Legal

Privacy Policy

Last updated: 2026-04-13

What we collect

Account data.When you sign in with GitHub, we receive your GitHub ID, display name, and avatar URL through Supabase Auth. We don't receive or store your GitHub password.
Content you submit. Tools, screenshots, descriptions, comments, lists, upvotes, follows, pitch deck URLs.
View counts and upvotes. We store aggregated view counts per tool (deduped per session) and per-user upvotes.
Minimal request logs. Supabase and our hosting provider log basic request metadata (IP, user agent, timestamp) for abuse prevention. These logs are retained by those providers per their own policies.

What we don't collect

No tracking cookies beyond the Supabase auth session cookie.
No third-party analytics like Google Analytics.
No data from inside embedded tools. Embedded tools run in a cross-origin sandbox; we can't see what you type into them.
No payment data — tip jars go directly to the creator's platform.

Third parties we share data with

Supabase. Our database and auth provider. All data listed above lives on Supabase servers.
GitHub. If you choose to sign in with GitHub, we authenticate you via GitHub OAuth and receive your GitHub ID, display name, and avatar URL.
Google. If you choose to sign in with Google, we authenticate you via Google OAuth and receive your Google ID, name, email, and profile picture URL. Google sees your IP address as part of the OAuth handshake.
Magic links. If you sign in with a one-time email link, we ask Supabase to send the email through its transactional email pipeline. The email contains a single-use token that expires after a short window.
Anthropic (optional).If a submitter clicks “Suggest with AI” on the submit form, we send the tool title and description to Anthropic's Claude API for classification and moderation triage. Anthropic's data handling policy applies to those calls.
Voyage AI. We use Voyage AI to generate search embeddings so you can find tools by meaning, not just keywords. Tool titles, descriptions, categories, and tags are sent to Voyage AI for vectorisation. No personal data is included.
thum.io. When a tool is submitted via URL, we send the URL to thum.io to auto-generate a preview screenshot. No personal data is shared — only the public URL of the tool.
Stripe.If you subscribe to the Pro tier, Stripe processes your payment. We store only your Stripe customer ID and subscription ID — never your card number or billing address. Stripe's privacy policy governs their handling of payment data.
Discord (admin only). When a tool is submitted, we send the tool title and creator display name to a private Discord channel for admin review. No email addresses or other personal contact information are shared.
Vercel.Our hosting provider. Vercel processes HTTP requests (IP address, user agent, headers) as part of serving the site. Vercel's privacy policy applies.
Font and icon CDNs. Google Fonts serves Inter, JetBrains Mono, and Material Symbols. These providers see your IP as part of loading the site.

Your rights

You have the right to access, correct, export, and delete your personal data. The fastest path:

Delete your account from your profile page (a one-click button at the bottom of your profile while signed in). This cascades through every table — tools, comments, upvotes, lists, follows, scores, event memberships — and removes uploaded HTML / bundle files and screenshots from storage. Some entries may persist for up to 7 days in operational backups, after which they are permanently overwritten.
For access, export, or correction requests, email clementine.pouille@yahoo.com. We respond within 30 days.

Data retention

We keep your data for as long as your account is active. When you delete your account, the cascading delete runs immediately; operational backups containing the data are rotated out within 7 days. Aggregate, non-identifying data (e.g. total tool counts) may be retained indefinitely.

Legal basis (GDPR)

For users in the EU/EEA/UK: we process your data on the basis of (a) contract — to operate the service you signed up for, and (b) legitimate interest — to keep the platform safe and prevent abuse. You can object to processing or withdraw consent at any time by deleting your account.

Contact

Privacy questions, data requests, or complaints? Email clementine.pouille@yahoo.com. If you're in the EU and want to file a complaint with a supervisory authority, you have the right to do so under GDPR Article 77.

Children

tinytools is not directed at children under 13. If you're under 13, don't submit content. If you're a guardian and believe a child submitted content, contact us to remove it.

If you subscribe to the weekly tinytools digest, we store your email address for that purpose only. We do not share your email with third parties. You can unsubscribe at any time by emailing us or clicking the unsubscribe link in the digest.

Cookies

We set one cookie strictly necessary for the site to function: the Supabase authentication session. No marketing, analytics, or tracking cookies are used. This cookie is exempt from consent requirements under GDPR Article 5(3) and the ePrivacy Directive, as it is essential for the service to operate. For transparency, a notice is displayed on first visit.

Data sub-processors

The following services process data on our behalf. Each has its own privacy policy and, where applicable, a Data Processing Agreement (DPA) with us.

Supabase (database, auth, storage) — EU/US
Vercel (hosting, CDN) — US
Anthropic (AI classification, moderation) — US
Voyage AI (search embeddings) — US
thum.io (screenshot generation) — EU
Stripe (payment processing) — US
GitHub / Google (OAuth authentication) — US
Google Fonts (font delivery) — US
Discord (admin notifications) — US

Changes

If we change what we collect or how we use it, we'll update this page and the “Last updated” date above. Material changes will be flagged in-product.