Data Sharing Policy

Last updated: March 2026

1. Our Approach to Data Sharing

SammySam is built on a simple principle: your data belongs to you. By default, all your data stays on your device. We do not sell, rent, trade, or share your personal data with advertisers, data brokers, or any other third parties for marketing or profiling purposes.

2. When Data Stays on Your Device

If you use SammySam without creating an account, no data leaves your device. The following is stored exclusively in your browser's localStorage:

Crochet progress and step completion
Earned minutes, streaks, and achievements
App preferences (language, theme)
An anonymous device identifier (randomly generated UUID)
Consent preferences

This data is never transmitted to our servers or any third party.

3. When Data Is Shared with Third Parties

Data is only shared with third-party services when you take a specific action that requires it. Below is a complete list of when and how data flows to third parties:

Supabase (Account & Sync)

Trigger: Only when you create an account

Data shared: Email address, crochet progress, wallet balance, streaks, achievements

Purpose: Authentication and cross-device sync

Location: EU servers (GDPR-compliant)

Policy: Supabase Privacy Policy

Shopify (Purchases)

Trigger: Only when you click "Shop Now" or "Buy Kit"

Data shared: Affiliate/referral code (if present), selected product

Purpose: Process your purchase and attribute referrals

Affiliate codes: If you arrived via a referral link (?ref=CODE), the code is stored in your browser's localStorage and included with your purchase so the referrer can be credited. The code persists until you clear your data.

Note: You are redirected to Shopify's checkout — any data you enter there (name, address, payment) is handled directly by Shopify, not by SammySam

Policy: Shopify Privacy Policy

Vimeo (Video Player)

Trigger: When you watch instruction videos

Data shared: Standard browser request data (IP address, user agent)

Purpose: Video streaming and playback

Note: Vimeo may set its own cookies for video functionality

Policy: Vimeo Privacy Policy

Analytics (PostHog + App Events)

Trigger: Only if you opt in via Settings or consent banner

PostHog (product-level): Anonymous page views, clicks, scroll depth, device type, country. PostHog is hosted on EU servers.

App events (action-level): QR scans, step starts/completions, kit completions, buy clicks, referral shares, video plays, and install prompts. Each event includes the kit name, step ID, language, and anonymous device ID.

Marketing parameters: If you arrive via a marketing link with UTM parameters (e.g. ?utm_source=instagram), these are captured from the URL and included with analytics events. They are not stored on your device.

Purpose: Understand how the app is used and which marketing channels are effective (aggregate only, no personal identification)

Storage: App events stored on EU-based Supabase servers. PostHog data stored on PostHog EU servers (eu.i.posthog.com).

Policy: PostHog Privacy Policy

Google Fonts (Typography)

Trigger: Automatically on page load

Data shared: Standard browser request data (IP address, user agent)

Purpose: Load the Poppins font for app typography

Note: Next.js self-hosts fonts where possible. Google states it does not use font requests for tracking or profiling.

Policy: Google Fonts Privacy FAQ

Sentry (Error Monitoring)

Trigger: Automatically when an app error occurs

Data shared: Error details, browser type, device type, page URL (no personal data)

Purpose: Identify and fix bugs to improve the app

Policy: Sentry Privacy Policy

4. What We Never Do

We never sell your data to anyone
We never share data with advertisers or ad networks
We never share data with data brokers
We never use your data for profiling or automated decision-making
We never share data for cross-site tracking
We never transfer data outside the EU (all services use EU servers or are privacy-compliant by design)

5. International Data Transfers

We prioritize EU-based services for all data processing. Our primary data processor (Supabase) operates on EU servers. Vimeo and Sentry are US-based companies that comply with applicable EU-US data transfer frameworks. No personal data is transferred to countries without adequate data protection unless appropriate safeguards (such as Standard Contractual Clauses) are in place.

6. Your Control Over Data Sharing

You have full control over when data is shared:

Don't create an account — your data stays 100% on your device
Opt out of analytics — toggle off in Settings
Delete your account — removes all cloud data permanently
Clear local data — delete all locally stored data via Settings

7. Legal Basis for Data Sharing (GDPR)

Under the GDPR, we rely on the following legal bases for sharing data with third parties:

Consent (Art. 6(1)(a)) — For optional analytics (PostHog) and account creation (Supabase)
Contract performance (Art. 6(1)(b)) — For processing purchases (Shopify) and delivering video content (Vimeo)
Legitimate interest (Art. 6(1)(f)) — For error monitoring (Sentry) to maintain app quality and security

8. Changes to This Policy

If we add new third-party services or change how data is shared, we will update this policy and notify users through the app. We will never start sharing data with a new category of third party (e.g., advertisers) without obtaining explicit consent.

9. Related Policies

Privacy Policy — Full details on data collection and your GDPR rights
Terms of Service — Rules for using the SammySam app
Cookie Policy — How we handle cookies and localStorage

10. Contact Us

If you have any questions about how we share data, please contact us:

Email: hello@sammy-sam.com hello@sammysam.eu