
Privacy Policy

Last updated: May 28, 2026

This Privacy Policy describes how Tidl ("we") collects, uses and protects your personal data when you use the application and the website tidl.app. It supplements the Terms of Use and applies to all Users, whether or not they have an account.

Table of contents

  1. Data controller
  2. Data we collect
  3. Purposes and legal bases
  4. What we do not collect
  5. Recipients and processors
  6. Transfers outside the European Union
  7. Retention periods
  8. Your rights
  9. Security
  10. Cookies and local storage
  11. Minors
  12. Changes and contact

1. Data controller

The data controller within the meaning of Regulation (EU) 2016/679 (GDPR) and the French "Informatique et Libertés" Act is:

  • Publisher: [COMPANY NAME OR FULL NAME], [legal form]
  • Registered office: [FULL ADDRESS]
  • Contact: contact@tidl.app
  • Hosting provider: [HOSTING PROVIDER NAME], [HOSTING ADDRESS]

Tidl is not required to appoint a Data Protection Officer (DPO). Any request regarding your data can be addressed directly to the publisher via the contact form.

2. Data we collect

We apply a data minimisation principle: we only collect data strictly necessary for the Service to work.

2.1 Account data

  • Email address — login identifier, transactional communication (password reset, purchase confirmation).
  • Password — never stored in clear text, kept as a hash (bcrypt). Optional if you use Google sign-in.
  • First name (optional) — to personalise the interface and emails.
  • Preferred language — to serve the interface in the correct language (fr/en).
  • Google identifier (only if you sign in with Google) — the unique "sub" identifier provided by Google. We do not access any other data from your Google account (Gmail, Drive, contacts, etc.).

2.2 Payment data

  • Card payment — processed directly by Stripe. We never see or store your card number. We only receive a Stripe transaction identifier, the amount, the currency and the status.
  • Invoicing data — buyer's email address, date, amount, license identifier. Kept for 10 years for accounting and tax obligations (article L123-22 of the French Commercial Code).
  • License key — generated locally and associated with your account if you purchase the Premium version.

2.3 Synchronisation data (end-to-end encrypted)

If you enable Premium sync, your application data (tasks, routines, focus sessions, inbox notes, etc.) is sent to our servers only in encrypted form.

  • Encrypted payload — the encryption key is derived from your password and never leaves your device. We cannot read the content.
  • Technical metadata — size of the encrypted blob, timestamp, operation identifier, version number. Required to resolve sync conflicts.

2.4 Technical data

  • IP address — used for security (rate limiting, abuse detection) and written to server logs.
  • User-Agent and platform — to tailor downloads (Android, PWA) and diagnose bugs.
  • Error logs — server-side error stacks, with no user content in clear text.

2.5 Data from your interactions

  • Contact messages — message content, reply email, language.
  • Bug reports — description sent voluntarily, platform, application version.

3. Purposes and legal bases

Each processing activity is based on a legal ground within the meaning of article 6 of the GDPR.

| Purpose | Legal basis | Data involved |
|---|---|---|
| Creation and management of your account | Performance of the contract (Terms) | Email, hashed password, first name, Google identifier |
| Encrypted sync across devices | Performance of the contract (Premium) | Encrypted payload, technical metadata |
| Payment processing and invoicing | Performance of the contract + legal obligation (accounting) | Email, Stripe identifiers, amount, license |
| Sign-in with Google | Consent (OAuth) | Google "sub" identifier, verified email |
| Security, fraud and abuse prevention | Legitimate interest | IP, User-Agent, logs |
| User support and bug reports | Legitimate interest + consent | Email, message, application version |
| Sending transactional emails | Performance of the contract | Email, first name, language |

4. What we do not collect

Tidl is built around a "privacy-first" principle. We never collect:

  • Health data — Tidl is not a medical device. No biometric, medical, heart rate, sleep or similar measurements.
  • Precise location data — no GPS, no position tracking.
  • Biometric data — no facial, voice or fingerprint recognition.
  • Advertising trackers — no Facebook/Meta pixel, no Google Analytics, no marketing profiling.
  • The content of your tasks, notes and routines in clear text on our servers — it is encrypted client-side before transmission.
  • Your contacts, address book, photos or any other file on your device.

5. Recipients and processors

Your data is accessible only to authorised personnel of Tidl and to the following processors, strictly required for the Service to work:

  • Stripe Payments Europe Ltd. (Ireland) — card payment processing. Stripe Privacy Policy.
  • Google Ireland Ltd. — OAuth authentication when you choose "Sign in with Google". Google Privacy Policy.
  • Infrastructure host — see article 1. Data stored within the European Union.
  • Google Play Store / Apple App Store — if you purchase the application via a store, the store handles the payment and only forwards us anonymised proof of purchase.

We do not sell, rent or trade your personal data. No targeted advertising is served through Tidl.

6. Transfers outside the European Union

Data stored by Tidl resides within the European Union. However, some processors (Stripe, Google) may process data from or to the United States.

Such transfers are governed by Standard Contractual Clauses approved by the European Commission and, where applicable, by the EU-US Data Privacy Framework (DPF). No encrypted sync data is transferred outside the EU.

7. Retention periods

We keep your data only for as long as necessary for the relevant purpose:

  • User account — kept as long as your account is active, then deleted on request or after 24 months of inactivity (prior notice sent by email).
  • Encrypted sync data — deleted immediately when your account is deleted or when sync is disabled.
  • Invoicing data — kept for 10 years for accounting obligations (article L123-22 of the French Commercial Code). Used only in the event of a tax audit or an explicit request to resend a license key.
  • Contact messages and bug reports — kept for 3 years after the last exchange.
  • Server and error logs — kept for a maximum of 12 months, then purged automatically.
  • Session and refresh tokens — short-lived (access tokens) or revocable (refresh tokens). Invalidated upon logout.

8. Your rights

In accordance with articles 15 to 22 of the GDPR, you have the following rights:

  • Right of access — obtain a copy of the data we hold about you.
  • Right to rectification — correct inaccurate information (first name, email).
  • Right to erasure ("right to be forgotten") — request deletion of your account and data.
  • Right to restriction — temporarily restrict processing.
  • Right to data portability — recover your data in a structured, reusable format (JSON).
  • Right to object — object to processing based on legitimate interest.
  • Withdrawal of consent — for consent-based processing (Google OAuth in particular), at any time.
  • Post-mortem directives — define what happens to your data after your death (French Act of October 7, 2016).

To exercise these rights, contact us via the contact form or at contact@tidl.app. A reply will be provided within a maximum of 1 month. Proof of identity may be requested in case of reasonable doubt.

Self-service from the application: you can at any time export your data or delete your account from your profile ("My account" section).

If you believe your rights have not been respected, you can lodge a complaint with the French CNIL — 3 place de Fontenoy, 75007 Paris — cnil.fr/en/plaintes — or with the supervisory authority of your EU country of residence.

9. Security

We implement technical and organisational measures to protect your data:

  • Encryption in transit — all communications use TLS 1.2 or higher (HTTPS).
  • End-to-end encryption for sync — your application data is encrypted on your device before any transmission. The encryption key is derived from your password and never sent to our servers.
  • Password hashing — bcrypt with a random salt. Plaintext passwords are never stored.
  • Signed-token authentication — short-lived access tokens + revocable refresh tokens. Bound to the device.
  • Signed and verified Stripe webhooks — to prevent spoofing of payment notifications.
  • Per-user isolation — each user can only access their own data, verified server-side on every request.

No transmission over the Internet or method of electronic storage is 100% secure. We commit to applying industry best practices, without being able to guarantee absolute security.

In the event of a data breach posing a risk to your rights and freedoms, you will be informed without undue delay, and the CNIL will be notified within 72 hours in accordance with article 33 of the GDPR.

10. Cookies and local storage

Tidl uses only cookies and storage elements that are strictly necessary for the Service to work:

  • Session cookie — to keep you signed in. Removed on logout or expiry.
  • CSRF token — to protect forms against cross-site request forgery.
  • Language preference — to serve the interface in the language of your choice.

No third-party cookies, no advertising cookies, no behavioural analytics (no Google Analytics, no Meta Pixel).

The application also uses your device's local storage (IndexedDB, localStorage) to host your data while offline. This data remains on your device and is not transmitted to us without your explicit action (sync, export, etc.).

11. Minors

Tidl is not intended for children under 15 years old (France) or the minimum age required in your country of residence (13 to 16 years depending on EU jurisdictions). In accordance with article 8 of the GDPR, parental consent is required below that age.

If you believe a child has sent us data without parental authorisation, please contact us at contact@tidl.app: we will delete the account without delay.

12. Changes and contact

12.1 Changes to this policy

We may amend this Privacy Policy to reflect changes in the Service, our processors or applicable regulations. The date of the last update is shown at the top of the page. In the event of a material change, you will be informed by email or via an in-app notification at least 30 days before it takes effect.

12.2 Contact us

For any question regarding your personal data or the exercise of your rights:

  • Form: Contact us
  • Email: contact@tidl.app
  • Postal address: [COMPANY NAME], [FULL ADDRESS]

© 2026 Tidl. Made with care for brains that work differently.