Privacy Policy

Last updated: April 24, 2026

The short version

Kortlist is built to keep your data on your device. You can make, score, and share boards without an account and without sending anything to our servers. A Google sign-in is only needed for the optional URL Scan feature, and scan-pack payments are handled by Stripe.

Kortlist is owned and operated by MB Local Ghost, a limited liability company registered in and operating within the European Union. We act as the data controller for any personal data processed through Kortlist. Questions? info@kortlist.eu.

Using Kortlist without an account

By default, Kortlist requires no account. Boards, items, parameters, scores, and settings are stored locally in your browser (IndexedDB / local storage) and never leave your device. When you share a board via a link, the board is encoded directly into the URL — we don't keep a server copy of it.

Clearing your browser storage, using a private window, or switching devices will not give us access to your data, because we never had it. You are responsible for your own backups.

Signing in for the URL Scan feature

The URL Scan feature (which fetches and analyses a web page to populate item fields) requires you to sign in. The only sign-in option currently supported is Google Sign-In. When you sign in, we store the following information to provide the feature:

Your email address (from your Google account)
Your name (from your Google profile)
Your scan allowance — how many complimentary and purchased scans you have remaining

Purchased scans are tied to the signed-in account. We do not store your Google password, profile picture, contacts, or any other Google account data. You can request deletion of your account and associated data at any time by contacting info@kortlist.eu.

Payments

Optional scan packs are purchased through Stripe. Stripe collects card information, billing address, and VAT data directly at checkout — we never see your card. What we receive is a record that a purchase completed and the number of scans to credit to your account. See Stripe's privacy policy for how they handle your payment data.

Analytics and trackers

No session replay. No cross-site profiling. No Meta Pixel.

We use two privacy-focused analytics services across both the marketing site (kortlist.eu) and the web app (app.kortlist.eu), plus Google Ads conversion tracking on the marketing site only:

Pirsch — a privacy-focused, cookieless analytics service that collects anonymous page view statistics. No personal data collected, no tracking cookies set. It tells us which pages and features get used so we can improve the product.
Umami — a privacy-focused, cookieless analytics service that collects anonymous page view statistics. No personal data collected, no tracking cookies set.
Google Ads (gtag.js) — conversion tracking for our Google Ads campaigns, loaded only on the marketing site (kortlist.eu) and only after you accept in the consent banner. We use Google Consent Mode v2 with ad storage, ad user data, ad personalisation, and analytics storage all defaulted to "denied" until you opt in. Data controller: Google Ireland Limited. See Google's privacy policy for how they handle this data.

We don't sell or rent your data. The only third party we share any data with for marketing purposes is Google, and only for visitors who explicitly accept in the consent banner.

Cookies and local storage

Kortlist uses local storage (not cookies) to keep your boards, theme, and preferences in your browser, and to remember your choice from the consent banner on the marketing site (stored under the kortlist-consent key with a value of "granted" or "denied").

When you use Google Sign-In for the URL Scan feature, Google and our authentication provider may set cookies or storage entries in your browser that are strictly necessary to keep you signed in. These are set as part of the sign-in flow — see Google's privacy policy for details of what Google collects during sign-in.

Pirsch and Umami do not set tracking cookies. Stripe may set cookies during checkout for fraud prevention and to maintain your payment session — those are managed by Stripe directly; see Stripe's cookie settings .

If you accept in the consent banner, Google Ads conversion tracking may set cookies in your browser (for example _gcl_au, _gcl_aw, and related _gcl_* cookies) to attribute your visit to one of our ads. These cookies are only set after you accept; if you reject or haven't chosen yet, the tag runs in Google's cookieless "denied" mode and no tracking cookies are set. You can change your mind at any time by clearing kortlist-consent from this site's local storage, which will re-show the banner on your next visit.

Data retention

Local board data remains in your browser until you clear it. Account data (email, name, scan allowance) is retained while your account is active. If you request deletion, we will remove your account data within a reasonable period, subject to any legal obligations (for example, retaining invoice records required by EU tax law). Anonymous analytics data is retained according to Pirsch's and Umami's standard retention policies.

Your rights

Under the EU General Data Protection Regulation (GDPR) you have the right to access, correct, export, or delete personal data we hold about you, and to object to or restrict our processing of it. To exercise any of these rights, email info@kortlist.eu from the address associated with your account. You also have the right to lodge a complaint with your local data protection authority.

Children's privacy

Kortlist is not directed at children under 13, and we do not knowingly collect personal data from them.

Changes to this policy

We may update this policy from time to time. Substantive changes will be reflected by an updated "last updated" date at the top of this page.

Contact

Questions, requests, or concerns? Reach us at info@kortlist.eu.