Privacy Policy
Last updated: February 23, 2026
1. Who We Are
TheTopXList ("we", "us", "our") operates the website thetopxlist.com (the "Service"). We are based in the European Union and are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable EU/EEA data protection laws.
2. Data We Collect
2.1 Account Data (when you sign in with Google)
When you sign in using Google OAuth, we receive and store:
- Your name
- Your email address
- Your profile picture URL
Legal basis: Contract performance (Art. 6(1)(b) GDPR) — this data is necessary to provide your account and the Service.
2.2 Content You Create
When you create or edit lists, we store the titles, descriptions, images, and rankings you provide. This content is associated with your account and displayed publicly on the Service.
Legal basis: Contract performance (Art. 6(1)(b) GDPR).
2.3 Voting Data
When you vote on list items, we store a randomly generated visitor identifier (stored in a browser cookie) along with your vote. This identifier is not linked to your personal identity and is used solely to prevent duplicate voting.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — to maintain the integrity of the voting system.
2.4 Analytics
We use Vercel Analytics, a privacy-friendly, cookieless analytics service provided by Vercel Inc. It does not use cookies, does not track individual users across sites, and does not collect personal data. It provides us with aggregate, anonymized metrics such as page views and visitor counts.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — to understand how the Service is used and improve it. No consent is required as no personal data is processed.
2.5 View Counts
We count page views on individual lists for display purposes (e.g., "1,234 views"). These counts are aggregated and anonymous — we do not store which users viewed which lists.
3. Cookies
We use the following cookies:
- Session cookie — set by our authentication system to keep you signed in. This is a strictly necessary cookie and does not require consent under GDPR.
- Visitor ID cookie — a randomly generated ID stored in your browser used solely to prevent duplicate votes. It contains no personal information.
We do not use any advertising cookies, tracking cookies, or third-party analytics cookies.
4. How We Use Your Data
We use the data we collect to:
- Provide, maintain, and improve the Service
- Display your created content (lists, votes) on the Service
- Authenticate you and manage your account
- Prevent abuse and ensure voting integrity
- Understand aggregate usage patterns (via anonymized analytics)
We do not sell your data, use it for advertising, or share it with third parties for marketing purposes.
5. Third-Party Services
- Google OAuth — used for authentication. Google's privacy policy: policies.google.com/privacy
- Vercel — hosts the Service and provides cookieless analytics. Vercel's privacy policy: vercel.com/legal/privacy-policy
- Cloudflare Images — used for image hosting. Cloudflare's privacy policy: cloudflare.com/privacypolicy
6. Data Storage & Transfers
Your data is stored in a PostgreSQL database. The Service is hosted on Vercel, which may process data in the United States. Where data is transferred outside the EEA, appropriate safeguards are in place (such as Vercel's adherence to the EU-U.S. Data Privacy Framework and Standard Contractual Clauses).
7. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Restriction — request that we limit how we process your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
To exercise any of these rights, please contact us at the email below. We will respond within 30 days as required by law.
8. Data Retention
We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days. Anonymized data (aggregate view counts, anonymized vote records) may be retained indefinitely as it cannot be linked back to you.
9. Children
The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the "Last updated" date at the top of this page. Your continued use of the Service after changes constitutes acceptance of the updated policy.
11. Contact
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at: privacy@thetopxlist.com
You also have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.