Privacy Policy
Last updated: July 2026
directree (operated by Henrik Malmkvist, Sweden) is an honest software directory. We take your privacy as seriously as we take honest listings. This policy explains what data we collect, why we collect it, who we share it with, and what rights you have under the General Data Protection Regulation (GDPR) and applicable Swedish law.
1. Who we are
Controller: Henrik Malmkvist, Sweden. Contact us via the contact page.
2. Data we collect and why
2.1 Account data
When you create an account we collect your email address, display name, location (optional), short bio (optional), and avatar image (optional). We use this to provide your account, enable listing submissions, and identify you as a verified listing representative if you choose to claim a tool.
Legal basis: Performance of a contract (account service) and legitimate interest (preventing abuse).
2.2 Listing and community activity
We record tool submissions, votes, bookmarks, comments, and edits you make while logged in. This data is publicly visible as part of the directory's community feature.
2.3 Tool listing data (public websites)
directree crawls publicly accessible software websites to build structured listings. We only process publicly available information (homepage copy, pricing pages, integration lists, screenshots). We do not scrape personal data from those sites.
2.4 AI-inferred fields
We use OpenAI to generate structured descriptions, category suggestions, and "best for" summaries from crawled website content. These fields are always labelled AI-inferredin the UI. The content sent to OpenAI is the crawled public text of a tool's marketing site, not any personal data.
2.5 Usage data and cookies
We use cookies strictly for authentication and session management (provided by Supabase Auth). We do not use advertising cookies or third-party tracking pixels. We may collect anonymised request logs (IP address, browser, page path) on our infrastructure for security and debugging purposes; these are not linked to your account and are retained for a maximum of 30 days.
2.6 Contact form messages
Messages submitted via the contact form (name, email, message text) are delivered to us by email and not stored in a database. We retain them only as long as necessary to respond.
3. Third parties
- Supabase (supabase.com) – our database and authentication provider. Data is stored in EU-West-1 (Ireland). Supabase is GDPR-compliant and a data processor under a DPA.
- Vercel (vercel.com) – hosting and edge functions. Vercel processes request logs on our behalf.
- OpenAI (openai.com) – used to infer structured listing fields from crawled public website text. We do not send personal user data to OpenAI.
- one.com – our email provider for outbound transactional and contact messages.
We do not sell your data. Ever.
4. Data retention
Account data is retained for as long as your account is active. If you delete your account, we delete or anonymise your personal data within 30 days, except where we are required to keep it longer by law (e.g. financial records).
5. International transfers
Our primary data storage is in the EU (Ireland via Supabase). When we use OpenAI, data is transferred to the United States under OpenAI's Standard Contractual Clauses. Vercel operates globally with edge caching; no personal data is stored at edge nodes beyond transient request logs.
6. Your rights (GDPR)
You have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Eraseyour data ("right to be forgotten") where no overriding legal basis applies
- Export a copy of your data in a machine-readable format (data portability)
- Restrict processing in certain circumstances
- Object to processing based on legitimate interest
- Lodge a complaint with the Swedish Authority for Privacy Protection (IMY, imy.se) if you believe we have processed your data unlawfully
To exercise any of these rights, use our contact page. We will respond within 30 days.
7. Security
We use industry-standard security measures including TLS encryption in transit, row-level security in Supabase, and minimal access controls. No system is perfectly secure; if you discover a vulnerability please contact us responsibly.
8. Changes to this policy
We may update this policy as the product evolves. When we make material changes we will update the "Last updated" date above. Continued use of directree after changes constitutes acceptance.
9. Contact
For any privacy questions or to exercise your rights, please use our contact page.