Privacy Policy
Last updated: April 27, 2026
LISTA is a private workspace for your home and garden projects. Privacy is the product. This policy describes what we collect, why, who we share it with, and what you can do about it.
1. Data controller
The data controller responsible for your personal data is:
OnlineTools Kft.
Szent Donát út 20.
8258 Badacsonytomaj
Hungary
info@lista.house
2. What we collect
We collect only what we need to run the service:
- Account data. Email address, optional display name, and a language preference (en / de / hu).
- Authentication data. Magic-link tokens, passkey credentials (public key only — your private key never leaves your device), session tokens, IP address, user-agent, and timestamps. Required for security and session management.
- Content you create. Locations, projects, notes, chat messages, photos, and documents you upload, plus their metadata (filename, size, MIME type, capture date if present in the file).
- Sharing data. Email addresses of people you invite, the scope and permission you grant them, and access timestamps.
- Audit log. An append-only record of significant actions (creations, edits, share invites, deletions). Visible to you in the History tab. Used for accountability and debugging.
We do not collect tracking data for advertising. We do not run third-party analytics. We do not sell your data.
3. Why we use it
- Run the service. Authenticate you, store your content, deliver shared links — Art. 6(1)(b) GDPR (contract performance).
- Send transactional email. Magic-link sign-in and share invites — Art. 6(1)(b) GDPR.
- Keep things working safely. Logs, abuse prevention, security telemetry — Art. 6(1)(f) GDPR (legitimate interest).
- Comply with the law. Tax records, legal requests, statutory retention — Art. 6(1)(c) GDPR.
4. Subprocessors
The following providers handle data on our behalf. We have data-processing agreements with each. We picked them deliberately to keep data inside the EU where possible.
| Provider | Role | Region |
|---|---|---|
| Vercel Inc. | Application hosting, edge network | EU (Frankfurt) |
| Neon, Inc. | Database (PostgreSQL) | EU (Frankfurt) |
| Cloudflare, Inc. | Object storage (R2) for photos and documents | EU / global edge |
| MailerSend (Mailerlite, UAB) | Transactional email delivery | EU (Lithuania) |
5. Retention
- Account and content: kept while your account is active. When you delete your account, we delete your content within 30 days, except where we are required to retain records for tax or legal reasons.
- Soft-deleted content: notes, projects, and locations you delete from the app are hidden immediately and purged within 30 days.
- Audit log entries: kept for 12 months by default, longer for security investigations.
- Email delivery logs: kept by MailerSend per their policy (typically 30 days).
7. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify data that's inaccurate or incomplete.
- Erase your account and content.
- Restrict processing in specific cases.
- Receive your data in a portable format.
- Object to processing based on legitimate interest.
- Lodge a complaint with a supervisory authority — for users in Hungary, the Hungarian National Authority for Data Protection and Freedom of Information (NAIH, naih.hu); for users elsewhere in the EU/EEA, your local DPA.
To exercise any of these rights, email info@lista.house with the subject line “GDPR”. We respond within 30 days.
8. Changes to this policy
We'll update this page when we change how we handle data. The “Last updated” date at the top reflects the most recent revision. Material changes will be communicated to active users by email.