Privacy Policy

Last updated: April 24, 2026

1. Controller

The controller responsible for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) is:

[TODO: Your Name / Company Name]
[TODO: Street, House Number]
[TODO: Postal Code, City, Country]
Email: support@hedgo.app

2. Data We Collect

When you use Hedgo, we may collect the following data:

  • Account data: email address and password (stored via Supabase Auth with bcrypt hashing).
  • Activity data: activity ideas, bucket names, ratings, completion dates, and notes you create within the app.
  • Location data (optional): if you grant permission, we use your device location to display activities near you. Location is processed on-device and only transmitted when you explicitly pin an activity to a map location.
  • Calendar data (optional): if you grant permission, we read and write calendar events to add activities to your device calendar. Calendar data is not stored on our servers.
  • Profile photo (optional): an avatar image you choose from your photo library, stored in Supabase Storage.
  • Usage data: anonymized, aggregated usage statistics to improve the app. No personal identifiers are linked to these statistics.

3. Legal Basis for Processing

We process your data on the following legal bases (Art. 6 GDPR):

  • Contract performance (Art. 6(1)(b)): account and activity data are necessary to provide the service you signed up for.
  • Consent (Art. 6(1)(a)): location and calendar access are granted by you explicitly via system permission dialogs and can be revoked at any time in your device settings.
  • Legitimate interests (Art. 6(1)(f)): anonymized analytics to improve product quality.

4. Data Processors

We use the following third-party services to operate Hedgo:

  • Supabase Inc. (supabase.com) — database, authentication, and file storage. Data is hosted within the European Union. Supabase acts as a data processor under a Data Processing Agreement (DPA).
  • Google Maps Platform— map display for location-based activity views. Subject to Google's Privacy Policy.

5. Data Retention

Your personal data is retained for as long as your account is active. When you delete your account, all associated data (activities, buckets, ratings, profile photo) is permanently and irreversibly deleted within 30 days. Backups may retain data for up to 7 additional days before being purged.

6. Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Right of access (Art. 15) — request a copy of your data.
  • Right to rectification (Art. 16) — correct inaccurate data.
  • Right to erasure (Art. 17) — delete your account and all data.
  • Right to restriction (Art. 18) — limit processing in certain cases.
  • Right to data portability (Art. 20) — receive your data in a machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests.
  • Right to lodge a complaint — you may contact your local supervisory authority. In Austria: Datenschutzbehörde (dsb.gv.at).

To exercise any of these rights, email us at support@hedgo.app.

7. Account Deletion

You can delete your account directly within the Hedgo app under Settings → Account → Delete Account. Alternatively, follow the instructions on our Account Deletion page or email us at support@hedgo.app.

8. Children's Privacy

Hedgo is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via in-app notification or email. Continued use of Hedgo after changes constitutes acceptance of the updated policy.

10. Contact

For privacy-related inquiries, contact us at support@hedgo.app.