1. Definitions
For the purposes of this Privacy Policy:
- "Personal Data" means any information relating to an identified or identifiable natural person, within the meaning of Article 4(1) of the General Data Protection Regulation 2016/679 ("GDPR").
- "Processing" has the meaning given in Article 4(2) GDPR.
- "Controller" and "Processor" have the meanings set out in Article 4(7) and Article 4(8) GDPR, respectively.
- "Applicable Privacy Laws" means all worldwide data-protection and privacy laws and regulations applicable to the processing of Personal Data under this Privacy Policy, including but not limited to GDPR, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA"), the UK GDPR, the Swiss Federal Act on Data Protection, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and Nevada SB 220.
- "Sub‑processor" means any Processor engaged by us for the Processing of Personal Data.
2. Lawful Bases for Processing
We rely on the following legal bases under Article 6(1) GDPR (and equivalent provisions of Applicable Privacy Laws) to process your Personal Data:
- (a) Contractual Necessity. Processing is necessary to perform the contract governing our provision of the Service, including account creation, authentication, and billing.
- (b) Legal Obligation. Processing is necessary to comply with legal obligations, e.g. tax and accounting rules or responding to lawful requests.
- (c) Legitimate Interests. Processing is necessary for our legitimate interests in securing and improving the Service, provided those interests are not overridden by your rights and freedoms.
- (d) Consent. Where we ask for your explicit consent (e.g. marketing emails), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
3. Information We Collect
Note: This section incorporates the previously detailed subsections 2.1 – 2.4 by reference. We collect minimal personal information including username and email address only.
4. Cookies and Similar Technologies
We do not use analytics, advertising, or third‑party tracking cookies. The only cookies we set are strictly necessary session cookies served by Supabase for authentication. These cookies are exempt from consent requirements under Article 5(3) of the ePrivacy Directive 2002/58/EC.
5. International Transfers
Where Personal Data originating from the European Economic Area (EEA), the United Kingdom, or Switzerland is transferred to a country that has not been deemed to provide an adequate level of protection, we rely on:
- the European Commission's Standard Contractual Clauses (SCCs) pursuant to Commission Decision (EU) 2021/914,
- the UK Addendum to the SCCs issued under Section 119A of the UK Data Protection Act 2018, and
- the Swiss Transborder Data Flow Agreement,
as well as supplementary measures consistent with the recommendations of the European Data Protection Board (EDPB) and the Court of Justice of the European Union's Schrems II ruling.
6. Sub‑processors
We engage the following Sub‑processors to support the Service:
Sub‑processor | Purpose | Location |
Supabase | User authentication / data hosting | United States |
Stripe, Inc. | Payment processing | United States / EU |
PayPal, Inc. | Alternative payment processing | United States / EU |
We will notify you at least thirty (30) days in advance of any addition or replacement of a Sub‑processor and provide an opportunity to object on reasonable grounds.
7. Data Subject Rights
You have the following rights, subject to verification of your identity:
- Access. Obtain confirmation as to whether Personal Data concerning you is processed, and access such data.
- Rectification. Request correction of inaccurate or incomplete Personal Data.
- Erasure ("Right to be Forgotten"). Request deletion of Personal Data where no lawful basis for retention exists.
- Restriction. Request restriction of processing in the circumstances set out in Article 18 GDPR.
- Portability. Receive a copy of Personal Data in a portable format.
- Objection. Object to processing carried out on the basis of legitimate interests.
- Automated Decision‑Making. We do not engage in decisions based solely on automated processing that produce legal effects concerning you.
To exercise any of these rights, please contact us at [email protected]. We will respond within one (1) month in accordance with Article 12 GDPR.
8. California Privacy Notice
If you are a resident of California, the following additional disclosures apply:
- We do not "sell" or "share" Personal Data as those terms are defined under CCPA/CPRA §1798.140.
- Your rights to know, delete, correct, and opt out of sharing may be exercised by emailing [email protected] with the subject line "California Rights Request."
- Authorized agents may submit requests on your behalf consistent with Cal. Civ. Code §1798.135.
9. Security Measures
We implement comprehensive security measures to protect your information:
- All data in transit is encrypted using TLS 1.3 with AES‑256 encryption.
- Password hashing uses the argon2id algorithm with industry‑recommended parameters.
- Quarterly penetration testing and annual SOC 2 Type II audits (report available under NDA).
10. Data Retention
We retain account metadata for up to six (6) years after account deletion to comply with tax and financial‑reporting obligations (Art. 30 GDPR; 26 U.S.C. §6001). After expiry of statutory retention periods, data is securely erased using NIST SP 800‑88 Revision 1 guidelines.
11. Children's Privacy
Our Service is not directed to children under 13 years of age in compliance with COPPA 1998. We do not knowingly collect personal information from children under 13.
12. Changes to This Policy
We will provide at least thirty (30) days' notice via email and in‑app notifications before material changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.
13. Contact Information & EU Representative
For privacy-related inquiries, please contact us at [email protected].
EU/EEA, UK, and Swiss data subjects may also contact our appointed representative under Article 27 GDPR:
Notice: This document is provided for informational purposes only and is not intended to confer contractual or legal rights upon any party.