Privacy Policy
Your privacy is critically important to us. This policy outlines how Tommodoro collects, uses, and protects your personal data.
1. Introduction
This Privacy Policy explains how Tommodoro ("we," "us," or "our") collects, uses, discloses, and safeguards your information when you use our web application (the "Service"). We respect your privacy and are committed to protecting it through our compliance with this policy.
2. Data Controller
For the purpose of the EU General Data Protection Regulation (GDPR), the data controller is Tommodoro. For any data protection inquiries, you can contact us at privacy@tommodoro.com.
3. Information We Collect
We collect "Personal Data," which is any information that can be used to identify you, and "Non-Personal Data," which cannot. We collect this data in the following ways:
- Information You Provide to Us: This includes your name, email address, password, and any profile information you choose to add when you create an account.
- Payment Information: When you subscribe to a premium plan, your payment is processed by our Merchant of Record, Paddle.com. We do not directly collect or store your full payment card details. Paddle provides us with a token and information such as your country and subscription status.
- Automatically Collected Information: We automatically collect data about your use of the Service, such as IP address, browser type, device information, pages visited, and session durations ("Usage Data").
4. Legal Basis for Processing
Under GDPR, we process your Personal Data based on the following legal grounds:
- Consent: Where you have given us clear consent to process your data for a specific purpose.
- Contract: The processing is necessary for a contract we have with you (e.g., to provide you with the Service you subscribed to).
- Legitimate Interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests.
5. How We Use Your Information
We use the information we collect for various purposes, including to:
- Provide, operate, secure, and maintain our Service.
- Process transactions and manage your subscription.
- Send you transactional emails, technical notices, and support messages.
- Analyze usage to monitor and improve our Service.
- Prevent fraudulent activities and ensure compliance with our Terms of Service.
6. Data Sharing and Disclosure
We do not sell or rent your Personal Data. We may disclose your data to third parties under the following conditions:
- Service Providers: We share data with trusted third parties who perform services on our behalf, such as payment processing (Paddle) and infrastructure hosting. These providers are bound by confidentiality agreements.
- Legal Compliance: We may disclose your information if required by law, subpoena, or other legal process.
- Business Transfers: In connection with any merger, sale of company assets, or acquisition of all or a portion of our business by another company.
7. Your Data Protection Rights (GDPR)
If you are a resident of the European Economic Area (EEA), you have the following data protection rights:
- The right to access, update, or delete the information we have on you.
- The right of rectification. You have the right to have your information corrected if that information is inaccurate or incomplete.
- The right to object. You have the right to object to our processing of your Personal Data.
- The right of restriction. You have the right to request that we restrict the processing of your personal information.
- The right to data portability. You have the right to be provided with a copy of the information we have on you in a structured, machine-readable format.
- The right to withdraw consent. You also have the right to withdraw your consent at any time where Tommodoro relied on your consent to process your personal information.
To exercise these rights, please contact us at privacy@tommodoro.com.
8. Data Security
We implement robust technical and organizational measures to protect your Personal Data.
9. Children's Privacy
Our Service is not directed to individuals under the age of 18. We do not knowingly collect Personal Data from children. If you become aware that a child has provided us with Personal Data, please contact us and we will take steps to delete such information.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Effective Date" at the top.
11. Cookie Policy
We use cookies and similar tracking technologies to track activity on our Service and hold certain information. Cookies are files with a small amount of data which may include an anonymous unique identifier. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent.
Types of cookies we use:
- Essential Cookies: These cookies are essential to provide you with services available through our website and to enable you to use some of its features.
- Analytics Cookies: These cookies allow us to analyze how our website is being accessed and used, enabling us to improve our service.
- Functionality Cookies: These cookies allow our website to remember choices you make when you use our website.
12. Third-Party Services
Our Service integrates with the following third-party services, each with its own privacy policy:
- Paddle.com: Our payment processor. View their privacy policy at paddle.com/legal/privacy
- Supabase: Our database and authentication provider. View their privacy policy at supabase.com/privacy
- Vercel: Our hosting provider. View their privacy policy at vercel.com/privacy
- Cloudflare Turnstile: Our bot protection and security service. View their privacy policy at cloudflare.com/privacypolicy
13. Data Breach Notification
In the event of a data breach that affects your personal information, we will notify you within 72 hours of becoming aware of the breach, in accordance with applicable law. We will also notify relevant supervisory authorities as required by law.
14. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. Specifically:
- Account Data: Retained until account deletion or 3 years of inactivity
- Payment Data: Retained for 7 years for tax and accounting purposes
- Usage Data: Retained for 2 years for analytics and service improvement
- Contact Form Submissions: Retained for 1 year
15. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You have the right to request information about the personal data we collect, use, and disclose about you.
- Right to Delete: You have the right to request deletion of your personal data.
- Right to Opt-Out: You have the right to opt out of the sale of personal data (we do not sell personal data).
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact us at privacy@tommodoro.com.
16. International Data Transfers
Your information may be transferred to and maintained on computers located outside of your state, province, or country. We ensure such transfers are protected by appropriate safeguards, including:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by the European Commission
- Certification schemes approved by relevant authorities
17. Service Provider Information
This Service is operated by:
Business Name: Tommodoro
Business Type: Individual/Sole Proprietorship
Contact Email: support@tommodoro.com
Privacy Inquiries: privacy@tommodoro.com
18. Contact Us
If you have any questions, concerns, or complaints about this Privacy Policy, please contact us at: privacy@tommodoro.com.