Privacy policy

Effective date: 2026-03-07
Last updated: 2026-05-14

This Privacy Policy explains how Tealytics (“Tealytics”, “we”, “us”) collects, uses, shares, and protects personal data when you use our website and web app (the “Service”).

If you have questions, contact: hi@tealytics.app.

1) Who is responsible (Controller)

Controller (data protection law):
Philipp Bochmann
c/o Impressumservice Dein-Impressum, Stettiner Str. 41, 35410 Hungen
hi@tealytics.app

2) What data we collect

2.1 Data you provide

  • Account data: name, email address, password hash (never your plaintext password).
  • Billing data (if paid plans): billing contact details, billing address (if collected), tax IDs (if provided). Payment card details are processed by our payment provider, not stored by us.
  • Support communications: messages you send us, attachments, feedback.

2.2 Data you upload or generate in the Service

  • User Content: data you enter, import, or generate in Tealytics (may include personal data depending on what you upload).

2.3 Data collected automatically

  • Server access logs: our hosting provider (Vercel) may process IP addresses and request timestamps as part of standard server operation.
  • Privacy-friendly web analytics: we use Rybbit, a cookie-free analytics tool we self-host on our own infrastructure, to collect anonymized usage data (page views, referrer, browser type, device type, country, anonymized JavaScript error events, and in-app feature usage events). Rybbit does not use cookies, does not store IP addresses, and does not track users across websites or sessions. See Section 8 for details.
  • Cookies: see Section 8.

3) How we use data (purposes)

We use personal data to:

  • Provide and operate the Service (authentication, core functionality).
  • Secure the Service (fraud prevention, abuse detection, monitoring).
  • Process subscriptions and invoices (if applicable).
  • Communicate with you (support, important notices).
  • Improve the Service (debugging, product analytics, feature development).
  • Meet legal obligations (tax, accounting, compliance).

We do not sell personal information.

4) Legal bases (GDPR/UK GDPR, where applicable)

Where GDPR/UK GDPR applies, our legal bases include:

  • Contract (Art. 6(1)(b)): to provide the Service you requested.
  • Legitimate interests (Art. 6(1)(f)): to secure and improve the Service, prevent abuse, and operate our business.
  • Consent (Art. 6(1)(a)): where required (e.g., certain cookies/marketing).
  • Legal obligation (Art. 6(1)(c)): e.g., tax/accounting compliance.

5) Sharing data (processors and recipients)

We share personal data only as needed to run Tealytics, including with:

  • Vercel — hosting, CDN, and edge functions (US).
  • Convex — database, file storage, and backend functions (US).
  • Brevo (Sendinblue) — transactional email for magic link authentication (EU/France).
  • Google — OAuth 2.0 authentication and Gemini API for AI-powered label scanning (US).

We may also share data:

  • To comply with law or legal requests.
  • To protect rights, safety, and security (fraud, abuse, incidents).
  • In connection with a merger, acquisition, or asset sale (with appropriate safeguards).

6) International transfers

We may process data in countries outside your country of residence (including the US). Where required by GDPR/UK GDPR, we rely on appropriate safeguards such as:

  • EU Standard Contractual Clauses (SCCs) and/or UK addendum,
  • Adequacy decisions (where applicable),
  • Additional technical/organizational measures as appropriate.

7) Data retention

We keep personal data only as long as necessary:

  • Account data: while your account is active. Deleted immediately upon account deletion (see Section 9).
  • Authentication sessions: expire after 30 days.
  • Magic link tokens: expire after 24 hours. Rate-limit logs: purged after 15 minutes.
  • Server access logs: retained per our hosting provider’s standard policy (Vercel).
  • Backups: retained per our database provider’s standard policy (Convex).

You can delete your account and all data from your account settings at any time (see Section 9).

8) Cookies and tracking

We use only strictly necessary cookies for authentication and security:

  • Session cookies: to keep you signed in (CSRF token, session token).

We do not use marketing or tracking cookies. Because these cookies are strictly necessary to provide the Service you requested, no consent is required (TDDDG § 25 Abs. 2).

8.1 Web analytics (Rybbit)

We use Rybbit, an open-source, privacy-friendly analytics tool that we self-host on our own infrastructure. Your analytics data is never sent to a third-party analytics provider. Rybbit:

  • does not use cookies or any other device storage,
  • does not store your IP address (it is used only transiently to derive coarse data such as country, then discarded),
  • does not track users across websites, and uses no persistent cross-session identifiers,
  • collects only anonymized, aggregated data: page views, referrer URL, browser type, device type, country, anonymized JavaScript error events, and in-app feature usage events (including on authenticated pages once you are signed in).

Because Rybbit stores no information on your device and does not retain personal data, no consent is required under GDPR (Art. 6(1)(f), legitimate interest), TDDDG § 25 Abs. 2, or ePrivacy rules. Use of analytics within the signed-in app is also described in our Terms and Conditions.

9) Your rights

9.1 GDPR/UK GDPR rights (EEA/UK users)

Depending on your situation, you may have rights to:

  • Access your data, correct it, delete it.
  • Restrict or object to processing.
  • Data portability.
  • Withdraw consent (where processing is based on consent).
  • Lodge a complaint with a supervisory authority.

9.2 US privacy rights (state laws, where applicable)

Depending on your state, you may have rights to:

  • Access, delete, correct certain personal information.
  • Opt out of certain processing (e.g., targeted advertising) where applicable.
  • Non-discrimination for exercising privacy rights.

How to exercise rights: You can delete your account and all associated data directly from your account settings. You can export your data before deletion. For other requests, email hi@tealytics.app.

10) Children

The Service is not directed at children. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.

11) Security

We use reasonable technical and organizational measures to protect data (access controls, encryption in transit, monitoring). No system is 100% secure, so we cannot guarantee absolute security.

12) Changes

We may update this policy. If changes are material, we will provide notice (email or in-app) and update the effective date.

13) Contact

Privacy questions or requests: hi@tealytics.app
Controller: Philipp Bochmann