Privacy Policy

Effective date: 7 April 2026

This Privacy Policy describes how Bobble Designs ("Bobble", "we", "us", or "our") collects, uses, and protects information when you access or use the Bobble web application and related services (collectively, the "Service") available at bobbledesigns.com.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please discontinue use of the Service.

1. Information We Collect

1.1 Account Information

When you choose to sign in via Google OAuth, we receive the following from your Google account:

• Email address
• Display name
• Profile photograph URL (where available)

We do not receive or store your Google password.

1.2 Project Data

When you use the Service, we may store:

• Crochet chart data, colour palettes, and project settings created within the application
• Images you upload for chart conversion (processed in-browser; only a compressed thumbnail is stored server-side for Pro users)

1.3 Subscription and Billing Data

If you subscribe to Bobble Pro, payment processing is handled entirely by Stripe, Inc. We store only your subscription status (active, cancelled, etc.) and plan type. We do not receive, process, or store credit card numbers, bank account details, or other payment instrument data.

1.4 Usage Analytics

To understand how the Service is used and to improve it over time, we record a small set of product analytics events. These are collected first-party (directly by our own Supabase backend — no third-party analytics service, no Google Analytics, no Facebook Pixel, no advertising trackers) and are limited to:

• Feature use events — such as which view you are on, which template you clicked, when you create a project, when you export a chart, and when an upgrade prompt is shown. These let us see whether features are being used and where people drop off.
• Session metadata — the referring URL (if any), the path segment within bobbledesigns.com, and your browser viewport size. Recorded once per session to provide context to the feature events above.
• Authentication lifecycle events — sign-in, sign-out, session restoration, and token refresh. Used for diagnosing login issues and basic fraud monitoring.

Each event is stored with a random session identifier (see section 8) and, if you are signed in, your account user ID, so we can distinguish repeat visitors from new ones and measure retention. Events are kept for no longer than 180 days before being deleted or aggregated.

We do not use advertising pixels, third-party analytics services, cross-site trackers, or any form of device fingerprinting. Analytics data is never shared with any third party.

Supabase (our backend host) automatically logs the IP address of incoming API requests as part of its platform infrastructure. We do not query, export, or analyse these logs ourselves, and they are retained according to Supabase's own retention policies.

If you would rather not have your activity included in our analytics, email us at hello@bobbledesigns.com and we will exclude your account from future event recording and delete any existing events linked to your account.

2. How We Use Your Information

We use the information collected for the following purposes:

• To provide, operate, and maintain the Service
• To authenticate your identity and manage your account
• To synchronise your projects across devices (Pro plan)
• To process and manage your subscription via Stripe
• To respond to support enquiries and service-related communications
• To comply with applicable legal obligations

3. Legal Basis for Processing (GDPR)

Where the General Data Protection Regulation applies, we process your personal data on the following bases:

• Performance of a contract — to provide the Service you have requested
• Legitimate interests — to maintain and improve the Service, and to ensure its security
• Consent — where you have given explicit consent (e.g. signing in with Google)
• Legal obligation — where required to comply with applicable law

4. Third-Party Services

The Service integrates with the following third-party providers, each of which operates under its own privacy policy:

• Supabase, Inc. — database hosting and authentication infrastructure (Privacy Policy)
• Stripe, Inc. — payment processing and subscription management (Privacy Policy)
• Google LLC — OAuth sign-in (Privacy Policy)
• Cloudflare, Inc. — hosting, content delivery, and DNS (Privacy Policy)

We do not sell, rent, or share your personal data with any parties other than those listed above, and only to the extent necessary to operate the Service.

5. Data Storage and Security

Project, account, and analytics data is stored on Supabase-managed infrastructure. The specific hosting region is configured within our Supabase project settings; if you would like to know the current region, please contact us at hello@bobbledesigns.com. All data in transit is encrypted using TLS/HTTPS. Access to user project data is restricted by row-level security policies at the database level, ensuring that only you can access your own projects and account information. Analytics events are not readable by end users: they are only visible to the site operator via a dedicated, email-gated admin view.

While we implement commercially reasonable security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data.

6. Data Retention

We retain your personal data only for as long as necessary to provide the Service and fulfil the purposes described in this policy. Specifically:

• Account data — retained until you delete your account
• Project data — retained until you delete individual projects or your account. Projects created by signed-in users (free or Pro) are synchronised to the cloud and stored on our servers.
• Subscription records — retained as required for financial record-keeping obligations
• Analytics events — retained for a maximum of 180 days, after which they are deleted or aggregated into anonymous totals

Users who continue without an account have their project data stored only in their browser's local storage, subject to their own device's retention policies. Analytics events from anonymous visitors are stored on our servers under a random session identifier (see section 8), which is not linked to any account or personal identifier.

7. Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you
• Portability — download your data in a machine-readable format (JSON) via Account settings
• Rectification — request correction of inaccurate data
• Erasure — delete your account and all associated data via the "Delete my account" function in Account settings
• Restriction — request that we restrict the processing of your data in certain circumstances
• Objection — object to processing based on legitimate interests

To exercise any of these rights, contact us at hello@bobbledesigns.com. We will respond to all requests within 30 days.

8. Cookies and Local Storage

The Service does not set traditional HTTP cookies for tracking. It does, however, use your browser's localStorage for the following purposes:

• Authentication (strictly necessary) — Supabase stores your session tokens so you remain signed in between visits and so short-lived access tokens can be refreshed in the background.
• Project storage (strictly necessary for local-only users) — if you choose "Continue without account", your projects are saved in an IndexedDB database local to your browser.
• Analytics session identifier — a random value (bobble_sid) generated on your first visit, used to group your activity into sessions for the analytics described in section 1.4. A first-visit timestamp (bobble_first_seen) is also recorded so we can tell whether a session is a returning or new visitor. Neither value identifies you personally; neither is shared with any third party.

Clearing your browser's site data for bobbledesigns.com will remove all of the above and sign you out.

We do not deploy advertising cookies, cross-site trackers, or any form of third-party tracking technology.

9. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected such data, we will take steps to delete it promptly. If you believe a child under 16 has provided us with personal data, please contact us at hello@bobbledesigns.com.

10. International Data Transfers

Your data may be processed in jurisdictions outside your country of residence, including within the European Union. Where applicable, we rely on adequacy decisions, standard contractual clauses, or other lawful transfer mechanisms to ensure appropriate safeguards are in place.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The revised policy will be posted on this page with an updated effective date. For material changes, we will make reasonable efforts to notify you via the email address associated with your account.

Your continued use of the Service following the posting of changes constitutes your acceptance of such changes.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: hello@bobbledesigns.com