Kinkiris
Your privacy is our priority.
Kink data is intimate. We built Kinkiris to ask for as little as possible, store it carefully, and let you take it back any time.
- Anonymous by default
- No ads, no trackers
- Full account deletion
Our privacy principles
Three commitments that shape how we build.
Anonymous by default
You can take the full BDSM test without an email or a name. An account is only needed to save the result or share a private link with a partner.
No ads, no third party trackers
We use Plausible Analytics, which is cookie free and GDPR compliant. No Google, no Meta pixel, no advertiser ever sees your visit to Kinkiris.
Zero data resale
We never sell, rent or share your personal data with third parties. There is no business model that depends on it, and there will not be one.
How we handle your data
Full transparency on what we ask, store and discard.
What we collect
- Email, only for login and recovery. Stored hashed when used as a primary key, never published.
- Pseudonym, freely chosen, can be a random name. Never linked to your legal identity.
- Quiz answers and rated practices, encrypted in transit, stored in our database to draw your visual result.
- Optional profile photo, only visible to partners you explicitly share with.
- Match invitation links you created, with their expiry.
What we never collect
- Your real name, gender, or any government identification.
- Photos or videos of intimate activities.
- Location data or GPS.
- Contact lists, phone numbers, social media accounts.
- Financial information (no payments processed on Kinkiris).
How we protect what we store
Argon2id password hashing
Passwords are hashed with Argon2id, the algorithm currently recommended by OWASP. Legacy bcrypt hashes are silently migrated on next login.
HTTPS everywhere
All traffic is encrypted in transit with TLS. HSTS preload is enabled. No HTTP fallback.
Strict security headers
Content Security Policy, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin, and a Permissions-Policy that turns camera, microphone and geolocation off.
Rate limiting on sensitive endpoints
Login, password reset, signup, upload and friend acceptance are rate limited to slow brute force and enumeration.
Server side input validation
Every API route validates its input with a strict schema before touching the database. No unknown fields, no surprise queries.
Cascade deletion
When you delete your account, every related row (profile, answers, matches, friendships, swipes) is cascaded out in a single transaction.
Your controls
Everything is at your fingertips.
Export your data
Download a complete JSON copy of everything we hold about you, at any time, from your settings.
Disconnect a partner
Remove a friend or a match without deleting your account. Their access to your iris stops immediately.
Delete everything
Permanently erase your account and all associated data. Cascades through every table. No backup retention beyond 30 days.
What we are working on
We are not done. Currently in active development, not yet shipped to production: column level encryption (AES-256-GCM) for the most sensitive fields (quiz answers, body map, safewords, aftercare notes, match analysis), end to end encrypted partner messages, public bug bounty program, third party security audit. We will update this page as each one is published.
Privacy questions?
Reach the team directly. We answer privacy and security mail within 72 hours.
Ready to explore safely?
Take the BDSM test. We will only ask what we need, never more.