Privacy Policy

We collect information you provide directly to us and information we collect automatically when you use our service.

**Personal Information** may include:
- Identifiers such as your email address and name
- Commercial information such as subscription details
- Internet activity such as your interactions with our service
- Device information such as browser type and operating system

**Required Information**: We require your email address to provide authentication and send you magic links for sign-in.

**Optional Information**: You may choose to provide additional information such as task details, project names, and time allocations to use our service features.

We use the information we collect to:

1. **Provide, maintain, and improve our service** - This includes processing your tasks, managing your projects, and delivering core features.
2. **Process transactions and send related information** - This includes sending authentication emails and account notifications.
3. **Send technical notices and support messages** - We may contact you about your account, security updates, or support issues.
4. **Respond to your comments and questions** - We use your information to provide customer support.
5. **Monitor and analyze trends, usage, and activities** - This helps us improve our service and develop new features.
6. **Detect, investigate, and prevent security incidents** - We use information to protect our service and users.

**Legal Basis for Processing (GDPR)**:
- **Contract Necessity**: Processing required to provide our service under our terms
- **Legitimate Interests**: Maintaining security, improving our service, and preventing fraud
- **Consent**: Where required by law, we obtain your explicit consent before processing

We do not sell your personal information.

**Service Providers**: We share information with trusted third parties who assist us in operating our service:

- **Supabase Inc.** (database hosting) - Stores your account data and tasks
- **Vercel Inc.** (hosting platform) - Delivers our web application

These service providers have access to your information only to perform specific tasks on our behalf and are contractually obligated to keep your information confidential.

**Legal Requirements**: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas).

**Business Transfers**: In the event of a merger, acquisition, or sale of assets, your information may be transferred.

**No Third-Party Sales**: We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

We retain your personal information for as long as necessary to provide our service and fulfill the purposes outlined in this policy.

**Specific Retention Periods**:
- **Account Data**: Retained while your account is active
- **Tasks and Projects**: Retained until you delete them or close your account
- **Authentication Logs**: Retained for 30 days for security purposes
- **Deleted Accounts**: Personal information is deleted within 30 days of account closure, except where we are required to retain information by law (e.g., tax records for 7 years)

**Your Right to Deletion**: You may request deletion of your personal information at any time through your account settings or by contacting us at privacy@meinblock.app.

**Under GDPR (EU/UK)**, you have the right to:
1. **Access** - Request a copy of your personal information
2. **Rectification** - Request correction of inaccurate information
3. **Erasure** - Request deletion of your personal information ("right to be forgotten")
4. **Restrict Processing** - Request that we limit how we use your information
5. **Data Portability** - Request transfer of your data to another service
6. **Object** - Object to processing based on legitimate interests
7. **Withdraw Consent** - Withdraw consent at any time where processing is based on consent

**Under CCPA/CPRA (California)**, you have the right to:
1. **Know** - Request disclosure of categories of information we collect and share
2. **Delete** - Request deletion of your personal information
3. **Opt-Out** - Opt-out of the sale or sharing of your personal information (we do not sell data)
4. **Non-Discrimination** - Not receive discriminatory treatment for exercising your rights

**How to Exercise Your Rights**:
- Use the "Export Data" feature in your account settings
- Use the "Delete Account" feature in your account settings
- Email us at privacy@meinblock.app

**Response Time**: We will respond to your request within 30 days (GDPR) or 45 days (CCPA) of receipt.

We implement appropriate technical and organizational security measures to protect your personal information:

**Technical Safeguards**:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest (AES-256 via Supabase)
- Secure authentication (magic links with expiration)
- Regular security assessments and updates

**Organizational Safeguards**:
- Access limited to authorized personnel only
- Employee training on data privacy and security
- Data processing agreements with all service providers
- Incident response procedures for data breaches

**Data Breach Notification**: In the event of a data breach affecting your rights, we will notify you within 72 hours (GDPR) or without unreasonable delay (CCPA) in accordance with applicable law.

**No System is Perfect**: While we take reasonable measures to protect your information, no method of transmission or storage is completely secure. We cannot guarantee absolute security.

Your information may be transferred to and processed in countries other than your country of residence.

**Data Storage**: Our primary data storage is provided by Supabase Inc., which hosts data in the United States.

**Safeguards**: When we transfer your information internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Compliance with GDPR requirements for international data transfers
- Data Processing Agreements with all third-party processors

**UK GDPR**: If you are in the UK, your data is protected by UK GDPR and may be transferred to countries recognized as providing adequate protection or under appropriate safeguards.

Our service is not intended for children under the age of 16 (or the age of majority in your jurisdiction).

If we learn that we have collected personal information from a child under 16 without parental consent, we will take steps to delete that information.

**Parental Access**: Parents may request access to, correction of, or deletion of their child's information by contacting us at privacy@meinblock.app.

We may update this privacy policy from time to time. We will notify you of any changes by:

- Posting the new policy on this page with an updated "Last Updated" date
- Sending you an email notification for material changes (if you have opted in to receive such notices)

**Your Continued Use**: Continued use of our service after the effective date of changes constitutes acceptance of the updated policy.

**Review Schedule**: We review and update this policy at least annually to ensure ongoing compliance with applicable laws.

If you have questions about this privacy policy or our data practices, please contact us:

**Email**: privacy@meinblock.app
**Website**: https://meinblock.app
**Data Protection Representative (EU)**: [Designated DPO contact if applicable]

**GDPR Data Protection Rights**: If you are in the EU or UK, you also have the right to lodge a complaint with your local data protection authority.