Privacy

What we collect

• From Google sign-in: your email address, full name (first and last), profile photo, and a Google account identifier — we use these to create your account and to pre-fill your profile.
• What you add to your profile: a profile photo (uploaded to our storage), your name, and any contact links you add (email addresses, phone numbers, social handles, websites, payment handles, etc.).
• Default share message: an optional note that goes out with each share.
• Per-share snapshots: when you generate a QR or share link, we save a small record containing the unique token, the IDs of the links you chose to include, the optional message, your account ID, and the time it was created.
• Standard server logs: our hosting providers (Vercel and Supabase) keep operational logs, e.g. request times and IP addresses. We don't use these for tracking or analytics.

We do not use third-party analytics, advertising trackers, or session-recording tools.

How sharing works

Cheers does not have a public profile page. Every time you tap Share QR Code, we generate a fresh, unguessable token (16 characters of random data) and create a one-off share link atcheers.cards/s/<token>that contains only the links you toggled on for that share.

Every share link expires 24 hours after it's created. After that the database refuses to return it; the link returns a “not found” page even if someone still has the URL.

Where it's stored

Your data lives in our Supabase project (Postgres database + object storage for your avatar). Data is encrypted in transit (HTTPS) and at rest. The Cheers app itself runs on Vercel. Both are subject to their own privacy and security policies.

Database row-level security ensures only you can read or modify your own profile and links. The only thing exposed publicly is a share record while it's active — and only to someone who already has the secret token.

Your account and your data

You can delete your account at any time. Tap delete account at the bottom of your profile and confirm. This action:

• removes your authentication record from Supabase,
• cascades to delete your profile, your links, and every share you've generated,
• removes your uploaded avatar files from storage.

All of this happens immediately and cannot be undone. If you'd rather request a manual deletion, email us at anna.elizglass@gmail.com.

Data retention

• Profile, links, and uploaded avatar: kept until you delete them or delete your account.
• Share records: become unreachable 24 hours after they are created — the database refuses to return them. We may purge expired records periodically. Deleting your account also removes any shares you've generated.
• Authentication records: kept while your account is active. Removed within minutes of you deleting your account.
• Operational logs(Vercel and Supabase): retained per their providers' standard retention periods (typically 30–90 days) for security and debugging.

California privacy rights

If you live in California, the California Consumer Privacy Act (CCPA), as amended by the CPRA, gives you specific rights about your personal information.

Categories of personal information we collect

• Identifiers: email address, name, profile photo, Google account identifier, IP address (in operational logs).
• Customer records: any contact details you choose to add as links — phone numbers, email addresses, social handles, websites, payment handles.
• Internet or electronic activity: standard request logs from our hosting providers.
• Visual information: profile photo you upload.
• Professional information: only if you choose to add a LinkedIn or similar link.

Sources: directly from you, or from Google when you sign in.

Purposes: to operate the service — create and authenticate your account, render your card, generate share links, and provide support.

We share personal information only with our service providers (Supabase for storage and authentication, Vercel for hosting, Google for sign-in) to operate the service on our behalf, and only for that purpose.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We have no advertising trackers and have not done so in the previous 12 months.

Your rights

• Right to know what personal information we have collected about you.
• Right to delete — use the delete account button on your profile, or email us. Deletion is immediate and complete.
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing — not applicable because we do neither.
• Right to limit use of sensitive personal information — not applicable; we do not use any of your information for secondary purposes.
• Right to non-discrimination: you will receive equal service and pricing regardless of whether you exercise these rights.

To exercise any of these rights, email anna.elizglass@gmail.com from the email address associated with your account, or have an authorized agent contact us on your behalf with written permission. We'll verify your identity and respond within 45 days as required by law.

Cookies

We use a single first-party cookie set by Supabase to keep you signed in. We don't use cookies for analytics or advertising.

Children

Cheers is not directed at children under 13 and we do not knowingly collect data from them.

Changes

If we make material changes to this policy we'll update the “Last updated” date above. For substantial changes affecting existing users we'll do our best to notify you in-app or by email.

Contact

Questions, requests, or anything else — reach out to anna.elizglass@gmail.com.