Privacy policy
Last updated: 2026-05-13 · Closed beta
Scope
bin is a closed-beta Warehouse Management System operated by Hernie (herniet06@gmail.com). This page describes what personal data the application collects, why it is collected, how it is stored, and how to request its deletion. Final review by a qualified lawyer is pending before any public launch.
Data collected
- Account data — email address, display name, avatar URL, hashed password (Supabase Auth). Email is required for invitations + transactional mail.
- Inventory content — bins, items, locations, tags, attachments, and HOTO event logs you create or are invited to. Stored under Row Level Security; only members of an inventory can read its rows.
- Audit trail — every insert/update/delete on inventories, memberships, invites, and item attachments is logged to audit_events with the actor id.
- Operational telemetry — server and client errors are forwarded to Sentry when a DSN is configured. Sentry receives a minimal stack trace and request URL but not request bodies.
- Bot detection — Vercel BotID issues a passive challenge on the sign-in and sign-up forms.
Storage + region
Data lives in Supabase Postgres in ap-southeast-1 (Singapore). Files attached to items live in Supabase Storage in the same region. Backups are subject to Supabase's standard retention.
Transactional email (invitations, welcome, owner transfer) is sent via Resend from invites@bin.hernie.me. No marketing email is sent.
Data retention
- Account data — kept for the lifetime of the account; removed on request (see Your rights).
- Inventory data — soft-deleted rows are purged 30 days after deletion by a daily cron (/api/cron/purge-soft-deleted).
- Audit trail — currently retained for the lifetime of the inventory; a 90-day rolling window is on the roadmap before public launch.
- Operational telemetry — Sentry retention is 30 days on the project tier in use; logs older than that are aggregated or discarded.
Third-party processors
The application relies on the following sub-processors. Each handles personal data strictly within its declared region.
- Supabase — Postgres, Storage, Auth (ap-southeast-1, Singapore).
- Vercel — application hosting, BotID detection (global edge).
- Resend — transactional email delivery (United States).
- Google — OAuth identity provider (only when you choose "Sign in with Google").
- Sentry — error reporting (only when a DSN is configured; currently disabled in production).
Your rights
You may request access to, rectification of, erasure of, or a machine-readable export of your personal data. Email herniet06@gmail.com from the address on the account. Requests are acknowledged within 7 days and resolved within 30 days. We will not retaliate for any privacy request.
Deletion
Delete-your-account is not yet self-serve. To delete your account and all data you own, email herniet06@gmail.com from the address on the account. Soft-deleted rows are hard-deleted by cron 30 days after deletion.
Jurisdiction + governing law
Personal data is hosted in Singapore. This policy is governed by the laws of Singapore. Where local data-protection law (e.g. EU/UK GDPR, CCPA) grants rights stricter than those described above, those rights apply to data you submit from those jurisdictions.