Privacy Policy

Last updated: April 15, 2026

1. Introduction

BlackBook ("we," "us," or "our") operates the MyBlackBook.app website and progressive web application (the "Service"). Your privacy is not just a feature — it is the foundation of our architecture. This policy explains what data we collect, how we use it, and the measures we take to keep it secure.

2. Data We Collect

Account Data

When you create an account, we collect your email address and authentication credentials (or a token from your OAuth provider, such as Google). This is the minimum required to identify your account.

User-Generated Content

All partners, interactions, notes, locations, tags, and settings you create within BlackBook are stored in our database and associated with your account. This data belongs entirely to you.

What We Do NOT Collect

No third-party analytics or tracking scripts
No advertising identifiers
No data sold or shared with third parties
No usage telemetry beyond basic server logs

3. How Your Data Is Protected

Row-Level Security (RLS):Every database query is scoped to your authenticated user ID at the PostgreSQL level. It is structurally impossible for one user to access another user's data.
Encrypted Notes: The notes field is encrypted at the application layer before being stored. Even in the event of a database breach, note contents are not readable.
PIN Lock: An optional app-level PIN uses PBKDF2-SHA256 with 200,000 iterations — the same strength used by password managers.
HTTPS Everywhere: All connections are encrypted in transit via TLS. HSTS headers ensure browsers always use HTTPS.
Security Headers: X-Frame-Options DENY, X-Content-Type-Options nosniff, strict Referrer-Policy, and Permissions-Policy are enforced on every response.

4. Data Storage & Location

Your data is stored on Supabase (PostgreSQL) hosted infrastructure. Backups are encrypted at rest. We do not replicate your data to additional third-party services.

5. Third-Party Services

We use the following third-party services, each with a limited scope:

Supabase: Database hosting and authentication. Subject to Supabase's Privacy Policy.
Vercel: Application hosting and CDN. Subject to Vercel's Privacy Policy.
Mapbox: Map rendering and geocoding. Location searches are sent to Mapbox to return results. Subject to Mapbox's Privacy Policy.
Google OAuth: If you sign in with Google, Google provides us with your email and basic profile info per their OAuth scopes. We do not access your contacts, calendar, or other Google data.

6. Data Deletion

You can delete individual partners and interactions at any time. Deleted items are soft-deleted and recoverable from the Trash for 30 days, after which they are permanently removed.

You can request full account deletion from Settings. Account deletion has a 7-day grace period during which you can cancel the request. After 7 days, all your data is permanently and irreversibly deleted from our systems.

7. Sharing & Linked Accounts

BlackBook supports optional 1:1 account linking for couples. Sharing defaults to "nothing shared" and requires explicit opt-in per partner and per interaction. Notes are never shared, even when sharing is enabled. Sharing can be revoked silently at any time.

8. Cookies & Local Storage

We use essential cookies for authentication sessions only. We do not use tracking cookies, advertising cookies, or fingerprinting. PIN lock state is stored in sessionStorage and clears when you close the browser tab.

9. Children's Privacy

BlackBook is not intended for use by anyone under the age of 18. We do not knowingly collect data from minors. If we learn that a user is under 18, we will delete their account and data promptly.

10. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated through the app. Your continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

For questions about this privacy policy or your data, contact us at privacy@myblackbook.app.