Listroh ("we", "us", "our") operates the Listroh mobile application and website (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how it is stored, and what rights you have over it. It applies to all users worldwide, with additional provisions for users in the European Economic Area (EEA) and the United Kingdom (UK).
By accepting this policy on first launch and by using the Service, you confirm that you have read and understood it.
1. Who is responsible for your data
Listroh is the data controller for personal data collected through the app. If you have questions about how we handle your data, contact us at support@listroh.com.
2. What we collect and why
| Data type | Examples | Why we need it | Public? |
|---|---|---|---|
| Account | Email address, username, password (hashed) | Create and authenticate your account | Username only |
| Profile | Avatar image, bio, header colour | Display your public profile to other users | Yes |
| Contact | Phone number (optional) | Alternative account recovery | No — private |
| Content | Lists you create, titles, items, tags | Core app functionality | Published lists only |
| Social | Lists you save, users you follow, favourites | Social features | No — private |
| Consent | Timestamp and version of terms accepted | Legal record of your agreement (GDPR Art. 7) | No — private |
| Purchase | Play Store transaction record | Verify your paid download | No — handled by Google |
What we do NOT collect
- Precise or approximate location
- Contacts or call logs
- Device advertising identifiers (GAID, IDFA)
- Browsing history outside the app
- Biometric data
- Financial information (payments are handled entirely by Google Play)
3. Legal basis for processing (GDPR)
If you are in the EEA or UK, we process your personal data under the following legal bases:
- Contract (Art. 6(1)(b)): Processing necessary to provide the Service — authentication, account management, displaying your lists.
- Consent (Art. 6(1)(a)): Processing your avatar image and publishing your profile publicly. You gave explicit consent on first launch and can withdraw it by deleting your account.
- Legal obligation (Art. 6(1)(c)): Retaining your consent record as required by GDPR Article 7.
- Legitimate interest (Art. 6(1)(f)): Security monitoring and abuse prevention.
4. How we use your data
- To create, authenticate, and manage your account.
- To display your published lists on the global feed.
- To enable social features — following, saving, and favouriting lists.
- To send transactional emails: email verification and password reset.
- To store your avatar image and serve it to other users viewing your profile.
- To record your consent for legal compliance.
- To investigate and prevent abuse, spam, and violations of our Terms.
We do not use your data for advertising, sell it to third parties, or use it to build profiles for marketing purposes.
5. Where your data is stored
Your data is stored on Supabase, a cloud database provider hosted on Amazon Web Services (AWS) in the ap-south-1 (Mumbai, India) region. Supabase is SOC 2 Type II certified and encrypts all data at rest and in transit.
Avatar images are stored in Supabase Storage, an S3-compatible object store in the same AWS region. Uploaded images are served over a public CDN URL and are accessible to anyone with the link while your account is active.
If you are in the EEA or UK, please be aware that your data is transferred to India (a country outside the EEA). This transfer is made on the basis of Supabase's Standard Contractual Clauses with AWS. For more information, see Supabase's privacy page.
6. Who we share your data with
We share data only with the following sub-processors, all of which are necessary to operate the Service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | India (AWS ap-south-1) |
| Google Play | App distribution and payment processing | United States |
| Email provider (Resend / SMTP) | Transactional emails (verification, password reset) | United States |
We do not share your data with any other third parties. We do not use Google Analytics, Facebook SDK, or any advertising networks.
7. Public and private data
Visible to everyone
- Your username
- Your avatar image
- Your bio and header colour
- Lists you have published to the global feed
- Your follower and following counts
Visible only to you
- Your email address and phone number
- Draft and pending lists (not yet published)
- Lists you have saved from other users
- Your consent record and timestamp
8. Your consent record
When you accept this policy on first launch, we record the timestamp and version of the terms you agreed to. This record is stored in your profile on our server and is used solely to demonstrate compliance with GDPR Article 7. It is not shared with third parties.
If we materially update this policy, we will ask you to review and accept the new version on your next app launch.
9. Your rights
Depending on where you live, you may have the following rights over your personal data. To exercise any of them, email support@listroh.com.
- Access: Request a copy of all personal data we hold about you.
- Correction: Update inaccurate data via Settings → Edit Profile, or by contacting us.
- Deletion: Delete your account and all associated data via Settings → Delete Account. This is permanent. Alternatively, email us and we will delete it within 30 days.
- Portability: Request your data in a machine-readable format.
- Objection (EEA/UK): Object to processing based on legitimate interest.
- Withdraw consent (EEA/UK): Withdraw consent to data processing at any time by deleting your account. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Lodge a complaint (EEA/UK): You have the right to lodge a complaint with your local data protection authority.
We will respond to all requests within 30 days. We may ask you to verify your identity before acting on a request.
10. Data retention
We keep your data for as long as your account is active. When you delete your account:
- Your profile, lists, saved items, follows, and favourites are deleted immediately from our active database.
- Avatar images are removed from Supabase Storage within 7 days.
- Supabase may retain database backups containing your data for up to 30 days before those backups are permanently purged.
- Your consent record is retained for 12 months after deletion as required by GDPR Article 7.
11. Security
- All data is transmitted over HTTPS/TLS.
- Passwords are hashed by Supabase Auth and are never stored in plaintext.
- Row-Level Security (RLS) policies ensure users can only access their own private data.
- The Supabase service role key (which bypasses RLS) is never included in the app — it is used only in server-side operations.
- Our app credentials are injected at build time and are not stored in source code or bundled as assets.
12. Payments
Listroh is a paid app distributed through Google Play. All payment processing is handled entirely by Google Play. We do not receive, store, or process your payment card details. For payment-related queries, refer to Google Play support.
13. Children
Listroh is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. Users must confirm they are at least 13 years old before using the app. If you believe a child has registered an account, please contact us at support@listroh.com and we will delete the account promptly.
14. Changes to this policy
We may update this policy from time to time. When we make material changes, we will notify you via email (if you have one registered) and require you to review and accept the updated policy on your next app launch. The version number at the top of this page will be updated accordingly.
Non-material changes (such as fixing typos or clarifying existing descriptions) will be made without notice.
15. Governing law
This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023 (DPDPA). For users in the EEA or UK, the GDPR and UK GDPR apply in addition to Indian law where relevant.
16. Contact and complaints
For privacy-related questions, data requests, or complaints, contact our privacy team:
- Email: support@listroh.com
- Response time: within 30 days
If you are in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national data protection authority in the EU).