Privacy Policy

ScrollLaunch is a launchpad for indie makers and SaaS founders. We try to collect the least amount of personal data required to run the Service, we do not sell your data, and we use privacy-friendly analytics that do not set tracking cookies.

• We use Google OAuth (via NextAuth) for sign-in — we never see your password.
• We use Datafa.st for cookie-free, GDPR-compliant analytics.
• We use Dodo Payments for payments — card details never touch our servers.
• Product content you publish (name, tagline, description, logo, website URL) is intentionally public — that is the whole point of the Service.

The data controller is ScrollLaunch, reachable at kalashvasaniya@gmail.com. For GDPR purposes you can use the same address for data-subject requests; we respond within 30 days.

Account data (from Google OAuth): your name, email address, profile picture URL, and a stable Google account identifier. We receive this from Google when you sign in; we do not receive your Google password.

Maker profile: display name, bio, and any social links you choose to add on your dashboard.

Product submissions: product name, tagline, description, logo, screenshots, website URL, categories, launch week, FAQ, "alternative-to" fields, and any other fields you fill in at submission or edit time.

Engagement signals: upvotes you cast, products you submit, and comments or reactions you leave. Upvotes and submission records are tied to your account.

Billing data: when you purchase Premium, Premium+, or an advertising placement, Dodo Payments processes the transaction and sends us a transaction ID, product ID, status, and billing email. Card numbers, CVV, and bank credentials are never received or stored by us.

Technical data: IP address, user-agent, timestamps, and pages requested — collected in server logs for security, abuse prevention, and debugging. Logs are retained for up to 30 days unless needed for an active investigation.

Analytics (aggregate only): Datafa.st gives us cookie-free, aggregated stats — page views, referrer, country, approximate device/browser. No cross-site tracking, no third-party ad networks, no fingerprinting.

• Operate your account and authenticate you on return visits.
• Publish your product listings, leaderboards, and maker profile — a core, user-requested function.
• Rank, moderate, and feature products (including anti-fraud checks on upvotes).
• Process payments, grant access to paid features, and send transactional emails (purchase receipts, launch-day confirmations).
• Generate AI-written launch blog posts when you explicitly opt in from your product edit page.
• Send the weekly "launched this week" digest only to users who have opted in (you can unsubscribe from any issue).
• Measure aggregate performance of the Service (traffic, conversion, feature usage).
• Comply with legal obligations and enforce our Terms of Service.

• Contract (Art. 6(1)(b)): operating the account, publishing listings you submitted, processing payments.
• Legitimate interest (Art. 6(1)(f)): security, abuse prevention, aggregate analytics, product improvement.
• Consent (Art. 6(1)(a)): the weekly digest newsletter and the opt-in AI blog generator.
• Legal obligation (Art. 6(1)(c)): tax records, fraud investigations, lawful requests.

We share data with a small set of vetted processors. We do not sell personal data, we do not share it with ad networks, and we do not allow our processors to use your data for their own marketing.

• Vercel Inc. — hosting and edge delivery (served from global PoPs).
• MongoDB Atlas — primary database (MongoDB Atlas).
• Cloudinary — image and logo storage/CDN.
• Dodo Payments — payment processing; they are an independent controller for card data.
• Google (NextAuth) — OAuth sign-in.
• Datafa.st — cookie-free aggregate analytics.
• OpenAI — only when you explicitly opt into AI blog generation or AI form prefill. Product details you submit are sent to OpenAI to produce the requested output.
• Law enforcement and courts — only when legally compelled, and we will challenge overbroad requests.
• Acquirer / successor — in the event of a merger, acquisition, or asset sale, your data may be transferred subject to equivalent protections.

Our processors operate globally, which means your data may be transferred to and processed in the United States, the European Union, and other jurisdictions. Where required, transfers rely on Standard Contractual Clauses or equivalent safeguards.

• Account data: kept while your account is active; deleted within 30 days after account closure, except where retention is required by law (e.g. tax records for up to 7 years).
• Product listings: if you delete a product, it is removed from live surfaces within 24 hours; backups purge within 30 days.
• Server logs: 30 days, longer only for active security incidents.
• Billing records: retained for the period required by applicable tax and accounting law.
• Published AI-written blog posts: remain published unless you request removal; the generation prompt/response pair is not retained once the post is stored.

Depending on where you live (EU/UK, California, India, and many other jurisdictions), you have some or all of the following rights:

• Access a copy of the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your account and associated personal data ("right to be forgotten").
• Restrict or object to certain processing.
• Port your data to another service in a machine-readable format.
• Withdraw consent at any time for consent-based processing (e.g. newsletter).
• Lodge a complaint with your local supervisory authority (e.g. an EU DPA).

To exercise any right, email kalashvasaniya@gmail.com. We may ask you to verify ownership of the account.

We use a small number of strictly-necessary, first-party cookies for session management (NextAuth) and CSRF protection. We do not use advertising, cross-site tracking, or third-party analytics cookies. See our Cookie Policy for the full list.

We use TLS in transit, encrypted storage at rest with our infrastructure providers, least-privilege access control, and automated dependency scanning. No online service is perfectly secure; if you discover a vulnerability, please report it privately to kalashvasaniya@gmail.com.

The Service is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child has given us data, please email kalashvasaniya@gmail.com and we will delete it.

We do not use tracking cookies or serve third-party ads, so DNT and GPC signals have no additional effect on our processing. We still honour deletion and opt-out requests on the merits, regardless of browser signal.

We may update this policy as the Service evolves. If changes are material, we will update the "Last updated" date at the top of this page and, where practical, notify registered users by email before the change takes effect.