Privacy Policy

Last updated · May 22, 2026

Cobwebs is a web app for tracking how long it's been since you did something. This policy explains what we collect, why, who we share it with, and what you can do about it. We've kept it short on purpose.

Who we are

Cobwebs is operated by Wayflare OÜ, a company registered in Estonia.

  • Address: Pärnu mnt 141, 11314 Tallinn, Estonia
  • Registry number: 17495514
  • Contact for privacy questions: support@cobwebs.app

Wayflare OÜ is the data controller for personal data processed through Cobwebs.

What we collect

If you use Cobwebs anonymously (without an account), we collect nothing on our servers. Your activities live entirely in your browser's local storage (IndexedDB). Nothing leaves your device until you sign in.

If you create an account or sign in, we collect:

  • Your email address (always)
  • If you sign in with Google: your Google account ID, email address, and display name — only for the purpose of authenticating you. We do not request access to your contacts, calendar, files, or any other Google data.
  • The activities you create (name, emoji, dates) and when you mark them done
  • Your preferences (theme, email reminder settings)

If you start a Plus trial or become a Plus subscriber, our payment processor Stripe collects your payment information directly at the start of your trial. We never see or store your card details. No charge is taken during the 14-day trial. We receive only your subscription status (including “trialing”), Stripe customer ID, and the email used at checkout.

Automatic technical data: standard server logs (IP address, user agent, request timestamps) for security and debugging, retained for up to 30 days. We also use anonymous crash diagnostics (Sentry) and, for signed-in users, an upgrade-funnel analytics tally (PostHog) — both gated by your consent. The first time you open Cobwebs, you'll see a banner asking before anything non-essential loads.

Why we collect it

We process your data to:

  • Run the app for you and sync your activities across your devices
  • Send you the emails you opted into (magic link sign-in, the check-in email if enabled, overdue reminders for Plus users if enabled, payment receipts)
  • Process your subscription and meet our tax obligations
  • Investigate bugs, abuse, and security incidents
  • Comply with legal obligations (such as keeping payment records for tax law)

We do not sell your data. We do not use it for advertising. We do not train AI models on it. We don't profile you or make automated decisions about you.

Lawful basis (for EU/EEA/UK users)

Under GDPR, our lawful basis for processing is:

  • Performance of a contract for everything required to run the service (account, sync, payments)
  • Legitimate interest for security logs, fraud prevention, and the check-in email (which you can disable)
  • Consent for non-essential cookies, crash diagnostics (Sentry), and upgrade-funnel analytics (PostHog)
  • Legal obligation for retaining payment and tax records

Who we share it with

We use a small number of service providers (“subprocessors”) to run Cobwebs. They process data on our instructions and under contracts that meet GDPR requirements.

Provider | What they do | Region
Supabase | Database, authentication | EU
Vercel | Web hosting | Global edge network
Stripe | Payment processing | Global
Resend | Transactional email (sign-in, reminders, receipts) | EU (sending), US (account data, under SCCs)
Cloudflare | DNS | Global
Sentry | Crash diagnostics (only with your consent) | EU
PostHog | Upgrade-funnel analytics (signed-in users, only with your consent) | EU
Google | Sign-in (only if you choose Google sign-in) | Global

Where data is transferred outside the EU/EEA, those transfers are protected by Standard Contractual Clauses, the EU-U.S. Data Privacy Framework where the recipient is certified, or equivalent safeguards.

We do not share your data with anyone else, except where required by law (for example, in response to a valid legal request from a competent authority).

How long we keep it

  • Your activities and account data: for as long as your account exists.
  • Anonymous local data: stays in your browser until you clear it. We have no copy.
  • Account deletion: when you delete your account from Settings, we delete your data immediately and permanently. We do not keep a backup. (You'll see a brief confirmation step first.)
  • Payment records: 7 years, as required by Estonian tax law.
  • Server logs: 30 days.
  • Email send logs: 90 days, used to prevent duplicate sends and debug delivery issues.
  • Crash diagnostics & analytics: only if you opt in; processed in the EU by Sentry and PostHog and kept per their retention policies. Withdraw anytime in Settings → Privacy.

Your rights

If you're in the EU, EEA, or UK, GDPR gives you the right to:

  • Access the data we hold about you
  • Correct inaccurate data
  • Delete your data (right to erasure)
  • Export your data in a portable format
  • Object to or restrict how we process it
  • Withdraw consent at any time, where consent is the basis
  • Lodge a complaint with the Estonian Data Protection Inspectorate (aki.ee) or your local supervisory authority

Most of this is built directly into Cobwebs: Settings has a JSON export and an immediate account-deletion option. For anything else, email support@cobwebs.app and we'll respond within 30 days.

If you're in California, the CCPA (as amended by the CPRA) gives you similar rights to know, delete, correct, and opt out of any sale or sharing of personal information (we don't sell or share). Same email address.

Security

Your data is stored in Supabase with row-level security, meaning only your authenticated session can read or write your rows. Connections to the app are encrypted with HTTPS. Passwords are not stored — we use magic links and Google sign-in instead.

No system is perfectly secure. If we discover a data breach affecting you, we'll notify you and the relevant supervisory authority within 72 hours, as required by GDPR.

Cookies and similar technologies

Essential cookies, set without consent because they're strictly necessary to run the service:

  • An authentication cookie when you sign in (so you stay signed in)
  • Stripe's cookies during the checkout flow

Everything else is off until you say yes. The first time you open Cobwebs you'll see a banner asking to turn on:

  • Crash diagnostics (Sentry) — anonymous reports when something breaks, so we can fix it. Offered to everyone, signed in or not.
  • Upgrade-funnel analytics (PostHog) — a coarse, content-free tally of how the app and the Plus upgrade get used. Signed-in users only; never anonymous.

Nothing in either is loaded or sent until you choose “Allow.” They use a little local storage so we don't double-count you — never advertising or cross-site tracking cookies, and we never sell anything. If your browser sends Global Privacy Control or Do Not Track, we take that as a no and don't ask. You can change or withdraw your choice anytime in Settings → Privacy.

Children

Cobwebs is not directed at children. Under EU law, the age of digital consent is 16, lowered to 13 in some countries (including Estonia). We don't knowingly collect data from children below the applicable age. If you believe a child has given us their data, email support@cobwebs.app and we'll delete it.

Changes to this policy

If we change this policy, we'll update the date at the top. For material changes, we'll email signed-in users before the change takes effect.

Contact

For any privacy question, request, or complaint:

support@cobwebs.app
Wayflare OÜ
Pärnu mnt 141, 11314 Tallinn, Estonia