The short version, then the rest.

If you join the waitlist: your email address, name, the source you picked (TikTok, Instagram, X, friend, search, other), and any UTM parameters your link carried.

If you have an account: your handle, display name, optional bio, social links, and the brand collaborations you've listed for verification.

Quietly, on every request: a hash of your IP combined with the day and a server-side salt. We never store the raw IP. The hash rotates daily so a returning visitor on day two looks like a new one. We use it only for rate-limiting and de-duplicating analytics events.

Your browser's user-agent string — the standard short header that identifies the browser family. Same dedup purpose.

Database: Supabase, hosted in Ireland (eu-west-1). Row-level security gates everything; nothing is publicly readable except verified collaborations and their public profile pages.

Email delivery: Resend (US-based provider). We send waitlist confirmations, verification requests to brand contacts, and reminder emails. Resend processes the recipient address on our behalf and is bound by their privacy policy.

Brand logos: Brandfetch and Clearbit's public logo APIs. We send the brand domain you typed (e.g. nike.com) and they return a logo URL. No personal data leaves the system in this call.

Payments: Polar (polar.sh) is our Merchant of Record. When you upgrade to Pro, Polar processes the payment and your card details — we never see or store your card. Polar receives your email and an account identifier to run the subscription, and is bound by their privacy policy.

Marketing pixels (only after you consent): Meta Pixel, TikTok Pixel, and (later) X Ads Pixel. They each receive an event ping when you complete the waitlist, with a hashed email so the platforms can match you to their own logged-in users for ad-attribution.

Ads (free profiles, only after you consent): Google AdSense serves ads on free creator profiles. AdSense’s script loads only once you accept marketing cookies, and Pro profiles are ad-free.

Necessary: our authentication session cookie, plus cc_cookie which remembers your consent choice. Always on — the site can't function without them.

Analytics: none today. Our analytics are server-side and based on the rotating IP-day hash described above. Toggling this category off has no third-party impact yet but reserves space for a future privacy- preserving analytics SDK.

Marketing: the Meta, TikTok, and X pixels listed above. Off by default; loaded only when you click Accept all or check the category in Cookie preferences.

Under the GDPR (EU) and equivalent regimes you can ask us to: confirm what we have on you, give you a copy, correct it, delete it, restrict processing, or object to it. The DPA at the moment is just one of us in Lisbon, so the response is fast: email email us and we'll handle it within a few days.

You can export all your data, or delete your account, yourself at any time from Settings. Deleting cancels any subscription immediately and schedules everything for permanent erasure after a 30-day grace period — you can undo it until then.

Waitlist signups are kept until launch + 12 months, then auto-purged if you never converted into an account. Account data is kept while your account is active and deleted on request.