Privacy policy

Last updated 2026-05-23

This policy describes what HzArt collects, why, and the choices you have. We keep it brief because the product is small and intentionally collects little.

Who runs HzArt

HzArt is a small independent project. For any privacy question, or to exercise the rights described below, write to privacy@hzart.app.

What we collect

Account data

If you create an account: your email address, a password hash, and any profile fields you fill in. Content you create in the app (presets, projects, breathing techniques) is stored against your account.

Product analytics

If you opt in to analytics, we record pseudonymous events about which pages and features you use, via PostHog. We do not record what you type, draw, or hear.

Technical data

A small amount of technical data is needed to make the site work: your IP address while a page loads, your browser's user-agent string, and a few cookies covered below.

How we use it

Account data is used to authenticate you and store your work. Analytics is used in aggregate to decide which features to improve. Technical data is used for security, debugging, and to remember your preferences. We do not sell data and do not use it for advertising.

Legal basis

For account data we rely on performance of a contract (GDPR Art. 6(1)(b)) — we cannot run an account for you without it. For analytics and any future marketing cookies we rely on your consent (Art. 6(1)(a)), which you give in the cookie banner and can withdraw at any time. For strictly-necessary cookies and basic security logging we rely on legitimate interests (Art. 6(1)(f)).

Who processes data on our behalf

We use a small number of well-known processors, each bound by their own data-processing terms: • Supabase — database and authentication. • Vercel — application hosting and edge network. • PostHog — product analytics, only after you opt in.

How long we keep it

Account data is kept while your account exists. If you delete your account from /account → Settings, our deletion path removes the records we hold across every table that references you. Analytics events are retained on PostHog under their default retention. Server access logs are kept for a short period for security and debugging.

Cookies and similar technologies

We use a small number of cookies and equivalent browser storage in three groups. Strictly-necessary entries keep you signed in and remember your cookie choice — they are always on. Analytics is set only after you opt in. Marketing is not used today; the category appears in the banner only so we can ask again before introducing any such tool.

You can change your cookie choice at any time:

Your rights

Under the GDPR you have the right to access, rectify, erase, restrict, port and object to the processing of your personal data, and to lodge a complaint with your local data-protection authority. The simplest way to exercise the right to erasure is to delete your account from /account → Settings, which removes the data we hold about you. For anything else, email privacy@hzart.app.

International transfers

Some of our processors (notably Vercel and PostHog) are based outside the EEA. Where data leaves the EEA it is covered by the Standard Contractual Clauses or equivalent safeguards published by each processor.

Changes to this policy

When this policy changes materially we update the version above and, for cookie-related changes, re-show the consent banner so you can review your choice. Older versions are not separately archived — this page is the current and canonical version.

Contact

Email privacy@hzart.app with any privacy question. We try to reply promptly; the GDPR allows up to one month to respond formally, and we will tell you if we need that long.