Toodday

Last updated · 2026-05-26

Privacy Policy

This Privacy Policy explains how TOODDAY ("Toodday", "we", "us"), an individual freelancer based in Querétaro, México, collects, uses, stores, and shares your personal information when you use the Toodday web application and related services (the "Service").

By using the Service you consent to the practices described in this Policy. This Policy is intended to be compliant with the Mexican Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) and references practices from the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) where applicable.


1. Information We Collect

1.1 Account Information

When you create an account through Clerk, we collect:

  • Email address
  • Name (if provided)
  • Profile image URL (if you upload one)
  • Authentication identifiers from Clerk

1.2 Billing Information

When you start a paid subscription, Stripe collects and stores your payment method (credit/debit card details, billing address). We do not store full card numbers. We receive from Stripe:

  • A Stripe customer ID
  • Last 4 digits of your card and card brand
  • Subscription status, billing history, and invoice records
  • Country and tax-relevant location data

1.3 Customer Content

Information you create, upload, or store within the Service, including:

  • Tasks, notes, projects, comments, descriptions
  • File attachments (images, documents) stored in Cloudflare R2
  • Imported Jira CSV data (tickets, fix versions, assignees)
  • Settings and preferences

1.4 AI Provider Credentials

If you enable AI features, we collect:

  • The API key you provide for your chosen AI Provider (Anthropic, OpenAI, Google, DeepSeek)

API keys are encrypted using AES-256-GCM before storage.

1.5 Usage Data

  • Pages visited within the Service and timestamps
  • Features used (e.g., AI report generations)
  • Approximate IP-derived location (city/country level)
  • Browser, OS, device type
  • Error logs and crash reports

1.6 Communications

If you contact support@toodday.com, we retain the contents of your message and our response.


2. How We Use Your Information

We use your information to:

  • Provide, operate, maintain, and improve the Service
  • Authenticate you and protect your account
  • Process payments and manage subscriptions
  • Send service-related communications (transactional emails, security notices, important updates)
  • Respond to support requests
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations
  • Generate aggregated, anonymized analytics about Service usage

We do not use your Customer Content to train any AI model. We do not sell, rent, or trade your personal information to third parties.


3. AI Provider Data Sharing

When you use an AI feature:

  • Relevant Customer Content (such as ticket descriptions, task content, standup notes) is transmitted from our servers to the AI Provider you selected, using the API key you provided
  • Your content becomes subject to the AI Provider's data handling and retention policies
  • We do not control how AI Providers use or retain the data you send through them

We recommend you review the privacy policies of any AI Provider you connect:

You can disconnect any AI Provider at any time from your account Settings.


4. Third-Party Service Providers

We use the following sub-processors to deliver the Service. Each is bound by its own privacy and security obligations:

| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Clerk | Authentication and user management | Email, name, auth tokens | USA |
| Supabase | Database and backend infrastructure | All Customer Content, account data | USA / Global |
| Cloudflare R2 | File and image storage | Uploaded files | Global edge network |
| Cloudflare | DNS, CDN, email routing | IP addresses, request metadata | Global |
| Vercel | Application hosting | IP addresses, request logs | Global edge |
| Stripe | Payment processing | Payment method, billing address, transaction data | USA / Global |
| Anthropic / OpenAI / Google / DeepSeek | AI features (only if you enable them) | Content you submit through AI features | Provider-specific |

We may add or change sub-processors as the Service evolves. Material changes will be reflected in this Policy.


5. Data Retention

  • Account data: retained while your account is active
  • Customer Content: retained while your account is active
  • After account termination: retained for 30 days, then permanently deleted
  • Billing records: retained for 5 years to comply with tax and accounting obligations
  • Support communications: retained for 2 years
  • Server and security logs: retained for up to 90 days

You can export your data at any time via Settings → Data → Export.


6. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

  • Access: request a copy of your personal data
  • Correction: request correction of inaccurate or incomplete data
  • Deletion: request deletion of your personal data (subject to legal retention requirements)
  • Portability: request your data in a structured, machine-readable format
  • Objection: object to certain processing of your data
  • Withdrawal of consent: withdraw consent where processing is based on consent
  • Lodging a complaint: with the Mexican National Institute of Transparency, Access to Information and Personal Data Protection (INAI), or your local data protection authority

To exercise any of these rights, email support@toodday.com. We will respond within 20 business days.


7. Security

We implement reasonable technical and organizational measures to protect your data:

  • TLS 1.2+ encryption for all data in transit
  • Encrypted database storage (Supabase managed Postgres)
  • AES-256-GCM encryption at rest for sensitive credentials (AI API keys)
  • Row-level security (RLS) policies enforcing tenant isolation in our database
  • Authentication via Clerk with optional multi-factor authentication
  • Regular security reviews of infrastructure and dependencies

However, no system is perfectly secure. We cannot guarantee absolute security and recommend you use a strong, unique password and enable multi-factor authentication.


8. International Data Transfers

The Service is operated from México, and our sub-processors operate globally. Your data may be transferred to, stored, and processed in countries outside your jurisdiction, including the United States and European Union. By using the Service you consent to such transfers.


9. Children's Privacy

The Service is not directed at children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at support@toodday.com and we will delete it.


10. Cookies and Tracking

We use the following types of cookies and storage:

  • Essential cookies: authentication session (Clerk), CSRF protection. These are required for the Service to function.
  • Preference storage: theme, settings preferences, locally stored in your browser (localStorage).
  • No advertising cookies. No cross-site tracking.

If we enable product analytics (e.g., PostHog) in the future, this Policy will be updated and you will be notified.


11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this Policy indicates when it was last revised.


12. Contact

For questions, requests, or complaints related to this Privacy Policy or your personal data, contact:

Email: support@toodday.com
Operator: Toodday, an individual based in Querétaro, México
Data Protection Authority (México): Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) — https://home.inai.org.mx/


This Privacy Policy is provided as a good-faith effort to comply with applicable data protection laws. It is not legal advice. As your business grows, we recommend professional legal review.