HushWorkOpen App

Privacy Policy

Last updated: February 17, 2026

Overview

HushWork is built with privacy as a core principle. We collect the minimum amount of data necessary to provide the Service and never sell your personal information to third parties.

1. Data We Collect

Free Users (No Account)

If you use HushWork without creating an account, we collect no personal data. All your data (notes, focus sessions, preferences) is stored locally in your browser using IndexedDB and localStorage. Nothing is sent to our servers.

Authenticated Users

If you sign in, we store:

  • Email address — used for authentication (magic link login) and account recovery
  • Profile data — subscription status, Stripe customer ID for payment processing

Pro Users (Cloud Sync)

If you enable cloud sync as a Pro subscriber, we additionally store:

  • Notes content — encrypted in transit (TLS) and stored in our Supabase database
  • Background images — if you upload a custom background, it is stored in Supabase Storage

2. Analytics

We use Plausible Analytics, a privacy-friendly analytics service. Plausible does not use cookies, does not collect personal data, and is fully compliant with GDPR, CCPA, and PECR. Analytics data is aggregated and cannot be used to identify individual users. We use it solely to understand overall usage patterns (e.g., page views, most popular features).

3. Payment Processing

Pro subscriptions are processed by Stripe. We do not store your payment card details. Stripe handles all payment information in accordance with PCI-DSS standards. We only receive and store your Stripe customer ID to manage your subscription.

4. Data Storage and Security

  • Local data is stored in your browser's IndexedDB and localStorage. Clearing browser data will erase this information.
  • Cloud data is stored in Supabase (hosted on AWS) with row-level security policies ensuring you can only access your own data.
  • All data in transit is encrypted via TLS (HTTPS).
  • Background images are stored in Supabase Storage with access controlled by authenticated policies.

5. Third-Party Services

HushWork uses the following third-party services:

  • Supabase — authentication, database, and file storage
  • Stripe — payment processing for Pro subscriptions
  • Plausible — privacy-friendly website analytics
  • Vercel — hosting and deployment

6. Cookies

HushWork uses only essential cookies required for authentication (Supabase session tokens). We do not use tracking cookies, advertising cookies, or any third-party cookies. Plausible Analytics is cookie-free.

7. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data on the following legal bases:

  • Contract performance — processing your email, profile, and subscription data is necessary to provide the Service and fulfill your Pro subscription
  • Legitimate interest — aggregated, anonymous analytics (via Plausible) help us understand usage patterns and improve the Service
  • Consent — by creating an account and opting into cloud sync, you consent to the storage and processing of your notes and uploaded images

8. Your Rights

Under GDPR and other applicable privacy laws, you have the right to:

  • Access your data — all your cloud data is visible within the app
  • Rectification — update your notes and profile data directly in the app
  • Deletion — delete individual notes and images from the app, or permanently delete your entire account using the "Delete account" option in Settings. This removes all your data from our servers
  • Data portability — export your notes by copying them from the app
  • Withdraw consent — sign out to stop cloud sync; delete your account to remove all data
  • Lodge a complaint — you have the right to lodge a complaint with your local data protection supervisory authority if you believe your data is being processed unlawfully

To exercise any of these rights, use the in-app controls or email us at piotr@gebski.cloud. We will respond within 30 days.

9. International Data Transfers

Your data may be processed and stored outside your country of residence. Our infrastructure providers operate in the following regions:

  • Supabase — hosted on AWS (data stored in the region selected for your project)
  • Stripe — processes payments globally with data stored primarily in the United States
  • Vercel — serves content from edge locations worldwide

These providers maintain appropriate safeguards for international data transfers, including Standard Contractual Clauses (SCCs) where applicable.

10. Data Retention

  • Account data — retained for as long as your account is active. Deleted within 30 days of account deletion
  • Cloud notes and images — retained until you delete them or delete your account
  • Payment records — Stripe retains transaction data as required by financial regulations (typically 7 years)
  • Analytics data — Plausible retains aggregated, anonymous data indefinitely (no personal data is collected)
  • Local data — stored in your browser until you clear it. Not controlled by us

11. Children's Privacy

HushWork is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. We encourage you to review this page periodically.

13. Contact

For privacy-related questions or data deletion requests, contact us at piotr@gebski.cloud.