Privacy and data handling
A final legal privacy policy has not been published for this deployment yet. This page summarizes the data flows that are clearly visible in the current application code.
Authentication data
Users can sign in with Google OAuth or with an email and password. Password-based accounts are stored as hashes on the server side rather than in plaintext.
Sessions
The app uses Auth.js with JWT sessions so the signed-in state can be carried across requests without querying the database for every page load.
Advertising
If AdSense is configured through environment variables, the app can load the Google AdSense script for non-premium users. If that environment variable is not set, the script is not injected.
Newsletter form
The homepage newsletter form is currently a visual CTA only. There is no backend submission handler connected yet, so, in the current state of the codebase, the form itself does not store any addresses.