Privacy Policy
Last Updated: 2026
1. Data Controller
The data controller for your personal data is [COMPANY NAME] ("we", "us", or "our"). If you have any questions about this privacy policy or our data practices, please contact us at:
- Email: [DATA_PROTECTION_EMAIL]
- Address: [COMPANY_ADDRESS]
2. Legal Basis and Purpose for Processing
We process your personal data under the following legal bases as set out in the UK GDPR and Data Protection Act 2018:
| Processing Activity | Legal Basis | Purpose |
|---|---|---|
| User Authentication & Account Management | Contract (Art 6(1)(b)) | To create and manage your account, authenticate your identity, and provide our services |
| Email Delivery | Contract (Art 6(1)(b)) | To send you service-related emails (account confirmation, password resets, etc.) |
| Payment Processing | Contract (Art 6(1)(b)) | To process payments and manage subscriptions (if applicable) |
| Security Logging & Error Tracking | Legitimate Interest (Art 6(1)(f)) | To protect the security of our services, prevent fraud, and monitor for errors and security threats |
3. Categories of Personal Data We Collect
We collect and process the following categories of personal data:
- Identity Data: User IDs (UUIDs), email addresses
- Authentication Data: Passwords (hashed and stored securely)
- Profile Data: User metadata including first name, avatar URLs, and full name (from OAuth providers)
- Session Data: Access tokens and refresh tokens stored in encrypted cookies
- Technical Data: IP addresses and user agent strings (collected for security logging purposes)
- Usage Data: Authentication events (login, logout, signup) and account modification events (password changes, email changes, account deletions)
4. Recipients of Your Personal Data
We use the following third-party service providers to help us operate our services. These providers process your personal data on our behalf as data processors:
- Supabase (EU-based): Provides user authentication services and database storage for your account data
- Sentry (US-based): Provides error tracking and security logging services
- Resend (US-based): Provides email delivery services
- Stripe (US-based): Provides payment processing services (if you use payment features)
- Google Fonts/Material Symbols (US-based): Provides web fonts and icons via CDN
All our data processors are contractually bound to protect your personal data and only process it in accordance with our instructions.
5. International Data Transfers
Some of our service providers are located outside the UK and European Economic Area (EEA). When we transfer your personal data to these providers, we ensure appropriate safeguards are in place:
- Sentry (US): Transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission. Sentry processes security logs containing IP addresses, user agents, and user identifiers for security monitoring purposes.
- Resend (US): Transfers are protected by Standard Contractual Clauses (SCCs). Resend processes email addresses and email content for email delivery purposes.
- Stripe (US): Transfers are protected by Standard Contractual Clauses (SCCs). Stripe processes payment information if you use payment features.
- Google Fonts/Material Symbols (US): These CDN resources may collect IP addresses. Consider self-hosting fonts to avoid this transfer if desired.
Note: Your primary user data (email, user ID, authentication credentials) is stored in Supabase, which is EU-based. Therefore, there is no international transfer for your core account data.
6. Data Retention
We retain your personal data for the following periods:
- Account Data: We retain your account data (email, user ID, profile information) until you delete your account. You can delete your account at any time through your account settings.
- Session Cookies: Session cookies are stored for 7 days or until you log out, whichever is sooner.
- Flash Message Cookies: Flash message cookies are stored for 60 seconds.
- Security Logs: Security and error logs are retained according to our service provider's retention policies (typically 90 days for error logs).
After you delete your account, we will delete or anonymize your personal data, except where we are required to retain it for legal purposes (e.g., fraud prevention, legal obligations).
7. Your Data Protection Rights
Under the UK GDPR and Data Protection Act 2018, you have the following rights regarding your personal data:
Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you. To exercise this right, please contact us using the contact information provided in Section 1.
Right to Rectification (Article 16)
You have the right to request correction of inaccurate or incomplete personal data. You can update your email address and password directly through your account settings.
Right to Erasure (Article 17)
You have the right to request deletion of your personal data. You can delete your account at any time through your account settings, which will permanently delete your account and associated data.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. To request your data export, please contact us using the contact information provided in Section 1.
Right to Object (Article 21)
You have the right to object to processing of your personal data based on legitimate interests. Please contact us if you wish to object to any processing.
Right to Restrict Processing (Article 18)
You have the right to request restriction of processing of your personal data in certain circumstances. Please contact us if you wish to restrict processing.
To exercise any of these rights, please contact us using the contact information provided in Section 1. We will respond to your request within one month.
8. Cookies
We use essential cookies that are necessary for the operation of our website. These cookies do not require your consent as they are strictly necessary for the service to function:
| Cookie Name | Purpose | Duration |
|---|---|---|
| session | Stores encrypted session data (access tokens, user information) to maintain your authentication state | 7 days |
| flash | Stores temporary flash messages to display notifications after page redirects | 60 seconds |
All cookies are first-party cookies (set by our domain), are encrypted, and are marked as HttpOnly and Secure (in production) to protect against cross-site scripting attacks.
9. Right to Lodge a Complaint
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority:
- Website: https://ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We would appreciate the opportunity to address your concerns first, so please contact us before lodging a complaint with the ICO.
10. Contact Us
If you have any questions about this privacy policy or wish to exercise any of your data protection rights, please contact us:
- Email: [DATA_PROTECTION_EMAIL]
- Address: [COMPANY_ADDRESS]
11. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by posting the new privacy policy on this page and updating the "Last Updated" date. We encourage you to review this privacy policy periodically.