1. Who We Are

Tidl ("we", "us", "our") is an irregular income management tool operated as a Canadian software service at tidl.ca. For privacy questions, contact us at privacy@tidl.ca.

This policy applies to all users of Tidl, including free and paid subscribers. By using Tidl, you agree to the collection and use of information described here.

2. What We Collect

We collect only what is necessary to provide the service:

• Account information — your email address and encrypted password, used solely for authentication
• Income data — amounts, dates, sources, types (T4/Invoice/Other), and notes you enter manually
• Expense data — amounts, dates, categories, and descriptions you enter manually
• Mileage data — distances, dates, and trip purposes you log
• Profile preferences — your province, fixed costs, and plan status
• Volunteer data — stored locally in your browser (not on our servers)
• Payment information — processed exclusively by Stripe. We never see or store your credit card details
• Usage data — basic session information (login timestamps, session duration) for security purposes

We do not collect your location, contacts, device identifiers, or any data beyond what you explicitly enter.

3. How We Use Your Data

Your data is used only to:

• Provide the Tidl service — displaying your income, calculating your tax reserve, and generating reports
• Authenticate your account and maintain your session
• Process subscription payments via Stripe
• Send transactional emails (account confirmation, password resets, receipts)
• Improve the service — we may analyze anonymized, aggregated usage patterns (never individual financial data)

We do not use your financial data for advertising, profiling, or any purpose beyond operating Tidl.

4. Data Storage and Security

Your data is stored on Supabase, a SOC 2 Type II certified cloud database provider. Specific protections include:

• Encryption at rest — all database data is encrypted using AES-256
• Encryption in transit — all data transmitted between your device and our servers uses TLS 1.2 or higher
• Row Level Security — database policies ensure your data can only be accessed by your account
• Password hashing — passwords are hashed using bcrypt and never stored in plain text
• Token-based authentication — sessions use rotating JWT tokens that expire automatically

No security system is perfect. If you discover a vulnerability, please report it responsibly to security@tidl.ca.

5. Data Sharing

We share your data with:

• Supabase (supabase.com) — database and authentication infrastructure
• Stripe (stripe.com) — payment processing. Stripe's privacy policy governs payment data
• Netlify (netlify.com) — web hosting. Netlify may log IP addresses for security purposes

We do not sell, rent, or share your personal or financial data with any other third parties, advertisers, data brokers, or analytics services.

6. Your Rights Under PIPEDA

As a Canadian service, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). You have the right to:

• Access — request a copy of all personal information we hold about you
• Correction — ask us to correct inaccurate personal information
• Deletion — request deletion of your account and all associated data
• Withdrawal of consent — cancel your account at any time
• Complaint — file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca

To exercise any of these rights, use the "Delete account" option in the app or email privacy@tidl.ca. We will respond within 30 days.

7. Data Retention

We retain your data for as long as your account is active. When you delete your account:

• Your income, expense, and profile data is deleted immediately from our active database
• Backup copies may persist for up to 30 days before being purged from backup systems
• Stripe retains payment records as required by law (typically 7 years for tax purposes)

8. Cookies and Local Storage

Tidl uses:

• Session storage — to maintain your login session (necessary for the app to function)
• Local storage — to store volunteer data, mileage data, and app preferences on your device

We do not use tracking cookies, advertising cookies, or any third-party analytics cookies.

9. Children's Privacy

Tidl is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact us at privacy@tidl.ca and we will delete it promptly.

10. Changes to This Policy

We may update this policy as the service evolves. We will notify you of material changes by email or by a prominent notice in the app at least 30 days before the change takes effect. Continued use of Tidl after that date constitutes acceptance of the updated policy.