Privacy Policy
Last updated: 17 July 2026
This Policy explains how Patchwork Oddments (“we”, “us”) processes personal data when you use our website and tools. We aim to collect as little as needed. Controller details are in theImprint.
1. What we process
Account data
If you sign in: email address. Sign-in uses a one-time magic link emailed to you (and optionally a hashed password for older accounts). We store short-lived login tokens and session records tied to your account. Legal basis: contract (Art. 6(1)(b) GDPR) and security (Art. 6(1)(f)).
Session cookie
Cookie name session — HttpOnly, Secure, SameSite=Lax, about 30 days. Used only to keep you signed in. Strictly necessary for the account feature.
Usage / security signals
IP address (via Cloudflare) may be used briefly for rate limiting and abuse prevention. We do not run advertising analytics or sell data.
Cloud tool data (when you use those features)
- Post Gallery sync: a copy of your gallery library (not pasted blob images) may be stored in our database if you sync while signed in.
- Shared playlists: content you choose to publish is stored with a public ID and typically expires after about 90 days.
- Stream / overlays: posts and overlay tokens you configure may be stored so live overlays can work.
Data that stays in your browser
AI API keys and many tool preferences (grammar history, theme, local galleries, etc.) are kept in localStorage / IndexedDB on your device. We do not store your AI API key on our servers. Keys are sent only with AI requests so we can proxy to the provider you chose. You can export/import settings as a JSON file on the settings page to move them between devices.
2. AI processing
When you use AI tools, your browser sends your API key and prompt content to our servers so we can proxy the request to the provider you selected (for example Anthropic or an OpenAI-compatible endpoint). That content is processed by the provider under their terms. Do not submit secrets or others’ personal data unless you have a lawful reason.
3. Processors & third parties
- Cloudflare — hosting, D1 database, Durable Objects, rate limiting, and edge delivery.
- Google Fonts — fonts loaded from Google; Google may see your IP when fonts are fetched.
- Optional content helpers — depending on the tool: YouTube, Reddit, X/Twitter-related APIs, or general URL metadata fetches for links you provide.
- Your AI provider — when you enable AI features.
4. Retention
- Account and session data: while the account exists / session is valid.
- Shared gallery payloads: until expiry (about 90 days) or earlier removal.
- Synced gallery libraries and stream state: while you use those features or until deletion.
- Browser-stored data: until you clear site data or uninstall.
5. Your rights (GDPR)
If you are in the EEA/UK/Switzerland (or similar regimes), you may have rights to access, rectify, erase, restrict, port, or object to certain processing, and to withdraw consent where processing is consent-based. Contact us via theImprint. You may also lodge a complaint with your local supervisory authority (in Austria: Österreichische Datenschutzbehörde).
6. International transfers
Cloudflare and some third parties may process data outside Austria / the EEA. Where required, transfers rely on appropriate safeguards (for example Standard Contractual Clauses) provided by those vendors.
7. Children
The Service is not directed at children under 16. Do not create an account if you are under that age.
8. Changes
We may update this Policy; the “Last updated” date will change when we do. Significant changes may also be called out in the product where practical.