Privacy Policy
Last updated: June 19, 2026
Anonymity is the foundation of our platform. Your email, name and social-account photo are never visible to other users.
1. Data controller
The controller of your personal data is notmystuff.co, operated by its owner. For all privacy-related inquiries, contact us at privacy@notmystuff.co. We are based in Warsaw, Poland and process data in accordance with Regulation (EU) 2016/679 (GDPR).
2. What data we collect
We collect the following categories of data: (a) Authentication data – when you sign in with Google, Supabase Auth receives your email address and display name from Google. We store only the email address and the timestamp of account creation in our database; your Google profile photo is never stored. (b) Anonymous identifier – on first login we assign you a randomly generated handle (e.g. #GrayCoyote). This is your only visible identity on the platform. (c) Listing content – category, text description, approximate location hint, and any photos you voluntarily upload for a found or lost item report. (d) Messages – text content of conversations between anonymous users regarding a specific listing. (e) Security question answers – entered when creating a listing; stored exclusively as a one-way bcrypt hash. (f) Technical logs – IP address, browser user-agent, and request timestamps for a rolling 30-day window, used solely for abuse prevention.
3. What is publicly visible
The following information is visible to any visitor of the platform, including unauthenticated users: your randomly generated identifier (#XxxXxx), listing content (photo, category, location hint, description, and listing status). Nothing else is publicly visible. Your name, email address, Google profile photo, IP address, and the contents of private conversations are never shown to other users.
4. How we use your data
We use your data exclusively to operate the service: (a) Authentication – to verify your identity on login and maintain your session. (b) Matching – to help found-item reports reach the people who lost them. (c) Email notifications – to inform you when someone initiates a claim on your listing or when a new message arrives in a conversation you are part of. Emails are sent via Resend (see §6) using only your stored email address; no marketing emails are sent without explicit opt-in. (d) Abuse prevention – to detect and block automated scraping, brute-force attempts against security questions, spam listings, and harassment. (e) Platform improvement – aggregate, anonymised usage statistics (e.g. listing category distribution, geographic density) with no individual identifiers.
5. Legal basis for processing
We process your data on the following legal bases under GDPR Art. 6: (a) Performance of a contract (Art. 6(1)(b)) – authentication, session management, listing creation, and messaging are necessary to provide the service you requested. (b) Legitimate interests (Art. 6(1)(f)) – technical logs and abuse-prevention measures, where our interest in keeping the platform safe does not override your rights. (c) Compliance with legal obligations (Art. 6(1)(c)) – retention of data where required by applicable law.
6. Third-party processors
We share data with the following processors, each bound by a data processing agreement: (a) Supabase – provides authentication (Supabase Auth) and the PostgreSQL database that stores all application data. Supabase stores data in the EU region (Frankfurt, Germany). (b) Resend – transactional email delivery. We pass only the recipient email address and message content; Resend does not use this data for advertising. (c) Hosting infrastructure – the application runs on a self-hosted VPS or Vercel. Where Vercel is used, data may be processed in EU edge regions. We do not use Google Analytics, Meta Pixel, or any advertising networks. No data is sold to third parties.
7. Verification answers
Security question answers are hashed with bcrypt (cost factor ≥ 10) immediately on entry and the plaintext is discarded. We store only the hash. The hash is one-way: neither we nor any processor can read or reconstruct your original answer. This design means we cannot recover your answer if you forget it – only verify that a guess is correct. Hashes are deleted when the associated listing is permanently removed.
8. Data retention
We retain data for the minimum period necessary: (a) Listings – kept for 90 days after the listing is closed or resolved, then permanently deleted including all associated images and the security question hash. (b) Messages – kept for 30 days after the last message in a conversation, then permanently deleted. (c) Account data – kept until you delete your account. Deletion removes your email address, anonymous identifier, all listings, all messages, and all associated hashes within 24 hours. (d) Technical logs – rolling 30-day window; logs older than 30 days are automatically purged. (e) Backups – database backups are retained for up to 14 days; data deleted within the app is also purged from backups when the backup cycle completes.
9. Your GDPR rights
You have the following rights under GDPR, exercisable by contacting privacy@notmystuff.co or acting directly in the app: (a) Right of access – you may request a copy of all personal data we hold about you. (b) Right to rectification – you may correct inaccurate data. (c) Right to erasure ("right to be forgotten") – delete your account via Settings → Delete account; all your data is permanently erased within 24 hours. (d) Right to restriction of processing – you may request that we restrict processing while a dispute is resolved. (e) Right to data portability – you may request an export of your data in a machine-readable format. (f) Right to object – you may object to processing based on legitimate interests. (g) Right to lodge a complaint – you may complain to the Polish Data Protection Authority (UODO) at uodo.gov.pl. We will respond to all requests within 30 days.
10. Cookies
We use a single first-party session cookie set by Supabase Auth to maintain your login state. This cookie is strictly necessary for the service to function and is exempt from cookie-consent requirements under GDPR Recital 25. We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party cookies. No cookie consent banner is shown because we set no non-essential cookies. The session cookie expires when you sign out or after 7 days of inactivity.
11. International transfers
All primary data storage is within the European Economic Area (EEA). Supabase stores data in Frankfurt, Germany. Where Resend routes email delivery through infrastructure outside the EEA, it does so under Standard Contractual Clauses (SCCs) approved by the European Commission. We do not otherwise transfer your data outside the EEA.
12. Children
The platform is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact privacy@notmystuff.co and we will delete it promptly.
13. Changes to this policy
We may update this Privacy Policy to reflect changes in the service or applicable law. We will update the "Last updated" date at the top of this page. For material changes, we will notify signed-in users by email at least 14 days before the change takes effect. Continued use of the platform after the effective date constitutes acceptance of the revised policy.
14. Contact
For all privacy-related requests, questions, or complaints: privacy@notmystuff.co. We aim to respond within 5 business days.