JUSTHUMAN

Privacy Policy

Last updated: March 2026

What we collect

When you use Just Human - whether on the website or through the Chrome extension on X.com - we record the keystrokes, timing, and edits you make while typing. This data is stored alongside the final text you produce. No account or personal information is required.

In addition to the basic keystroke and timing data, we collect the following signals to power our analysis and anti-bot defenses:

  • Dwell time - how long each key is held down before being released (in milliseconds)
  • Flight time - the gap between releasing one key and pressing the next (in milliseconds)
  • Physical key codes - which physical key was pressed (e.g. KeyH), not just the character produced. This enables analysis of finger movement patterns.
  • Session telemetry counts - the number of mouse movements (throttled to one count per 2 seconds), scroll events, touch events, textarea focus/blur events, and page visibility changes. We record only counts, never positions or content.
  • Browser environment signals - the navigator.webdriver flag, presence of Playwright-specific global variables, browser plugin count, configured language count, presence of the window.chrome object, and a timing-drift measurement between performance.now() and Date.now().
  • Hashed IP address - a SHA-256 hash of your IP address combined with a daily rotating salt is stored for rate limiting. We never store your raw IP address. The daily salt rotation means that hashes from different days cannot be linked to the same IP.
  • Server-side analysis results - an overall score (0–100), confidence level, per-metric breakdown, and any behavioral flags (e.g. “zero dwell detected”, “webdriver flag present”) are computed at submission time and stored alongside the recording.

We may also collect technical information automatically, such as your IP address, browser type, and referring URL, through server logs and analytics tools.

Chrome extension

The Just Human Chrome extension records keystroke timing data within X.com compose boxes (posts, replies, and quote tweets). The extension operates only on x.com and twitter.com. It does not record keystrokes on any other website.

The extension collects the same keystroke timing data as the website (event type, delta timing, cursor position). When you click Post on X.com, the extension intercepts the click, saves the recording to justhuman.app, appends a proof link to your tweet, and then submits the post. No data is sent without a user-initiated action (clicking Post or saving from the side panel).

The extension stores your wallet connection state (Cardano wallet address) locally via chrome.storage.local. This data remains on your device and is used only to enable automatic wallet signing on subsequent posts. No other data is stored locally by the extension.

Wallet signing

You may optionally sign your recordings with a Cardano wallet (such as Lace). When you choose to sign, we collect and store:

  • Wallet address - your Cardano address in hex format, used to identify the signer
  • Cryptographic signature - the CIP-30/CIP-8 signature produced by your wallet over a message containing the text you wrote
  • Public key - the public key corresponding to the signing address, used for independent verification
  • Signed message payload - a hex-encoded copy of the message that was signed, which includes the text of your recording

Wallet signing is entirely optional. No private keys are ever transmitted to or accessible by Just Human. The signing operation is performed entirely within your wallet application. We verify the signature server-side and store it alongside the recording. Once signed, your wallet address and verification status are publicly displayed on the replay page and social preview card.

Your recordings are public

Every recording you create generates a shareable link. Anyone with that link can view your full keystroke replay, including every character typed, deleted, and corrected. Do not include passwords, private messages, financial details, or any information you are not comfortable sharing publicly.

How we use the data

Recordings are stored to power the replay feature and the analysis panel. Specifically:

  • Keystroke events, dwell times, flight times, and key codes are used to replay your writing and to compute the human-likeness analysis score shown on the replay page.
  • Session telemetry (mouse, scroll, touch, focus, and visibility counts) contributes to the confidence level of the analysis.
  • Browser environment signals are used to detect automated browsers and contribute to the analysis score. They are not used for fingerprinting or cross-site tracking.
  • Hashed IP addresses are used solely for rate limiting (20 submissions per hour, 40 per day). Rate limit records are automatically deleted after 24 hours.
  • Wallet signatures, public keys, and addresses are used to display a verification badge on the replay page and social preview card. They are verified server-side using CIP-8 standards and stored alongside the recording. Wallet addresses are displayed publicly in truncated form.

We do not sell, share, or use your keystroke data for advertising, profiling, or training purposes.

Legal basis for processing

We process your data on the following legal grounds under applicable data-protection law (including the EU General Data Protection Regulation):

  • Recording data (keystrokes, timing, dwell times, flight times, key codes, final text): contract performance - processing is necessary to provide you with the service you requested (GDPR Art. 6(1)(b))
  • Session telemetry and browser environment signals (mouse/scroll/touch counts, focus/blur counts, visibility changes, webdriver flag, plugin count, language count): legitimate interest - necessary for detecting automated submissions and maintaining the integrity of the service (GDPR Art. 6(1)(f))
  • Hashed IP addresses and rate limit records: legitimate interest - necessary for abuse prevention and rate limiting (GDPR Art. 6(1)(f)). These are automatically deleted after 24 hours.
  • Server-side analysis results (score, confidence, flags, metrics): contract performance - integral to the service provided (GDPR Art. 6(1)(b))
  • Wallet signing data (wallet address, signature, public key, signed payload): consent - you explicitly initiate the signing action and approve it in your wallet application (GDPR Art. 6(1)(a))
  • Extension local storage (wallet connection state): consent - stored on your device only when you connect a wallet through the extension (GDPR Art. 6(1)(a))
  • Analytics data (page views, session duration, referral sources): consent - you consent to this collection by using the service (GDPR Art. 6(1)(a))
  • Server logs (IP address, browser type): legitimate interest - necessary for security and maintaining the service (GDPR Art. 6(1)(f))

Data retention

Recordings (including keystroke events, telemetry, environment signals, analysis results, and wallet signatures if present) are stored indefinitely to keep shared links working. You may request deletion of your recordings at any time - see the Data deletion section below. Deleting a recording also removes any associated wallet signature data. Please think carefully before submitting any text, as recordings are publicly accessible from the moment they are created.

Rate limit records (hashed IP addresses) are automatically deleted after 24 hours via a database TTL index. They cannot be linked to specific recordings after deletion.

Data deletion

You may request deletion of your recordings by reaching out to us via @dynamic_io on X. Please include the recording URL(s) you would like removed.

We will delete the requested recordings within thirty (30) days of receiving a verified request. In limited circumstances, we may retain data where required by law (for example, to comply with a legal obligation or to protect the rights, property, or safety of others, including freedom of expression).

Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Under the GDPR (EU/EEA residents):

  • Right of access -obtain a copy of your personal data
  • Right to rectification -correct inaccurate data
  • Right to erasure -request deletion of your data
  • Right to restriction -limit how we process your data
  • Right to data portability -receive your data in a structured format
  • Right to object -object to processing based on legitimate interest

Under the CCPA (California residents):

  • Right to know what personal information we collect and how it is used
  • Right to delete your personal information
  • Right to opt out of the sale or sharing of personal information
  • Right to non-discrimination for exercising your rights

To exercise any of these rights, contact us via @dynamic_io on X. We will respond within thirty (30) days for GDPR requests and forty-five (45) days for CCPA requests.

California residents (CCPA)

If you are a California resident, the California Consumer Privacy Act provides you with specific rights regarding your personal information.

Categories of personal information we collect: keystroke and timing data (including dwell times, flight times, and physical key codes), session telemetry counts (mouse, scroll, touch, focus, visibility), browser environment signals, final text content, hashed IP address (for rate limiting only; automatically deleted after 24 hours), server-side analysis results, analytics data (page views, session duration, referral sources), and - if you opt in to wallet signing - your Cardano wallet address, cryptographic signature, and public key.

We do not sell or share your personal information as defined under the CCPA. We do not use your personal information for targeted advertising.

Your rights under the CCPA are described in the Your rights section above. We will not discriminate against you for exercising any of your CCPA rights.

Cookies & analytics

We use Google Analytics to understand how visitors use Just Human. Google Analytics collects information such as how often you visit, which pages you view, and what site referred you. It uses cookies to distinguish between unique visitors and to track session information.

Google's ability to use and share information collected by Google Analytics is governed by the Google Analytics Terms of Service and the Google Privacy Policy. We also load typefaces from Google Fonts.

Third-party services

Just Human relies on third-party services to operate, including but not limited to MongoDB Atlas for data storage, Google Fonts for typography, and various hosting and infrastructure providers. The wallet signing feature interacts with the Lace wallet browser extension, which is developed and maintained by IOG (Input Output Global). Just Human does not control and is not affiliated with the Lace wallet. These services have their own privacy policies and data-handling practices over which we have no control. We are not responsible for the privacy practices, security measures, or data processing of any third-party service.

International data transfers

Your recording data is stored in MongoDB Atlas, which operates on cloud infrastructure that may be located in the United States or other countries. By using Just Human, you acknowledge that your data may be transferred to and processed in countries outside your own, which may have different data-protection laws than your jurisdiction.

Where required by applicable law, such transfers rely on appropriate safeguards, including standard contractual clauses approved by the relevant authorities.

Security

We take reasonable measures to protect the data stored on our systems. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee the absolute security of your information. You acknowledge that you submit recordings at your own risk, and Just Human shall not be held liable for any unauthorised access to, or loss of, your data.

Children's privacy

Just Human is not intended for use by anyone under the age of 16. We do not knowingly collect data from children under 16. If you believe a child under 16 has used the service, please contact us via @dynamic_io on X and we will take steps to remove the relevant recordings.

No liability for disclosed content

Once a recording is created, it is accessible to anyone who has the link. We bear no responsibility for how others view, copy, redistribute, or otherwise use your publicly shared recordings. You are solely responsible for the content you choose to record and share through the service.

Contact for data protection

For all privacy and data-protection enquiries, including requests to exercise your rights, please reach out to us via @dynamic_io on X.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. We encourage you to review this policy periodically. Your continued use of Just Human after any changes constitutes acceptance of the updated policy.

For questions about these terms, see our Terms & Conditions.

← Back to writing