Privacy Policy

1. Introduction

Welcome to Pomodoro Timer ("we," "our," or "us"). We are committed to protecting your privacy and ensuring transparency about how we handle your information. This Privacy Policy explains our practices regarding data collection, use, and storage when you use our Pomodoro Timer application.

2. Information We Collect

2.1 Account & Cloud Data (Registered Users)

If you choose to sign in with Discord or Google, we collect:

• Identity Data: Discord/Google User ID, username, avatar, and email address (for account linking)
• Cloud Sync Data: Timer, audio, and display settings synced to our secure backend
• Progress Data: XP, level, and Pomodoro statistics for continuity across devices

For users who do not sign in, core settings remain local to the browser via localStorage.

2.2 Analytics, Monitoring, and Feature Flag Data

When enabled or required for service reliability, we process:

• PostHog (Product Analytics): App events (for example timer actions and feature usage), platform/device metadata, and session-level analytics identifiers. PostHog analytics is opt-in via the consent banner.
• Sentry (Error & Performance Monitoring): Error details, stack traces, performance traces, browser/device metadata, and technical context needed to diagnose issues.
• GrowthBook (Feature Flags): Feature flag evaluation attributes such as internal user ID, level/faction, locale, and platform context.

We use this data to improve reliability, ship safer releases, and understand feature adoption.

2.3 Information We Do NOT Collect

We do not collect:

• Payment card information
• Precise location data
• Biometric data
• Your private Discord message content

3. How We Use Your Information

The information we collect is used solely for the following purposes:

• Account Sync: To enable cross-device settings and progress continuity
• Service Functionality & Security: To authenticate users and protect platform integrity
• Analytics & Monitoring: To improve functionality, reliability, and user experience

4. Data Storage and Security

4.1 Database, Security, and Local Storage

For registered users, account and progression data are stored in secure backend services. The app also stores settings locally for performance and continuity. Local browser data:

• Remains on your device unless you sign in and choose synced functionality
• Can be cleared at any time through your browser settings
• Is isolated to our domain and cannot be accessed by other websites

4.2 Third-Party Services

We use the following third-party services:

• Supabase: Authentication, database, and backend functions
• PostHog: Product analytics (opt-in through consent choices)
• Sentry: Error and performance monitoring
• GrowthBook: Feature flags and controlled rollouts
• Upstash Redis: Rate limiting and backend cache support
• Cloudflare R2: Hosting and delivery of audio/media assets
• Vercel: Frontend hosting and edge delivery; some public pages may also use Vercel analytics scripts

5. Cookies and Tracking

We use essential storage mechanisms (such as localStorage and required auth/session storage) to run the app.

• Essential Storage: Required for sign-in, security, and core functionality
• Analytics Storage: PostHog analytics is disabled by default and is only enabled when you opt in through the consent banner

You can change consent preferences later from the privacy/cookie settings interface in the app.

6. Music and Audio Content

The music and audio files available in our application are sourced from copyright-free and royalty-free collections available on the internet. We believe these files are free to use, but if you are a rights holder and believe your content has been included without proper authorization:

7. Your Rights and Choices

You have the following rights regarding your data:

• Access: You can request access to account-linked data we store in backend services
• Deletion: You can delete local data by clearing localStorage, and you can request account deletion for backend data
• Opt-Out: You can opt out of product analytics via consent settings; this does not disable strictly necessary security/error monitoring

8. Children's Privacy

Our application does not knowingly collect any personal information from children under the age of 13. The application is designed to be safe for all ages, and we do not request or store any personal data from any users, regardless of age.

9. International Data Transfers

Depending on your location and selected providers, data may be processed in multiple regions (including EU and other jurisdictions) by our infrastructure and subprocessors.

• Supabase (auth/database/backend)
• PostHog (product analytics)
• Sentry (error/performance telemetry)
• GrowthBook (feature delivery)
• Cloudflare R2 and CDN delivery networks
• Vercel hosting/edge delivery

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal compliance. We will update the "Last Updated" date at the top of this policy. Continued use of the application after changes constitutes acceptance of the updated policy.

11. Third-Party Links

Our application may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any information.

12. Data Retention

Local storage data remains on your device until you clear it. Account-linked data in our backend is retained while your account is active and as needed for security, fraud prevention, and legal obligations. Provider telemetry retention (for PostHog, Sentry, and related services) follows each provider's configured retention policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

14. Legal Compliance

This application is designed to comply with major privacy regulations including:

• General Data Protection Regulation (GDPR) - European Union
• California Consumer Privacy Act (CCPA) - United States
• Other applicable data protection laws

We process data only for the purposes described in this policy and apply data minimization, access controls, and transparency practices appropriate to the services we operate.