Privacy Policy

Last updated: April 2026. This policy describes information practices typical for applications built from this boilerplate. Customize it for your product, jurisdiction, and vendors.

1. Introduction

This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website or use our applications (the "Service"). By using the Service, you agree to this policy. If you do not agree, please do not use the Service.

2. Who is responsible

The "data controller" or business responsible for processing is the organization operating this deployment. You should replace generic references with your legal name, registered address, and data protection contact (including any EU/UK representative if required).

3. Information we may collect

3.1 You provide directly

  • Account details such as name, email address, and profile fields you choose to submit.
  • Authentication events (for example sign-in timestamps) processed by our auth provider.
  • Content you post where the product allows it (such as public feedback or support messages).

3.2 Collected automatically

  • Device and browser type, IP address, and general location derived from IP.
  • Usage diagnostics, performance metrics, and error logs to keep the Service reliable and secure.
  • Cookies and similar technologies where we or our analytics partners use them—see Section 6.

4. How we use information

We use information to:

  • Provide, maintain, and improve the Service and its security.
  • Authenticate users, prevent fraud, and enforce our terms.
  • Communicate about updates, incidents, or (where permitted) marketing—honoring your preferences and law.
  • Comply with legal obligations and respond to lawful requests.

5. Legal bases (where GDPR/UK GDPR applies)

Depending on context, we may rely on one or more of the following:

  • Contract — processing necessary to deliver the Service you requested.
  • Legitimate interests — for example securing our systems, understanding aggregate usage, and improving reliability, balanced against your rights.
  • Legal obligation — where the law requires us to retain or disclose information.
  • Consent — where required for optional cookies or marketing; you may withdraw consent without affecting the lawfulness of processing before withdrawal.

6. Cookies and analytics

We may use strictly necessary cookies for authentication and security. Where we use analytics or marketing cookies, we will present choices as required by your region (for example a consent banner). Review your analytics vendor configuration (for example Vercel Analytics) and update this section to list specific cookies, purposes, and retention.

7. Sharing and subprocessors

We may share information with:

  • Infrastructure and hosting providers that run the website and API.
  • Authentication and database providers (for example Supabase) that process account and application data under their agreements.
  • Professional advisers where required (for example auditors or lawyers under confidentiality).
  • Authorities when we believe disclosure is necessary to comply with the law or protect rights, safety, and security.

Maintain a current subprocessor list if you owe that to customers under a Data Processing Agreement (DPA).

8. International transfers

If data is processed in countries other than your own, describe the safeguards (for example Standard Contractual Clauses, adequacy decisions, or other mechanisms) after you confirm where your vendors store and process data.

9. Retention

We retain information only as long as needed for the purposes above, including legal, accounting, and reporting requirements. Technical logs may be kept for shorter rolling periods. Define concrete retention periods for your product categories (accounts, billing, logs, marketing).

10. Security

We implement administrative, technical, and organizational measures appropriate to the risk. No method of transmission or storage is completely secure; we encourage strong passwords, MFA where available, and prompt reporting of suspected incidents.

11. Your rights

Depending on your location, you may have rights to access, correct, delete, or export personal data, to restrict or object to certain processing, and to lodge a complaint with a supervisory authority. To exercise rights, contact us using the details you publish for your deployment. We will verify requests as permitted by law.

12. Children

The Service is not directed to children under the age where parental consent is required in their jurisdiction. We do not knowingly collect personal information from children. If you believe we have, contact us and we will take appropriate steps to delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised policy with an updated date and, where appropriate, provide additional notice. Please review the policy periodically.

14. Contact

For privacy inquiries, use the contact methods shown in the contact section after you configure them for your organization.

Read the terms of service or return to home.