Privacy Policy

Last updated: 2025-11-01

1) Who is responsible (Controller)

Controller
Marc Thun
Hinüber 6
42477 Radevormwald, Germany
Email (privacy): privacy@tuckedaway.app
(For general/business contact, please use contact@tuckedaway.app – see Impressum.)

2) What data we process on this website

• Essential data (necessary to run the site): server logs (IP address, user agent, URL, timestamp, error codes) generated by Vercel when you visit our pages.
• Consent choices: if you interact with our consent banner, we store that choice in an essential cookie so we don’t keep asking.
• Newsletter / email signup (Mailchimp): if you enter your email to receive updates, this email address is sent to Mailchimp (The Rocket Science Group LLC d/b/a Mailchimp, USA) and stored there for the purpose of sending you emails. Mailchimp processes the email delivery and open/click statistics.
• Analytics (Vercel Analytics): we use Vercel Analytics to understand which pages are visited, from which countries, and which events (e.g. downloads) are triggered. Vercel Analytics is designed to be privacy-friendly: it does not use cookies, does not track you across sites, and works with aggregated data. We use this to improve the site.
• App / AI usage data: if you use our journaling or AI features, your prompts and responses may be processed by our backend and our AI provider (currently OpenAI) to deliver the service.
• Business / support emails (Zoho Mail): if you write to us at contact@tuckedaway.app or privacy@tuckedaway.app, your message will be processed and stored by our professional email provider (Zoho Mail) so we can answer you.

3) Why we process your data (purposes) & legal bases

• Operate and secure the website (detect errors, prevent abuse, measure basic availability).
  Legal basis: legitimate interests (Art. 6(1)(f) GDPR) and/or legal obligation (Art. 6(1)(c)).
• Respond to contact requests and manage support threads.
  Legal basis: contract (Art. 6(1)(b)) or legitimate interests (6(1)(f)) if pre-contractual, plus consent (6(1)(a)) for optional marketing opt-in.
• Analytics (Vercel Analytics) to improve content and UX. Because this analytics tool is privacy-friendly and cookie-less, we rely on legitimate interests (Art. 6(1)(f) GDPR). If we ever add a cookie-based analytics or marketing tool (e.g. GA4, Meta), we will ask for consent first.
• Newsletter via Mailchimp: to send you the emails you asked for.
  Legal basis: consent (Art. 6(1)(a) GDPR). You can withdraw anytime via unsubscribe link or by emailing privacy@tuckedaway.app.
• Business communications via Zoho Mail: to receive and answer your emails to our contact addresses, and to keep an audit trail of the communication.
  Legal basis: legitimate interests (Art. 6(1)(f) GDPR) in operating professional email and responding to inquiries; and contract (Art. 6(1)(b)) where the message relates to our service.
• Marketing/retargeting (only if you opt in in the future).
  Legal basis: consent (Art. 6(1)(a)).

4) Cookies & consent

On first visit, we ask for your choice via our banner (if non-essential tools are used). You can change it any time here: Manage cookies.

• Essential cookie: stores your consent selection (mg_consent). Max age: 12 months.
• Analytics (Vercel Analytics): at the time of writing, this works without setting tracking cookies.
• Mailchimp: if we embed Mailchimp forms or confirmation pages, Mailchimp may set technically necessary cookies or use similar technologies for delivering the signup.

Deutschland/EU-Hinweis: Für das Speichern oder Auslesen von Informationen auf Ihrem Endgerät (z. B. nicht-essenzielle Cookies) stützen wir uns auf § 25 TTDSG in Verbindung mit Art. 6 Abs. 1 lit. a DSGVO (Einwilligung). Essenzielle Cookies sind nach § 25 Abs. 2 TTDSG zulässig.

5) Processors (vendors) we use

• Hosting/CDN: Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA – serves this site and serverless functions.
• Analytics: Vercel Analytics (privacy-friendly, cookie-less).
• Database: MongoDB Atlas – data storage for app users.
• AI provider: OpenAI – processes prompts and outputs when you use AI features in our app.
• Email/newsletter: Mailchimp (The Rocket Science Group LLC d/b/a Mailchimp, Atlanta, GA, USA) – for sending you newsletters and managing email lists.
• Professional email (inbound/outbound): Zoho Mail (Zoho Corporation) – to receive and manage emails sent to contact@tuckedaway.app and privacy@tuckedaway.app. Depending on your location, data may be processed outside the EU; we rely on DPAs/SCCs where applicable.
• Email transport: your email provider / mail service, to deliver contact form messages.

We have Data Processing Agreements (DPAs) where required. Some providers may transfer data to third countries; we rely on Standard Contractual Clauses (SCCs) and additional safeguards where applicable.

6) Retention

• Server logs: typically 30–90 days unless needed longer.
• Mailchimp contacts: as long as you are subscribed; deleted when you unsubscribe or when we prune inactive contacts.
• Emails in Zoho Mail: as long as needed to process your request and for documentation/business purposes, then archived or deleted per our retention schedule.
• Consent records: up to 12 months or until you change your preference.

7) Security

We use industry-standard measures (TLS encryption, access controls, least-privilege, backups). No method is 100% secure, but we continuously improve our safeguards.

8) Your rights under GDPR (EU/EEA, incl. Germany)

You can exercise these rights at any time by emailing privacy@tuckedaway.app:

• Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18).
• Portability (Art. 20) in a common, machine-readable format.
• Object (Art. 21) to processing based on legitimate interests and to direct marketing.
• Withdraw consent (Art. 7(3)) at any time, without affecting prior lawful processing.
• Lodge a complaint with a supervisory authority. In Germany, you can find your authority here: List of authorities. If you’re in North Rhine-Westphalia, for example, the LDI NRW is competent.

9) California (CCPA/CPRA) – Notice at Collection

We collect the following categories of personal information for the purposes described above:

• Identifiers (e.g., name, email, IP address).
• Internet activity (pages visited, device/browser data) – mainly in aggregated form via Vercel Analytics.
• Inferences drawn from the above to improve the site (aggregated / anonymous where possible).

Your CPRA rights: know/access, correct, delete, portability, limit use/disclosure of sensitive data (we don’t seek sensitive categories here), and opt-out of “selling”/“sharing” personal information. We do not sell personal information in the traditional sense. If we ever engage in cross-context behavioral advertising, you can opt out via cookie choices or by emailing us.

To exercise your rights, email privacy@tuckedaway.app. You may use an authorized agent; we may need to verify your request.

10) Children

This site is not directed to children under 16. If you believe a child provided us data, contact us and we will delete it.

11) Changes to this policy

We will update this page when our practices change. Material changes will be highlighted for at least 30 days.

11a) DDG/DSA transparency notes (Germany/EU)

We operate this website as a hosting-based online service provider. Provider identification is available in our Impressum. If you believe content on this site is unlawful, please contact us via privacy@tuckedaway.app with details; we will review and act where required by law. These notes reflect the German Digitale-Dienste-Gesetz (DDG) implementing aspects of the EU Digital Services Act (DSA).

12) Contact

Privacy contact: privacy@tuckedaway.app
General/business contact (see Impressum): contact@tuckedaway.app
Postal: Marc Thun, Hinüber 6, 42477 Radevormwald, Germany