~/ § LEGAL Privacy Policy

Privacy Policy

· 5 min read · English

BoomBigNose collects only the data we need to run the service, never sells it, and hosts it on Supabase with row-level security. This page explains exactly what we collect, why, and the rights you have over it.

1. What we collect

When you use BoomBigNose Learn or related BoomBigNose surfaces, we collect a narrow set of data:

  • From Google Sign-In: your email address, display name, profile picture URL, and your Google account ID (the OpenID Connect sub claim).
  • From LINE Sign-In: your LINE user ID, display name, and profile picture.
  • Account metadata: signup date, last login timestamp, and the IP address used at sign-in (for security auditing only).
  • Service usage inside BoomBigNose Learn: pages visited within the app, learning sessions, goals you set, and skills the system detects from your activity.

We do not collect your contacts, your Google Drive files, your Gmail messages, your YouTube watch history, or any Google data beyond the basic identity scopes (openid, email, profile).

2. Why we collect each data point

  • Email + Google/LINE user ID — to identify your account across sessions and let you sign back in.
  • Display name + profile picture — to personalize your dashboard so it feels like your space, not a generic UI.
  • Signup date, last login, IP address — to detect suspicious activity (credential stuffing, account takeover) and keep your account safe.
  • Learning sessions, goals, detected skills — the actual product: BoomBigNose Learn shows you what you've studied, what you're aiming for, and what you've gotten better at over time. This data only exists so the tracker can do its job for you.

Your Google sign-in data is used only to authenticate you and personalize your dashboard with your name and avatar. It is not sold, not used for advertising, and not shared for marketing. We never receive your Google password — OAuth returns identity tokens, not credentials.

3. How we use Google user data — Limited Use compliance

BoomBigNose's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We use Google user data only to provide and improve user-facing features of BoomBigNose Learn that are prominent in the app (sign-in, your dashboard, your profile).
  • We do not transfer Google user data to third parties except as necessary to provide the service (e.g., hosting on Supabase), for security purposes, or to comply with applicable law.
  • We do not use Google user data to serve advertisements, and we do not share it with any party for ad targeting.
  • We do not use Google user data to develop, improve, or train generalized or non-personalized AI or machine learning models.
  • We do not allow humans to read Google user data, except: (a) with your explicit consent, (b) for security purposes such as investigating abuse, (c) when required by law, or (d) when the data has been aggregated and anonymized for internal operations.

4. Legal basis (PDPA + GDPR)

If you live in Thailand, the Personal Data Protection Act B.E. 2562 (2019) (PDPA) applies. If you live in the European Union or the EEA, the General Data Protection Regulation (GDPR) applies. We rely on the following legal bases:

  • Consent — when you click "Sign in with Google" or "Sign in with LINE", you consent to the identity data being shared with us.
  • Contract necessity — we need your email and user ID to actually run the service you signed up for.
  • Legitimate interest — for security and anti-abuse (e.g., logging the IP used at sign-in to detect account takeover).

5. Where your data is stored

All account data lives in a managed Supabase Postgres database in the Sydney, Australia (ap-southeast-2) region. Specifically:

  • Each user row is protected by Row-Level Security (RLS) policies — by default no other user can read your data.
  • If we ever issue an email/password credential, the password is hashed by Supabase Auth using bcrypt; the plaintext is never stored.
  • Database backups are encrypted at rest.
  • Connections to the database use TLS in transit.

6. Sharing with third parties

We don't sell your data, and we don't share profile data with advertisers. The only third parties that process your data are the data processors and sub-processors below:

7. Cookies and session storage

Supabase Auth uses HTTP-only cookies and browser localStorage to keep you signed in across page loads. We do not run third-party ad tracking, fingerprinting, or marketing pixels on the site today.

If we ever add product analytics (for example, Google Analytics 4 or Plausible), we will update this policy and bump the effective date before turning the analytics on.

8. Your rights

Under PDPA and GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct anything that's wrong.
  • Deletion ("right to be forgotten") — ask us to delete your account and associated data.
  • Portability / export — request your data in a machine-readable format.
  • Withdraw consent — at any time, with future effect.
  • Restrict processing — pause our use of your data while a question is being resolved.
  • Object — to any processing based on legitimate interest.

In addition, because Google is your identity provider, you can revoke our access to your Google account at any time at myaccount.google.com/permissions. Revoking access there will sign you out of BoomBigNose Learn on the next request. You can also delete your BoomBigNose Learn account from within the app.

9. Data retention

  • Active accounts: kept for as long as you keep using the service.
  • Deleted accounts: primary records are purged from the live database within 30 days of your deletion request.
  • Backups: any references to your data are purged from rolling encrypted backups within 90 days.
  • Security audit logs (sign-in IPs, sign-in timestamps): kept for up to 1 year for abuse investigation, then automatically deleted.

10. International transfers

Because our Supabase region is Sydney, Australia, your data physically leaves Thailand the moment you create an account. We rely on Supabase's standard contractual clauses and security commitments to keep that transfer lawful under PDPA. PDPA continues to apply to your data regardless of where it is stored.

11. Security

  • All connections to the site and to Supabase use TLS in transit.
  • Data is encrypted at rest in the managed database and in backups.
  • Row-Level Security policies enforce per-user isolation at the database layer — your row is invisible to other users by default.
  • We follow least privilege for service keys. The Supabase service_role key is never shipped to the browser; it's only used from server-side edge functions.
  • OAuth tokens are stored server-side or in HTTP-only cookies — never in JavaScript-readable storage.

12. Children's privacy

BoomBigNose Learn is intended for users 13 years of age or older. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has signed up, please email contact@boombignose.org and we will delete the account.

13. Changes to this policy

If we make material changes to this policy, we will update this page, bump the effective date at the top, and notify active users by email. Minor wording or formatting changes may happen without a separate notice.

14. Contact

BoomBigNose is operated by Vittawat Sootawee (วิทวัส สุดทวี), based in Bangkok, Thailand. For any privacy question — including PDPA data subject requests — please reach out at: