Privacy Policy

Last updated: [DATE]. This policy explains how [COMPANY NAME], [legal form], Lithuania processes personal data as a controller under the EU General Data Protection Regulation (GDPR).

1. Data we process

  • Account data: name, email, password hash, avatar (via Google sign-in where used).
  • Usage data: projects, tasks completed, XP, streaks, bookmarks, notes, comments, ratings, onboarding answers.
  • Billing data: subscription status and Stripe customer reference. Card details are processed by Stripe and never touch our servers.
  • Technical data: IP address, device and log data required to operate and secure the Service; product analytics events where enabled.

2. Purposes and legal bases

  • Providing the Service and your account — contract performance (Art. 6(1)(b)).
  • Billing, tax and accounting — legal obligation (Art. 6(1)(c)).
  • Service emails (receipts, security, essential notices) — contract performance.
  • Product emails and digests — consent or legitimate interest with opt-out in Settings (Art. 6(1)(a)/(f)).
  • Analytics and error monitoring — legitimate interest in improving and securing the Service (Art. 6(1)(f)).

3. Processors

We use vetted processors under data processing agreements: Supabase (database and authentication), Vercel (hosting), Stripe (payments), Resend (email), and analytics/error-monitoring providers named in the Cookie Policy. Some providers may process data outside the EEA under Standard Contractual Clauses.

4. Retention

Account data is kept while your account is active and deleted or anonymized within 30 days of a deletion request, except billing records retained as required by Lithuanian accounting law (generally 10 years).

5. Your rights

You have the right to access, rectify, erase, restrict, port, and object to processing of your data, and to withdraw consent at any time. Contact privacy@[domain]. You may lodge a complaint with the Lithuanian State Data Protection Inspectorate (vdai.lrv.lt) or your local authority.

6. Security

Data is encrypted in transit, access is restricted by row-level security and least-privilege keys, and payment data is handled entirely by Stripe (PCI DSS Level 1).

Draft for launch — have a lawyer review before public release.

Privacy Policy · DrasaHUB