Hyllah

Privacy Policy

Last updated: 12 May 2026 · Effective: 12 May 2026

Hyllah is built to be a quiet, private home for your music collection. We take the privacy of your data seriously, both because we care and because we're legally required to under Norwegian and EU law (GDPR).

This page explains exactly what we collect, why, how long we keep it, and what your rights are. No legalese, just plain English.

Who we are

Hyllah is operated by Frederik Flakne, an individual based in Norway. Contact: [email protected]

Under GDPR, we are the data controller for personal information you provide when you sign up and use the service.

What we collect

Account data

When you sign up, we store:

  • Your email address (required, used for magic-link login)
  • Your username, display name, bio, and avatar (optional, only if you provide them)
  • Your account creation date and last sign-in time

Collection data

Anything you add about your music collection, including:

  • Record metadata (artist, title, year, label, format, condition)
  • Personal notes, tags, and custom fields
  • Purchase prices and personal valuations
  • Tracklists and cover art images you upload

All of this is private by default. Nothing in your collection is visible to anyone else unless you explicitly opt to make your profile public.

Technical data

  • IP address (used briefly for security — preventing abuse — then discarded; we do not log IPs persistently)
  • Anonymous page-visit statistics via Umami analytics (no cookies, no fingerprinting, no personal identifiers)
  • Standard server logs (access times, error logs) — retained for 30 days for debugging

What we don't collect

  • Passwords — we use magic-link login, so we never store passwords
  • Payment information — the service is free; if you tip via PayPal, that transaction is between you and PayPal
  • Tracking cookies or advertising identifiers
  • Location data beyond what your IP roughly suggests
  • Anything from third-party platforms (Spotify, Discogs profile, etc.)

Where your data lives

All personal data is stored on servers in the European Union (Zürich, Germany), operated by Supabase Inc. as our data processor. Cover-art images are stored in the same region. We do not transfer data outside the EEA.

Email is sent through Resend, also EU-hosted. Analytics run on Umami's EU cloud. The website itself is served via Cloudflare's global CDN, but no personal data is cached there.

How long we keep your data

  • Your account and collection: as long as your account exists
  • Server access logs: 30 days
  • Anonymous analytics: indefinitely (no personal data)
  • Deleted accounts: all personal data permanently erased within 30 days

Your rights under GDPR

You have the right to:

  • Access a copy of all personal data we hold about you
  • Correct any inaccurate data (most of this you can do yourself in your account settings)
  • Delete your account and all associated data ("right to be forgotten")
  • Export your collection data in a portable format (JSON)
  • Object to specific processing activities
  • Lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no

See the GDPR page for instructions on how to exercise these rights, or just email [email protected].

Third parties we use

The following services help us operate Hyllah:

  • Supabase (EU) — database and authentication
  • Cloudflare (global CDN) — website hosting and DNS
  • Resend (EU) — sending login emails
  • Umami (EU) — anonymous analytics
  • PayPal (EU, optional) — only if you choose to use the tip jar

Each of these has its own privacy policy and is a GDPR-compliant data processor. We do not share your data with any third party for marketing, advertising, or any purpose other than running the service.

Public profiles (optional)

If you choose to make your profile public, the following becomes visible at hyllah.com/u/your-username:

  • Your username, display name, bio, and avatar (if you set them)
  • Records and collections you mark as public
  • Pricing information, only if you also enable that toggle

Your email address is never shown publicly. You can revoke public visibility at any time in your account settings.

Cookies

We use only essential cookies required for authentication (your login session). We do not use tracking cookies, advertising cookies, or analytics cookies. This is why you don't see a cookie banner — there's nothing to consent to beyond the functional login cookie, which is exempt from consent requirements under EU law.

Children

Hyllah is not directed at children under 16. If you are under 16, please don't sign up without your parent or guardian's permission.

Changes to this policy

If we materially change how we handle your data, we'll update this page and notify active users by email. The "Last updated" date at the top reflects the most recent revision.

Contact

Questions, requests, complaints: [email protected]