Privacy Policy

When you create a Hollahoop account or interact with a project, we collect:

• Account identifiers— email address, display name, optional username, and an optional avatar image you upload.
• Authentication data— a hashed password (only if you sign up with email/password) and identifiers issued by any OAuth provider you choose to sign in with (GitHub, Google, or Microsoft Azure AD). See section 2 for the Google-specific breakdown.
• Product content— the feedback posts, comments, votes, roadmap items, changelog entries, and documentation pages you (or members of organisations you belong to) create through Hollahoop.
• Usage and operational data— basic request logs (IP address, user agent, timestamp, response status) used for rate-limiting, abuse prevention, and incident response. These logs are retained for up to 30 days and are not used for advertising.
• Optional integrations— if you connect a third-party integration (e.g. Slack or Discord webhooks), the webhook URL or credential you provide.

When you choose Continue with Google, Hollahoop initiates a standard OAuth 2.0 / OpenID Connect sign-in flow. We request only the following non-sensitive scopes from Google. We do not request access to Gmail, Drive, Calendar, Contacts, Photos, or any other Google Workspace API.

What we receive. After you approve the sign-in prompt, Google sends us:

• your Google account email address (verified flag included);
• your Google profile name (full, given, and family name where available);
• your Google profile picture URL (we do not copy the image to our servers unless you explicitly upload it as your Hollahoop avatar);
• your Google account’s opaque user identifier (the OpenIDsubclaim) and the email’s preferred locale, both used by our authentication provider to link the Google identity to a single Hollahoop account.

How we use this data. We use the Google data exclusively for the following narrowly-scoped purposes:

• Authentication. Verify your identity, create or sign you into your Hollahoop account, and keep you signed in via first-party session cookies.
• Account hydration.Pre-fill your Hollahoop display name and avatar from your Google profile so you don’t have to re-enter them. You can change these at any time on/app/account/profile.
• Transactional notifications. Send you product-related emails such as comment replies, roadmap status changes, and changelog announcements you opt into. We never use Google data for marketing emails.

Where it’s stored. We store this data in the authentication and profile tables of our self-hosted Supabase instance, located on infrastructure under our direct control inside the European Economic Area. Data is encrypted at rest by the storage layer and in transit via TLS. Email addresses and OAuth provider identifiers are never published outside your account.

What we don’t do with it.

• We do not sell, rent, or trade Google user data to third parties.
• We do not transfer Google user data to anyone other than the processors strictly needed to operate the service (see section 6).
• We do not use Google user data for advertising, profiling, or behavioural targeting.
• We do not use Google user data, in whole or in part, to develop, improve, or train any generalised or third-party AI/ML model. If you opt in to a Hollahoop AI feature with a Bring-Your-Own-Key provider (e.g. OpenAI), only the content you explicitly route through that feature is sent — never your raw Google profile or email.
• We do not allow human review of Google user data unless: (a) you give us explicit consent for a specific support case, (b) it is required to investigate a security incident, or (c) we are compelled by law.

Hollahoop’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. The disclosures in section 2 above (purposes, no advertising, no AI/ML training, no human review, no resale) are the operative implementation of those requirements.

Outside of Google sign-in data, we use the information we collect to:

• operate the Hollahoop service, including showing you and your organisation members the project content you create;
• send transactional notifications you opt into (comment replies, status changes, changelog publications);
• protect Hollahoop and its users from abuse, spam, and security incidents;
• diagnose bugs and improve performance, using aggregated and de-identified metrics where possible;
• comply with legal obligations and lawful requests.

We do not sell personal data.

Hollahoop uses first-party cookies for authentication (Supabase session cookies and a short-lived OAuth PKCE verifier) and a small amount of localStorage for UI preferences (theme, sidebar collapse state). We do not use third-party tracking cookies and we do not deploy advertising or analytics SDKs that fingerprint visitors.

Hollahoop is operated on infrastructure under our direct control. The service relies on the following processors:

• Self-hosted Supabase / PostgreSQL— database, authentication, storage, and realtime services. Hosted in the EEA.
• Cloudflare— edge network, TLS termination, and DDoS protection.
• Email delivery provider— transactional email only (sign-in links, notifications, password resets). No marketing campaigns are run through this channel.
• OAuth identity providers— GitHub, Google, Microsoft Azure AD — only when you choose them at sign-in.

These providers act as data processors and only handle the data strictly required to deliver the service.

We keep your account data for as long as your account is active. Request logs are kept for up to 30 days. When you delete your Hollahoop account from/app/account/settingsthe corresponding rows (profile, authored content authorship link, auth identity, votes, comments) are removed within seven days. Some cryptographic backups may persist for up to 30 days before they roll off.

You can review and edit your profile, change your avatar, manage connected OAuth identities, and permanently delete your account from theaccount settingspage. You can also revoke Hollahoop’s access to your Google account at any time from your Google account permissions page. If you are in the EEA / UK you also have the rights granted by the GDPR (access, rectification, erasure, restriction, portability, and objection); please contact us using the address below to exercise them.

Hollahoop is not directed to children under 16 and we do not knowingly collect personal information from children under that age. If you become aware that a child has provided us with personal information, please contact us so we can delete it.

We may update this policy from time to time. The “Last updated” date at the top of this page reflects the most recent change. Material changes that affect how we use Google user data will be highlighted with a banner inside the application before they take effect.

For privacy questions, data deletion requests, or to exercise the rights described above, contact us at [email protected].