← Vector+ Studio

Privacy

Hey, I'm Andy. I built Vector+ Studio (with Claude's help, of course) and the other Waving Cat apps you'll find here. This page tells you exactly what data the apps collect, why, and what you can do about it. Plain English, no dark patterns.

What lands when you sign in

When you sign in with Google, GitHub, email/password, or a magic link, here's what lands in my systems:

• Your email address — needed to identify you across sessions and to reach you if something breaks.
• Your name and avatar URL — only if your provider (Google, GitHub) passed those along. Used for the small avatar in the header.
• A session cookie — a token that says "this browser is signed in." Set on .project-you.app so future Waving Cat apps share the same sign-in. Lasts about 1 hour, refreshed automatically while you're using the site.

That's it for sign-in. No tracking pixels, no third-party ad scripts.

What lands when you use the apps

• Carts you build in your browser — these are computed locally and only leave your machine if you choose to upload them.
• Carts you upload to the public sandbox — live temporarily on the server for up to an hour, then auto-delete. While they're there, anyone with the link can search them.
• Carts you upload to your private library — only you can see them. Stay until you delete them.
• Search queries — logged with the cart you ran them against, for debugging. Not used for ads, profiling, or anything else.
• IP address — nginx access logs. Kept ~30 days. Used to investigate abuse if it happens.

Who I share data with

• Supabase handles auth. They see your email and provider IDs. Their privacy policy: supabase.com/privacy.
• Google / GitHub know you signed into Waving Cat. They don't see what you do inside.
• DigitalOcean hosts the servers and routes traffic. Their policy: digitalocean.com/legal/privacy-policy.
• No one else. No data brokers, no marketing platforms, no analytics consortiums. If that changes I'll update this page and prompt you to re-accept.

How long things stick around

• Profile info: until you ask me to delete it.
• Sandbox carts: ~1 hour TTL, then auto-deleted.
• Private carts: until you delete them or close your account.
• nginx access logs: ~30 days.
• Supabase audit logs: per their default retention (typically 90 days).

Your rights (GDPR list, plain English)

• Access — ask me what I have on you. I'll send it within 30 days.
• Correct — ask me to fix it if anything's wrong.
• Delete — ask me to delete it. Account plus all your carts. Within 30 days.
• Export — ask me for a downloadable copy of your data.
• Object — tell me to stop processing your data. For most things this just means closing your account.
• Complain — if you think I'm doing something wrong, your local data-protection authority is the right place. (UK: ICO. EU: your member-state DPA. California: AG's office.)

How to use those rights

Email me: andy@project-you.app. I read this address myself. Response within a few days, action within 30.

Children

This service isn't designed for people under 16. If you are under 16, please don't sign up.

If this page changes

If I change anything meaningful, I'll bump the version number above and prompt you to re-accept the next time you sign in. Cosmetic edits (typo fixes, clarification) won't trigger a re-prompt.