Handpicked

Privacy Policy

Handpicked Privacy Policy

Effective date: January 22, 2026

This Privacy Policy explains how TERA POWER LLC ("we") collects, uses, and shares information when you use handpicked.you and the Handpicked Service.

1. Summary of key points

You can use Handpicked without an account.

Accounts are 18+ only. Users under 18 may use the Service anonymously.

We use Supabase for authentication/database, Vercel for hosting/logs, Resend for email, and PostHog for analytics/error tracking.

If you accept cookies, PostHog may use cookies/localStorage for cross-session analytics. If you reject cookies, PostHog runs in memory mode (no cookies or localStorage persistence).

We do not sell personal information and do not share it for cross-site targeted advertising at this time.

We voluntarily honor Global Privacy Control (GPC) and Do Not Track (DNT) signals as described below.

2. Information we collect

2.1 Information you provide

Account information (18+ only):

- Email address (used for login and account communication)

- Email verification status

Support communications:

- If you email us, we receive the contents of your message and your email address.

2.2 Information collected automatically

Device and usage data (via logs and analytics):

- IP address (e.g., server/CDN logs; sometimes in analytics)

- Device and browser information (user agent)

- Timestamps

- Error/diagnostic data (including client/server errors)

Coarse location:

- We may infer general location (e.g., country/region) from IP address.

2.3 Bouquet content data

We do not store your bouquet image output on our servers as part of the sharing flow. You export/download the image locally and share it via your device.

3. How we use information

We use information to:

- Provide and operate the Service (authentication, security, core functionality)

- Send transactional emails (verification, account notices)

- Provide support and respond to inquiries

- Monitor reliability and diagnose issues (error tracking)

- Understand usage at a high level to improve the Service (analytics)

4. Analytics and identifiers (PostHog)

4.1 Cookie consent modes

- If you accept cookies: PostHog may use cookies and localStorage for cross-session analytics.

- If you reject cookies: PostHog runs in memory mode (no cookies; no localStorage persistence; identifiers reset when the session ends).

4.2 Anonymous users and minors

For users who are not logged in (including users under 18), we limit analytics to non-identifying, non-persistent measurement. We do not intentionally use persistent identifiers (cookies/localStorage) for those users when cookies are rejected, and we avoid identifying those users by email.

4.3 Logged-in users (18+)

If you are logged in, we may associate analytics/events with your account. We identify your account to PostHog using a non-email identifier (your internal user ID) and we aim to minimize sensitive fields in analytics while ensuring URL/token sanitization (see below).

4.4 URL query parameters and marketing attribution

We may collect marketing attribution parameters (such as UTM parameters). We aim to avoid collecting sensitive tokens in analytics. We will:

- allowlist common campaign parameters (e.g., utm_*, gclid), and

- avoid capturing authentication/verification tokens in URLs sent to analytics (for example, by cleaning URLs on sensitive auth callback routes before analytics runs).

5. Cookies and similar technologies

We use cookies and similar technologies for:

- functionality (where needed)

- analytics (subject to your consent choices)

See the Cookie Policy below for details.

6. How we share information

We share information with service providers that help us run the Service:

- Vercel (hosting, CDN, logs)

- Supabase (authentication, database, storage)

- Resend (email delivery)

- PostHog (Cloud - USA region) (analytics and error tracking)

We may also share information:

- to comply with law or respond to lawful requests

- to protect rights, safety, and security (e.g., investigate fraud/abuse)

- as part of a business transfer (e.g., merger, acquisition), with appropriate safeguards

7. Data retention

We retain information only as long as necessary for the purposes described above, unless a longer retention period is required or permitted by law.

General guidance:

- Account email: retained while the account exists; deletion upon request (subject to backups and legal/security needs)

- Support emails: retained as needed to handle the request and for recordkeeping

- Logs/analytics: retained for operational and security purposes; durations may vary by system and provider settings

8. Your choices and rights

8.1 Cookie choices

Use the cookie banner to accept or reject cookies. You can also clear cookies in your browser.

8.2 Global Privacy Control and Do Not Track

We honor GPC and DNT signals as follows:

- If we detect a GPC/DNT signal, we will treat it as a request to opt out of analytics cookies where feasible and will apply a more privacy-protective mode (for example, memory-only analytics) even if you have not otherwise accepted cookies.

8.3 Requests about your data (DSARs)

You can request access, correction, or deletion of your account information by emailing support@myoberry.com.

We will respond within the time required by applicable law. For example, California guidance indicates businesses generally respond within 45 days, extendable by another 45 days with notice in some cases.

8.4 California (CCPA/CPRA) disclosures (best-practice)

We do not sell personal information and do not share it for cross-context behavioral advertising at this time. If we begin selling or sharing as defined by applicable law, we will update this Policy and provide appropriate opt-out mechanisms (including honoring GPC where applicable).

8.5 India (DPDP) best-practice

If you are in India, you may have rights under applicable law (such as access and correction). We provide email-based support at support@myoberry.com for such requests.

9. Children's privacy

The Service is available for anonymous use, including by users under 18. However:

- Users under 18 may not create accounts or purchase paid content.

- If we learn an account belongs to a user under 18, we may suspend/terminate it.

- We aim to limit analytics for users who are not logged in to non-persistent, non-identifying measurements.

If you are a parent/guardian and believe a child has provided account information to us, contact support@myoberry.com.

10. International users

We are based in the United States and use service providers that may process data in the United States and other countries. Where required, we will rely on appropriate safeguards for cross-border transfers through our vendors' standard contractual and security measures.

11. Security

We use reasonable administrative, technical, and organizational measures to protect information, including HTTPS in transit, access controls, least-privilege practices, monitoring, and backups. No method of transmission or storage is 100% secure.

12. Changes to this Privacy Policy

We may update this Policy. If changes are material, we will notify account holders by email and update the policy page.

13. Contact

Email: support@myoberry.com

Notice address (Registered Agent):

NORTHWEST REGISTERED AGENT LLC, 418 BROADWAY, STE N, ALBANY, NY 12207, USA