Data & Compliance
Last updated: May 20, 2026
This page gives a transparent look at the data Tabletop Index collects, the third-party services we rely on, and your rights under applicable privacy laws. For general privacy information, see our Privacy Policy.
Your Data & Third-Party Services
Tabletop Index is a small, focused product. We don't use advertising networks, behavioral tracking, or data brokers. The services below are the only ones that have access to any part of your data.
All user data is stored with Supabase — your email, profile, show listings, ratings, and session tokens. Supabase runs on Amazon Web Services (AWS) infrastructure, primarily in the United States.
Supabase Privacy Policy →
If you choose to sign in with Google, Google shares your email address and basic profile information (name, profile picture) with us at the time of sign-in. We use this only to create or identify your account. We do not receive your Google contacts, calendar, or any other Google data.
Google Privacy Policy →
The Tabletop Index web application is served via a hosting platform (such as Vercel or Netlify). Standard server logs — including IP addresses and request metadata — may be retained by the host for operational and security purposes in accordance with their own privacy policies.
We do not use third-party analytics services, ad networks, error-tracking services, or payment processors. All usage data is collected directly into our own Supabase database and is never shared with third parties. No other third parties receive your data.
What We Track
We collect usage events directly into our own database (Supabase). No third-party analytics service receives this data. The table below describes what we record, and whether it requires you to be logged in.
| Event | Logged in required? | Data recorded |
|---|---|---|
| AP page view | No | Show ID, anonymous session ID, referrer URL, timestamp |
| Search query | No | Search terms, active filters, result count, timestamp |
| External link click | No | Show ID, timestamp |
| Heart (save) a show | Yes | Show ID, user ID, timestamp |
| Submit vibe rating | Yes | Show ID, user ID, timestamp |
Anonymous events use a temporary session identifier generated in your browser's sessionStorage. This identifier is not linked to any account and is cleared when you close your browser tab. It is used only to understand general navigation patterns.
GDPR — EU & EEA Users
If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) applies to how we handle your data. Here's what that means in practice.
Lawful basis for processing
- Contract — we process your email and authentication data to provide the service you signed up for.
- Legitimate interests — we process show listings, ratings, profile data, and anonymous usage analytics to operate and improve the directory. You have the right to object to processing based on legitimate interests at any time.
- Consent — when you choose to sign in via Google, you consent to Google sharing your basic profile with us.
Your rights under GDPR
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate data via your profile settings, or by contacting us.
- Right to erasure ("right to be forgotten") — request deletion of your account and all associated personal data.
- Right to restriction — ask us to limit how we process your data in certain circumstances.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests.
Data transfers
Your data is stored on Supabase infrastructure in the United States. Supabase participates in appropriate data transfer mechanisms for EU data. For more detail, refer to Supabase's privacy documentation.
To exercise any GDPR right, email tabletopindex@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (e.g. the ICO in the UK, CNIL in France).
CCPA — California Users
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you specific rights regarding your personal information.
Categories of personal information we collect
- Identifiers — email address, username.
- Internet activity — session tokens, show ratings, hearted shows, anonymous usage events (page views, searches, external link clicks).
- Profile data — bio, avatar URL, show listings you create.
We do not sell your personal information
Tabletop Index does not sell, share for cross-context behavioral advertising, or otherwise transfer your personal information to third parties for commercial gain.
Your rights under CCPA/CPRA
- Right to know — request disclosure of the categories and specific pieces of personal information we've collected about you.
- Right to delete — request deletion of your personal information.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale/sharing — we do not sell or share data, so this right is satisfied by default.
- Right to non-discrimination — we will not discriminate against you for exercising any of these rights.
To submit a request, email tabletopindex@gmail.com. We will respond within 45 days as required by law.
Data Retention
The table below describes how long we retain each category of data.
| Data category | Retention period |
|---|---|
| Account & profile data | Until you request account deletion |
| Show listings | Life of account; you may remove individual shows at any time |
| Heart & vibe rating data | Life of account, or until you delete them individually |
| Logged-in user analytics events | Life of account |
| Anonymous session analytics events | 12 months from collection |
| Search queries (anonymous) | 12 months from collection |
| Authentication session tokens | Expire automatically; cleared on log out |
| Server logs (hosting provider) | Typically 30–90 days per provider policy |
| Deleted account data | Purged within 30 days of deletion request |
Some anonymized aggregate data (e.g. total show count) may be retained indefinitely as it cannot be tied back to any individual.
Data Security
We take reasonable steps to protect your data, including:
- Encryption in transit — all data between your browser and our servers is transmitted over HTTPS/TLS.
- Encryption at rest — Supabase encrypts data at rest on AWS infrastructure.
- Row-level security — our database enforces row-level security policies so users can only read or modify their own data.
- No user-controlled code execution — we do not allow users to inject custom CSS, HTML, or scripts into any page.
- Authentication — passwords are hashed and never stored in plain text (handled by Supabase Auth). OAuth sign-ins never expose your Google password to us.
No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly by emailing tabletopindex@gmail.com.
Questions
For any questions about this page or to exercise your rights, contact us at tabletopindex@gmail.com.