Privacy Policy

Your privacy is important to us. This policy explains how Treffortly collects, uses, and protects your personal information across all our platforms.

Last Updated: January 1, 2025

1. Introduction

Welcome to Treffortly. We are committed to protecting your personal information and your right to privacy. This Privacy Policy applies to all information collected through our suite of platforms:

  • Task Manager - Gamified productivity platform (app.treffortly.com)
  • Markdown Editor - AI-powered writing tool (editor.treffortly.com or md.treffortly.com)
  • Finance Tracker - Subscription management (finances.treffortly.com)
  • Unified Authentication - Single sign-on system (auth.treffortly.com)

By using our services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of our services.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address (required for account creation and communication)
  • Full name (optional, for personalization)
  • Password (encrypted and hashed - we never store plain text passwords)
  • Profile preferences (theme, language, notification settings)

2.2 Platform-Specific Data

Task Manager

  • Tasks, projects, and to-do lists you create
  • XP points, levels, and achievement progress
  • Team collaboration data (shared tasks, team members)
  • Time tracking data
  • Productivity analytics

Markdown Editor

  • Markdown documents you create and edit
  • Version history and document revisions
  • Collaboration data (co-editors, comments)
  • AI interaction data (prompts, suggestions accepted/rejected)
  • Export formats and preferences

Finance Tracker

  • Stripe-connected subscription data (subscription names, amounts, billing dates)
  • Budget settings and forecasts
  • Spending categories and custom tags
  • Alert preferences for renewals

2.3 Payment Information

Payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We do not store your credit card numbers, CVV, or full payment details. We only receive:

  • Last 4 digits of your card (for identification)
  • Card brand (Visa, Mastercard, etc.)
  • Subscription status and billing history
  • Stripe customer ID (tokenized reference)

2.4 Usage Data

  • Login timestamps and frequency
  • Feature usage patterns (which tools you use most)
  • Device information (browser type, OS, screen resolution)
  • IP address (for security and geo-location)
  • Anonymized analytics data

2.5 Cookies and Tracking Technologies

We use cookies and similar technologies for authentication, preferences, and analytics. See our Cookie Policy for detailed information.

4. How We Use Your Data

We use the information we collect for the following purposes:

  • Service Delivery: Provide access to all three platforms with unified authentication
  • AI Features: Power task suggestions, writing assistance, and spending insights
  • Security: Fraud detection, abuse prevention, and account security
  • Communication: Service updates, billing notifications, and customer support
  • Analytics: Understand usage patterns to improve features and user experience
  • Personalization: Customize your dashboard, recommendations, and preferences
  • Marketing: Send promotional emails (opt-in required; can unsubscribe anytime)
  • Legal Compliance: Meet regulatory requirements and respond to legal requests
  • Product Development: Develop new features and improve existing ones

5. AI and Machine Learning

Current AI Usage

We currently use third-party AI services (such as OpenAI and similar providers) to power features like task suggestions, writing assistance, and spending insights. When you use these features, your content may be sent to these providers for processing.

5.1 We Do NOT Currently Train AI Models

Treffortly does not currently use your personal data, tasks, documents, or financial information to train our own AI models or machine learning systems.

5.2 Future AI Training - Your Choice

In the future, we may explore training custom AI models to improve our services. If we decide to pursue this:

  • Opt-in Required: We will ask for your explicit consent before using your data for AI training
  • Always Optional: Declining will NOT limit your access to any features or services
  • Transparent: We will clearly explain what data would be used and how
  • Revocable: You can withdraw consent at any time via account settings
  • Advance Notice: You will receive email notification before any such program begins

5.3 Third-Party AI Providers

Our current third-party AI providers process your content according to their own privacy policies and terms. We select providers who commit not to use your data for training their models without consent.

6. Data Sharing & Third Parties

We share your information only in the following limited circumstances:

6.1 Service Providers

  • Stripe: Payment processing (PCI DSS Level 1 certified)
  • AI Providers: OpenAI or similar for feature functionality
  • Cloud Hosting: AWS, Google Cloud, or similar for data storage
  • Analytics: Anonymous usage data for product insights
  • Email Service: Transactional and marketing email delivery

All service providers are bound by data processing agreements and are required to protect your data.

6.2 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to protect our legal rights, prevent fraud, or ensure user safety.

6.3 Business Transfers

If Treffortly is involved in a merger, acquisition, or sale, your data may be transferred to the acquiring entity. You will be notified via email of any such change.

6.4 We Do NOT Sell Your Data

Treffortly does NOT sell, rent, or trade your personal information to third parties for their marketing purposes. Your data is used solely to provide and improve our services.

7. International Data Transfers

Treffortly operates globally, and your data may be processed in the United States and European Union. If you are located in the EEA, UK, or Switzerland, we ensure adequate protection for your data through:

  • Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
  • Adequacy Decisions: Transfers to countries recognized by the EU as providing adequate protection
  • Privacy Shield Framework: Compliance with applicable US-EU data transfer frameworks
  • Technical Safeguards: Encryption, access controls, and security measures

8. Data Retention

8.1 Active Accounts

We retain your personal data and content for as long as your account is active and you continue to use our services.

8.2 Account Deletion

When you delete your account:

  • Your account data and platform content are deleted within 30 days
  • Some data may persist in backups for up to 90 days for disaster recovery
  • Anonymized analytics data may be retained indefinitely (cannot be linked back to you)

8.3 Legal Retention

We retain certain financial records (billing history, tax information) for 7 years to comply with legal and regulatory requirements, even after account deletion.

8.4 Inactive Accounts

Accounts with no login activity for 3 years may be considered inactive. We will email you before deleting inactive accounts.

9. Your Privacy Rights

9.1 Rights for All Users

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate information via account settings
  • Deletion: Delete your account and associated data
  • Export: Download your data in machine-readable format (JSON)
  • Opt-out: Unsubscribe from marketing emails

9.2 Additional GDPR Rights (EEA, UK, Switzerland)

If you are located in the European Economic Area, UK, or Switzerland, you have additional rights under GDPR:

  • Data Portability (Art. 20): Receive your data in a structured, commonly used format and transmit it to another controller
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing
  • Restrict Processing (Art. 18): Limit how we use your data in certain circumstances
  • Withdraw Consent (Art. 7): Withdraw consent for optional processing (e.g., marketing, analytics, AI training)
  • Automated Decision-Making (Art. 22): Not be subject to solely automated decisions with legal effects (not applicable - our AI provides suggestions only)
  • Lodge a Complaint: File a complaint with your local data protection authority

9.3 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request details about personal information collected, used, disclosed, or sold
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt-out of "sale" of personal information (not applicable - we don't sell data)
  • Right to Correct: Request correction of inaccurate information
  • Right to Limit: Limit use of sensitive personal information
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights

9.4 Virginia and Other State Privacy Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA) have similar rights to CCPA. Contact us at [email protected] to exercise these rights.

9.5 How to Exercise Your Rights

To exercise any of your privacy rights:

  • Email: [email protected]
  • Account Settings: Many rights can be exercised directly via your account dashboard
  • Subject Access Request: For GDPR/CCPA requests, include "Privacy Rights Request" in the subject line
  • Response Time: We will respond within 30 days (GDPR) or 45 days (CCPA)
  • Verification: We may request verification of your identity to prevent unauthorized access

10. Security Measures

We implement industry-standard security measures to protect your personal information:

  • Encryption: 256-bit SSL/TLS encryption for data in transit; AES-256 encryption for data at rest
  • Access Controls: Role-based access, multi-factor authentication, and principle of least privilege
  • Compliance: SOC 2 Type II certified, GDPR compliant, PCI DSS (via Stripe)
  • Monitoring: 24/7 security monitoring, intrusion detection, and regular penetration testing

Your Responsibility: Maintain strong passwords, enable two-factor authentication, and do not share your account credentials. We are not liable for security breaches resulting from compromised credentials.

11. Cookies & Tracking

We use cookies and similar tracking technologies. For detailed information, see our Cookie Policy.

11.1 Types of Cookies We Use

  • Essential Cookies: Required for authentication, security, and basic functionality (cannot be disabled)
  • Preference Cookies: Remember your settings (theme, language, dashboard layout)
  • Analytics Cookies: Understand usage patterns (can opt-out without affecting service)
  • No Advertising Cookies: We do not use third-party advertising cookies or trackers

11.2 Managing Cookies

You can control cookies through your browser settings or via Account Settings for analytics opt-out. Note that disabling essential cookies may prevent you from using certain features.

12. Children's Privacy

12.1 Age Requirements

Treffortly is not intended for children under 13 years old. We do not knowingly collect personal information from children under 13.

  • US (COPPA): Must be 13+ to create an account
  • EU/UK (GDPR Article 8): Must be 16+ without parental consent; ages 13-15 require verifiable parental consent
  • Other Jurisdictions: Must meet local age requirements for online services

12.2 Parental Consent

If you are a parent/guardian and believe your child under 13 (or 16 in the EU) has created an account without consent, contact us immediately at [email protected] to have the account deleted.

12.3 Discovery of Underage Users

If we discover that we have inadvertently collected data from a child under the required age, we will delete that information immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings.

13.1 Notification of Changes

  • Material Changes: We will email you 30 days before material changes take effect
  • Minor Changes: "Last Updated" date at the top of this page will be updated
  • Continued Use: Using our services after changes become effective constitutes acceptance
  • Objection: If you object to changes, you may delete your account before they take effect

13.2 Review Regularly

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

  • Privacy Inquiries: [email protected]
  • Data Subject Access Requests (GDPR/CCPA): [email protected] (subject line: "Privacy Rights Request")
  • General Support: [email protected]
  • Business Name: Treffortly

Response Time: We will respond to all privacy inquiries within 30 days (GDPR) or 45 days (CCPA).
