Trust, security & privacy
This page is maintained by The Yarn Studio to answer common security and privacy questions about the app. It is editable project content, not an independent certification or audit.
Shared responsibility
The Yarn Studio is built on the Lovable Cloud platform. Lovable provides hosting, the database engine, authentication primitives, and file storage. The Yarn Studio team is responsible for the app's access rules, data model, and how your information is used inside the product. You are responsible for keeping your account credentials safe and for the content you upload.
Accounts & authentication
Accounts are protected by email + password sign-in, with optional Google sign-in. Passwords are never stored by the app — authentication is handled by the underlying platform. You can sign out at any time from the account menu, and you can request account deletion by contacting us from the footer of any page.
Your data
The Yarn Studio stores the information you enter to run the product: your yarn stash, needles and hooks, patterns, projects, uploaded pattern PDFs and cover images, and the email address on your account. Your stash and projects are private to your account by default and are only visible to you when signed in.
We use row-level access rules so that each signed-in user can only read and modify their own stash, patterns, and projects.
Uploaded files
Pattern PDFs and images you upload are stored in private file storage scoped to your account. They are not listed publicly and are served to you through short-lived, signed links.
Third-party services
To provide certain features, The Yarn Studio uses:
- Lovable Cloud — hosting, database, authentication, file storage.
- Lovable AI — to scan uploaded yarn labels and pattern PDFs and auto-fill fields.
- Ravelry — optional connection you initiate, to import patterns you own on Ravelry.
- Google — optional sign-in provider, only if you choose it.
We do not sell your data, and we do not share your stash or project data with third parties for advertising.
Cookies
The Yarn Studio uses a small, purpose-built set of cookies and browser storage. We group them into the categories below.
- Strictly necessary — authentication. Set by the underlying auth platform to keep you signed in, refresh your session, and protect against cross-site request forgery. These cannot be turned off because the app will not work without them. Signing out clears them.
- Strictly necessary — preferences. Local storage entries that remember small UI choices such as the last inventory tab you opened or your theme. They never leave your browser.
- Analytics. We use privacy-friendly, aggregate visit analytics provided by the hosting platform (page, country, device, referrer). This is measured server-side from request metadata and does not set tracking cookies or a persistent identifier in your browser. Because of that, no separate consent banner is shown.
- Advertising / third-party tracking. None. We do not run ad networks, retargeting pixels, or cross-site trackers.
Opt-in & opt-out controls. If we ever introduce a cookie or storage category that is not strictly necessary (for example, optional product analytics that do set an identifier), it will be off by default and an in-app opt-in toggle will appear here and in your account settings before it is activated. You can also block or clear cookies and local storage at any time through your browser settings; doing so will sign you out and reset saved preferences.
Data retention & deletion
Your data is retained for as long as your account is active. If you want a copy of your data exported, or your account and its contents deleted, contact us using the Contact form in the footer and we will action your request.
- Inventory data (yarn stash, needles, hooks, patterns, projects) is kept for the lifetime of your account so you can return to it at any time. Items you delete from the app are removed immediately and are not recoverable.
- Uploaded files (pattern PDFs and cover images) are kept for as long as the pattern or project they belong to exists. Deleting the pattern or project removes the associated files from storage.
- Account & auth records (email, sign-in metadata) are kept while your account is active.
- Account deletion. When you request account deletion, your inventory, uploads, and account record are removed within 30 days. Encrypted operational backups may retain residual copies for up to 30 additional days before being overwritten on their normal rotation.
- Inactive accounts. We do not automatically delete inactive accounts today; if that ever changes we will notify you by email first.
Reporting a security issue
If you believe you've found a security issue affecting The Yarn Studio, please reach out through the Contact form in the footer with a description of the issue and steps to reproduce. Please do not publicly disclose the issue until we've had a chance to respond.
Security policy
A concise summary of how we keep the app and your data safe:
- Update frequency. Application code and platform dependencies are reviewed on an ongoing basis. Security-relevant patches are applied as soon as reasonably possible after they are available, and routine dependency updates are rolled out at least monthly.
- Disclosure process. Report suspected vulnerabilities privately via the Contact form in the footer. We aim to acknowledge reports within 5 business days, investigate and confirm impact, deploy a fix, and only then coordinate with the reporter on public disclosure. Please do not publicly share details until a fix is released.
- Responsible handling of user data. We collect only what's needed to run the product, scope every stash, pattern, project, and uploaded file to the owning account using row-level access rules, serve uploads through short-lived signed links, never sell your data, and honour export and deletion requests sent through the Contact form.
Compliance
The Yarn Studio is an independent, app-owner-maintained service. We do not currently hold formal certifications such as SOC 2, ISO 27001, HIPAA, or PCI DSS, and nothing on this page should be read as such a certification. If your use case requires specific compliance assurances, please contact us before relying on the app.
Questions about anything on this page? Use the Contact us button in the footer and we'll get back to you.