This Privacy Policy explains how Overlume (“we”, “us”, “the platform”) collects and processes your personal data when you use our website. It is provided in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (GDPR). Overlume is operated from the European Union and your data is hosted within the EU.
1. Who we are (Data Controller)
The data controller responsible for your personal data is the operator of Overlume. A dedicated privacy contact channel, together with the full company name, registered address, and (where applicable) the details of any appointed representative or Data Protection Officer, will be published here before launch.
2. What data we collect
We collect only the data needed to run the directory and let you submit and discover apps:
- Account / authentication data. If you sign in with a magic link, we store your email address. If you sign in with GitHub, we receive and store your GitHub profile data: your username, display name, and avatar image URL.
- Submitted app metadata. When you submit an app, we store the information you provide, including the app name, tagline, description, category, external link, and related details.
- Uploaded screenshots. Any images you upload to illustrate a submitted app.
- Profile details. Any optional fields you add to your public profile: display name, bio, organization, location, pronouns, a short quote, and links you choose to share (website, GitHub, X).
- Activity data. Records of actions you take on the platform: upvotes you cast, who you follow and who follows you, and comments and star ratings you post.
- Reports you file. When you report an app, profile, or comment, we store the report, including the free-text reason you write, linked to your account so our moderators can review it and prevent abuse.
- Notifications. In-app notifications we generate for you (for example, a new upvote, a new follower’s launch, or a comment on your app).
- Trust and moderation signals. To keep the directory safe we maintain internal signals about each account, such as a trust score and tier, verification and notable badges, and moderation status (including whether an account is frozen and, for our moderators only, internal review notes). These internal signals are not shown publicly; only the verified and notable badges are public.
3. Why we use your data and our legal basis
- To create and secure your account and authenticate you (email / GitHub profile). Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
- To publish your app submissions and screenshots and attribute them to you. Legal basis: performance of a contract (Art. 6(1)(b)) and our legitimate interest in operating a public directory (Art. 6(1)(f)).
- To record votes and prevent abuse, and to keep the platform safe and functional. Legal basis: legitimate interest (Art. 6(1)(f)).
We do not sell your personal data, and we do not use it for automated decision-making or profiling.
4. Where your data is stored (Processors)
Your data is stored and processed using Supabase, our database, authentication, and file-storage provider. Our Supabase project is hosted in the EU (Frankfurt, Germany) region. Supabase acts as a data processor on our behalf under a data processing agreement. Uploaded screenshots are stored in Supabase Storage.
5. How long we keep your data, and what happens when you delete
We retain your account data and submissions for as long as your account exists. You can delete your account at any time from your dashboard. When you do:
- Your account, profile, votes, follows, and notifications are permanently removed.
- Apps and comments you posted are taken down from public view, but are retained in our records in a removed (soft-deleted) state, with an audit history of changes. We keep these because they may be needed to enforce our Terms, handle reports and disputes, and preserve the integrity of the directory and any related moderation record. This retention relies on the exemption in Article 17(3) of the GDPR, which allows us to keep data where necessary to establish, exercise, or defend legal claims and to comply with our obligations.
We therefore do not promise unconditional erasure of content you published. Where we are not legally required to retain something, we remove it within a reasonable period.
6. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you;
- Request correction of inaccurate or incomplete data;
- Request erasure of your data (“right to be forgotten”);
- Restrict or object to certain processing;
- Receive your data in a portable, machine-readable format (data portability);
- Withdraw consent at any time, where processing is based on consent.
To exercise any of these rights, use the contact channel that will be published here before launch. You also have the right to lodge a complaint with your local data protection supervisory authority.
7. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected by updating the date at the top of this page.
8. Contact
Questions about this policy or your data? A contact channel will be published here before launch.