Privacy Policy

Last updated: May 9, 2026

This privacy policy informs you about the nature, scope, and purpose of the processing of personal data when using Goojo (goojo.io) in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the California Consumer Privacy Act (CCPA/CPRA).

1. Data Controller

The party responsible for data processing under the GDPR is:

Martin Pham
Obertiefenbacher Straße 9
65589 Hadamar
Germany
Email: [email protected]
Phone: +49 152 23010 6593

Appointment of a Data Protection Officer is not legally required and has not been made.

2. General Information on Data Processing

2.1 Scope

We process personal data of our users only to the extent necessary to provide a functional website and our content and services, or where you have given consent.

2.2 Legal Bases

Where consent is obtained, Article 6(1)(a) GDPR serves as the legal basis. For processing necessary for the performance of a contract, Article 6(1)(b) GDPR applies. Where processing is necessary to comply with a legal obligation, Article 6(1)(c) GDPR applies. Processing based on legitimate interests relies on Article 6(1)(f) GDPR.

2.3 Data Erasure and Storage Period

Personal data is deleted as soon as the purpose of storage no longer applies. Storage may continue if mandated by law (e.g., commercial or tax retention obligations).

3. Provision of the Website and Server Logs

Each time the website is accessed, our hosting provider Cloudflare (see Section 7.1) automatically collects:

  • IP address of the requesting device (truncated/anonymized)
  • Date and time of access
  • HTTP status code and response size
  • Referrer URL
  • User agent (browser and operating system)

Legal basis: Article 6(1)(f) GDPR. Our legitimate interest is to ensure the functionality, security, and stability of our website and to defend against attacks.

Storage period: Server logs are typically deleted automatically after a maximum of 30 days.

4. Account and Authentication

You can try Goojo without an account. In that case, data is stored only locally in your browser and is not transmitted to our servers.

Synchronization across devices, multiple dashboards, and paid features require an account. Registration options:

  • Email + Password: we store your email address and a hashed password.
  • Magic Link: we send a one-time sign-in link to your email.
  • Sign in with Google (OAuth 2.0): Google transmits your email address, name, and optionally your profile picture to us.

Processor: Authentication is handled by Supabase (see Section 7.2). Data is stored in a database in Frankfurt am Main (EU).

Legal basis: Article 6(1)(b) GDPR (contract performance); for Google sign-in additionally Article 6(1)(a) GDPR (consent).

Storage period: Until you delete your account. You may delete your account at any time in the settings.

5. Usage Data / User Content

When using the service, we process the following content created by you:

  • Bookmarks (URLs, titles)
  • Dashboards, cards, folders, and subgroups
  • Notes (Notes widget)
  • Widget configurations (e.g., weather location, currency pair)
  • File attachments (Files widget — Pro feature)
  • Branding settings (custom logo / title — Pro feature)
  • Click counts on bookmarks (for the Top Links widget)

Storage location: Supabase database in Frankfurt am Main (EU). File attachments in Supabase Storage (EU).

Legal basis: Article 6(1)(b) GDPR (contract performance).

Storage period: Until deletion by the user or account deletion.

6. Payment Processing

For paid plans (Pro, Teams) we use Lemon Squeezy as Merchant of Record (see Section 7.3). Lemon Squeezy is the seller of the service and handles payment processing, invoicing, and tax compliance.

We receive only the following data from Lemon Squeezy:

  • Lemon Squeezy customer ID (to link with your account)
  • Subscription status (active, canceled, payment failed, trial)
  • Plan and billing cycle

Payment data (credit card, bank account, PayPal, etc.) is never stored or processed by us — it remains exclusively with Lemon Squeezy and its payment processors.

Legal basis: Article 6(1)(b) GDPR (contract performance).

7. Third-Party Services

7.1 Cloudflare (Hosting & CDN)

Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA.

Purpose: Website hosting (Cloudflare Pages), content delivery network, DDoS protection, bot mitigation.

Data processed: IP address, request headers, user agent, referrer.

US transfer: Cloudflare is certified under the EU-US Data Privacy Framework. We have additionally entered into the EU Standard Contractual Clauses under Article 46 GDPR as a Data Processing Agreement.

Cloudflare privacy policy: cloudflare.com/privacypolicy

7.2 Supabase (Database, Authentication, Storage)

Provider: Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992.

Purpose: Backend database, authentication, file storage, realtime synchronization.

Storage location: AWS region eu-central-1 (Frankfurt am Main, Germany).

Data processed: Account data (email, hashed password, profile), usage data (bookmarks, dashboards), file attachments.

Supabase privacy policy: supabase.com/privacy

7.3 Lemon Squeezy (Payment Processing)

Provider: Lemon Squeezy LLC, 17 Edgewater Street #214, Staten Island, NY 10305, USA.

Purpose: Sale, payment processing, invoicing, and tax compliance (Merchant of Record).

Data processed: Name, email address, billing address, payment data (transmitted directly to Lemon Squeezy — we do not receive it).

US transfer: Transfer is based on EU Standard Contractual Clauses under Article 46 GDPR or, where applicable, the EU-US Data Privacy Framework.

Lemon Squeezy privacy policy: lemonsqueezy.com/privacy

7.4 Google (Sign-In via OAuth — optional)

If you choose to sign in via Google, your authentication data is exchanged directly with Google. Google transmits to us: email address, name, and optionally profile picture.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (for EU users).

Legal basis: Article 6(1)(a) GDPR (consent via clicking the Google sign-in button).

Google privacy policy: policies.google.com/privacy

7.5 Brandfetch (Logo API for bookmark creation)

Provider: Brandfetch SA, Switzerland.

Purpose: Auto-suggest brand logos and company names when creating new bookmarks.

Data processed: Search query you enter (e.g., a domain name) plus technical connection data (IP address).

Transfer: Switzerland is recognized by the European Commission as providing an adequate level of data protection (adequacy decision).

7.6 Iconify (Icon CDN)

Purpose: Delivery of icons used throughout the application.

Data processed: IP address, technical connection data when fetching icons.

7.7 Title Fetch (own Edge Function)

When you add a link, we fetch the target URL server-side to extract its page title and pre-fill the bookmark name. The request originates from our Supabase Edge Functions in Frankfurt, not from your browser. The request is not logged or stored.

8. Cookies and Local Storage

We use only strictly necessary cookies and local storage:

  • Authentication token (Supabase): required to keep you signed in across sessions.
  • Theme preference: stores your light/dark mode choice.
  • Language preference: stores your selected language.
  • Active dashboard: remembers your last opened dashboard.
  • Folder state: stores open/closed state of folders.
  • Onboarding status: remembers whether the tour has been completed.

We currently use no tracking, analytics, or advertising cookies. A cookie banner is therefore not required.

Legal basis: § 25(2)(2) TTDSG (strictly necessary) and Article 6(1)(b) GDPR.

9. Your Rights as a Data Subject

Where we process your personal data, you have the following rights under GDPR:

  • Right of access (Art. 15 GDPR): request information about the data we hold on you.
  • Right to rectification (Art. 16 GDPR): request correction or completion of your data.
  • Right to erasure (Art. 17 GDPR): request deletion of your data within legal limits.
  • Right to restriction (Art. 18 GDPR): request restriction of processing.
  • Right to data portability (Art. 20 GDPR): receive your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR): object to processing based on Art. 6(1)(e) or (f) GDPR.
  • Right to withdraw consent (Art. 7(3) GDPR): withdraw consent at any time with effect for the future.
  • Right to lodge a complaint (Art. 77 GDPR): file a complaint with a supervisory authority. The competent authority for us is: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit, Postfach 3163, 65021 Wiesbaden, Germany.

To exercise your rights, please contact [email protected].

10. International Data Transfers

As described in Section 7, some personal data is transferred to the United States (in particular to Cloudflare, Lemon Squeezy, and possibly Google). Where these providers are not certified under the EU-US Data Privacy Framework, we have entered into the EU Standard Contractual Clauses under Article 46(2)(c) GDPR to ensure an adequate level of data protection.

However, transfers to the US carry the risk that US authorities may, on the basis of US surveillance laws, gain access to the data without effective legal recourse for EU citizens.

11. Notice for California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you additional rights:

  • Right to Know: request information about the personal data we collect about you.
  • Right to Delete: request deletion of your data.
  • Right to Correct: request correction of inaccurate data.
  • Right to Opt-Out of Sale or Sharing: we do not sell or share your personal data for cross-context behavioral advertising.
  • Right to Non-Discrimination: we will not discriminate against you for exercising your rights.

To exercise these rights, contact [email protected].

12. SSL / TLS Encryption

For security reasons and to protect the transmission of confidential content, this website uses SSL / TLS encryption. You can recognize an encrypted connection by the address bar switching from “http://” to “https://”.

13. Changes to This Privacy Policy

We reserve the right to amend this privacy policy so that it always meets current legal requirements or to reflect changes to our services. The current version applies on each subsequent visit.