Privacy Policy

1. Introduction

FocusFlow ("we", "our", "us") is a web application that implements the Pomodoro Technique for time management and productivity tracking. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website and services. By using FocusFlow, you consent to the data practices described in this policy.

We are committed to protecting your privacy and ensuring the security of your personal data. We comply with applicable data protection laws, including the General Data Protection Regulation (GDPR), the Brazilian General Data Protection Law (LGPD), and the California Consumer Privacy Act (CCPA).

2. Information We Collect

We collect the following categories of information:

Account Information: When you create an account, we collect your email address and display name. If you sign in using a third-party provider (Google, GitHub), we receive your name, email, and profile picture from that provider.

Usage Data: We store your Pomodoro session data (start time, end time, duration, mode, completion status, and optional task labels), habit tracking data, and timer settings. This data is used to provide you with productivity statistics, heatmaps, and streak tracking.

Study Room Data: When you join or create a study room, we collect your display name, participant status, and heartbeat timestamps for the duration of the session. This information is shared with other room participants in real time and is deleted when you leave the room or the room is closed.

Device Information: We automatically collect technical information such as browser type, operating system, screen resolution, and language preference. This data is used to optimize the user experience and is not linked to your personal identity.

3. Payment Information

Premium subscriptions are processed through Stripe, a PCI-compliant payment processor. We do not store, process, or have access to your full credit card number, expiration date, or CVC at any time. Stripe handles all payment processing securely. We only receive a confirmation of your subscription status (active, canceled, or expired) and your Stripe customer ID to manage your plan.

For more information on how Stripe handles your payment data, please refer to Stripe's Privacy Policy at https://stripe.com/privacy.

4. How We Use Your Information

We use the information we collect for the following purposes: providing and maintaining the FocusFlow service; generating your personal productivity statistics and analytics; enabling real-time collaboration in study rooms; processing Premium subscription payments; sending essential service-related communications (password resets, billing notifications); improving our service quality and fixing bugs; and complying with legal obligations.

We do not sell, rent, or trade your personal data to third parties for marketing purposes. We will never use your data for purposes incompatible with those described in this policy without your explicit consent.

5. Cookies and Local Storage

We use essential cookies and browser local storage to ensure the proper functioning of FocusFlow. These include: authentication tokens to keep you signed in; language and theme preferences; cached timer settings for offline functionality; and session identifiers for study room connectivity.

Third-party advertising services (such as Google AdSense) may set their own cookies for ad personalization and performance measurement. You can manage or disable cookies through your browser settings, though some features may not function properly without essential cookies.

6. Third-Party Services

FocusFlow integrates with the following third-party services, each with their own privacy policies:

Supabase: Cloud database and authentication infrastructure. Your account data and session history are stored on Supabase's servers with encryption at rest and in transit. Privacy policy: https://supabase.com/privacy.

Stripe: Payment processing for Premium subscriptions. Privacy policy: https://stripe.com/privacy.

Vercel: Hosting and content delivery network (CDN). Privacy policy: https://vercel.com/legal/privacy-policy.

Google AdSense (future): Advertising services that may collect anonymous usage data for ad personalization. Privacy policy: https://policies.google.com/privacy.

7. Data Security

We implement industry-standard security measures to protect your personal information, including: encryption of data in transit using TLS/SSL protocols; encryption of data at rest on our database servers; secure authentication via Supabase Auth with bcrypt password hashing; row-level security (RLS) policies ensuring users can only access their own data; and regular security audits and dependency updates.

While we strive to use commercially acceptable means to protect your personal data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly notifying affected users in the event of a data breach.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with services. Session data (Pomodoro history, statistics) is retained indefinitely while your account exists so you can access your historical productivity data.

Study room data (participant lists, heartbeats) is transient and is automatically cleaned up when sessions end. If you delete your account, all personal data associated with it will be permanently removed within 30 days.

9. Children's Privacy

FocusFlow is not directed at children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at the email listed below.

10. International Data Transfers

Your information may be transferred to and processed on servers located outside your country of residence, including the United States. We ensure that any international transfers comply with applicable data protection laws through appropriate safeguards, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

11. Your Rights

Depending on your location, you may have the following rights regarding your personal data under GDPR, LGPD, and CCPA:

Right of Access: Request a copy of the personal data we hold about you. Right of Rectification: Request correction of inaccurate or incomplete data. Right of Erasure: Request deletion of your personal data ("right to be forgotten"). Right of Portability: Receive your data in a structured, machine-readable format. Right to Object: Object to certain processing of your data. Right to Withdraw Consent: Withdraw previously given consent at any time.

To exercise any of these rights, please contact us at the email address listed below. We will respond to your request within 30 days.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of FocusFlow after any changes constitutes acceptance of the revised policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: support@focusflowpomodoro.com