Privacy Policy
Effective April 14, 2026
This Privacy Policy describes how Timeboxing ("we," "us," or "our") collects, uses, stores, and protects your information when you use the service at timeboxing.pro. We take privacy seriously. We collect only what we need and we do not sell your data.
1. Information We Collect
Account information
- Email address (used for authentication and account recovery)
- Username (your display name, visible to friends)
- Password (stored as a one-way hash — we cannot read it)
- Home timezone (used for day boundary calculations)
Usage and game data
- Work blocks: category, tier, duration, description, timestamps, XP earned
- Shadow (break) records: tier, timestamps, duration, description, XP earned
- Streak data: chunk outcomes, token balances, streak history
- Goals: task descriptions, deadlines, outcomes
- Aggregate stats: total XP, level, Nightmare score, Merits, days active
Payment information
We never store your payment card details. All payment processing is handled by Stripe. We store only your Stripe customer ID and subscription ID to manage your access status.
Technical data
- Server-side logs (request timestamps, IP addresses) — retained briefly for security and debugging
- No analytics tools are currently active. We plan to add PostHog in the future, at which point this policy will be updated.
2. How We Use Your Information
- To provide, operate, and maintain the service
- To authenticate your account and manage your session
- To process payments and manage your subscription
- To compute game mechanics (XP, streaks, levels, daily stats)
- To enable social features (friend leaderboards — only friends see your stats)
- To send transactional emails (account verification, password reset)
- To respond to support requests
- To detect and prevent fraud or abuse
We do not send marketing emails. We do not sell, rent, or share your personal data with third parties for their marketing purposes.
3. Third-Party Services
We use a small number of third-party services to operate. Each receives only what it needs:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database (PostgreSQL), authentication, real-time | All account and game data (stored in managed Postgres) |
| Stripe | Payment processing | Email address, subscription plan. Stripe handles all card data (PCI compliant). |
| Vercel | Application hosting and serverless functions | Network request data (IP, headers) through request routing. Vercel does not store your game data. |
4. Data Security
We take reasonable technical measures to protect your data:
- All data in transit is encrypted via HTTPS/TLS
- Passwords are hashed using bcrypt — we cannot recover your password
- Database access is protected by Row-Level Security — no user can access another user's data, even in the event of a SQL injection
- Sensitive identifiers (payment IDs) are encrypted at the application layer before storage
- All secrets (API keys, credentials) are stored as environment variables and never in source code
No system is perfectly secure. In the event of a data breach that affects your personal information, we will notify you via the email address on your account.
5. Cookies and Local Storage
We use cookies strictly for authentication (session management via Supabase Auth). We do not use advertising cookies, tracking cookies, or cross-site cookies.
Your browser may also store local session data (JWTs) to keep you logged in. This data stays on your device and is cleared when you log out.
6. Data Retention
Your personal data is retained for as long as your account is active. When you delete your account:
- A 30-day recovery window begins. You can reactivate by logging in.
- After 30 days: email, username, password hash, payment IDs, timezone, friend connections, and IP logs are permanently deleted.
- Your game data (blocks, shadows, streaks, goals) is anonymized — your user ID is replaced with a random identifier that cannot be traced back to you. This anonymized data is retained for aggregate analysis.
- Stripe retains payment transaction records per their own legal obligations (financial/tax reporting). We cannot control or delete these records.
7. Your Rights — GDPR (EEA/UK)
If you are located in the European Economic Area or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct inaccurate or incomplete data (e.g. update your email via account settings).
- Erasure: Request deletion of your personal data. You can trigger this directly in-app (Settings > Delete Account).
- Portability: Export your block history as a CSV file from within the app (Settings > Download Block History).
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing where we rely on legitimate interests as the legal basis.
Our legal basis for processing your data is: contract performance (to provide the service you signed up for) and legitimate interests (security, fraud prevention). To exercise any of these rights, contact us at support@timeboxing.pro. We will respond within 30 days.
8. Your Rights — CCPA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Know: Request disclosure of the categories and specific pieces of personal information we collect about you.
- Delete: Request deletion of your personal information (subject to certain exceptions).
- Opt-out of sale: We do not sell personal information. There is nothing to opt out of.
- Non-discrimination: We will not discriminate against you for exercising any CCPA rights.
To submit a CCPA request, contact us at support@timeboxing.pro.
9. Children's Privacy
The service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has created an account, contact us and we will delete the account and associated data.
10. Changes to This Policy
We may update this Privacy Policy as the service evolves. When we do, we will update the effective date above. If changes are material, we will notify you via the email address on your account. Continued use of the service after changes are posted constitutes acceptance of the revised policy.
11. Contact
For any privacy questions, data requests, or concerns, contact us at: support@timeboxing.pro