Privacy Policy
Your privacy is important to us. This policy explains how Treffortly collects, uses, and protects your personal information across all our platforms.
Last Updated: January 1, 2025
1. Introduction
Welcome to Treffortly. We are committed to protecting your personal information and your right to privacy. This Privacy Policy applies to all information collected through our suite of platforms:
- Task Manager - Gamified productivity platform (app.treffortly.com)
- Markdown Editor - AI-powered writing tool (editor.treffortly.com or md.treffortly.com)
- Finance Tracker - Subscription management (finances.treffortly.com)
- Unified Authentication - Single sign-on system (auth.treffortly.com)
By using our services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of our services.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address (required for account creation and communication)
- Full name (optional, for personalization)
- Password (encrypted and hashed - we never store plain text passwords)
- Profile preferences (theme, language, notification settings)
2.2 Platform-Specific Data
Task Manager
- Tasks, projects, and to-do lists you create
- XP points, levels, and achievement progress
- Team collaboration data (shared tasks, team members)
- Time tracking data
- Productivity analytics
Markdown Editor
- Markdown documents you create and edit
- Version history and document revisions
- Collaboration data (co-editors, comments)
- AI interaction data (prompts, suggestions accepted/rejected)
- Export formats and preferences
Finance Tracker
- Stripe-connected subscription data (subscription names, amounts, billing dates)
- Budget settings and forecasts
- Spending categories and custom tags
- Alert preferences for renewals
2.3 Payment Information
Payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We do not store your credit card numbers, CVV, or full payment details. We only receive:
- Last 4 digits of your card (for identification)
- Card brand (Visa, Mastercard, etc.)
- Subscription status and billing history
- Stripe customer ID (tokenized reference)
2.4 Usage Data
- Login timestamps and frequency
- Feature usage patterns (which tools you use most)
- Device information (browser type, OS, screen resolution)
- IP address (for security and geo-location)
- Anonymized analytics data
2.5 Cookies and Tracking Technologies
We use cookies and similar technologies for authentication, preferences, and analytics. See our Cookie Policy for detailed information.
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), UK, and Switzerland, we process your personal data based on the following legal grounds under GDPR Article 6:
3.1 Contract Performance (Art. 6(1)(b))
Processing necessary to provide our services: account creation, platform access, feature delivery, customer support, and billing.
3.2 Legitimate Interests (Art. 6(1)(f))
Processing for legitimate business purposes: fraud prevention, security monitoring, service improvement, analytics, and product development. We have assessed that these interests do not override your rights and freedoms.
3.3 Consent (Art. 6(1)(a))
Processing with your explicit consent: marketing communications, optional analytics, and future AI training (if implemented). You can withdraw consent at any time.
3.4 Legal Obligation (Art. 6(1)(c))
Processing required by law: tax records, anti-money laundering compliance, and law enforcement requests.
4. How We Use Your Data
We use the information we collect for the following purposes:
- Service Delivery: Provide access to all three platforms with unified authentication
- AI Features: Power task suggestions, writing assistance, and spending insights
- Security: Fraud detection, abuse prevention, and account security
- Communication: Service updates, billing notifications, and customer support
- Analytics: Understand usage patterns to improve features and user experience
- Personalization: Customize your dashboard, recommendations, and preferences
- Marketing: Send promotional emails (opt-in required; can unsubscribe anytime)
- Legal Compliance: Meet regulatory requirements and respond to legal requests
- Product Development: Develop new features and improve existing ones
5. AI and Machine Learning
Current AI Usage
We currently use third-party AI services (such as OpenAI and similar providers) to power features like task suggestions, writing assistance, and spending insights. When you use these features, your content may be sent to these providers for processing.
5.1 We Do NOT Currently Train AI Models
Treffortly does not currently use your personal data, tasks, documents, or financial information to train our own AI models or machine learning systems.
5.2 Future AI Training - Your Choice
In the future, we may explore training custom AI models to improve our services. If we decide to pursue this:
- ✓ Opt-in Required: We will ask for your explicit consent before using your data for AI training
- ✓ Always Optional: Declining will NOT limit your access to any features or services
- ✓ Transparent: We will clearly explain what data would be used and how
- ✓ Revocable: You can withdraw consent at any time via account settings
- ✓ Advance Notice: You will receive email notification before any such program begins
5.3 Third-Party AI Providers
Our current third-party AI providers process your content according to their own privacy policies and terms. We select providers who commit not to use your data for training their models without consent.
6. Data Sharing & Third Parties
We share your information only in the following limited circumstances:
6.1 Service Providers
- Stripe: Payment processing (PCI DSS Level 1 certified)
- AI Providers: OpenAI or similar for feature functionality
- Cloud Hosting: AWS, Google Cloud, or similar for data storage
- Analytics: Anonymous usage data for product insights
- Email Service: Transactional and marketing email delivery
All service providers are bound by data processing agreements and are required to protect your data.
6.2 Legal Requirements
We may disclose your information if required by law, court order, or government request, or to protect our legal rights, prevent fraud, or ensure user safety.
6.3 Business Transfers
If Treffortly is involved in a merger, acquisition, or sale, your data may be transferred to the acquiring entity. You will be notified via email of any such change.
6.4 We Do NOT Sell Your Data
Treffortly does NOT sell, rent, or trade your personal information to third parties for their marketing purposes. Your data is used solely to provide and improve our services.
7. International Data Transfers
Treffortly operates globally, and your data may be processed in the United States and European Union. If you are located in the EEA, UK, or Switzerland, we ensure adequate protection for your data through:
- Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
- Adequacy Decisions: Transfers to countries recognized by the EU as providing adequate protection
- Privacy Shield Framework: Compliance with applicable US-EU data transfer frameworks
- Technical Safeguards: Encryption, access controls, and security measures
8. Data Retention
8.1 Active Accounts
We retain your personal data and content for as long as your account is active and you continue to use our services.
8.2 Account Deletion
When you delete your account:
- Your account data and platform content are deleted within 30 days
- Some data may persist in backups for up to 90 days for disaster recovery
- Anonymized analytics data may be retained indefinitely (cannot be linked back to you)
8.3 Legal Retention
We retain certain financial records (billing history, tax information) for 7 years to comply with legal and regulatory requirements, even after account deletion.
8.4 Inactive Accounts
Accounts with no login activity for 3 years may be considered inactive. We will email you before deleting inactive accounts.
9. Your Privacy Rights
9.1 Rights for All Users
- ✓ Access: Request a copy of your personal data
- ✓ Correction: Update inaccurate information via account settings
- ✓ Deletion: Delete your account and associated data
- ✓ Export: Download your data in machine-readable format (JSON)
- ✓ Opt-out: Unsubscribe from marketing emails
9.2 Additional GDPR Rights (EEA, UK, Switzerland)
If you are located in the European Economic Area, UK, or Switzerland, you have additional rights under GDPR:
- ✓ Data Portability (Art. 20): Receive your data in a structured, commonly used format and transmit to another controller
- ✓ Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing
- ✓ Restrict Processing (Art. 18): Limit how we use your data in certain circumstances
- ✓ Withdraw Consent (Art. 7): Withdraw consent for optional processing (e.g., marketing, analytics, AI training)
- ✓ Automated Decision-Making (Art. 22): Not be subject to solely automated decisions with legal effects (not applicable - our AI provides suggestions only)
- ✓ Lodge a Complaint: File a complaint with your local data protection authority
9.3 California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- ✓ Right to Know: Request details about personal information collected, used, disclosed, or sold
- ✓ Right to Delete: Request deletion of your personal information
- ✓ Right to Opt-Out: Opt-out of "sale" of personal information (not applicable - we don't sell data)
- ✓ Right to Correct: Request correction of inaccurate information
- ✓ Right to Limit: Limit use of sensitive personal information
- ✓ Non-Discrimination: We will not discriminate against you for exercising your privacy rights
9.4 Virginia and Other State Privacy Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA) have similar rights to CCPA. Contact us at [email protected] to exercise these rights.
9.5 How to Exercise Your Rights
To exercise any of your privacy rights:
- Email: [email protected]
- Account Settings: Many rights can be exercised directly via your account dashboard
- Subject Access Request: For GDPR/CCPA requests, include "Privacy Rights Request" in the subject line
- Response Time: We will respond within 30 days (GDPR) or 45 days (CCPA)
- Verification: We may request verification of your identity to prevent unauthorized access
10. Security Measures
We implement industry-standard security measures to protect your personal information:
- Encryption: 256-bit SSL/TLS encryption for data in transit; AES-256 encryption for data at rest
- Access Controls: Role-based access, multi-factor authentication, and principle of least privilege
- Compliance: SOC 2 Type II certified, GDPR compliant, PCI DSS (via Stripe)
- Monitoring: 24/7 security monitoring, intrusion detection, and regular penetration testing
Your Responsibility: Maintain strong passwords, enable two-factor authentication, and do not share your account credentials. We are not liable for security breaches resulting from compromised credentials.
12. Children's Privacy
12.1 Age Requirements
Treffortly is not intended for children under 13 years old. We do not knowingly collect personal information from children under 13.
- US (COPPA): Must be 13+ to create an account
- EU/UK (GDPR Article 8): Must be 16+ without parental consent; ages 13-15 require verifiable parental consent
- Other Jurisdictions: Must meet local age requirements for online services
12.2 Parental Consent
If you are a parent/guardian and believe your child under 13 (or 16 in the EU) has created an account without consent, contact us immediately at [email protected] to have the account deleted.
12.3 Discovery of Underage Users
If we discover that we have inadvertently collected data from a child under the required age, we will delete that information immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings.
13.1 Notification of Changes
- Material Changes: We will email you 30 days before material changes take effect
- Minor Changes: "Last Updated" date at the top of this page will be updated
- Continued Use: Using our services after changes become effective constitutes acceptance
- Objection: If you object to changes, you may delete your account before they take effect
13.2 Review Regularly
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
Response Time: We will respond to all privacy inquiries within 30 days (GDPR) or 45 days (CCPA).