Privacy Policy
Last updated: February 15, 2026
1. Introduction
At Pomodoro Club, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our focus and productivity application. We are committed to GDPR compliance and protecting your personal data.
2. Information We Collect
Account Information
When you sign up using Google Sign-In, we receive:
- Your email address
- Your display name
- Your profile picture (if available)
Usage Data
We collect data about how you use Pomodoro Club to provide and improve the Service:
- Focus session durations and completion status
- Music preferences and listening patterns
- Streak data and activity history
- Task completion data
- Your timezone (for streak calculations)
Technical Data
We automatically collect certain technical information:
- Browser type and version
- Device type
- IP address (anonymized for analytics)
3. Third-Party Integrations
Pomodoro Club offers optional integrations with third-party services. These integrations require your explicit authorization through OAuth and can be disconnected at any time from your account settings.
Spotify Integration
When you connect your Spotify account, we request access to:
- Your Spotify profile information (display name, email)
- Your listening history and currently playing track
- Playback control (play, pause, skip) during focus sessions
We use this data to provide focus music playback during your work sessions and to personalize music recommendations. We store your Spotify OAuth tokens (encrypted with AES-256-GCM) to maintain your connection. We do not access your Spotify playlists, saved library, or make any changes to your Spotify account beyond playback control during active focus sessions.
Google Calendar Integration
When you connect your Google Calendar, we request read-only access to:
- Your calendar event titles, times, and locations
- Your Google account email address
We use this data to display your scheduled events alongside your tasks in the daily planner view. Calendar data is synced periodically and stored in our database to provide a unified view of your day. We store your Google OAuth tokens (encrypted with AES-256-GCM) to maintain your connection. We request read-only access and cannot create, modify, or delete any events on your Google Calendar.
Google API Services User Data Policy
Pomodoro Club's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google user data to provide and improve user-facing features of Pomodoro Club (displaying your calendar events in the daily planner)
- We do not use Google user data for serving advertisements
- We do not transfer Google user data to third parties unless necessary to provide or improve user-facing features, you provide explicit consent, or it is required for security or legal purposes
- We do not allow humans to read Google user data unless we have your affirmative consent, it is necessary for security purposes, or it is required by law
Revoking Third-Party Access
You can disconnect any third-party integration at any time from your Settings page. When you disconnect:
- We immediately delete the stored OAuth tokens
- All synced data from that service is removed from our database
- You can also revoke access directly from Google Account Permissions or Spotify Connected Apps
4. How We Use Your Information
We use your information to:
- Provide and maintain the Service
- Personalize your music recommendations based on your preferences
- Display your calendar events in the daily planner
- Calculate and display your focus streaks
- Generate productivity insights and analytics
- Send weekly focus reports (if you opt in)
- Send product updates and tips (if you opt in)
- Improve and optimize the Service
- Respond to your support requests
5. Legal Basis for Processing (GDPR)
Under GDPR, we process your data based on:
- Contract: To provide the Service you signed up for
- Legitimate interests: To improve and secure the Service
- Consent: For marketing emails, optional integrations (Spotify, Google Calendar), and optional features (you can withdraw consent at any time)
6. Marketing Communications
We only send marketing emails if you explicitly opt in. You can manage your email preferences at any time in your account settings. Marketing consent is:
- Optional and not required to use the Service
- Recorded with timestamp for GDPR compliance
- Easily revocable through your settings
7. Data Sharing
We do not sell your personal data. We may share your information with:
- Service providers: Who help us operate the Service (hosting, email delivery)
- Third-party integrations: Spotify and Google receive only the authentication tokens necessary for the integration to function. We do not share your Pomodoro Club usage data with these services.
- Legal authorities: When required by law or to protect our rights
All service providers are contractually bound to protect your data and only use it for the purposes we specify.
8. Data Retention
We retain your data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, including all third-party integration tokens and synced data, except where we need to retain it for legal obligations or legitimate business purposes.
9. Your Rights (GDPR)
Under GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data
- Restriction: Request limited processing of your data
- Portability: Receive your data in a portable format
- Object: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent at any time for consent-based processing, including third-party integrations
To exercise these rights, contact us at hodlhausteam@gmail.com
10. Data Security
We implement appropriate technical and organizational measures to protect your data:
- 256-bit SSL/TLS encryption for data in transit
- AES-256-GCM encryption for sensitive data at rest (including OAuth tokens)
- Regular security audits
- Access controls and authentication
- Secure token storage with industry-standard encryption
11. Cookies
We use essential cookies to maintain your session and preferences. We do not use third-party tracking cookies for advertising purposes. The cookies we use include:
- Authentication cookie: A secure, HTTP-only cookie containing your session token
- Preference cookies: To remember your theme and display settings
12. Children's Privacy
Pomodoro Club is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
13. International Data Transfers
Your data may be processed in countries outside your country of residence, including the United States, where our servers are hosted. We ensure appropriate safeguards are in place, such as Standard Contractual Clauses, to protect your data during international transfers.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through the Service. Your continued use of the Service after changes constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy or want to exercise your rights, contact us at:
Email: hodlhausteam@gmail.com
Data Protection Officer: hodlhausteam@gmail.com
