PickChillBack

Privacy

Last updated 12 July 2026

The short version

PickChill is built to hold the things you are not ready to say out loud. So what you are deciding between stays yours: your decision titles and your option labels are never collected, never analysed, and never used to build a profile of you. We measure how the app is used - counts and clicks - not what you put in it. There is no advertising, no tracking across other sites, and nothing is ever sold.

What we store

Your account. Your email address, your display name, and - if you sign in with Google - the avatar picture Google gives us. If you signed up with a password, we store it hashed (bcrypt), never as text. We also keep the date you joined and the date you last signed in.

Your decisions. The title and description you give a decision, the options you put in it, and every pick you make between them. We keep the picks because they are what lets you replay a decision, undo a step, and see how you reached your top pick. This content is stored so that you can come back to it - it is visible to you, and not to anyone else, unless you choose to share it.

When you share. If you turn on a share link or send someone a decision to compare, that decision becomes readable by anyone holding the link - that is what the link is for. The shared copy is stripped down first: it never carries your account id or your other decisions. You can turn a link off at any time.

When someone picks for you. If a friend follows your compare link, we store the name they type in and the single option they picked. They stay anonymous otherwise - no account, no email, no tracking.

The demo stays on your device. Anything you do in the demo at /demo lives in your browser's local storage and is never sent to us - unless you create an account, at which point we offer to bring those decisions with you.

Analytics - what we measure, and what we never measure

We use PostHog to understand how people use PickChill: which features get used, where people get stuck, whether the demo leads anywhere. Our PostHog project runs on PostHog EU Cloud, so the data stays in the European Union.

We record a fixed, short list of events. That list is:

  • You opened the demo
  • A decision was created, and how many options it had
  • A pick was made, which round it was in, and whether the tie-helper was used
  • A decision was completed, with the number of options and picks it took
  • A feature was used - export, a compare link, a reminder
  • An account was created, and whether by email or Google

Every one of those carries only counts, yes/no flags and fixed labels- a number of options, a round number, the word "png" or "pdf". That is enforced in our code: an event that tried to carry your text would not build.

What we deliberately do not do:

  • No session recording. We do not replay your screen. Ever.
  • No autocapture. Many analytics setups hoover up the text of everything you click. That would scrape your option labels straight off the page, so it is switched off - both in the code and on the PostHog project itself.
  • No decision content. Titles, descriptions and option labels never leave your device for our analytics.
  • No advertising networks, no data brokers, no cross-site tracking.

There are two modes, depending on whether you are signed in:

  • Signed out - analytics runs in cookieless mode. It writes nothing at all to your device: no cookie, no id, nothing to carry you between visits.
  • Signed in - we already know who you are from your session cookie, so events are attached to your account id. Even then, analytics stores nothing on your device; the id is handed to it fresh on each page load and forgotten when you close the tab.

Cookies and device storage

We only set cookies that the app cannot work without. There are no advertising cookies, no analytics cookies and no third-party trackers - which is why you have not been asked to accept any.

authjs.session-token
Keeps you signed in. It is a signed token holding your user id, name, email and avatar - nothing else. Cleared when you sign out.
authjs.csrf-token
Protects sign-in and sign-up forms against cross-site request forgery, so nobody else can submit them on your behalf.
authjs.callback-url
Remembers where to send you back to after you sign in.
pc_new_signup
Set for 120 seconds right after you create an account, so we can welcome you and bring across any decisions you made in the demo. Expires on its own.
pc_demo_reset
Set when you sign out, so the demo starts clean for the next person on this device. Read once, then cleared.
pc_responder
Only if someone sends you a decision to compare. It keeps your run tied to your own browser so you can finish it, and stops the link being used twice. It is not an account and does not identify you.

On a secure connection your browser will show the first three with a __Secure- prefix. That is the same cookie, locked to HTTPS.

We also use your browser's local storage for two things that never reach our servers: the demo's decisions, and a note of whether you last signed in with Google or with email, so we can point you at the right button next time.

Email

We email you only when you ask us to: a password reset link when you request one, and a reminder about a decision when you set one. There is no marketing email and no newsletter. Reset links expire after an hour.

Who else touches your data

We keep this list short on purpose. Each of these is a service PickChill runs on - none of them is given your data for their own purposes:

  • Vercel - hosting and serving the app.
  • Neon - the database your account and decisions live in.
  • Upstash - short-lived cache and rate-limiting.
  • Resend - sending the password-reset and reminder emails.
  • PostHog (EU Cloud) - the analytics described above.
  • Google - only if you choose to sign in with Google. We ask Google for your email address, name and avatar, nothing more.

How long we keep things

Your account and your decisions are kept until you delete them. A deleted decision is recoverable for 30 minutes (that is what the Undo is), and then it is gone. Analytics events are kept by PostHog under their standard retention.

Deleting your data

You can delete any decision from the app at any time. You can delete your whole account from your profile page. That removes your account and everything attached to it - your decisions, your options, your picks, your share links - immediately and for good. There is no soft-delete and no grace period, so please be sure.

If you are in the UK or the EU, you also have the right to ask for a copy of your data, to have it corrected, or to object to how we use it. Email us and we will sort it out.

Security

Passwords are hashed with bcrypt. Password-reset links are stored hashed, so even we cannot read them. Traffic is served over HTTPS only, and every request for a decision is re-checked against its owner before anything is returned.

Changes to this policy

If we change what we collect, we will change this page and update the date at the top. If we ever want to store something on your device that is not strictly necessary, we will ask you first - properly, with a real choice.

Contact

Questions, requests, or something here that does not look right: privacy@pickchill.com.