Legal

Privacy

Last updated: June 2026

What we collect

  • Account: email, display name (your choice), auth provider ID.
  • Vault: the LTDs and subscriptions you add. We never see the contents of any of these tools.
  • Email forwarding: emails you forward to your unique alias. We parse the sender, subject, body, and amount. We keep them for 30 days for debugging, then delete.
  • Click tracking: which deal pages you view, which affiliate links you click, which partner's URL we redirected to. Used to compute conversion rates and improve the catalog.
  • Cookies: essential (auth) only by default. Analytics cookies (PostHog and Google Analytics) only if you opt in via the cookie banner.

What we do NOT collect

  • No advertising trackers across sites.
  • No third-party data brokers. No selling your data. Ever.
  • No fingerprinting. No device IDs beyond a session cookie.

Your rights (GDPR)

You can: export everything we have on you, request deletion (7-day grace period), opt out of analytics cookies, opt out of marketing emails, and rotate your email alias at any time. Visit /settings to exercise any of these.

Where your data is stored

Postgres database hosted on Supabase (US region). Backups retained for 7 days. Email-forwarding data is held in the same database.

Sub-processors

We share the minimum data necessary with a small number of vetted service providers who process it on our behalf:

  • Supabase — database, authentication, and file storage (hosts account and vault data).
  • Resend — transactional and forwarded email delivery (processes your email address and message contents).
  • Stripe — partner/creator payouts only. Used for Connect accounts of partners; regular members' data is not sent to Stripe.
  • PostHog — product analytics, loaded only if you opt in to analytics cookies via the banner.
  • Google Analytics — aggregate traffic and audience analytics, loaded only if you opt in to analytics cookies via the banner.

We do not sell your data and use no other third-party processors.

Reviews you write

If you delete your account, any reviews you posted are deleted along with it. We do not retain anonymized copies.

Public deal & maker information

Our catalog includes publicly available information about software deals and their makers (for example, a maker's public social handle or a product's public listing). We process this under our legitimate interest in maintaining an accurate software catalog. If you are a maker and want your public information corrected or removed, email us and we will action it.

Who has access

Internally, access to user data is limited to the GrabLTD operator(s) on a need-to-know basis. Service-role credentials are stored in a password manager and rotated every 90 days. Beyond the sub-processors listed above, no third-party contractors have access to user data.

Contact

Privacy questions: privacy@grabltd.com. Response time: within 7 days.

Privacy policy — GrabLTD · GrabLTD