Privacy Policy

Last updated: May 2, 2026

FoliHub (“we”, “us”, “FoliHub”) operates the website at folihub.comand the dashboard, public profile pages, and APIs connected to it (the “Service”). This page explains what data we collect, why we collect it, and the choices you have.

1. Information you give us

• Account info — email, display name, username, profile photo, password hash. Provided when you sign up or via Google OAuth.
• Public profile content — links, donate info, images — anything you choose to publish on your linkfolio.
• Payment slip images — when you upgrade to Pro / Pro+, your PromptPay slip is uploaded to Supabase Storage for verification.

2. Information we collect automatically

• Page-view analytics — when visitors view your public profile, we record a daily aggregate counter (no personally-identifying data). Pro / Pro+ users additionally receive 30 days of event-level data: a non-reversible visitor hash (sha256 of IP + user agent + private salt), HTTP Refererhostname, and country code (from Vercel’s edge geolocation header).
• Cookies — Supabase auth session cookies (httpOnly, secure) for login. A short-lived fh_pw_ cookie when a visitor unlocks a password-protected page. We do not use third-party advertising or tracking cookies.
• Logs — standard server logs containing IP and request URL, retained for 30 days for security investigations.

3. How we use the data

• To run your account and render your public profile.
• To verify payment slips through SlipOK and activate your Pro / Pro+ tier.
• To compute aggregate analytics shown back only to the profile owner.
• To prevent abuse — bot detection, rate limits, fraud signals on payments.
• To send transactional notifications related to your account (rare; opt-out planned).

We do not sell your data. We do not share your private details (payment slips, email) with other users or third parties beyond the providers listed below.

4. Third-party services

• Supabase — hosts our database, authentication, file storage. Subject to Supabase’s privacy policy.
• Vercel — hosts the application and serves static + edge requests.
• Google — OAuth login. We receive your name + email if you sign in with Google.
• SlipOK — verifies Thai PromptPay payment slips. Slip image data is forwarded to SlipOK for verification.
• Cloudflare — DNS for folihub.com.

5. Data retention

• Profile data: kept while your account exists.
• Free-tier visit counters: pruned after 7 days.
• Pro / Pro+ visit events (referrer / country): pruned after 30 days.
• Server logs: 30 days.
• When you delete your account, all profile data, socials, payments rows, and uploaded files are removed within 24 hours. Aggregate analytics counters that no longer link to a profile may persist indefinitely.

6. Your rights

You can at any time:

• Export a JSON file of your account data from /dashboard/account.
• Edit any profile field via the dashboard.
• Delete your account permanently from /dashboard/account.
• Revoke the Google OAuth connection from your Google account settings.

7. Children’s data

FoliHub is intended for users 13 years and older. We don’t knowingly collect data from children under 13. If we learn that a child under 13 has registered, we’ll delete the account.

8. International transfers

Our infrastructure is hosted in Singapore (Supabase ap-southeast-1) and Tokyo (Vercel ap-northeast-1). Data moves between these regions and your browser as part of normal operation.

9. Security

All traffic uses TLS. Passwords are hashed (Supabase Auth uses bcrypt; page passwords use scrypt). Database row-level security restricts access at the table level. We’re a small team — if you find a security issue, please email us at warayut.bunrattanang.fluk@gmail.com.

10. Changes

We’ll update the date at the top when this policy changes. Material changes will be announced via the dashboard.

11. Contact

Questions about this policy? warayut.bunrattanang.fluk@gmail.com