PRIVACY POLICY

Thinned — Miniature Painting Journal

Last updated: 17 April 2026

The short version: Thinned is a local-first app. Your painting projects, sessions, and photos are stored on your device. The only data that reaches our servers is what you explicitly share — your account email if you create one, and any recipes you choose to share via a share code. We collect the minimum data needed to run the service. We never sell your data.

1. Who We Are

Thinned is operated by Yggdrasil Ventures Limited, a company registered in England and Wales.

Yggdrasil Ventures Limited
124 City Road
London EC1V 2NX
United Kingdom

For privacy enquiries: support@thinned.app

Yggdrasil Ventures Limited is the data controller for the personal data described in this policy. We do not have a Data Protection Officer because we are a small organisation that does not carry out large-scale processing of special-category data. You can direct all privacy requests to the email address above.

2. Local-First by Design

Thinned is built around a local-first architecture. This means:

  • No account required. You can use all core features without creating an account or connecting to the internet.
  • Data stays on your device. Projects, painting sessions, recipes, photos, and paint inventory are stored locally on your device by default.
  • You control what leaves your device. Data is only sent to our servers if you create an account, and only for features you actively use (such as sharing a recipe via a share code).
  • Uninstalling the app removes local data. If you uninstall Thinned, all locally stored data is deleted by your operating system.

3. What Data We Collect

The data we collect depends on how you use Thinned. The table below lists every category of personal data we process.

Data | When | Legal Basis (UK GDPR)
Email address & password | When you create an account | Contract performance (Art. 6(1)(b))
Name (if provided via OAuth) | When you sign in with Google or Apple | Contract performance (Art. 6(1)(b))
Recipe content (steps, paints, notes, images) | Only for recipes you choose to share via a share code | Contract performance (Art. 6(1)(b))
Purchase history (anonymous transaction data) | When you make an in-app purchase | Contract performance (Art. 6(1)(b))
Crash reports (stack traces, device model, OS version, app version) | When the app encounters an error | Legitimate interest (Art. 6(1)(f)) — improving app stability

What we do NOT collect

  • We do not collect your location or GPS data.
  • We do not collect advertising identifiers.
  • We do not read your contacts, calendar, or other apps.
  • We do not use cookies or web tracking on our website.
  • We do not use any analytics or behavioural tracking SDKs.

A note on photo metadata

Photos you take within Thinned may contain EXIF metadata (including location data embedded by your device's camera). This metadata is stored locally on your device with the photo. If you share a recipe that includes photos, those images are uploaded as-is, including any embedded metadata. You can disable location services for the Thinned app in your device settings to prevent location data being embedded in new photos.

4. How We Use Your Data

  • Providing the service — authenticating your account and processing purchases.
  • Improving stability — crash reports help us identify and fix bugs.
  • Recipe sharing — when you share a recipe via a share code, the recipe content is made accessible to other Thinned users who enter that code.
  • Account communications — password reset emails and essential service notices (e.g., changes to these terms). We do not send marketing emails.

5. Third-Party Services

We use a small number of trusted third-party services to operate Thinned. Each acts as a data processor under our instruction.

Service | Purpose | Data Shared | Location
Supabase | Authentication, database, file storage | Account data, shared recipe content and images | EU (Frankfurt). Some sub-processors in the US (see Section 6).
Sentry | Crash reporting & error monitoring | Crash logs, device model, OS version, app version | EU (Frankfurt)
RevenueCat | In-app purchase management | Anonymous user ID, purchase transactions, device platform | US
Apple (App Store) | App distribution, payment processing | Payment info (processed directly by Apple) | US / Ireland
Google (Play Store) | App distribution, payment processing | Payment info (processed directly by Google) | US / Ireland
Google Sign-In | OAuth authentication | Name, email address | US
Apple Sign-In | OAuth authentication | Name, email (or relay email if you choose “Hide My Email”) | US / Ireland

We do not sell, rent, or trade your personal data to any third party. Data is shared with the services above only as necessary to provide Thinned's features.

Links to third-party privacy policies: Supabase, Sentry, RevenueCat, Apple, Google.

6. International Data Transfers

Your database and files are hosted on Supabase servers in the EU (Frankfurt, Germany). Crash reports are processed by Sentry in the EU (Frankfurt).

However, some of our service providers are based in or have sub-processors in the United States. Specifically:

  • Supabase sub-processors — include Amazon Web Services, Google (BigQuery for logs), Fly.io, and Cloudflare. While your database is in the EU, some operational data may transit US infrastructure.
  • RevenueCat — processes anonymous purchase data in US-based AWS data centres.
  • Google Sign-In & Apple Sign-In — authentication requests are processed by Google and Apple infrastructure globally.

Where personal data is transferred outside the UK or EU, these transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, and/or
  • The UK International Data Transfer Addendum issued by the ICO, and/or
  • Adequacy decisions where applicable.

We have requested and will sign Supabase's Data Processing Addendum (DPA), which incorporates these safeguards.

7. Data Retention

We keep your data only as long as necessary for the purposes described in this policy.

Data | Retention Period
Account data (email, name, auth records) | Retained while your account is active. Deleted within 30 days of an account deletion request.
Shared recipes | Recipes you share via a share code are stored on our servers until you delete the recipe or your account. Recipes that other users have already saved via a share code will remain in those users' local data even after you delete the original recipe or your account.
Crash reports | Retained for 90 days, then automatically deleted.
Purchase records | Anonymous transaction records are retained by RevenueCat for as long as needed to manage your entitlements. Apple and Google retain their own purchase records per their policies.
Database backups | Our database provider (Supabase) may retain backups for up to 7 days. Deleted data may persist in backups during this window, after which it is permanently removed.
Inactive accounts | Accounts with no activity for 2 years may be deleted. We will send a warning email at least 30 days before deletion.

8. Your Rights

Under the UK GDPR, you have the following rights in relation to your personal data:

Right | What This Means
Access | Request a copy of the personal data we hold about you.
Rectification | Ask us to correct inaccurate or incomplete data.
Erasure | Ask us to delete your personal data (“right to be forgotten”).
Restriction | Ask us to temporarily stop processing your data.
Data portability | Receive your data in a structured, commonly used format (JSON).
Objection | Object to processing based on legitimate interests (e.g., crash reporting).
Withdraw consent | Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email support@thinned.app. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113

9. How to Delete Your Account and Data

You can delete your account at any time using either method:

  • In the app: Profile > Delete Account
  • On the web: thinned.app account deletion page

Deleting your account permanently removes the following from our servers:

  • Your authentication record and profile information
  • Any recipes you have shared via share codes, along with any associated images
  • Entitlement and purchase records (from our database; Apple/Google retain their own records)

Deletion is permanent and cannot be undone. Local data on your device is not affected by account deletion — you can continue using Thinned offline.

10. Children's Privacy

Thinned is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are under 13, please do not create an account or send us any personal data.

If we become aware that we have collected personal data from a child under 13, we will delete that data promptly. If you believe a child under 13 has provided us with personal data, please contact us at support@thinned.app.

11. Data Security

We take reasonable measures to protect your personal data, including:

  • Encryption in transit — all data sent between the app and our servers is encrypted using TLS (HTTPS).
  • Encrypted storage — our database provider encrypts data at rest.
  • Password hashing — passwords are hashed using industry-standard algorithms and are never stored in plain text.
  • Row-Level Security — database access policies ensure users can only access their own data.
  • Least-privilege access — our backend uses scoped API keys with the minimum permissions necessary.

No system is 100% secure. If you discover a security vulnerability, please report it to support@thinned.app.

12. Additional Disclosures for California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

  • Right to know — you may request the categories and specific pieces of personal information we have collected about you in the last 12 months.
  • Right to delete — you may request deletion of your personal information.
  • Right to opt out of sale — we do not sell or share your personal information for cross-context behavioural advertising.
  • Non-discrimination — we will not discriminate against you for exercising your CCPA rights.

To exercise these rights, email support@thinned.app or use the account deletion tools described in Section 9.

13. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page.
  • Notify you via email (if you have an account) or through a notice in the app.

We encourage you to review this policy periodically. Your continued use of Thinned after changes are posted constitutes your acceptance of the updated policy.

14. Contact Us

If you have any questions about this privacy policy or our data practices, contact us at:

Yggdrasil Ventures Limited
124 City Road
London EC1V 2NX
United Kingdom
support@thinned.app
