Privacy

Privacy policy

EFFECTIVE 2026-07-18

The short version: no analytics, no ad tech, no cookies from us. Accounts are optional. A build you share as a #-link lives in the URL and never reaches our servers; a sheet you publish to the gallery is stored on our backend until you delete it.

What we collect

  • Optional account. Browsing, composing, and #-link sharing need no account and no signup. If you sign in to keep your published sheets (email and password, or Google sign-in where offered), we store the sign-in identifier — your email address, or your Google account id — with Google Firebase Authentication. No profile, no name field, no mailing list.
  • Published sheets. Filing a sheet in the gallery (“Publish”) stores the sheet itself: title, bike, part names, prices, and any links or codes you added, plus a short readable slug for its /s/ address, a timestamp, and the user id that owns it — an anonymous session id, or your account id if you signed in. Published sheets are public by design: anyone with the link can open them, and the newest appear in the gallery strips.
  • Build-card images. Publishing may also upload the sheet's build-card PNG to Google Cloud Storage so shared links unfurl with a real preview image. Card images are publicly readable at their URL.
  • No analytics. No Google Analytics, no pixels, no fingerprinting scripts, no ad tech. If we ever add measurement, it will be privacy-respecting and this policy will change first, with the date at the top bumped.
  • No cookies from us. We set none, which is why there is no consent banner. Your draft and sign-in state live in your own browser's storage, on your device.

Our infrastructure keeps standard access logs — IP address, requested path, browser user-agent, timestamp — like nearly every site on the internet. Pages, published sheets, and sign-in run on Google's infrastructure (Firebase Hosting, Cloud Functions, Firestore), which processes those requests the way any host does. We use logs for security and debugging, not to profile anyone.

Sharing a #-link vs. publishing

A shared build URL looks like unstocked.app/b/#v1.… — everything after the # is the build itself, encoded into the address. Browsers never send the fragment part of a URL to any server, ours included: a #-link build is decoded locally in the reader's browser and never reaches us.

Publishing is different by design. “Publish to gallery” writes the sheet to our Firebase backend (see above) so it can live at a stable /s/ address and appear in the gallery. You can unpublish it (hide it from the gallery) or delete it at any time from the My sheets panel in the composer.

A #-link sheet is its URL: keep the link and you keep the build. A published sheet lives on our backend until you delete it from My sheets.

The build composer keeps your in-progress draft in your browser's localStorage so you don't lose work between visits. It never leaves your device. Clearing your browser's site data for unstocked.app removes it.

Deleting your data

  • Published sheets. Open My sheets in the composer: unpublish hides a sheet from the gallery; delete removes the stored sheet, and its address stops resolving.
  • Leftovers. A deleted sheet's build-card image and readable-address entry can persist after deletion — email us and we clear them.
  • Accounts. Email hey@unstocked.app from the account's address and we delete the account and everything tied to it.

Third parties

  • Google Firebase / Google Cloud. Sign-in, published sheets, and card images are stored and served by Google Cloud (Firebase Authentication, Firestore, Cloud Storage, Hosting) acting as our infrastructure provider. Google processes IP addresses and the data above on our behalf; Google's terms for cloud services govern that processing.
  • Fonts. Pages load the Big Shoulders, Libre Franklin, and Courier Prime typefaces from Google Fonts. That request goes to Google's servers, which see your IP address like any web request; Google's privacy policy governs it.
  • Retailer links. Buy links lead to third-party retailer sites. Once you're there, their privacy policies apply — not ours. Retailers and affiliate networks may set their own cookies on their own domains, including the ones that attribute an affiliate purchase. Those cookies are set by them, not by us.

Affiliate disclosure

Some outbound retailer links are affiliate links: if you buy after clicking one, the retailer may pay Another One, LLC a small commission. Your price does not change. Builds shared by creators carry the creator's own links instead of ours.

Children

Unstocked is not directed at children under 13, and we do not knowingly collect personal information from children.

Your rights

If you never sign in and never publish, we hold no personal data about you. If you did either, the deletion paths above cover it — and for an access or export request (what a sheet or account holds), email hey@unstocked.app and we'll send it.

Changes

If this policy changes, the new version is posted at this address with an updated effective date. No retroactive surprises.

Who we are

Unstocked is operated by Another One, LLC, a US company. Questions about this policy: hey@unstocked.app.

Effective July 18, 2026.