The honest version: what Lipwalk collects, what it deliberately does not, and the controls readers get without having to email anyone.
Last updated: June 2026
When you comment, react, or rate through a Lipwalk widget on someone's site, Lipwalk stores the content you submit, the display name you choose (or "Anonymous"), an optional email if you provide one for reply notifications, and the time it happened.
For spam defense and vote integrity, Lipwalk computes a salted, irreversible hash of your IP address and discards the raw IP; the hash cannot be reversed into your address. The widget may also derive a browser fingerprint signal as a secondary abuse signal.
Because spammers and abusive actors move between sites, Lipwalk correlates these hashed signals across the sites that use Lipwalk to detect and stop coordinated abuse (its Fleet Shield protection). This is a security function on a legitimate-interest basis (see section 5): the hashed signals are used only to rate-limit, challenge, or block abuse, never for advertising, profiling, building a marketing picture of you, or sale. Signals decay over time and are deleted on a fixed retention schedule, and a site owner can disable fleet-wide enforcement for their own site.
Comments pass through automated spam and safety checks. The routine checks run on Lipwalk's own servers, so your words are not sent to any outside service for ordinary moderation. In the rare case content is genuinely borderline, only the text needed for that one decision may be sent to a cloud provider for a second opinion.
If a site owner turns on image attachments, images you upload are stored to show alongside your comment. Each image is re-encoded to strip embedded metadata (including location data) before it is served, and is screened for known illegal material. The site owner can remove any image you post, and you can delete your own content with the tools in section 4.
Site owners can subscribe to webhooks about activity on their own sites; those deliveries contain comment excerpts and identifiers and go to endpoints the site owner controls.
On plans that include it, site owners can enable session replay to understand how pages are used. Recordings are streams of DOM events (clicks, scrolls, page mutations), not video and not screenshots. Every input field is masked by default before data leaves the browser, and site owners can additionally mask or block any element.
Replay honors your browser's Do-Not-Track setting automatically: if it's on, nothing records. Site owners can also disable recording per page. The recorder script only loads in sessions that are actually being recorded.
Recordings expire automatically on the site's plan schedule: 30 days (Growth), 90 days (Business), or 180 days (Enterprise). A cleanup job permanently deletes expired recordings.
The widget sets no advertising, analytics, or third-party tracking cookies. This is the complete inventory:
| Name | Where | Purpose | Lifetime |
|---|---|---|---|
| lw_commenter_<site> | Browser localStorage | Keeps a reader signed in to the widget on that one site. Scoped per site; never shared across sites. | Until sign-out or token expiry |
| lw_commenter | Cookie | Commenter session for widget requests. | Session-scoped |
| lw_refresh | Cookie (httpOnly) | Set only if a reader creates or signs in to a Lipwalk account; refreshes their session. | Until expiry or sign-out |
| lipwalk-theme | Browser localStorage | Light/dark preference on this website. | Until changed |
No advertising cookies. No analytics cookies. No third-party cookies.
If you've commented through Lipwalk, you can act on your data directly from the widget, no support ticket required:
For anything these tools don't cover, email [email protected].
For data collected through widgets embedded on a customer's site, the site owner is the data controller and Lipwalk is the data processor, acting on their configuration (moderation settings, replay on/off, anonymous commenting on/off). For dashboard accounts and billing, Lipwalk is the controller.
Legal bases: performance of a contract (providing the commenting service), legitimate interest (abuse prevention, including the cross-site correlation of salted, irreversible hashes described in section 1; a Legitimate Interest Assessment is documented), and consent where a site's own policy requires it. Billing runs through Stripe; Lipwalk never sees or stores full card numbers.
Lipwalk runs on a short list of sub-processors, each used only for what it says: Amazon Web Services (hosting and storage), Cloudflare (content delivery and abuse protection), Stripe (billing), Amazon SES (transactional email), and, only for the rare borderline moderation check above, a cloud AI provider. None of them receive data for advertising, and your readers' data is not sold or rented to any of them.
Traffic is encrypted in transit. Secrets live in a managed secrets store, not in code. Webhook deliveries are HMAC-signed so receivers can verify origin. Access to production data is limited to what operating the service requires, and Lipwalk maintains a written security posture with a deployment checklist re-walked on every release.
If you find a vulnerability, email [email protected] and Lipwalk will respond quickly and credit you if you want.
When this policy changes materially, Lipwalk will update the date at the top and notify site owners by email before the change takes effect.