Privacy Policy

Introduction

SeenWant respects your privacy. This Privacy Policy explains what personal information we collect, how we use and share it, and the rights you have. It applies to users worldwide and includes specific provisions for residents of California (CCPA/CPRA) and the European Economic Area (GDPR).

1. Data We Collect

• Google account data: email, name, profile photo (upon authentication)
• Library data: your lists of movies, TV shows, books, games, ratings, and statuses (Seen/Want)
• Comments and user-generated content posted on lists
• Feedback form data: name, Telegram (optional), message text
• Technical data: browser type, IP address, device information, approximate location derived from IP
• Usage data: pages viewed, swipe activity, interactions
• Analytics data: anonymous service usage statistics, session recordings (Microsoft Clarity)
• Cookies and localStorage data: theme, language, guest swipe preferences, consent state

2. Categories of Personal Information (CCPA/CPRA)

Under California law, we disclose the following categories of personal information collected in the past 12 months:

• Identifiers: email, name, IP address, account ID, Google OAuth subject
• Internet/electronic activity: pages viewed, swipe interactions, time spent, referring URL, session recordings
• Geolocation: approximate location derived from IP address (city/country level — we do not collect precise GPS)
• Inferences: media preferences inferred from your swipe activity for personalization
• Visual/audio (Microsoft Clarity): session recordings showing your interactions with the interface

We do NOT knowingly collect Sensitive Personal Information categories (precise geolocation, racial/ethnic origin, religious beliefs, health data, financial account numbers, government IDs, sexual orientation, biometric data, contents of private communications).

3. Sources of Personal Information

• Directly from you (authentication, swipes, comments, feedback form)
• From Google (when you sign in with Google OAuth)
• Automatically from your device (IP, browser, usage patterns)
• From analytics providers (Microsoft Clarity)

4. How We Use Data

• To provide and operate the service (authentication, library sync, recommendations)
• To process feedback submissions
• To analyze usage patterns and improve the service
• To detect and prevent fraud, abuse, and security incidents
• To enforce our Terms of Service
• To comply with legal obligations
• We do NOT use your data for advertising or behavioral targeting
• We do NOT sell your personal information to third parties

5. Data Sharing and Disclosure

We share personal information only with the following categories of recipients, for the purposes listed:

• Service providers (processors): Supabase (database/auth), Vercel (hosting), Microsoft Clarity (analytics), wsrv.nl (image proxy CDN), Google (OAuth) — solely to operate the service under contractual confidentiality and security obligations
• Third-party data sources: TMDB, RAWG, Google Books, Open Library — when fetching media data we may send your IP and request data, but not your account information
• Legal compliance: when required by law, subpoena, or to protect rights, safety, or property
• Business transfers: in case of merger, acquisition, or sale of assets, your data may be transferred (you will be notified)

We do NOT sell your personal information for monetary consideration. Note: under CCPA/CPRA, sharing data with analytics providers (Microsoft Clarity) for cross-context behavioral analysis may be classified as 'sharing'. You can opt out — see California Privacy Rights and /privacy/do-not-sell.

6. Data Storage and International Transfers

Your data is stored in Supabase (PostgreSQL) with encryption at rest and in transit. Servers are located in EU and US. If you access SeenWant from outside the US, your data may be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) for EU-to-US transfers where applicable. Microsoft Clarity processing occurs primarily in the United States.

7. Data Retention

We retain personal information only as long as necessary for the purposes described in this Policy:

• Account and library data: while your account is active; deleted within 30 days of account deletion request
• Comments and user-generated content: while your account is active; deleted within 30 days of account deletion (or sooner if you delete the comment)
• Feedback form submissions: up to 24 months for support and quality purposes
• Server logs (IP, request data): up to 90 days, then deleted or anonymized
• Analytics data (Microsoft Clarity): up to 13 months per Microsoft retention policy
• Backups: up to 30 days, then permanently deleted

8. Cookies and Similar Technologies

We use cookies and localStorage for: (a) Strictly necessary — authentication session, CSRF, consent state (cannot be disabled); (b) Functional — theme, language, guest swipe preferences (essential to your saved settings); (c) Analytics — Microsoft Clarity for session recordings and heatmaps (loaded only after you accept the cookie banner). We do NOT use advertising or tracking cookies. You can decline analytics by clicking 'Decline' in the cookie banner, in your browser settings, or by enabling Global Privacy Control (GPC) in your browser/extension. We honor GPC signals automatically as an opt-out of sharing.

9. Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: request what personal information we collect, the sources, the purposes, and the categories of recipients
• Right to Access: request a copy of your personal information
• Right to Delete: request deletion of your personal information
• Right to Correct: request correction of inaccurate personal information
• Right to Opt Out of Sale or Sharing: we do not sell, but you can opt out of 'sharing' with analytics providers
• Right to Limit Use of Sensitive Personal Information: we do not knowingly collect sensitive PI, but you can confirm
• Right to Non-Discrimination: we will not deny service, charge different prices, or provide different quality if you exercise these rights
• Right to Designate an Authorized Agent to make a request on your behalf

To exercise these rights: submit a request via the feedback form in the website footer or by emailing the privacy contact. We will verify your identity by matching the email associated with your account. Response time: up to 45 days (extendable by another 45 days if needed, with notice). Free of charge unless requests are excessive or repetitive.

10. Do Not Sell or Share My Personal Information

You can opt out of the 'sharing' of your personal information with our analytics provider. Two ways: (1) visit our /privacy/do-not-sell page and submit the request; (2) enable Global Privacy Control (GPC) in your browser — we automatically honor GPC signals as an opt-out for visitors from California (and other applicable jurisdictions). Opting out does not affect your ability to use SeenWant.

11. Your EU/EEA Rights (GDPR)

If you are in the European Economic Area, UK, or Switzerland, you have the following rights under GDPR:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure / 'right to be forgotten' (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object to processing (Article 21)
• Right to withdraw consent at any time
• Right to lodge a complaint with a supervisory authority

Legal bases for processing: Contract (account creation, library sync), Legitimate Interests (analytics, security, service improvement), Consent (cookies, marketing if any), Legal Obligation (compliance).

12. Security

We use: HTTPS for all connections, Row Level Security in the database, OAuth 2.0 for authorization, encrypted backups, security headers (CSP, HSTS, X-Content-Type-Options), rate limiting on API routes. No system is 100% secure — if a breach affecting your data is detected, we will notify you and applicable authorities within 72 hours where required by law (GDPR Art. 33-34, applicable US state breach notification laws).

13. Children's Privacy (COPPA)

SeenWant is not directed to children under 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent, in compliance with the Children's Online Privacy Protection Act (COPPA). If you are a parent or guardian and believe your child under 13 has provided us personal information, contact us via the feedback form and we will delete it promptly. For California users 13-15: we do not sell or share personal information of minors under 16 without affirmative authorization.

14. Changes to This Policy

When we make material changes to this Privacy Policy, we will update the 'Last updated' date and provide notice via the service interface or email at least 14 days before changes take effect. We encourage periodic review.

15. Feedback Form

When you submit feedback, we collect your name, Telegram (if provided), and message text. This data is delivered to our internal Telegram channel for processing. We do not use feedback data for marketing. Retention: up to 24 months.

16. Contact and Privacy Officer

For privacy questions, CCPA/CPRA/GDPR requests, or to exercise your rights: use the feedback form in the website footer. Legal entity name, postal address, and dedicated privacy email will be provided once finalized. For DMCA notices: see /dmca.