Privacy Policy

Last updated 2026-06-01. This policy describes what data Crema collects, where it's stored, and your rights.

The short version

Crema runs almost entirely in your browser. We don't sell your data, we don't show ads, and we don't have a tracking pixel network. The only personal data we store on a server is your email address (if you choose to sign in) and your synced preferences.

What we collect when you use Crema anonymously

• Browser local storage on your device — your preferences (theme, font, layout order, bookmarks, calendar URL, location override, stock tickers, etc.). This never leaves your device.
• Approximate location — used by the Weather card to fetch your local forecast. We use your browser's geolocation API (with your permission) or fall back to your IP-based location via ipapi.co. Coordinates are cached in your browser; we do not transmit them to our servers.
• Vercel Analytics — privacy-friendly, cookieless page-view counts and Web Vitals. No personal identifiers, no cross-site tracking. See Vercel's analytics privacy notes.

What we collect when you sign in (optional)

• Email address — used only for sign-in (magic link / one-time code) and to identify your account. We never send marketing email.
• Your synced settings — the same preferences listed above, stored as a single JSON blob in a Postgres database hosted by Supabase, so they follow you across devices.

Sign-in is powered by Supabase (Auth + Postgres) under their privacy policy. Row-Level Security policies ensure each user can only read or modify their own settings row.

Third-party services Crema calls on your behalf

To render the cards, Crema fetches data from these services. Some calls are made directly from your browser (so the third party sees your IP), others go through our serverless proxies (so we see the request, but cache it). None of these services receive personal info beyond what's needed to fulfill the request.

• Weather — Open-Meteo (worldwide), US National Weather Service (US fallback)
• Photo of the Day — NASA APOD, Wikimedia Commons, Bing
• News & feeds — rss2json for RSS parsing; the underlying feeds come from publishers (AP, Reuters, NPR, etc.)
• Sports — ESPN
• On This Day — Wikimedia
• Trending — Reddit, Wikipedia
• Calendar — your provided iCal URL plus a US holiday calendar
• Reverse geocoding — bigdatacloud.net (to convert lat/lon to a city name)
• Fonts — Google Fonts (request includes your IP and User-Agent per Google's CDN)

How long we keep your data

• Browser local storage — until you clear it or uninstall the PWA.
• Account + synced settings — until you delete your account in Settings → Account → Delete account. Deletion is immediate and permanent.
• Server logs — Vercel retains short-lived request logs (typically 1 hour to a few days). We don't aggregate or analyze them beyond debugging.

Your rights

• Access — your settings are visible in the Settings panel and stored in plain JSON in our database.
• Correction — change any setting in the Settings panel.
• Deletion — click Delete account in the Account section of Settings, or email the address below. Deletion removes your email, your password (none — we use magic links), and your synced settings row. Cannot be undone.
• Portability — your settings are available as a single JSON blob via the Supabase row; contact us for an export.
• Anonymous use — you can use Crema entirely without an account; in that case we hold no personal data about you.

Cookies

Crema doesn't set tracking cookies. Sign-in uses a Supabase auth session stored in your browser's local storage (not a cookie). Vercel Analytics is cookieless.

Children

Crema isn't directed at children under 13. We don't knowingly collect data from them.

Changes to this policy

If we make material changes, we'll update the date above and surface a notice in the "What's New" popup on your next visit.

Contact

Questions or requests: hello@crema.today.

← Back to Crema