Privacy

Last reviewed: 5 May 2026.

Like Me Like is an anonymous taste-recommendation service. There is no sign-up, no email, no name. Your identity is a cryptographic keypair generated in your browser the first time you visit. The server only sees the SHA-256 hash of your public key — never the private key, and never anything tied to your real-world identity.

Trust contract

The product rests on four promises, in plain English:

• No paid tips. No brand, publisher, label, or studio can pay to have an item appear in your recommendations. Picks are generated by the model from your own taste signal — not from a sponsor list.
• No ads. No fake rankings. The interface carries no advertising surface, no "trending" tiles wired to commercial deals, and no creator-side dashboard that could shape what you see.
• No account required. The anonymous keypair described above is the entire identity model. There is no email, password, name, or profile to fill in.
• Your profile stays yours. Your taste data is used to power your recommendations and your cohort matching. We do not sell it, do not share it with third parties, and do not surface it to creators or advertisers.

What we store

On our server, linked to your public-key hash:

• Account row — tier (free / paid), training-consent state, hourly + monthly request counters, account-creation timestamp.
• Device profile — form factor (mobile / tablet / desktop), screen dimensions, hardware concurrency, timezone, browser languages list, dark-mode preference, reduced-motion preference, your User-Agent string. Refreshed on every page load to the latest snapshot. Used to make recommendations feel right on the device you're using.
• First-visit context — the origin of the page that referred you to us (e.g. letterboxd.com), the path you first landed on within Like Me Like, and any UTM-style URL params (utm_source, utm_medium, etc). Captured ONCE on your first visit and never overwritten. Used as a starting hint for your taste profile while you have few ratings.
• Taste profile — the items you've liked or disliked (capped at 40 each, freshest first), an LLM-derived taste-summary paragraph generated from those, a vector embedding of that summary used to find users with similar taste, a cached list of the closest-taste cohort. Your taste-profile page is always public: anyone with the link can see your liked items and summary. There is no private mode — don't rate anything you wouldn't want shown publicly.
• Encrypted backup events (Track A) — every recommendation session you complete is encrypted in your browser (AES-256-GCM, key derived from your private key) and uploaded as opaque ciphertext. We cannot decrypt these — only your browser, holding your private key, can. We store them so that if you paste your recovery code on another device, your history follows.
• Per-thumb rating log — every up/down you give, with the source you searched, the item you rated, the alternatives you saw alongside, the locale you were in. Linked to your public-key hash. Used for cohort retrieval, model improvement, and as the canonical training corpus for any future fine-tuned recommendation model.
• LLM call log — every prompt the server sends to a recommendation model and the response it gets back. Linked to your public-key hash when you're authenticated. Used for debugging, quality monitoring, and as a training corpus.
• Anonymous training events (Track B) — your thumb-up / thumb-down events upload as payloads that include the items you saw and the signal you gave, but NOT linked to your public-key hash. This is part of the implicit service contract: the recommendation engine improves from these aggregate signals. To opt out, contact us at the address below — we keep an explicit "denied" flag honoured forever for users who request it.

In your browser, in IndexedDB and one HttpOnly cookie:

• Identity keypair (IndexedDB) — your ECDSA P-256 private + public key. Never leaves the browser.
• Local feed (IndexedDB) — your recommendation sessions, your thumbs, queued events waiting to upload. Mirrored to the encrypted backup events above; clearing browser data locally is reversible from the backup if you have a recovery code.
• lml-session cookie — HttpOnly, contains your public-key hash. Lets the server recognise you across requests without needing the keypair on every call.

What we do NOT store

• No email address, name, phone number, or any other personally-identifying field. The service is anonymous by design.
• No IP address logging beyond the platform default. Vercel (our hosting provider) keeps short-lived request logs that include the requesting IP for abuse prevention and operational debugging, per their standard retention. We do not write the IP into any of our own tables.
• No canvas hashes, font enumeration, WebGL renderer, or audio fingerprints. Those are deliberately excluded — they would push the privacy posture past what's needed to personalise recommendations.
• No third-party analytics SDK. No Google Analytics, Mixpanel, Segment, or similar. The only outgoing requests are to LLM providers (Google Gemini, OpenRouter) for generating recommendations, and to Wikipedia for thumbnail enrichment.

Cohort matching

Like Me Like is built on the idea of finding people with similar taste to you, so cohort matching is part of the core service — it's not optional. To find your closest cohort, the server reads other users' taste profiles (the public-key hash, liked items, summary embedding) and computes which ones are closest to yours. The recommendations you see are biased by what your cohort has liked.

What this means: your taste profile is visible to the matching algorithm. The algorithm only emits aggregate frequency counts ("N members of your cohort liked this") — never the specific identity of who liked what. But the underlying liked items are readable by the server.

The trust contract is: we use this data to power the service, full stop. No analytics SDK, no advertising, no creator dashboards looking at your taste, no sale to third parties.

Deleting your account

Settings → "Delete my account" wipes your row from users and all per-user tables (taste profile, backup events, rating log, LLM calls, training events) via foreign-key cascade. Your local browser state (IndexedDB) is also wiped on the same action. After deletion, the service has no record of you beyond aggregate counts that don't identify you.

Vercel's platform-level request logs retain IP addresses for a short window before rolling off; those are outside our direct control but Vercel's published retention policy applies.

Track B — anonymous training (implicit)

Anonymous, aggregate-shaped rating-events are stored without your public-key hash attached. This stream is part of the implicit service contract — using Like Me Like contributes these events by default so the recommendation engine can improve from real signal. There is no Settings toggle: the events are anonymous at upload time and untraceable back to you, so we treat them the same way we treat any other non-identifying telemetry.

If you want to be excluded from this stream entirely, email the address below and we'll set a "denied" flag against your public-key hash. The flag is honoured forever and blocks all future Track B uploads from your browser. Already-uploaded events were anonymous at write time and cannot be retroactively retrieved or deleted — that's the privacy guarantee, but it also means past events stay in the aggregate.

Children

Like Me Like is not directed at children under 16 and we do not intentionally collect data about them. If you believe a minor has used the service and you would like data deleted, please use the contact below; an account-deletion will remove everything tied to the keypair.

Cookies

We set one functional cookie, lml-session, that contains your public-key hash. It's HttpOnly (not readable by JavaScript) and Secure (HTTPS only) and SameSite=Strict (not sent cross-site). It is required for the service to function — we do not consider it a tracking cookie under GDPR's standard definition.

Updates to this policy

Material changes will be reflected in the "Last reviewed" date at the top of this page. Because the service is anonymous we cannot email you about updates; the date is your sentinel.

Contact

For privacy questions or data-subject requests beyond account-deletion: hi@likemelike.com.

Company details

Like Me Like is a trade name operated by:

• Operator (eenmanszaak): Yme Bosma h.o.d.n. Like Me Like
• Chamber of Commerce (KvK) number: to be added after registration on 4 June 2026
• VAT (BTW) number: to be added once issued
• Registered address: to be added after registration
• E-mail: hi@likemelike.com

Governing law

This service is operated from the Netherlands. Dutch law applies to the processing of personal data, in line with the EU GDPR.

← Back to Like Me Like