The Pain Points Project

Privacy Policy

Last updated: 24 May 2026

This policy explains what personal data The Pain Points Project ("we", "us", "the site") collects, why, what we do with it, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

The Pain Points Project is an independent platform operated from the United Kingdom. We are the data controller for the personal data described in this policy.

For privacy questions, data requests, or complaints: admin@thepainpointsproject.com

2. The principle: we collect only what we need

We don't want your personal data beyond what's strictly required for the site to work. We do not sell data, run advertising, or share it with third parties for marketing.

3. What we collect, and why

a. When you sign in (optional)

Sign-in is only needed to leave comments. If you sign in:

  • Magic link: we collect your email address so we can send you a one-time sign-in link.
  • Google sign-in: Google provides us with your email address and an account identifier. We do not request your profile photo, contacts, or any other Google data.

Lawful basis: performance of a contract (we cannot give you an account or let you comment without it) and our legitimate interest in operating the site securely.

b. When you submit a pain point

We store the content of your submission, the target industry, your collaboration intent, any optional tags, and the timestamp. You do not need to sign in to submit a pain point — anonymous submissions are tied to an anonymous session, not to you personally. If you choose to include personal data in the pain-point text itself (for example, your name in a description), that data becomes part of the public record once approved.

Lawful basis: our legitimate interest in building a public database of real-world problems, balanced against your right not to over-share. Don't put confidential or identifying information in submissions.

c. When you leave a comment

We store the comment body, your account identifier, the email address associated with your account (used internally to verify admin status), and the timestamp. The email address is not shown publicly on your comments — visitors see only your display name.

You can delete any of your own comments at any time. Deleting a top-level comment also removes its reply thread.

d. Your display name (username)

On your first sign-in we generate a random, friendly username for you (something like swift-fox-742) so your comments aren't tied to your email. You can change it any time on the Settings page. Names are public, must be unique (case-insensitive), and a small set of reserved words (such as anything containing "admin", "moderator", or the project name) are blocked to prevent impersonation. We reserve the right to remove any display name we consider misleading or offensive.

e. When you contact us

The Contact form collects your email address and the message you write so we can reply. We hold these messages for up to 12 months and then delete them, unless an ongoing conversation requires keeping them longer.

Lawful basis: our legitimate interest in answering enquiries.

f. Technical and server logs

Our hosting provider and Supabase keep short-lived logs containing IP addresses, browser/user-agent strings, and request paths. These are used for security and debugging and are typically retained for 14–30 days at the infrastructure layer.

g. Vercel

We use Vercel Web Analytics to monitor general, aggregated traffic on our platform (such as page views, device types, and country locations) so we can improve the user experience. This tool is cookie-free and does not collect or store any Personally Identifiable Information (PII) except for email addresses. Any data processed to calculate unique visitors is instantly anonymised. We cannot track your personal identity, search history, or activity across other websites.

4. Cookies

We use the minimum cookies needed to make the site work:

  • Supabase authentication cookies — set only when you sign in. These keep you signed in across pages and are essential to the service.

We don't use analytics cookies, tracking pixels, or third-party advertising cookies. Because we only use strictly necessary cookies, no consent banner is required under the PECR rules.

5. Who processes your data on our behalf

We rely on a small number of trusted service providers ("processors") to run the site. Each is bound by a data-processing agreement and processes data only on our instructions:

  • Supabase — database, authentication, and storage. Our project is hosted in the European Union. See supabase.com/privacy.
  • Google — only if you choose Google sign-in. Google receives a sign-in request and returns your email + account ID. See policies.google.com/privacy.
  • Our hosting provider — serves the site and handles DDoS/HTTPS termination.

Registering interest in a post. Signed-in users can click "I'm interested in collaborating!" on any pain point. We store one row per (user, post) pair recording your account ID and a timestamp — no other personal data. The post's author can see how many people have registered and when, and on the first click they receive a single email notification at the email address tied to their account. We send at most one email per post regardless of how many people click. Anonymous users can't register interest (no account = no way to enforce click-once). The email is sent via our SMTP provider Resend; see the processors list above.

Matrix (for collaboration chat) is separate. The "Open the project space" button on any pain point opens our single shared Matrix Space (a container for chat rooms) on Matrix.org — an independent open-source chat network — in a new tab. We don't share your email, name, or any activity from this site with Matrix or with anyone in the chat room. If you choose to create a Matrix account to chat, your relationship is with Matrix and the homeserver you use (e.g. matrix.org). Your participation there is governed by their privacy policy and the terms of whichever Matrix client (e.g. Element) you choose. The Pain Points Project does not record who clicked the button or who joined the room.

6. Where your data lives

Our database is hosted in the European Union. We deliberately chose an EU region to keep your data within the EEA. If you sign in with Google, your sign-in handshake is processed by Google's global infrastructure under the appropriate data-transfer safeguards.

7. How long we keep things

  • Account email & sign-in records: until you ask us to delete them, or you delete your account.
  • Approved pain-point submissions: indefinitely, because they're part of the public database. If you want yours removed, email us.
  • Comments: until you (or we) delete them, or your account is deleted.
  • Contact form messages: up to 12 months.
  • Server logs: 14–30 days.

8. Your rights

Under UK GDPR you have the right to:

  • Be told what personal data we hold about you (Subject Access Request).
  • Have inaccurate data corrected.
  • Ask us to erase your data ("right to be forgotten") — subject to a few legal exceptions.
  • Restrict or object to certain uses of your data.
  • Receive a copy of your data in a portable format.
  • Withdraw consent (where consent is the lawful basis) at any time.

To exercise any of these rights, email admin@thepainpointsproject.com. We aim to respond within one month.

9. Children

The site is intended for users aged 13 and over. We do not knowingly collect personal data from anyone under 13. If you believe a child has provided us with their information, contact us and we'll delete it.

10. Security

We use HTTPS for all connections, do not store passwords anywhere (sign-in is via magic link or Google), and rely on Supabase's encryption-at-rest. No system is perfectly secure — if you suspect a breach has affected your data, contact us immediately.

11. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top will reflect any change. Significant changes will be highlighted on the site.

12. Complaints

If you're unhappy with how we've handled your data, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. We'd appreciate it if you contacted us first so we can try to resolve it.

By using The Pain Points Project you acknowledge that you've read this policy. See also our Terms of Use.