Privacy Policy

Last updated: 19 April 2026

The privacy of your data is important to us. Your data belongs to you, not to us. In this policy, we set out what data we collect and why, how your data is handled, and your rights with respect to your data. We do not sell your data and never have.

This policy applies to the CozyGrids application at cozygrids.com and all related services. CozyGrids is operated from the United Kingdom. We refer to you (site visitors, free users, and paying subscribers) collectively as “you” throughout this policy.

What we collect and why

Our guiding principle is to collect only what we need. Here is what that means in practice:

Identity and access

When you sign up for CozyGrids, we collect your email address. We use a one-time-password (OTP) flow for authentication; no passwords are stored. Your email lets us send you login codes, essential account notifications, and, with your consent, occasional product updates.

We will never sell your personal information to third parties, and we will not use your name or email in marketing statements without your permission.

Billing information

If you subscribe to CozyGrids Pro, payment is processed entirely by Stripe. Your card details are submitted directly to Stripe and never touch our servers. We store only a Stripe customer ID and subscription status so we can manage your account and generate invoices.

How we process your images

Our lawful basis for processing your uploaded images is Article 6(1)(b) of UK GDPR: processing is necessary for the performance of our contract with you. You upload an image for the specific purpose of generating a craft pattern, and we process it solely for that purpose.

Source images are processed on our servers and deleted immediately after your pattern has been generated. We do not retain copies of your uploaded images beyond the processing session.

Generated patterns are stored locally in your browser. If you are a signed-in user, patterns may optionally be stored in our database for cross-device access until you delete them or close your account.

Images containing identifiable persons

If you upload a photograph containing identifiable individuals, that image constitutes personal data under UK GDPR. We process it solely to generate your pattern and delete it immediately afterwards. We do not perform facial recognition, biometric analysis, or any form of identity processing on uploaded images.

Analytics

With your consent, we use PostHog (EU region) to understand how the app is used — for example, which features are popular, where people drop off in the pattern-generation flow, and how our Pro conversion funnel performs. Analytics are opt-out by default; nothing is collected until you accept the cookie banner.

When you are signed in, you are identified to PostHog by a one-way SHA-256 hash of your email address. PostHog never sees your raw email, your uploaded photos, or your generated patterns. If session replays are ever enabled, all text inputs (including email fields and pattern names) are masked before anything leaves your browser.

We also collect a lightweight anonymous session heartbeat on our own servers (MongoDB) to measure uptime and broad usage. This contains no personally identifiable information. We do not run advertising trackers or retargeting pixels.

Cookies and local storage

We use a minimal set of cookies and browser storage:

• Session cookie: an httpOnly JWT cookie used for authentication. It identifies your logged-in session and expires when you sign out or after a set period.
• localStorage: used to store your user preferences (e.g. dark mode, last-used settings) and saved craft patterns. This data never leaves your browser unless you are authenticated and choose to sync.
• Consent preference: we store your analytics consent choice so we do not ask you repeatedly.
• PostHog keys (prefixed ph_): set only if you accept the cookie banner. PostHog uses them to identify returning sessions and to remember your opt-out preference if you later decline.

We do not use advertising cookies or cross-site tracking cookies.

Voluntary correspondence

When you email us with a question or support request, we keep that correspondence, including your email address, so that we have a history of past correspondence to reference if you contact us in the future.

When we access or disclose your information

To provide the service you have requested. We use the following third-party subprocessors to help run CozyGrids:

• MongoDB Atlas: database hosting (user accounts, saved patterns, anonymous analytics)
• Stripe: payment processing for Pro subscriptions
• Vercel: application hosting and serverless functions
• Resend: transactional email delivery (login codes, account notifications)
• PostHog (EU): product analytics — feature usage and conversion-funnel events, hosted in the European Union

To help you troubleshoot or fix a bug, with your permission. If we ever need to access your account data to help with a support case, we will ask for your explicit consent before proceeding.

Aggregated and de-identified data. We may aggregate and/or de-identify information collected through the service. We may use de-identified or aggregated data for any purpose, including understanding usage trends.

When required under applicable law. CozyGrids is a UK-based service. If UK law enforcement authorities have the necessary warrant, court order, or legal process requiring us to disclose data, we must comply. It is our policy to notify affected users before we disclose data unless we are legally prohibited from doing so.

Your rights with respect to your information

Under the UK GDPR and Data Protection Act 2018, you have the following rights. We apply these rights to all users, regardless of location:

• Right of Access. You have the right to access the personal information we hold about you, and to obtain information about how it is processed.
• Right to Correction. You have the right to request correction of your personal information if it is inaccurate or incomplete.
• Right to Erasure. You have the right to request that your personal information be erased from our systems. Fulfilling this request will result in closing your account and deleting all associated data.
• Right to Restrict Processing. You have the right to request restriction of how and why your personal information is used or processed, including opting out of analytics.
• Right to Object. You have the right, in certain situations, to object to how or why your personal information is processed.
• Right to Portability. You have the right to receive the personal information we hold about you in a structured, commonly used format, and to transmit it to another party.
• Right to Not Be Subject to Automated Decision-Making. You have the right to object to and prevent any decision that could have a legal or similarly significant effect on you from being made solely based on automated processes.
• Right to Complain. You have the right to make a complaint regarding our handling of your personal information with the UK Information Commissioner's Office (ICO). You can contact the ICO at ico.org.uk.

To exercise any of these rights, please contact us. We may need to verify your identity before processing your request.

How we secure your data

All data is encrypted via SSL/TLS when transmitted between our servers and your browser. Our database is hosted on MongoDB Atlas with encryption at rest enabled. Access to production systems is restricted and protected by multi-factor authentication.

What happens when you delete your data

You can delete individual saved patterns at any time from within the app. If you delete your account entirely, all associated data (your email, Stripe customer ID, saved patterns, and any analytics records) will be permanently removed from our systems within 30 days.

Data retention

We keep your information for the time necessary to provide the service. Specifically:

• Account data (email, Stripe ID): retained while your account is active, deleted within 30 days of account closure.
• Saved patterns: retained while your account is active or until you delete them.
• Uploaded photos: deleted immediately after pattern generation is complete. No copies are retained beyond the processing session.
• Anonymous analytics: retained for up to 12 months, then aggregated or deleted.
• Support correspondence: retained for as long as needed to provide support and for our records.

Location of data

CozyGrids is operated from the United Kingdom. Our infrastructure providers (Vercel, MongoDB Atlas) may process data in the United States or European Economic Area. PostHog is hosted in the European Union. By using CozyGrids, you acknowledge that your data may be transferred to and stored in these regions, always subject to appropriate safeguards under UK GDPR.

Complaints

If you wish to make a complaint about how we handle your personal data, please contact us. We will acknowledge your complaint within 30 days and investigate without undue delay, in accordance with the Data (Use and Access) Act 2025. You also have the right to lodge a complaint with the Information Commissioner's Office ( ico.org.uk).

Changes and questions

We may update this policy as needed to comply with relevant regulations and reflect any new practices. Whenever we make a significant change, we will update the date at the top of this page and take appropriate steps to notify users.

If you have any questions, comments, or concerns about this privacy policy, your data, or your rights, please contact us and we will be pleased to assist you.

Originally inspired by Basecamp's open-source policies (github.com/basecamp/policies, archived December 2023), published under CC BY 4.0. Adapted and updated for CozyGrids in March 2026 to reflect United Kingdom law, our specific services, and current data protection requirements.