Privacy Policy | designs.directory

This page explains what personal data designs.directory collects when you visit the site or upload a design, why we collect it, and what we do with it. It is provided in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and Romanian Law 190/2018. It covers every endpoint we run — the public gallery, search, the upload form, and the admin pages.

Data controller

The controller of your personal data is:

Bringes Technology SRL
Str. Crișului nr. 14 Bis, Oraș Băicoi, Jud. Prahova, Romania
VAT: RO45896025
Contact: hello@bringes.io

We have not appointed a Data Protection Officer because our processing does not meet the thresholds of Article 37 GDPR. For any privacy matter write to the address above.

Data we collect

Uploaded design zips. When you use Add your design we extract the archive and store the individual files (HTML previews, README, SKILL, assets, and the original zip) in a Hetzner S3 bucket. The files are served publicly from that bucket once an admin approves the design.
Design metadata. Title, file list, upload size, moderation status, views, upvotes, and downvotes are stored in our Turso (SQLite) database.
Votes. To enforce one vote per visitor we store a SHA-256 hash of your IP address (salted) with the vote. We do not store the raw IP. The hash is a one-way fingerprint used only for deduplication.
Views. Every visit to a design page increments a counter on that design. We store the counter, not the visitor identity.
Search queries. The text you type into the search box is saved together with how many results it returned. Admins use this to understand what people are looking for. Search logs are not tied to your identity.
Feedback. If you submit feedback, we store the message, the optional email you provide, the page you sent it from, and your user-agent string.
Admin accounts. Admins sign in with Google OAuth. We store the name, email, profile image, and Google account id provided by Google, plus session records needed to keep them logged in. The public-facing site does not offer user accounts.
Analytics (PostHog). We use PostHog (EU region) to track page visits, clicks on interactive elements, and — when enabled — session recordings with form inputs masked. PostHog drops a first-party cookie / local-storage entry to maintain an anonymous visitor id. Analytics run only after you accept cookies.
Analytics (Google Analytics 4). We also load Google Analytics 4 (measurement ID G-H26RM0T4X2) via the gtag.js tag. Google receives your IP address (truncated), user-agent, and the pages you view. GA uses first-party cookies (the _ga family) to distinguish unique visitors. GA runs only after you accept cookies.

Why we collect it and on what legal basis

We process personal data under the following Article 6 GDPR bases:

Performance of a service (Art. 6(1)(b)): hosting and serving uploaded designs, running moderation, processing take-down requests.
Legitimate interests (Art. 6(1)(f)): preventing vote manipulation through salted IP hashes, counting page views, logging search queries to improve the product, keeping admin session records, and protecting the Service against abuse. You may object to processing based on legitimate interests (see "Your rights" below).
Consent (Art. 6(1)(a)): PostHog and Google Analytics cookies and the associated processing. Consent is collected through the cookie banner and can be withdrawn at any time by clearing the cc cookie in your browser, after which analytics stop loading.
Legal obligation (Art. 6(1)(c)): keeping records we are required to keep under Romanian tax, accounting, or platform-regulation laws, and responding to valid requests from competent authorities.

Who can see what

Public: anything in an approved design (the files, the README, the SKILL, the title, the view and vote counts).
Admins only: pending / rejected designs, feedback messages, search logs, admin-session metadata.
Processors and sub-processors: Hetzner Online GmbH (Germany, EU — file hosting), Turso / ChiselStrike (EU region — database), Cloudflare (worker + edge delivery), Google Ireland Limited (admin sign-in + Analytics), PostHog (EU region — analytics). Each of them receives only the data needed to provide that service.

International transfers

We aim to keep personal data within the European Economic Area. Cloudflare and Google may process limited data (your IP address, request metadata) outside the EEA. When that happens, transfers are covered by the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, for Google, the EU-US Data Privacy Framework adequacy decision of 10 July 2023. You can ask us for a copy of the safeguards in place.

Retention

Approved designs and metadata: stored until the uploader or an admin deletes them.
Pending or rejected designs: up to 90 days, then deleted unless kept longer for a specific moderation reason.
Salted IP-hash vote records: kept for the lifetime of the design they relate to.
Feedback messages: up to 24 months from receipt.
Search logs: up to 12 months, then aggregated or deleted.
Admin sign-in records: kept while the admin is active and for up to 12 months after deactivation.
PostHog and Google Analytics events: as per each provider's default retention (typically 12–14 months).

Your rights under the GDPR

If we hold personal data about you, you have the right to:

Access the data we hold (Art. 15).
Rectify data that is inaccurate or incomplete (Art. 16).
Erase data ("right to be forgotten", Art. 17).
Restrict processing in certain circumstances (Art. 18).
Data portability — receive the data you gave us in a machine-readable format (Art. 20).
Object to processing based on legitimate interests (Art. 21).
Withdraw consent you have given for analytics at any time, without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3)).
Lodge a complaint with a supervisory authority. In Romania this is the Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), B-dul G-ral Gheorghe Magheru 28-30, Sector 1, București, dataprotection.ro. You may also complain to the authority in your EU country of residence.

To exercise any of these rights email hello@bringes.io. We respond within one month (extendable by two months for complex requests, as allowed by Article 12(3) GDPR).

Automated decisions and profiling

We do not use your personal data to make automated decisions with legal or similarly significant effects on you, and we do not build behavioural profiles for advertising.

Security

Data is transmitted over HTTPS, admin access is protected by Google OAuth and single-sign-on session cookies marked HttpOnly and SameSite, and secrets are kept in the runtime environment rather than in the code. We review access to admin endpoints regularly. No system can be guaranteed secure, but we use reasonable technical and organisational measures proportionate to the risk, as required by Article 32 GDPR.

Cookies & local storage

We use a small number of cookies and storage entries, split into two categories:

Strictly necessary (no consent required): a session cookie for admin sign-in (first-party, HttpOnly), a did first-party cookie that stores an anonymous visitor id for linking searches and votes, the cc cookie that remembers your cookie-banner choice, and session-storage entries used to avoid double-counting a page view within a single tab.
Analytics (require your consent): PostHog's cookie / local-storage entry for an anonymous visitor id, and the Google Analytics _ga family of cookies. These load only after you click Accept in the cookie banner.

We do not use cross-site advertising cookies. You can withdraw analytics consent at any time by clearing the cc cookie or by blocking analytics scripts in your browser.

Changes

We may update this policy. Material changes will be noted at the top of this page with a new "last updated" date.

Contact

Bringes Technology SRL, Str. Crișului nr. 14 Bis, Oraș Băicoi, Jud. Prahova, Romania — VAT RO45896025. Questions, takedown requests, or corrections: hello@bringes.io.