The short version, then the rest.

If you join the waitlist: your email address, name, the source you picked (TikTok, Instagram, X, friend, search, other), and any UTM parameters your link carried.

If you have an account: your handle, display name, optional bio, social links, and the brand collaborations you've listed for verification.

Quietly, on every request: a hash of your IP combined with the day and a server-side salt. We never store the raw IP. The hash rotates daily so a returning visitor on day two looks like a new one. We use it only for rate-limiting and de-duplicating analytics events.

Your browser's user-agent string — the standard short header that identifies the browser family. Same dedup purpose.

Database: Supabase, hosted in Ireland (eu-west-1). Row-level security gates everything; nothing is publicly readable except verified collaborations and their public profile pages.

Email delivery: Resend (US-based provider). We send waitlist confirmations, verification requests to brand contacts, and reminder emails. Resend processes the recipient address on our behalf and is bound by their privacy policy.

Brand logos: Brandfetch and Clearbit's public logo APIs. We send the brand domain you typed (e.g. nike.com) and they return a logo URL. No personal data leaves the system in this call.

Marketing pixels (only after you consent): Meta Pixel, TikTok Pixel, and (later) X Ads Pixel. They each receive an event ping when you complete the waitlist, with a hashed email so the platforms can match you to their own logged-in users for ad-attribution.

Necessary: our authentication session cookie, plus cc_cookie which remembers your consent choice. Always on — the site can't function without them.

Analytics: none today. Our analytics are server-side and based on the rotating IP-day hash described above. Toggling this category off has no third-party impact yet but reserves space for a future privacy- preserving analytics SDK.

Marketing: the Meta, TikTok, and X pixels listed above. Off by default; loaded only when you click Accept all or check the category in Cookie preferences.

Under the GDPR (EU) and equivalent regimes you can ask us to: confirm what we have on you, give you a copy, correct it, delete it, restrict processing, or object to it. The DPA at the moment is just one of us in Lisbon, so the response is fast: email leomeque@gmail.com and we'll handle it within a few days.

Waitlist signups are kept until launch + 12 months, then auto-purged if you never converted into an account. Account data is kept while your account is active and deleted on request.