Privacy Policy
Effective date: 28 April 2026 · Controller: Plotit
1. What we collect
We collect the following categories of personal data:
- Account data — email address, hashed password (managed by Supabase Auth), user ID.
- Profile data — first name, username, bio, profile picture URL, age.
- Content data — achievements you create or receive, team memberships, event participation.
- Preferences — theme mode and interface language, stored in your browser's localStorage.
- Technical data — authentication timestamps, approximate region from IP address, browser type.
- Integration data — if you connect Strava or Notion, we store an OAuth token and the records you authorise.
2. Browser storage (localStorage, not cookies)
Plotit uses localStorage and sessionStorage — not HTTP cookies — to store preferences and session state locally in your browser.
3. Third-party services
- Supabase — database, authentication, and file storage. Your data is stored on Supabase infrastructure. See Supabase's privacy policy.
- DiceBear (api.dicebear.com) — used to generate preset avatar images on the profile setup screen. Your browser contacts their CDN directly, making your IP address visible to DiceBear. See DiceBear's privacy policy.
- Strava / Notion — only if you explicitly connect these apps. You may disconnect them at any time in Settings → Integrations.
4. How we use your data
- To provide and operate the Plotit service.
- To personalise your feed and achievement recommendations.
- To send transactional emails (password reset, email confirmation).
- To enforce safety, detect fraud, and comply with legal obligations.
- To improve reliability using anonymised usage patterns.
We do not sell your personal data.
5. Legal basis (GDPR)
- Contract — processing necessary to provide the service you registered for (Art. 6(1)(b)).
- Legitimate interests — security, fraud prevention, and service improvement (Art. 6(1)(f)).
- Consent — optional marketing communications where you opt in (Art. 6(1)(a)).
6. Data retention
We retain your data while your account is active. After account deletion we may keep certain records for up to 90 days to resolve disputes, prevent fraud, and meet legal obligations. Backups may persist for a limited additional period.
7. Your rights
Under GDPR and equivalent laws you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data — edit your profile in-app.
- Request deletion of your account and associated data.
- Data portability — request a machine-readable export.
- Object to or restrict processing in certain circumstances.
- Withdraw consent at any time where processing is based on consent.
Exercise your rights via Settings → Data in-app, or by emailing privacy@plotit.me.
8. Children
Plotit is not directed to children under 13. Users aged 13 to the age of majority in their jurisdiction should obtain parental consent where required by local law. We do not knowingly collect data from children under 13.
9. International transfers
Your data may be processed in countries outside your own. Where required we rely on appropriate safeguards (such as Standard Contractual Clauses) offered by our infrastructure providers.
10. Changes to this policy
We may update this policy. Material changes will be communicated via email or an in-app notice at least 7 days before they take effect. Continued use after that date constitutes acceptance.
11. Contact
Questions or complaints: privacy@plotit.me. You also have the right to lodge a complaint with your local data protection authority.