Privacy Policy

Last Updated: December 16, 2024 | Version: 2.0.0

1. Introduction

Welcome to Tiny Little Notes ("we," "our," or "us"). This Privacy Policy explains how Pandora Cloud collects, uses, discloses, and safeguards your information when you use our mobile application.

We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy regulations.

Please read this Privacy Policy carefully. By using Tiny Little Notes, you agree to the collection and use of information in accordance with this policy.

2. Data Controller

Pandora Cloud

For privacy inquiries, contact us at: support@tinylittlenotes.com

3. Information We Collect

3.1 Account Information

• Email address
• Password (encrypted, never stored in plaintext)
• Authentication tokens for session management

3.2 Profile Data (About Your Contacts)

When you create profiles for people in your life, you may provide:

Basic Information:

• Names (first, last, nickname, maiden name)
• Birthday and age
• Gender and pronouns
• Relationship type (family, friend, colleague, romantic, etc.)
• Photos

Physical Details:

• Height, weight, body type
• Eye color, hair color and style
• Clothing sizes (shirt, pants, shoe, ring, shoe width)
• Distinguishing features

Preferences:

• Food and dietary restrictions
• Entertainment preferences (movies, music, books, TV shows)
• Hobbies and activities
• Gift preferences and wishlists (with prices, priorities, categories)
• Personality traits

Contact Information:

• Phone numbers
• Email addresses
• Physical addresses
• Social media handles (Facebook, Instagram, Twitter/X, TikTok, Snapchat, LinkedIn, Bluesky, Pinterest, Discord, WhatsApp, Signal)
• Gaming platform usernames (Steam, PlayStation, Xbox, Nintendo, mobile)

Health Information:

• Blood type
• Allergies
• Dietary restrictions
• Medication details

Important Dates:

• Birthdays, anniversaries, milestones
• Custom dates and reminders

Pets:

• Pet names, types, breeds
• Pet birthdays and adoption dates
• Pet preferences, allergies, and personality notes
• Pet photos

Notes:

• Personal notes and observations
• Gift ideas with importance levels

Groups:

• Custom categories to organize your contacts

3.3 Usage Data

• App interactions and features used
• Search queries (text and voice)
• AI chat conversations (with consent)
• Error logs and crash reports (with consent)

3.4 Device Information

• Device type and operating system
• App version
• Device name (optional)
• Push notification tokens

3.5 Consent Records

When you provide consent, we record:

• Type of consent granted
• Timestamp of consent
• Policy version accepted
• IP address and user agent (for verification purposes only)

4. How We Use Your Information

We use your information to:

• Provide Services: Store and sync your profile data across devices
• AI Assistant: Process your queries and provide personalized suggestions (with consent)
• Push Notifications: Send birthday reminders, event reminders, and "On This Day" memories
• Improve the App: Analyze crash reports to fix bugs (with consent)
• Analytics: Understand app usage patterns to improve features (with consent)
• Communication: Send important service updates
• Security: Protect against unauthorized access

Marketing Use of Anonymized Data

We may use anonymized, aggregated data for our own marketing purposes. This includes:

• Aggregate statistics (e.g., "Users have tracked over 50,000 birthdays")
• Anonymized trends (e.g., "Most popular gift categories among our users")
• General usage patterns for promotional materials

Important: This data is completely anonymized and cannot be traced back to you or any individual user. We never sell your personal data to third parties.

Legal Basis for Processing (GDPR)

Purpose	Legal Basis
Account creation	Contract performance
Profile data storage	Contract performance
AI Assistant	Consent
Crash reporting	Consent
Analytics	Consent
Push notifications	Consent
Anonymized marketing	Legitimate interest
Security	Legitimate interest

5. Data Sharing and Third Parties

5.1 Service Providers

We share data with the following third-party service providers:

Supabase (Database & Authentication)

• Location: United States
• Data shared: All profile data, photos, authentication credentials
• Purpose: Data storage, user authentication, real-time sync
• Privacy Policy: https://supabase.com/privacy

Anthropic (AI Processing)

• Location: United States
• Data shared: User queries, profile context (names, preferences, notes)
• Purpose: AI-powered suggestions, gift recommendations, profile insights
• Privacy Policy: https://www.anthropic.com/privacy
• Note: Only shared when AI Assistant is enabled
• Rate Limit: 50 AI queries per day per user

Amplitude (Analytics)

• Location: United States
• Data shared: Anonymized usage events (no personally identifiable information)
• Purpose: Understanding feature usage, improving app experience
• Privacy Policy: https://amplitude.com/privacy
• Note: Only active when analytics consent is granted; you can opt out in Settings

Sentry (Error Tracking)

• Location: United States
• Data shared: Error messages, stack traces, anonymized context
• Purpose: Bug fixing and app stability
• Privacy Policy: https://sentry.io/privacy/
• Note: Only shared when crash reporting is enabled in Settings

Expo (Push Notifications)

• Location: United States
• Data shared: Device push tokens, notification content
• Purpose: Delivering birthday reminders, event notifications, and app updates
• Privacy Policy: https://expo.dev/privacy

5.2 International Data Transfers

Your data may be transferred to and processed in the United States. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required by GDPR.

5.3 We Do NOT:

• Sell your personal data - We never have and never will sell your information to third parties
• Share data with advertisers
• Use data for profiling or automated decision-making with legal effects
• Share your data with data brokers

6. Data Retention

Data Type	Retention Period
Account data	Until account deletion
Profile data	Until deleted by user or account deletion
Photos	Until deleted by user or account deletion
AI chat history	User-configurable (1 day to forever)
Push notification tokens	Until deactivated or device unregistered
Crash reports	90 days
Analytics data	2 years (anonymized)
Consent records	Duration of account + 3 years
Shared profile links	Until expiration date or manual deletion

7. Your Rights

For All Users:

• Access: Request a copy of your data
• Correction: Update inaccurate information
• Deletion: Delete your account and all data
• Export: Download your data (JSON format with photos in ZIP archive)

Additional Rights (EU/UK - GDPR):

• Restriction: Limit how we process your data
• Objection: Object to processing based on legitimate interests
• Portability: Receive data in machine-readable format
• Withdraw Consent: Revoke consent at any time without affecting prior processing

Additional Rights (California - CCPA):

• Know: What personal information is collected
• Delete: Request deletion of personal information
• Opt-Out: We do not sell personal information
• Non-Discrimination: Equal service regardless of privacy choices

How to Exercise Your Rights:

1. In-App: Settings > Privacy & Security
2. Email: support@tinylittlenotes.com
3. Response Time: Within 30 days (45 days for complex requests)

8. Data Security

We implement appropriate technical and organizational measures:

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Authentication: Secure password hashing (bcrypt), optional biometric authentication
• Access Control: Row-level security in database ensures users only access their own data
• Secure Storage: Credentials stored in device secure enclave (Keychain/Keystore)
• Rate Limiting: AI queries limited to prevent abuse
• Regular Audits: Security practices reviewed regularly

Data Breach Notification

In the event of a data breach that affects your personal information, we will:

• Notify affected users within 72 hours of discovery
• Notify relevant supervisory authorities as required by law
• Provide details about the breach and steps taken to mitigate harm

9. Children's Privacy

Tiny Little Notes is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have collected data from a child under 16, please contact us immediately at support@tinylittlenotes.com, and we will promptly delete such information.

10. Third-Party Data

Important: When you store information about other people (contacts, friends, family), you are responsible for ensuring you have the right to store that information. We recommend:

• Only storing information about people you know personally
• Not storing sensitive information without their knowledge
• Respecting others' privacy preferences
• Informing people that you're storing their information if appropriate

We are not responsible for your collection, use, or disclosure of other people's information.

11. Device Features

Biometric Authentication

If you enable biometric authentication (Face ID, Touch ID, Fingerprint, Face Unlock):

• Biometric data is processed entirely on your device
• We never receive, store, or transmit your biometric data
• Only a success/failure signal is used for authentication

Voice Input

If you use voice search or voice input:

• Voice processing occurs entirely on your device using native speech recognition
• We do not record, store, or transmit your voice
• Only the transcribed text is used for search or AI queries

Device Contacts

If you import contacts from your device:

• Contact data is copied to your Tiny Little Notes profile
• We do not continuously access or sync your device contacts
• The import is a one-time copy; changes to device contacts are not automatically reflected

Offline Mode

When using the app offline:

• Data is cached locally on your device in an encrypted database
• Cached data syncs to our servers when you reconnect
• Local cache is cleared when you sign out

12. Profile Sharing

When you share a profile:

• A unique share code is generated
• Shared data is stored in a public bucket accessible via the share link
• You can set expiration times (24 hours, 7 days, 30 days, 90 days, or never)
• View counts are tracked for your reference
• Recipients can import the shared profile to their own account

13. Referral Program

If you participate in our referral program:

• Your referral code is linked to your account
• We track when referred users sign up
• Referral data includes: referrer ID, referred user ID, status, and conversion date
• This data is used solely for administering referral rewards

14. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

• Updating the "Last Updated" date
• Sending an in-app notification
• Requiring re-acceptance for significant changes

We encourage you to review this policy periodically. Continued use after changes constitutes acceptance of the updated policy.

15. Contact Us

For questions, concerns, or to exercise your rights:

Email: support@tinylittlenotes.com

For EU users, you also have the right to lodge a complaint with your local Data Protection Authority.

---

Pandora Cloud
Version 2.0.0