preferences page. We'll lose all access immediately and detect the revocation on your next visit.
6.2 EU/UK users (GDPR)
You additionally have the right to:
- Restrict processing — ask us to stop processing your data while a dispute is being resolved.
- Object to processing based on legitimate interests.
- Data portability — receive your data in a machine-readable format (we'll provide a JSON export on request).
- Withdraw consent at any time for any optional processing.
- Lodge a complaint with your local data protection authority. (UK: ICO. Ireland: DPC. Etc.)
6.3 California residents (CCPA / CPRA)
You additionally have the right to:
- Know what categories of personal information we collect, how we use it, and to whom we disclose it.
- Request deletion of personal information.
- Opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising, so this right is automatically honored by default.
- Non-discrimination for exercising your rights.
To exercise any of these rights, email admin@tornhustler.com from the email address associated with your account. We'll respond within 30 days.
7. Data retention
- Account data — kept while your account is active. Deleted within 30 days of account closure (with the exceptions below).
- Posts, comments, chat messages — kept while the surrounding context (group, conversation) exists. We preserve historical conversation context, which means your messages may remain in chat threads after account deletion (your name is replaced with "[deleted user]" — your identity is removed but the message text remains so the conversation makes sense).
- API keys — purged immediately on account deletion or key revocation.
- Server access logs — 30 days, then auto-purged.
- Audit logs (login events, security events) — 12 months, then auto-purged.
- Aggregated, anonymized community data — retained indefinitely, since it cannot be re-identified to you after aggregation.
8. How we share your data
We do not sell, rent, or trade your personal data to third parties for marketing.
We share data with the following service providers only as necessary to operate TornHustler:
- Brevo (formerly Sendinblue) — sends transactional email on our behalf. They process your email address and the message content. Brevo's privacy policy: brevo.com/legal/privacypolicy
- DigitalOcean — hosts our servers. They have access to data at the infrastructure level. digitalocean.com/legal/privacy-policy
- Cloudflare — DNS and edge proxy. They see request metadata (IP, URL). cloudflare.com/privacypolicy
- Anthropic — for AI-powered features (e.g., the future TornELSA assistant, optional). When you use AI features, the relevant context is sent to Anthropic's API. anthropic.com/legal/privacy
- Bunny Fonts — serves our web fonts. GDPR-compliant Google Fonts alternative; no IP logging. fonts.bunny.net/about
We may also disclose data when legally required (court order, subpoena, valid government request), or to protect the rights, property, or safety of TornHustler users or the public. We will challenge overly broad requests where legally appropriate.
9. International data transfers
TornHustler is operated from the United States. If you access the service from outside the US, your data will be transferred to and processed in the United States. Where required (EU/UK users), we rely on the European Commission's Standard Contractual Clauses (SCCs) for data transfers to our service providers.
10. Security
We use industry-standard security measures, including:
- HTTPS everywhere (Let's Encrypt TLS certificates)
- Bcrypt password hashing
- AES-256 encryption for stored Torn API keys
- Rate limiting on authentication endpoints
- Optional two-factor authentication (TOTP)
- Audit logging of sensitive actions
- Email alerts on suspicious activity (new device logins, key rotations)
- Routine security updates and dependency patching
No system is perfectly secure. If you suspect a breach affecting your account, contact admin@tornhustler.com immediately.
11. Children
TornHustler is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. EU/UK users must be 16 (or the local minimum age for digital consent) or have verified parental consent. If you believe we've collected information from someone under the applicable minimum age, contact us and we'll delete it.
12. Aggregated and anonymized data
We compute community-wide aggregates from member data (e.g., "average mug success rate at level 50"). Aggregates are only displayed when the underlying sample size meets a minimum threshold (currently 25 members) so that no individual can be identified from the result.
Aggregated, anonymized data is not personal data and may be retained indefinitely, used for service improvement, and shared (without re-identification) for research, transparency reporting, or community insights.
13. Changes to this Privacy Policy
If we make material changes, we'll notify registered users by email and post a notice on the site at least 14 days before they take effect. Material changes affecting your rights require your active acceptance.
14. Contact us
For any privacy questions, requests, or to exercise your rights:
Tesseract Corporation, LLC
admin@tornhustler.com
EU/UK users may also lodge a complaint with their local data protection authority.