What Anansi does with your data.

Everything you write into Anansi — goals, tasks, weekly retrospectives, people you reflect on, appreciation notes, “my needs” entries, legacy messages, self-reflection prompts, the Self page's living portrait, bucket-list items, group tags, and any files you attach to a weekly sync.

We don't look at it. There is no human review of your content, no model training on your content, and no advertising or recommendation system built on top of it.

• Account identity — your name, email address, and a hashed password (stored and verified by our authentication provider, Supabase Auth; we never see the plaintext).
• Session cookies — HttpOnly cookies that keep you signed in. Strictly necessary for the app to work.
• Server logs — request paths, status codes, and approximate timing. We do not log request bodies or response bodies. Logs are retained for operational debugging and rotated.
• Aggregate analytics — page-view counts and rough performance metrics via Vercel Web Analytics and Vercel Speed Insights. Both are cookieless. Neither identifies you personally to us.

• Database — Postgres managed by Supabase, in the region selected for our project.
• File uploads — your avatar, photos of people, and weekly-sync attachments live in Supabase Storage in the same region. Avatars and people photos are stored in public buckets behind unguessable URLs scoped to your user id; sync attachments live in a private bucket and are served via short-lived signed URLs (1 hour).
• Hosting — the Anansi web app is served by Vercel.
• Email— sign-up confirmations, password resets, and email-change confirmations are sent through Supabase's email provider.

Encryption: traffic to and from Anansi uses TLS. Data at rest in Supabase and Vercel is encrypted by those providers under their default policies.

The list of parties with access to your data is short and listed above: Supabase (database, auth, storage, email) and Vercel (hosting, analytics). We do not sell your data, share it with advertisers, or send it to third parties for profiling.

If we are ever legally compelled to disclose data — a court order, a valid subpoena — we will comply and, where the law allows, notify the affected user.

Anansi sets only cookies that are strictly necessary to operate the service: the HttpOnly session cookies issued by Supabase Auth, and a small cookie remembering your interface language preference. We do not use cookies for analytics, advertising, or profiling. Because all of our cookies are essential, no consent banner is shown.

• Export — Profile → Backups exports every row we hold about you, plus your binary attachments, as a single JSON file. No request needed.
• Correct or update — every field you can read on a screen is editable on that screen.
• Delete — you can delete individual entries at any time. To delete your entire account and all associated data, contact us (see below). Account deletion is irreversible and removes your database rows and storage objects within a few days of the request.

Depending on where you live (the EU, the UK, California, and others), you may have additional rights — including the right to object, the right to data portability, and the right to lodge a complaint with your local data protection authority. The export and delete paths above are intended to satisfy portability and erasure requests; for anything else, contact us.

Anansi is not intended for children under 16. If you believe a child has signed up, contact us and we'll remove the account.

Material changes will be announced inside the product before they take effect, and the “Last updated” date at the top of this page will move. Continued use after that date means you accept the change. If you don't, you can export and delete your account first.

Privacy questions, deletion requests, data subject access requests: privacy@anansi.app (replace once a real address is in place).