Privacy Policy
How we collect, use, and protect your data.
Last updated: 18 March 2026
1. Data Controller
True Colours is operated by By Ylfa, Azuriet 33, 3831 VV Leusden, Netherlands. For privacy questions, contact us at support@truecolours.app.
2. Data We Collect
Account data
When you create an account, we collect your email address, display name, and avatar image. You can sign up with email and password or through Google OAuth.
Profile data
Content you create on the platform: uploaded images, colour codes, results, your collection/library, and custom titles.
Technical data
Standard server logs collected by our hosting provider (Vercel): IP address, browser type, and device information.
Local storage
We store UI preferences (sidebar state, sort preference) in your browser's local storage. These are not tracking cookies and are never sent to third parties.
3. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Account management and authentication | Contract performance (GDPR Art. 6(1)(b)) |
| Displaying your content in the community | Contract performance |
| UI preferences (sidebar, sort order) | Legitimate interest (Art. 6(1)(f)) — strictly necessary for the service |
| Processing payments | Contract performance (via Paddle) |
| Platform security and abuse prevention | Legitimate interest |
4. Third-Party Processors
Supabase Inc. (United States) — Database hosting, authentication, and file storage. Your data is stored in the eu-north-1 (Stockholm) region. Supabase's Data Processing Agreement and Standard Contractual Clauses apply.
Vercel Inc. (United States) — Application hosting, edge network, and server logs. Vercel's Data Processing Agreement applies.
Paddle.com Market Ltd (United Kingdom) — Payment processing as Merchant of Record. Paddle processes payment data directly; True Colours does not store your payment card details. See Paddle's Privacy Policy at https://www.paddle.com/legal/privacy.
Google LLC (United States) — OAuth authentication provider, only if you choose to sign in with Google. See Google's Privacy Policy at https://policies.google.com/privacy.
5. International Data Transfers
Your data may be transferred to the United States (Supabase, Vercel, Google) and the United Kingdom (Paddle). These transfers are protected by the EU-US Data Privacy Framework, Standard Contractual Clauses, and adequacy decisions where applicable.
6. Data Retention
We keep your data while your account is active. When you delete your account, all personal information (email, name, avatar, profile) is removed within 30 days. Colour codes and results you shared with the community remain visible but are no longer linked to your identity. Private data (drafts, collection, preferences) is deleted entirely. We may retain anonymised, aggregate statistics (such as total number of codes created) but no data that could identify you. Server logs are retained according to Vercel's standard retention policy.
7. Your Rights
Under GDPR (Articles 15-22), you have the right to:
- Access — Request a copy of your personal data
- Rectification — Correct inaccurate data
- Erasure — Delete your account and data
- Restrict processing — Limit how we use your data
- Data portability — Receive your data in a structured, machine-readable format
- Object — Object to processing based on legitimate interest
- Withdraw consent — Where consent is the legal basis for processing
To exercise any of these rights, email support@truecolours.app or delete your account from your account settings.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at https://autoriteitpersoonsgegevens.nl.
8. Cookies and Local Storage
True Colours uses only functional local storage for UI state (sidebar position, sort preference). We do not use analytics cookies, advertising cookies, or third-party tracking of any kind. Because we only use strictly functional storage, no cookie consent banner is required.
9. Children
True Colours is not intended for children under 16, which is the age of digital consent in the Netherlands. We do not knowingly collect data from children under 16. If we discover that we have, the data will be deleted promptly.
10. Changes to This Policy
If we make changes to this policy, we will notify you by email or through an in-app notice at least 30 days before the changes take effect. The "Last updated" date at the top of this page will be revised. If you disagree with the changes, you can close your account and export your data during that notice period.