Privacy Policy

1. Who We Are

SammySam ("we", "us", "our") is a European company that creates crochet kits with companion video instructions. This privacy policy explains how we collect, use, and protect your data when you use the SammySam web application at sammy-sam.com.

2. What Data We Collect

By default, we collect no personal data. SammySam is designed to work entirely on-device — your progress is stored in your browser's localStorage, not on our servers. If you opt in to push notifications, your device's anonymous push token is stored on our servers so we can deliver reminders.

• Crochet progress (steps completed, time spent)
• Earned minutes and streak data (wallet)
• App preferences (language, theme, notification settings)
• An anonymous device identifier (a randomly generated UUID, not linked to your identity — used only to de-duplicate analytics events if you opt in)

This data never leaves your device unless you explicitly choose to create an account. We do not collect names, addresses, phone numbers, or any other personally identifiable information (PII) by default.

3. Optional Account

You may optionally create an account to sync your progress across devices. If you choose to do so:

• We collect your email address only, used for magic link authentication
• Authentication is handled by Supabase (hosted on EU servers)
• No password is stored — we use passwordless magic link login
• Your progress data is synced to our Supabase database (EU servers)

4. Optional Analytics

Analytics are off by default. If you opt in via the Settings page or consent banner, we collect anonymous usage data through two channels:

PostHog (analytics, EU-hosted)

• Privacy-friendly, EU-hosted (eu.posthog.com), with cookieless mode enabled
• Collects aggregate event data: page views, kit progress, step completions, and session length
• Includes PostHog autocapture (clicks, form interactions, scroll depth) and session replay with all input fields masked (passwords, emails, anything tagged private). Admin pages are excluded.

App usage events (action-level)

• Only collected if you have consented to analytics
• Events tracked: QR scans, step starts/completions, kit completions, buy clicks, referral shares, video plays, and install prompts
• Each event includes: kit name, step ID, language, anonymous device ID, and any marketing parameters (utm_source, utm_medium, utm_campaign) from the URL that brought you to the app
• No personal data (name, email, IP) is included in these events
• Stored on EU-based Supabase servers

5. Third-Party Services

SammySam integrates with the following third-party services:

• Vimeo — hosts our instruction videos. Vimeo may set its own cookies when you watch embedded videos. See Vimeo's Privacy Policy. Vimeo Privacy Policy
• Shopify — handles kit purchases. When you click "Shop Now", you are redirected to our Shopify store, which is subject to Shopify's Privacy Policy. Shopify Privacy Policy
• Supabase (optional) — provides account authentication and data sync for users who create an account. Data is stored on EU servers. See Supabase's Privacy Policy. Supabase Privacy Policy
• Google Fonts — we use the Poppins font, which is loaded via Next.js and self-hosted where possible. Your browser may connect to Google servers (fonts.googleapis.com) to fetch font files. Google does not use this connection for tracking. See Google Fonts Privacy FAQ. Google Fonts Privacy FAQ
• Sentry (crash + error monitoring) — if enabled, Sentry automatically collects crash reports and error stack traces, browser type, and page URL when the app encounters a bug. No personal data is included. See Sentry's Privacy Policy. Sentry Privacy Policy
• Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM) — when you opt in to notifications, your device generates an anonymous push token which we store linked to your account. We use it to send re-engagement reminders, order updates, and habit nudges. The token is rotated by your OS and can be revoked by disabling notifications in your device settings.

6. Data Storage

By default: All data is stored locally on your device using your browser's localStorage. No data is sent to our servers.

With an account: If you create an account, your progress data and email address are stored on Supabase servers located in the European Union, in compliance with GDPR requirements.

7. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

• Right of access (Article 15) — You can request a copy of any personal data we hold about you.
• Right to rectification (Article 16) — You can request correction of inaccurate data.
• Right to erasure (Article 17) — You can request deletion of your personal data.
• Right to restriction (Article 18) — You can request that we limit the processing of your data.
• Right to data portability (Article 20) — You can request your data in a machine-readable format.
• Right to object (Article 21) — You can object to the processing of your data.
• Rights related to automated decision-making (Article 22) — We do not use automated decision-making or profiling.

8. How to Exercise Your Rights

You can exercise your rights in two ways:

• Delete local data: Go to Settings > Delete All Local Data to delete all locally stored data, cached content, and service worker data instantly.
• Delete your account: If you have an account, go to Settings > Account > Delete My Account to permanently remove all cloud data (progress, wallet, streaks, achievements) from our servers.
• Email: Contact us at hello@sammy-sam.com for any data-related request. We will respond within 30 days. hello@sammysam.eu

9. Data Retention

• Local data: Persists on your device until you delete it via Settings, clear your browser data, or uninstall the app.
• Cloud data (account users): Retained while your account is active. All cloud data is permanently deleted when you delete your account.

10. Children's Privacy

SammySam is not specifically targeted at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at hello@sammy-sam.com and we will promptly delete it. hello@sammysam.eu

11. Changes to This Policy

We may update this privacy policy from time to time. The "Last updated" date at the top of this page will be revised accordingly. If we make significant changes, we will notify users through the app. We encourage you to review this policy periodically.

12. Related Policies

• Terms of Service — Rules for using the SammySam app
• Cookie Policy — How we handle cookies and localStorage
• Data Sharing Policy — How and when we share data with third parties

13. Contact Us

If you have any questions about this Privacy Policy, please contact us:

Email: hello@sammy-sam.com hello@sammysam.eu