Effective Date: March 7, 2026
This Privacy Policy explains how LitList ("we," "us," or "our") collects, uses, discloses, and protects personal information when you use the LitList mobile application ("App"). By downloading or using the App, you agree to the practices described in this Policy.
We are committed to protecting your privacy and complying with applicable privacy laws worldwide, including Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union and United Kingdom General Data Protection Regulation (GDPR/UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and Australia's Privacy Act 1988 and Australian Privacy Principles (APPs). If you do not agree with this Policy, please do not use the App.
1. Who We Are
LitList is the data controller responsible for your personal information. We are based in Ontario, Canada.
Contact: privacy@litlist.ca
Support: support@litlist.ca
Website: https://litlist.ca
2. Information We Collect
We collect only the information necessary to provide and improve the App.
2.1 Information You Provide Directly
- Account registration: name, email address, password
- Profile details: reading goal, favourite genres, preferred book format, avatar, bio, country
- Reading data: books added, page counts, reading sessions, journal entries, ratings, quotes
- Family shelf data: children's names/ages and their associated book lists (stored locally on your device or linked to your account)
- Communications: feedback, bug reports, or support messages you send us
2.2 Information Collected Automatically
- Usage data: features used, screens visited, session duration
- Device information: device type, operating system version, app version
- Crash reports and diagnostic data (used solely for app improvement)
- Reading streak and habit statistics derived from your usage
2.3 Information from Third Parties
- Google Books API: book metadata (title, author, cover image, description, page count, genre) fetched when you search for or add books. No personal information about you is shared with Google Books during this process.
- Supabase (database provider): hosts your account data and syncs it across your devices. Supabase processes data on our behalf under a Data Processing Agreement.
- Anthropic API: when you use the AI Recommendations feature, an anonymised taste profile (your genres, ratings, and reading history without your name or email) is sent to generate personalised suggestions. No personally identifiable information is transmitted.
- Goodreads CSV import: if you choose to import a Goodreads export, your CSV file is processed locally on your device and the data is imported directly into your account. We do not retain the raw CSV file.
3. How We Use Your Information
We use your information for the following purposes:
- To create and manage your account
- To provide core app functionality: book tracking, reading timer, journal, streaks, and statistics
- To generate AI-powered book recommendations based on your reading history
- To enable family shelf features, including tracking children's reading
- To sync your data across devices via our cloud infrastructure
- To send notifications you have opted into (e.g., streak reminders, reading goals) — you can disable these at any time in your device settings
- To respond to support requests and feedback
- To analyse aggregate, anonymised usage trends to improve the App
- To detect and prevent fraud, abuse, or security incidents
- To comply with legal obligations
4. Legal Bases for Processing (GDPR / UK GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we rely on the following legal bases under GDPR/UK GDPR:
- Contract performance (Article 6(1)(b)): processing necessary to provide the App services you have requested
- Legitimate interests (Article 6(1)(f)): improving app performance, preventing fraud, and ensuring security — balanced against your rights
- Consent (Article 6(1)(a)): for optional features such as push notifications and AI recommendations, which you may withdraw at any time
- Legal obligation (Article 6(1)(c)): where processing is required by applicable law
5. Sharing Your Information
We do not sell your personal information. We may share your information only in the following circumstances:
5.1 Service Providers
We engage trusted third-party providers who process data on our behalf under contractual obligations consistent with this Policy:
- Supabase Inc. — database hosting and authentication (United States)
- Anthropic PBC — AI recommendation processing (United States)
- Google LLC — book metadata via Google Books API (United States)
- Apple Inc. — app distribution and in-app purchase processing (United States)
5.2 Legal Requirements
We may disclose your information if required by law, regulation, court order, or governmental authority, or if necessary to protect the rights, property, or safety of LitList, our users, or others.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change and your rights in that regard.
5.4 With Your Consent
We may share information in other ways if you have explicitly consented.
6. International Data Transfers
Your data may be transferred to and processed in countries outside your home country, including the United States and Canada. Where we transfer personal data from the EEA, UK, or other jurisdictions with transfer restrictions, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreements (IDTAs), where applicable
- Adequacy decisions where recognised by the relevant authority
For transfers from Australia, we take reasonable steps to ensure overseas recipients handle your data consistently with the Australian Privacy Principles.
7. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal information:
7.1 All Users
- Right to access: request a copy of the personal information we hold about you
- Right to correction: request that we correct inaccurate or incomplete information
- Right to deletion: request that we delete your account and associated data. You can do this directly in the App via Profile → Delete Account, or by emailing privacy@litlist.ca
- Right to withdraw consent: for any processing based on consent (e.g., notifications, AI recommendations), you may withdraw at any time without affecting prior processing
7.2 EEA and UK Users (GDPR / UK GDPR)
- Right to data portability: receive your data in a structured, machine-readable format
- Right to restriction of processing: request that we limit how we use your data in certain circumstances
- Right to object: object to processing based on legitimate interests
- Right to lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority within the EEA, or the ICO in the UK)
7.3 California Residents (CCPA / CPRA)
California residents have the following additional rights:
- Right to know: the categories and specific pieces of personal information we have collected about you, and how we use and share it
- Right to delete: request deletion of your personal information, subject to certain exceptions
- Right to opt out of sale or sharing: we do not sell or share your personal information for cross-context behavioural advertising
- Right to correct: request correction of inaccurate personal information
- Right to limit use of sensitive personal information: we do not use sensitive personal information for purposes beyond those permitted by the CPRA
- Right to non-discrimination: we will not discriminate against you for exercising your rights
To exercise your CCPA rights, contact us at privacy@litlist.ca or use the in-app account deletion feature.
7.4 Australian Users (Privacy Act 1988 / APPs)
- Right to access and correction of personal information held about you
- Right to make a complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au
- Right to opt out of direct marketing (we do not engage in direct marketing)
To exercise any of your rights, contact privacy@litlist.ca. We will respond within 30 days (or 45 days where legally permitted with notice).
8. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the App services. Specifically:
- Account and profile data: retained while your account is active. Deleted within 30 days of account deletion.
- Reading data, journal entries, and streaks: retained as part of your account. Deleted upon account deletion.
- Crash and diagnostic logs: retained for up to 90 days for debugging purposes.
- Anonymised aggregate statistics: may be retained indefinitely as they cannot be linked to any individual.
When you delete your account, we will permanently delete your personal information from our active systems within 30 days. Residual copies in backups may persist for up to 90 days, after which they are purged.
9. Children's Privacy
The App is not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children under these ages. If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@litlist.ca and we will delete it promptly.
The Family Shelf feature allows parents or guardians to create reading profiles for children. All data under Family Shelf is linked to the parent's account and managed by the account holder. Children do not create their own accounts.
10. Security
We take reasonable technical and organisational measures to protect your personal information from unauthorised access, loss, misuse, or disclosure. These measures include:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest via Supabase
- Password hashing and secure authentication
- Access controls limiting who can access your data within our service providers
No method of transmission or storage is 100% secure. If you become aware of any security concern, please contact us at privacy@litlist.ca.
11. Third-Party Links and Services
The App may contain links to third-party websites or services (e.g., Goodreads). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by displaying a notice within the App or by email. The updated Policy will be effective upon posting with a revised effective date. Continued use of the App after changes constitutes acceptance of the updated Policy.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:
Email: privacy@litlist.ca
Support: support@litlist.ca
Website: https://litlist.ca
If you are in the EEA, you may also contact your national Data Protection Authority. If you are in the UK, you may contact the Information Commissioner's Office (ICO) at ico.org.uk. If you are in Australia, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
© 2026 LitList. All rights reserved.