Privacy Policy

Information you provide directly:

• Account information: name, email address, password (hashed)
• Business information: company name, address, industry details
• Team and client data you enter into the platform
• Payment information (processed by Paddle — we do not store card details)
• Communications you send to our support team

Information collected automatically:

• Log data: IP address, browser type, pages visited, timestamps
• Device information: operating system, screen resolution, locale
• Usage data: features accessed, session duration, click patterns
• Cookies and similar tracking technologies (see Section 6)

We use collected information to:

• Provide, operate, and improve the Service
• Process transactions and send related billing information
• Send transactional emails (receipts, password resets, feature updates)
• Respond to support inquiries and troubleshoot issues
• Analyze usage patterns to improve product features
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations
• Send marketing communications (with your consent; opt-out anytime)

We do not sell your personal information to third parties. We do not use your business data to train AI models without explicit opt-in consent.

For users in the European Economic Area (EEA), we process your personal data under the following legal bases:

• Contract performance: Processing necessary to provide the Service you signed up for
• Legitimate interests: Improving the Service, detecting fraud, and ensuring security
• Legal obligation: Compliance with applicable laws and regulations
• Consent: Marketing communications and optional analytics

We share your information only in the following circumstances:

• Paddle — Our payment processor and Merchant of Record. Paddle handles all payment transactions and stores payment card data. Paddle's privacy policy governs their data handling.
• Supabase — Our database and authentication provider. Data is stored in Supabase-managed PostgreSQL databases with encryption at rest.
• Anthropic — We use Anthropic's Claude API for AI-powered features. Only the data necessary for the specific AI feature is transmitted; we do not send full account data.
• Vercel — Our hosting provider. Application code and serverless functions run on Vercel infrastructure.
• Law enforcement — If required by law, court order, or governmental authority.
• Business transfers — In connection with a merger, acquisition, or sale of assets, with notice to you.

We retain your personal data for as long as your account is active or as needed to provide the Service. Upon account deletion:

• Account data is deleted within 90 days
• Billing records are retained for 7 years (legal/tax obligation)
• Anonymized, aggregated analytics data may be retained indefinitely
• Backup copies may persist for up to 30 additional days

You may request a copy of your data or early deletion by emailing privacy@tidaly.io.

We use the following types of cookies:

• Essential cookies: Required for authentication, session management, and core functionality. Cannot be disabled.
• Analytics cookies: Used to understand how users interact with the Service (e.g., page views, session duration). May be disabled.
• Preference cookies: Remember your settings and customizations between sessions.

You can manage cookie preferences through your browser settings. Note that disabling essential cookies will impact Service functionality.

We implement industry-standard security measures to protect your information:

• TLS/HTTPS encryption for all data in transit
• AES-256 encryption for sensitive data at rest
• Passwords hashed using bcrypt with salt
• Role-based access controls limiting internal data access
• Regular security audits and vulnerability assessments

No system is 100% secure. In the event of a data breach, we will notify affected users within 72 hours as required by GDPR.

GDPR Rights (EEA residents):

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent at any time

CCPA Rights (California residents):

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of the sale of personal information (we do not sell data)
• Right to non-discrimination for exercising privacy rights

To exercise any of these rights, email us at privacy@tidaly.io. We will respond within 30 days (or 45 days for complex requests).

Tidaly operates from the United States. If you access our Service from outside the US, your information may be transferred to and processed in the US.

For EEA users, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for data transferred outside the EEA. A copy of our DPA (Data Processing Agreement) is available upon request.

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child under 16 has provided us with personal information, we will delete it promptly.

We may update this Privacy Policy periodically. We will notify you of material changes via email or a prominent notice within the Service at least 14 days before changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

For privacy-related questions, requests, or complaints:

EEA residents may also lodge a complaint with their local data protection authority if they believe we have not handled their data in accordance with applicable law.