🪶 Featherlist

Privacy Policy

Last updated: April 3, 2026

1. Who we are

Featherlist is a habit-tracking application (“we”, “us”, “our”). You can reach us at privacy@featherlist.xyz.

2. What data we collect

We collect only what is necessary to provide the service:

  • Account data — your email address and display name, obtained when you sign up with email/password or via Google OAuth.
  • Usage data — habits you create, their titles, schedules, and completion records. This data is stored to provide the core functionality of the app.
  • Behavioral data — lifecycle events for each item you create (created, completed, reopened, deleted, converted). This data is used for internal analytics and product improvement. Events are deleted when the associated item is deleted and when your account is deleted.
  • Onboarding survey responses — on your first visit after signing up, we ask two optional questions: how you heard about Featherlist and which tools you currently use. Your responses are stored in your account profile and used to understand how people discover and choose Featherlist. You can skip these questions.
  • Technical data — standard server logs (IP address, browser type, timestamps) retained briefly for security and debugging purposes.

We do not collect payment information, location data, or any sensitive personal data.

Encryption at rest — your habit titles, notes, task content, inbox entries, and related text are encrypted using AES-256-GCM with a unique encryption key per account before being stored in the database. This means that the content of your habits and notes is unreadable in the database without decryption.

3. How we use your data

  • To authenticate you and maintain your session.
  • To store and display your habits and completion history.
  • To send emails related to your account and product usage — see Section 5 (Email communications) for a full description of what we send and how to opt out.
  • To diagnose errors and improve the service.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Third-party services

We rely on the following services to operate Featherlist:

  • Supabase — database and authentication infrastructure. Your data is stored on Supabase servers. See Supabase’s Privacy Policy.
  • Resend — email delivery service. Your email address is transmitted to Resend to send account and product emails on our behalf. Resend may log delivery metadata (delivery status, timestamps). See Resend’s Privacy Policy.
  • Google OAuth — optional sign-in method. If you choose to sign in with Google, Google shares your email and name with us. See Google’s Privacy Policy.
  • Cloudflare Turnstile — CAPTCHA service used during sign-up and login to prevent automated abuse. Turnstile processes your IP address and browser signals. See Cloudflare’s Privacy Policy.
  • Vercel — hosting and deployment. See Vercel’s Privacy Policy.
  • Sentry — error monitoring. When an unexpected error occurs, Sentry may capture a stack trace along with your user ID (but not your email or personal content) to help us diagnose and fix the issue. See Sentry’s Privacy Policy.

5. Email communications

By creating an account, you agree to receive the following emails from Featherlist:

  • Transactional emails — email address verification, password reset, and security notices. These are required for account operation and cannot be unsubscribed from.
  • Onboarding emails — a sequence of up to 6 emails sent over the first 30 days after sign-up, designed to help you get started. These are only sent if you have not yet created any habits.
  • Daily check-in reminders — one email per day with your next pending habit and a one-tap check-in link. Sent at a fixed time each day while you have active habits.

How to unsubscribe: every marketing email (onboarding and daily reminders) includes an unsubscribe link in the footer. Clicking it immediately stops that category of emails. You can also manage your email preferences from your account settings. We process unsubscribe requests immediately — you will not receive further emails of that type after opting out.

Unsubscribing from marketing emails does not affect transactional emails (account verification, password reset).

6. Data retention

We retain your data for as long as your account is active. If you delete your account, your personal data and habits will be permanently deleted within 30 days. To request account deletion, contact us at privacy@featherlist.xyz.

Behavioral events (item lifecycle data) are deleted automatically when the associated item is deleted, and are fully purged when your account is deleted.

7. Your rights

You have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your account and data.
  • Export your data.

To exercise any of these rights, email us at privacy@featherlist.xyz.

8. Cookies

Featherlist uses cookies and localStorage solely for functional purposes. We do not use advertising or tracking cookies. Specifically:

  • Session cookies — managed by Supabase for authentication and keeping you logged in.
  • Preference storage — store UI settings such as sidebar state locally in your browser, and store some account display preferences server-side so they sync across devices.
  • Landing variant cookie — a first-party cookie that determines which landing page version you see. It contains no personal information.
  • Cloudflare Turnstile — used on authentication forms to prevent abuse. Turnstile may set cookies as part of its challenge process. See Cloudflare’s Turnstile privacy policy for details.

9. Security

  • Encryption in transit — all data is transmitted over HTTPS (TLS 1.2+).
  • Encryption at rest — your habit titles, notes, task content, and inbox entries are encrypted using AES-256-GCM with a unique encryption key per account. We use envelope encryption: each account’s key is itself encrypted with a server-side master key. AES-256 is the industry standard and we prefer transparency over vague claims.
  • What this protects — if our database were ever accessed without authorization (breach, backup leak, or infrastructure access), your content would be unreadable without the encryption keys.
  • What this does not protect — this is server-side encryption, not end-to-end (E2E). The server decrypts your data to serve the application. E2E encryption would prevent server-side features like email reminders and AI inbox. We may explore E2E options in the future.
  • Authentication — tokens are managed by Supabase using industry-standard practices. Passwords are never stored in plain text.
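The per-account AES-256-GCM keys and master-key wrapping described in Sections 2 and 9 can be illustrated with Node's built-in crypto module. This is an added example, not Featherlist's code: the function names, the record layout and the use of the account ID as associated data are assumptions.

```javascript
// Added illustration of envelope encryption (not Featherlist's code); names and layout are assumed.
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// AES-256-GCM with a fresh 96-bit nonce per call; `aad` binds the ciphertext to its context.
function seal(key, plaintext, aad) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function unseal(key, { iv, ct, tag }, aad) {
  const d = createDecipheriv('aes-256-gcm', key, iv);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if key, tag or aad is wrong
}

// Per-account data key, stored only in wrapped form (encrypted under the master key).
function createAccount(masterKey, accountId) {
  const dataKey = randomBytes(32);
  return { accountId, wrappedKey: seal(masterKey, dataKey, `key:${accountId}`), rows: [] };
}

function storeTitle(masterKey, account, title) {
  const dataKey = unseal(masterKey, account.wrappedKey, `key:${account.accountId}`);
  account.rows.push(seal(dataKey, Buffer.from(title, 'utf8'), `habit:${account.accountId}`));
}
function readTitles(masterKey, account) {
  const dataKey = unseal(masterKey, account.wrappedKey, `key:${account.accountId}`);
  return account.rows.map(r => unseal(dataKey, r, `habit:${account.accountId}`).toString('utf8'));
}

// Constructed demo: `db` stands for what a database dump would contain.
function demo() {
  const masterKey = randomBytes(32); // held by the server, outside the database
  const db = { alice: createAccount(masterKey, 'alice'), bob: createAccount(masterKey, 'bob') };
  storeTitle(masterKey, db.alice, 'Morning run');
  const serverView = readTitles(masterKey, db.alice); // server-side decryption works
  let leakReadable = true; // database dump read without the real master key
  try { readTitles(randomBytes(32), db.alice); } catch { leakReadable = false; }
  let crossAccount = true; // alice's row opened with bob's data key
  try {
    const bobKey = unseal(masterKey, db.bob.wrappedKey, 'key:bob');
    unseal(bobKey, db.alice.rows[0], 'habit:alice');
  } catch { crossAccount = false; }
  return { serverView, leakReadable, crossAccount };
}
```

Because the server holds the master key, `serverView` is plaintext: this is the server-side, non-E2E property the policy states.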

10. Changes to this policy

We may update this policy from time to time. We will notify users of significant changes via email or an in-app notice. The “Last updated” date at the top reflects the most recent revision.

11. Contact

For any privacy-related questions, contact us at privacy@featherlist.xyz.

© 2026 Featherlist