Privacy policy
Last updated: 22 April 2026
Folio is a private writing and editorial platform for the book Futureproofing Society. Access is restricted to an invitation-only allowlist. This policy explains what personal data we process, why, and the rights you have under the UK GDPR and EU GDPR.
1. Who we are
The data controller for Folio is cauri jaye (the site owner). If you have questions about this policy or want to exercise any of your rights, contact caurijaye@gmail.com.
2. What personal data we process
Folio only holds data on people we have deliberately invited. For each signed-in user we process:
- Email address — received from Google when you sign in, and matched against our allowlist.
- Name and profile photo — if your Google account shares them; used only to display who is signed in.
- Google account identifier — stored by Supabase Auth to keep your session linked across sign-ins.
- Session cookie — a Supabase authentication cookie, set in your browser, so you stay signed in between visits.
- Usage signals — if adaptive layout is enabled we log which surfaces of the app you open (e.g. editor, graph, research) and when, to order the navigation to what you actually use. We do not log the content of what you write.
- Contributions you make — any text, comments or edits you create in the platform are associated with your user identity so we can show authorship and history.
We do not buy, sell, or receive personal data from advertising networks. We do not run any analytics service that profiles users beyond the in-app adaptive-layout signals above.
3. Why we process it (legal basis)
- Performing our agreement with you (UK GDPR Art. 6(1)(b)) — to give you access to the platform you were invited to use.
- Legitimate interests (Art. 6(1)(f)) — to secure the platform through allowlisting, to operate session cookies, and to improve navigation through the adaptive-layout signals. You can object to the adaptive-layout signals at any time (see "Your rights" below).
4. Who processes the data on our behalf
We use a small set of data processors. Each is bound by its own data-protection terms; none of them use your data for their own advertising.
- Supabase (Supabase, Inc.) — authentication and database. Our Supabase project is hosted in the AWS eu-west-1 region (Ireland), so your account data and your contributions are stored in the EEA.
- Vercel (Vercel, Inc.) — hosting of the web application and its serverless functions. Requests may be processed in multiple regions; data at rest on Vercel is only build artefacts, not your personal data.
- Google (Google Ireland Ltd. / Google LLC) — Google OAuth provider for sign-in. When you click "Sign in with Google", your browser talks directly to Google and returns an ID token to Supabase. We never see your Google password.
- AI model providers — when you use AI features (editorial agents, the concierge, retrieval), the text you supply is sent to one or more of: Anthropic (Anthropic PBC), OpenAI (OpenAI Ireland Ltd. / OpenAI L.L.C.), Voyage AI (for embeddings). These providers do not train their foundation models on API inputs by default under their standard enterprise/API terms.
- Research sources — when the research pipeline runs it queries Brave Search and (optionally) Apify. These services receive only the topic you asked about, not your identity.
5. International transfers
Your primary account and platform data stay in the EEA (Supabase, Ireland). Some processors above are headquartered in the United States and process requests there. These transfers rely on the EU Commission's Standard Contractual Clauses and, where applicable, on the EU–US and UK Data Privacy Framework. We do not transfer data outside jurisdictions with adequacy decisions or equivalent safeguards.
6. How long we keep it
Your account data is retained for as long as your email is on the sign-in allowlist. When an admin removes you, your contributions remain (so the book's history stays intact), but you can no longer sign in. You can ask for your account and the personal data associated with it to be deleted — see below.
Session cookies are removed when you sign out or when they expire (typically within a week). Usage signals for adaptive layout are kept for up to 90 days.
7. Your rights under the GDPR
You have the following rights in respect of your personal data. To exercise any of them, email caurijaye@gmail.com — we'll normally respond within one month.
- Right of access — request a copy of the data we hold about you.
- Right to rectification — ask us to correct inaccurate data.
- Right to erasure — ask us to delete your account and associated personal data.
- Right to restriction — ask us to pause processing of your data while a concern is being resolved.
- Right to portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests, including the adaptive-layout signals.
If you believe we have mishandled your data, you can complain to a supervisory authority. In the UK this is the Information Commissioner's Office (ico.org.uk). In the EEA you can contact the data-protection authority in the country where you live or work.
8. Cookies
Folio uses only strictly necessary cookies:
- Supabase session cookie — keeps you signed in. Set after you complete Google sign-in. Removed when you sign out or when it expires.
- Theme preference — remembers light or dark mode. Stored locally in your browser; never sent to our servers.
We do not use advertising, tracking, or analytics cookies. You do not need to accept a cookie banner because we do not set any non-essential cookies.
9. Automated decision-making
Folio does not make decisions about you that produce legal or similarly significant effects through automated processing alone. AI features generate suggestions in the editor, but a human always decides whether to accept them.
10. Security
We rely on Supabase row-level security and our own allowlist gate to keep data inaccessible to anyone outside the invited group. Transport is protected by TLS. Sign-in is limited to Google identities that match an entry on the allowlist — there are no passwords to compromise.
11. Changes to this policy
If we make a material change to this policy, we will update the "Last updated" date above and, for active users, tell you through the app. The current version is always available at /privacy.
12. Contact
For any privacy matter — questions, data requests, complaints — email caurijaye@gmail.com.