Privacy Policy
We believe in transparency. Here is exactly what we collect, why, and what you can do about it.
1. Who we are
BucketList ("BucketList", "we", "us", or "our") is the operator of the website located at bucketlist.app and its associated services. This Privacy Policy explains how we collect, use, share, and protect personal data when you use our platform.
Our data controller is BucketList. If you have questions about this policy, contact us at privacy@bucketlist.app.
2. Data we collect
We collect the following categories of personal data:
Data you provide directly
- Account information: username, email address, password (stored as a bcrypt hash — we never store your plain-text password).
- Profile information: avatar, bio, and any other optional details you add.
- User-generated content: bucket lists, goals, comments, and any files you upload.
Data we collect automatically
- Log data: hashed IP address (we never store your raw IP address), browser type, pages visited, and timestamps.
- Usage data: features used, goals completed, and aggregate activity patterns.
- Cookies and local storage: session tokens for authentication. We do not use advertising cookies.
3. Legal basis for processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal bases for processing personal data are:
- Contract performance: to provide the BucketList service you signed up for.
- Legitimate interests: to improve our service, detect abuse, and ensure security.
- Consent: for optional features such as marketing emails (you can withdraw consent at any time).
- Legal obligation: to comply with applicable law.
4. How we use your data
- To operate and improve the BucketList platform.
- To authenticate your account and keep it secure.
- To send transactional emails (password reset, account notifications).
- To send product updates and newsletters, if you have opted in.
- To detect and prevent fraud, abuse, and security incidents.
- To comply with our legal obligations.
5. Data sharing
We do not sell your personal data. We share data only in the following circumstances:
- Service providers: third-party vendors who process data on our behalf (hosting, email delivery), bound by data processing agreements.
- Public content: bucket lists you mark as public are visible to anyone, including search engines.
- Legal requirements: if required by law, court order, or to protect our rights.
6. Data retention
We retain your personal data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it by law.
7. Your rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the data we hold about you.
- Correction: request that we correct inaccurate data.
- Erasure: request deletion of your account and data ("right to be forgotten").
- Portability: receive your data in a machine-readable format.
- Objection: object to processing based on legitimate interests.
- Restriction: request that we limit processing of your data.
- Withdraw consent: where processing is based on consent, withdraw it at any time.
To exercise any of these rights, email us at privacy@bucketlist.app. We will respond within 30 days.
8. Cookies
We use the following types of cookies:
- Essential cookies: required for authentication and security. These cannot be disabled.
- Analytics cookies: used to understand how visitors use our site (aggregated, anonymised). You can opt out at any time.
We do not use advertising or tracking cookies from third parties.
9. Data security
We take security seriously. Passwords are hashed with bcrypt. IP addresses are one-way hashed before storage. Data is transmitted over TLS. We conduct regular security reviews.
No system is perfectly secure. If we become aware of a data breach that affects your rights or freedoms, we will notify you as required by applicable law.
10. International transfers
Our servers are located in the European Union. If we transfer data outside the EEA, we do so only where appropriate safeguards are in place (such as Standard Contractual Clauses).
11. Children
BucketList is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by a prominent notice on our website at least 14 days before the changes take effect.
13. Contact us
For any privacy-related questions or to exercise your rights, contact us at privacy@bucketlist.app or write to us at the address listed in our Terms of Service.