directree

Privacy Policy

Last updated: July 2026

directree (operated by Henrik Malmkvist, Sweden) is an honest software directory. We take your privacy as seriously as we take honest listings. This policy explains what data we collect, why we collect it, who we share it with, and what rights you have under the General Data Protection Regulation (GDPR) and applicable Swedish law.

1. Who we are

Controller: Henrik Malmkvist, Sweden. Contact us via the contact page.

2. Data we collect and why

2.1 Account data

When you create an account we collect your email address, display name, location (optional), short bio (optional), and avatar image (optional). We use this to provide your account, enable listing submissions, and identify you as a verified listing representative if you choose to claim a tool.

Legal basis: Performance of a contract (account service) and legitimate interest (preventing abuse).

2.2 Listing and community activity

We record tool submissions, votes, bookmarks, comments, and edits you make while logged in. This data is publicly visible as part of the directory's community feature.

2.3 Tool listing data (public websites)

directree crawls publicly accessible software websites to build structured listings. We only process publicly available information (homepage copy, pricing pages, integration lists, screenshots). We do not scrape personal data from those sites.

2.4 AI-inferred fields

We use OpenAI to generate structured descriptions, category suggestions, and "best for" summaries from crawled website content. These fields are always labelled AI-inferredin the UI. The content sent to OpenAI is the crawled public text of a tool's marketing site, not any personal data.

2.5 Usage data and cookies

We use cookies strictly for authentication and session management (provided by Supabase Auth). We do not use advertising cookies or third-party tracking pixels. We may collect anonymised request logs (IP address, browser, page path) on our infrastructure for security and debugging purposes; these are not linked to your account and are retained for a maximum of 30 days.

2.6 Contact form messages

Messages submitted via the contact form (name, email, message text) are delivered to us by email and not stored in a database. We retain them only as long as necessary to respond.

3. Third parties

We do not sell your data. Ever.

4. Data retention

Account data is retained for as long as your account is active. If you delete your account, we delete or anonymise your personal data within 30 days, except where we are required to keep it longer by law (e.g. financial records).

5. International transfers

Our primary data storage is in the EU (Ireland via Supabase). When we use OpenAI, data is transferred to the United States under OpenAI's Standard Contractual Clauses. Vercel operates globally with edge caching; no personal data is stored at edge nodes beyond transient request logs.

6. Your rights (GDPR)

You have the right to:

To exercise any of these rights, use our contact page. We will respond within 30 days.

7. Security

We use industry-standard security measures including TLS encryption in transit, row-level security in Supabase, and minimal access controls. No system is perfectly secure; if you discover a vulnerability please contact us responsibly.

8. Changes to this policy

We may update this policy as the product evolves. When we make material changes we will update the "Last updated" date above. Continued use of directree after changes constitutes acceptance.

9. Contact

For any privacy questions or to exercise your rights, please use our contact page.