Privacy notice.

Short version: LookBook is a frontend on top of your Supabase. The only telemetry is Vercel's cookieless pageview counter, and the only personal data I see is what you send me in an email.

01 — TL;DR

LookBook has no backend of its own. The webApp is a static page that talks directly from your browser to your Supabase. The only telemetry is Vercel Web Analytics — an aggregate pageview counter that uses no cookies, sets no identifier, and cannot follow you across sites. There is no advertising and no third-party SDK beyond that. I do not see your captures, your screenshots, or your tags. The only personal data I process directly is what you voluntarily send me — an email, a bug report, a feature request — and the standard server logs from the static host where this site is served.

02 — Who's responsible

The data controller in the sense of Art. 4(7) GDPR is:

benxenb
Berlin · Germany

03 — What data exists, and where it lives

Both the marketing site and the webApp are publicly hosted by me at lookbook.daes.app — they are not self-hosted by you. The surfaces and what each handles:

| Surface | What it stores | Where |
| --- | --- | --- |
| LookBook Website (lookbook.daes.app) | Theme preference | Your browser (localStorage) — never sent to me |
| webApp (lookbook.daes.app/app) | Invite code + theme | Your browser (localStorage) — never sent to me |
| webApp ↔ database | Captures, tags, screenshots | Your Supabase project |
| Figma plugin | Supabase URL + service_role key | Your Figma client (clientStorage) |
| Email | Whatever you write to me | My email inbox |

Even though I host the surfaces, I never receive a copy of your captures, screenshots, or workspace data. The connection goes browser → your Supabase, scoped by Row-Level Security policies you control.

04 — This marketing site

The pages you're reading now (lookbook.daes.app) are static HTML. There is no server-side rendering, no application code, no database. The host (currently Vercel) writes standard HTTP access logs: IP address, user agent, requested path, response code, timestamp. These are retained by the host for ~30 days for abuse / security purposes under Art. 6(1)(f) GDPR (legitimate interest in operating the site).

The site also includes Vercel Web Analytics, an aggregate pageview counter. It is cookieless, sets no client-side identifier, and does not use localStorage or browser fingerprinting. Visitors are de-duplicated for the day via a hash of IP and user-agent with a daily-rotating salt that Vercel discards; after rotation the hash is unrecoverable. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in basic reach measurement). The only other browser storage on this site is the localStorage entry that remembers your light/dark preference, which is not transmitted anywhere.

05 — The webApp

The webApp is a single-page application. When you paste an invite code, the browser decodes it locally, stores it in localStorage, and uses the included anon key to talk to the Supabase project the code points to. Your data — captures, tags, screenshots — never traverses my servers.

Disconnecting clears the invite from localStorage. There is no sign-up, no email-on-file, no recovery flow on my side — you simply paste the code again, or ask your workspace admin to regenerate one.

06 — The Figma plugin

The plugin runs inside Figma's plugin sandbox. When you set it up, you enter your Supabase URL and (for admins creating workspaces) the service_role key. These values are stored in Figma's clientStorage, scoped to the plugin. They never leave your machine and are not transmitted to me.

Captures (title, description, tags, screenshot PNG, file/page/node IDs) are uploaded directly from the plugin to your Supabase Storage bucket and database. The plugin does not phone home.

07 — Cookies, localStorage, etc.

The only client-side storage used by these surfaces is:

  • lookbook.landing.theme — “dark” or “light”. Site-wide.
  • lookbook.credentials.v1 — the invite code, in the webApp only. Removed on disconnect.
  • Figma clientStorage — plugin Supabase configuration. Plugin only.

None of these are cookies in the HTTP-header sense, and none are transmitted to me. Vercel Web Analytics (see § 04 and § 08) sends an aggregate pageview ping but does not read or write cookies or localStorage. No consent banner is shown because no consent-requiring processing happens.

08 — Third parties

The following third parties are involved, either directly or as your choice:

| Provider | Why | Where data lives |
| --- | --- | --- |
| Vercel | Hosting + cookieless Web Analytics (aggregate pageviews, no identifiers, no cookies) | EU region |
| Google Fonts | Geist / Geist Mono | Served via Google CDN |
| unpkg | Lucide icon font | Cloudflare CDN |
| Supabase | You connect this — not me | Your project's region |
| Figma | Plugin runtime | Figma's infrastructure |

Google Fonts and unpkg are content-delivery networks. When your browser loads this site, it fetches the font files and icon library from them, which means those providers see your IP address as part of standard HTTP traffic. If this concerns you, your browser's font-blocker / content-blocker will prevent it; the site degrades gracefully.

09 — Your rights under GDPR

To the limited extent I process your personal data, you have the right to:

  • Request access (Art. 15)
  • Request correction (Art. 16)
  • Request deletion (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)
  • Lodge a complaint with a supervisory authority — for Berlin, that's the Berliner Beauftragte für Datenschutz und Informationsfreiheit

For data inside your Supabase, those rights are between you and Supabase as your data processor — I have no access to act on them.

10 — Contact

Privacy questions, deletion requests, or anything else: benxenb@mailbox.org. I'm one person; replies usually take ~24 hours on a weekday.

11 — Changes to this notice

If this notice changes, the version and effective date at the top get bumped. Material changes will be called out in the changelog on this site. The current version is 1.1, effective May 26, 2026.