
Privacy Policy

How we collect, use, and protect your data.

Last updated: 21 May 2026

1. Data Controller

True Colours is operated by By Ylfa, Azuriet 33, 3831 VV Leusden, Netherlands. For privacy questions, contact us at help@truecolours.app.

2. Data We Collect

Account data

When you create an account, we collect your email address, display name, and avatar image. You can sign up with email and password or through Google OAuth.

Profile data

Content you create on the platform: uploaded images, colour codes, results, your collection/library, and custom titles.

Technical data

Standard server logs collected by our hosting provider (Vercel): IP address, browser type, and device information.

Local storage

We store UI preferences (sidebar state, sort preference, theme) in your browser's local storage. These are functional, not tracking cookies, and are never sent to third parties.

Usage analytics

We use a privacy-first product-analytics tool (PostHog, EU) to understand which features people use, so we can improve the service. It records a small set of product events (such as page views and key actions like starting a trial or completing a purchase) and a random analytics identifier stored in your browser's local storage. We do not enable automatic click tracking or session recording, we do not use it for advertising, and the only personal identifier we attach is your account ID — never your email or other personal details.

Beta waitlist email

If you submit your email through any of our closed-beta waitlist forms (on the sign-in page, the home feed strip, the page detail strip, the pricing card, the closed-beta info modal, or a locked feature), we store your email address along with which surface it came from and the date you submitted. We use this single piece of data for one purpose only: to notify you when public signups open. No promotions, no newsletters, no marketing follow-up — that's the promise. Submitting an email address that already belongs to an existing True Colours account is a silent no-op — no row is stored, no email is sent — to avoid sending the wrong message to people already inside the product.

3. How We Use Your Data

| Purpose | Legal Basis |
| --- | --- |
| Account management and authentication | Contract performance (GDPR Art. 6(1)(b)) |
| Displaying your content in the community | Contract performance |
| UI preferences (sidebar, sort order) | Legitimate interest (Art. 6(1)(f)), strictly necessary for the service |
| Processing payments | Contract performance (via Paddle) |
| Platform security and abuse prevention | Legitimate interest |
| Understanding feature usage to improve the service (privacy-first product analytics) | Legitimate interest (Art. 6(1)(f)) |
| Notifying beta waitlist subscribers when public signups open (launch announcement only, no promotions) | Consent (Art. 6(1)(a)); withdraw via the unsubscribe link in any email |

4. Third-Party Processors

Supabase Inc. (United States): database hosting, authentication, and file storage. Your data is stored in the eu-north-1 (Stockholm) region. Supabase's Data Processing Agreement and Standard Contractual Clauses apply.

Vercel Inc. (United States): application hosting, edge network, and server logs. Vercel's Data Processing Agreement applies.

Paddle.com Market Ltd (United Kingdom): payment processing as Merchant of Record. Paddle processes payment data directly; True Colours does not store your payment card details. See Paddle's Privacy Policy at https://www.paddle.com/legal/privacy.

Google LLC (United States): OAuth authentication provider, only if you choose to sign in with Google. See Google's Privacy Policy at https://policies.google.com/privacy.

Functional Software, Inc. (Sentry) (Germany, EU data residency): error monitoring and session replay. Captures error stack traces, the URL where the error occurred, browser type, and a redacted recording of the page state at the moment of the error. Personal identifiers (IP addresses, cookies, request bodies) are not sent. See Sentry's Privacy Policy at https://sentry.io/privacy/.

PostHog, Inc. (United States company; EU data residency): privacy-first product analytics. Processes a small set of product events and a random analytics identifier to help us understand feature usage. Data is stored in the European Union. We disable automatic click tracking and session recording, and the only identifier attached is your account ID: no email, IP-based profiling, or advertising use. See PostHog's Privacy Policy at https://posthog.com/privacy.

Resend, Inc. (United States): transactional email delivery (password resets, account verification, trial check-ins) and beta waitlist emails (confirmation when you join + one launch notification when public signups open). Resend processes your email address and the contents of the message we send you. See Resend's Privacy Policy at https://resend.com/legal/privacy-policy.

Cloudflare, Inc. (United States): bot-protection challenges on sign-up and sign-in (Cloudflare Turnstile). Turnstile processes your IP address and browser fingerprint to distinguish humans from automated traffic, without third-party tracking cookies. See Cloudflare's Privacy Policy at https://www.cloudflare.com/privacypolicy/.

5. International Data Transfers

Your data may be transferred to the United States (Supabase, Vercel, Google, Resend, Cloudflare) and the United Kingdom (Paddle). Sentry processes error data in Germany (EU) and PostHog processes product-analytics data within the European Union. These transfers are protected by the EU-US Data Privacy Framework, Standard Contractual Clauses, and adequacy decisions where applicable.

6. Data Retention

We keep your data while your account is active. When you delete your account, all personal information (email, name, avatar, profile) is removed within 30 days. Colour codes and results you shared with the community remain visible but are no longer linked to your identity. Private data (drafts, collection, preferences) is deleted entirely. We may retain anonymised, aggregate statistics (such as total number of codes created) but no data that could identify you. Server logs are retained according to Vercel's standard retention policy.

Beta waitlist: if you joined our waitlist, your email stays on the list until you unsubscribe. Every email we send to the waitlist contains a one-click unsubscribe link that immediately deletes your row. No further action is required on your part to be forgotten.

7. Your Rights

Under GDPR (Articles 15-22), you have the right to:

  • Access: request a copy of your personal data
  • Rectification: correct inaccurate data
  • Erasure: delete your account and data
  • Restrict processing: limit how we use your data
  • Data portability: receive your data in a structured, machine-readable format
  • Object: object to processing based on legitimate interest
  • Withdraw consent: where consent is the legal basis for processing

To exercise any of these rights, email help@truecolours.app or delete your account from your account settings.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at https://autoriteitpersoonsgegevens.nl.

8. Cookies and Local Storage

True Colours uses functional local storage for UI state (sidebar position, sort preference, theme) and an essential authentication cookie issued by Supabase to keep you signed in. Our privacy-first product analytics (PostHog, EU) stores a random analytics identifier in local storage as well — it uses no cookies, no cross-site or advertising tracking, and no session recording. Vercel Speed Insights collects anonymised performance metrics (Core Web Vitals) so we can keep the site fast — no identifier is stored against your visit. Because we set no advertising or cross-site tracking cookies, you will not see a cookie-consent banner.

9. Children

True Colours is not intended for children under 16, which is the age of digital consent in the Netherlands. We do not knowingly collect data from children under 16. If we discover that we have, the data will be deleted promptly.

10. Changes to This Policy

If we make changes to this policy, we will notify you by email or through an in-app notice at least 30 days before the changes take effect. The "Last updated" date at the top of this page will be revised. If you disagree with the changes, you can close your account and export your data during that notice period.
