Privacy Policy
Last updated: April 19, 2026
BroadwayLog ("we", "us", the "Service") is a personal theatre attendance journal. This policy explains what data we collect, why we collect it, where it's stored, and the choices you have.
We aim to collect as little data as we can while running a useful service. Plain-language summaries appear at the start of each section; the full detail follows.
1. Who we are
BroadwayLog is operated by BroadwayLog, based in New York, USA. You can reach us at hello@broadwaylog.app.
2. What we collect, and why
Summary: We collect the information you give us (email, profile, journal entries) and a small amount of technical data needed to run the service (like your IP address for rate limiting).
Information you provide
| Data | When | Why |
|---|---|---|
| Account information (email, hashed password, username, display name, bio, avatar) | Signup and profile edits | Account identity and public profile |
| Content you add (journal entries, ratings, reviews, public-sharing toggles) | When you use the Service | Core product functionality |
| Google identity (email, name, profile picture URL) | If you sign in with Google OAuth | Create and link your BroadwayLog account |
Passwords are hashed by Supabase—we never see or store your plaintext password. If you sign in with Google, we do not receive or store your Google password.
Information collected automatically
| Data | Source | Why |
|---|---|---|
| IP address | Every request | Abuse prevention (rate limiting), geographic latency routing |
| Browser/device user-agent | Every request | Debugging, compatibility |
| Authentication cookies | Set by Supabase on login | Keep you logged in between visits. These are httpOnly—JavaScript on the page cannot read them. |
We do not use advertising trackers, analytics pixels, fingerprinting scripts, or cookie-based analytics at launch. If we add analytics later, we will update this policy.
3. Cookies
Summary: We set strictly-necessary cookies for login. We do not use advertising or tracking cookies.
Under the current setup, the only cookies we set are authentication cookies managed by Supabase. They are httpOnly, Secure, and SameSite=Lax. They keep you signed in and are deleted on logout. Because these are strictly necessary for the service to work, a cookie consent banner is not required under ePrivacy / GDPR guidance.
4. Third parties who process your data
Summary: We use a small set of infrastructure providers. We share data with them only as needed to run the service.
| Provider | Role | What they receive |
|---|---|---|
| Supabase (supabase.com/privacy) | Database + authentication hosting | Everything in §2, "Information you provide" |
| Cloudflare (cloudflare.com/privacypolicy) | Edge hosting (Workers) and avatar storage (R2) | Request metadata, IP addresses, uploaded avatars |
| Google (if you use OAuth sign-in) | Identity provider | Whatever Google shows on the consent screen—typically your email, name, and profile picture |
We do not sell your personal information to anyone. Ever. We do not share your information with marketing or data-broker services.
5. Where your data is stored
Summary: Data is stored in cloud infrastructure in the United States.
Our Supabase project and Cloudflare R2 bucket are hosted in the United States. If you are located outside the United States—for example, in the EU or UK—your data will be transferred to and processed in the United States.
Transfers to the United States are made in reliance on the Standard Contractual Clauses and other safeguards incorporated in Supabase's and Cloudflare's Data Processing Agreements.
6. How long we keep your data
Summary: We keep your data while your account exists. If you delete your account, we delete it.
- Active accounts: We retain your profile, journal entries, and reviews for as long as your account is open.
- Deleted accounts: When you delete your account, we delete your profile, journal entries, reviews, and avatar within 30 days. Encrypted database backups may retain the data for up to 90 days before rotation.
- Logs: Edge request logs are retained by Cloudflare per their defaults (typically 7 days).
7. Your rights
Summary: You can see, correct, export, or delete your data.
Depending on where you live, you may have some or all of the following rights:
- Access—see what we have about you (most of it is already visible in your profile and journal)
- Correction—fix inaccurate data (you can edit your profile and entries directly; for anything else, email us)
- Export—request a copy of your data in a machine-readable format (typically JSON)
- Deletion—delete your account and associated data
- Objection / restriction—ask us to stop processing your data in specific ways
- Portability—receive your data in a format you can move to another service
- Withdraw consent—where we rely on consent, you can withdraw it at any time
To exercise any of these, email hello@broadwaylog.app from the address associated with your account. We will respond within one month. For complex requests, we may extend this by up to two additional months and will notify you of the extension.
If you are in the EU/EEA or UK, you have the right to lodge a complaint with your local data protection authority if you believe we've handled your data unlawfully.
If you are in California, you have additional rights under the CCPA/CPRA including the right to know, delete, and opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information as those terms are defined by the CCPA.
8. Children
The Service is not intended for children. We do not knowingly collect personal information from anyone under 16, and we do not knowingly collect personal information from anyone under 13. If you are under 13, do not use the Service. If we learn that we have collected data from a child under 13 without verifiable parental consent, we will delete it.
9. Security
Summary: We follow industry-standard practices, but no service is 100% secure.
- Passwords are hashed by Supabase using bcrypt. We never see plaintext passwords.
- All traffic is served over HTTPS with HSTS.
- Authentication cookies are
httpOnly,Secure,SameSite=Lax. - We apply CSP, X-Frame-Options, and other security headers.
- We rate-limit authentication endpoints to discourage brute-force attacks.
- Access to production infrastructure is limited to the operator.
We cannot guarantee absolute security. If we discover a breach that affects you, we will notify you without undue delay where required by applicable law. Where applicable law requires notification to a supervisory authority, we will do so within the timeframe required by that law.
10. Changes to this policy
If we update this policy, we will post the updated version here with a new "Last updated" date. Material changes affecting how we use your existing data will be communicated by email before the change takes effect.
11. Contact
Questions? Email hello@broadwaylog.app.