Privacy

How we handle your data.

Last updated 2026-05-12.

We collect what you upload from Letterboxd plus the email you sign up with. We don’t sell, share, or advertise against any of it. We delete your raw uploads within 24 hours of processing them. We delete your account on request. The rest of this page is the details.

What

What we collect

There are two things, and that’s it.

  • The contents of your Letterboxd export. That’s the .zip you download from your Letterboxd settings page — a small pile of CSV files containing your ratings, your diary entries, your watchlist, and the films you’ve marked watched. You hand it to us; we read it.
  • The email you sign up with. Stored by Supabase as part of authentication. We use it to log you in and to reach you about your account if we have to.

We run a privacy-respecting product analytics tool (PostHog) to measure which features get used and where the picker breaks. The full disclosure is in the Analytics section below — TL;DR: no PII, opt-out from /settings, we honor Do-Not-Track. We don’t embed third-party trackers beyond PostHog. There are no advertising IDs on this site.

Analytics

Product analytics (PostHog)

Since 2026-05-12 we send a small, opt-out-able stream of product events to PostHog so we can answer questions like “does anyone use the director filter?”, “how often does the picker land an unwatched film?”, and “what proportion of new installs accept the install prompt?” PostHog is hosted in the US (us.i.posthog.com).

What gets sent:

  • Page views (URL path and referrer, no query parameters).
  • Picker actions: filter changes, spins, picks selected, picks dismissed. The film TMDB id and your active filters travel with the event; your other ratings do not.
  • Theme changes, install-prompt outcomes.
  • Letterboxd import lifecycle (started, succeeded, failed).
  • Daily-digest email opens (only if you opt into the digest), via a server-side webhook from our email provider. No tracking pixels.

What does not get sent:

  • Your email address.
  • Your individual ratings or watchlist contents.
  • Anything you type into a form.
  • Free-text searches.

Events are keyed by your Supabase user id (an opaque uuid), which lets us count distinct users without ever attaching your email or name to a session. Session recording is disabled. Autocapture is disabled — only events we explicitly emit get sent.

To opt out: visit /settings and uncheck “Share anonymous usage data”. We also honor browser Do-Not-Track signals — if your browser sends DNT, no events are sent regardless of the toggle.

Use

What we do with it

We build you a per-user taste profile. The model trains on the films you’ve already rated to predict what you’d rate the films you haven’t seen yet. That’s how the predicted star scores on your dashboard, your re-ranked watchlist, and the taste-DNA visualizations on /stats get generated.

The model is yours. It trains on your ratings to predict your ratings. It doesn’t surface you to other users, and other users’ data isn’t used to predict your scores.

Don't

What we don't do

A short list, because the negatives matter as much as the positives.

  • We don’t sell your data.
  • We don’t share it with third parties for their own use.
  • We don’t train a global model that other users can query against your ratings.
  • We don’t use your data for advertising.
  • We don’t pass your email to a marketing list.
  • We don’t show ads.

Retention

How long we keep your data

  • Raw Letterboxd .zip uploads — deleted within 24 hours via the Supabase Storage bucket’s lifecycle rule. Once we’ve parsed the CSVs into your account, we don’t need the zip anymore.
  • Your predictions and taste profile — kept as long as your account exists. Re-syncing your Letterboxd export updates them.
  • Your account, on deletion — every per-user row in user_films, taste_profiles, and processing_jobs is purged, and your storage prefix is cleared. The shared film catalog (titles, posters, cast — TMDB-enriched data) is unaffected, because none of it is personal to you.

Rights

Your GDPR / CCPA rights

If you live in the EU, the UK, or California (and increasingly elsewhere), you have a set of rights over the data we hold about you. The short version is: you can ask us anything about it, and we’ll respond within 30 days.

  • Access. See what we have on you. Email palette@palette.film.
  • Rectification. Fix anything that’s wrong. Same email.
  • Erasure. Delete it all. Same email.
  • Portability. Export your data. We’ll hand back JSON. Same email.
  • Object or restrict. Tell us to stop processing for a specific reason. Same email.

Third parties

Where your data flows

We hand small slices of your data to a few well-known infrastructure providers. None of them see your ratings or your watchlist as such — they see what you’d expect their part of the stack to see.

  • TMDB. We fetch film metadata — titles, posters, cast, runtime — from The Movie Database. TMDB doesn’t see your ratings or watchlist; they see TMDB IDs we’re asking about. Their privacy policy applies to that fetch.
  • Letterboxd. We read the .zip you exported yourself. We don’t talk to Letterboxd’s servers — nothing is sent back, nothing is scraped. The .zip itself is data you generated on Letterboxd’s platform; their terms of service still apply to the original data over there.
  • Supabase. Hosts authentication, the Postgres database, and the storage bucket your .zip lands in. Their privacy policy applies to the storage layer.
  • Vercel. Hosts the frontend you’re reading right now. Their access logs see IP addresses and user-agent strings, the way every web host does. Their privacy policy applies.
  • Railway. Hosts the backend that runs the model. Their privacy policy applies to backend access logs.
  • PostHog. Product analytics. Receives events keyed by your Supabase user id (uuid). See the Analytics section above for the full event list. Their privacy policy applies.

Cookies

We set a small number of first-party cookies. Two categories:

  • Auth. Supabase auth cookies keep you logged in.
  • Preferences. palette-theme mirrors your selected theme; palette-analytics mirrors your analytics opt-in choice. Both let the page server-render with the right values before any JavaScript runs, so you don’t see a flash on first paint.

If analytics is enabled, PostHog also sets its own cookie under this domain to track the same anonymous user across visits. It is disabled when you opt out and when your browser sends Do-Not-Track. There are no third-party advertising cookies.

Children

palette.film isn’t directed at children under 13. If you’re under 13, please don’t sign up.

Changes

Changes to this policy

We may update this page. Material changes — anything that affects what we collect, who we share it with, or how long we keep it — get a notice on the dashboard the next time you log in. Minor edits (typos, clearer wording) just get the new last-updated date at the top.

Contact

Reach us

Questions, requests, or anything else — email palette@palette.film.
