Privacy Policy

1. Introduction

This Privacy Policy describes how we collect, use, and protect your information when you use TumbleT. By using this application, you agree to the collection and use of information in accordance with this policy.

1.1 Data Controller

The data controller responsible for your personal data is:

• Name: Joseph Levy
• Location: Santa Clarita, California, United States
• Email: support@tumblet.app

2. Information We Collect

2.1 Information You Provide

We collect information that you provide directly to us, including:

• Account Information: Email address, user ID (if you sign in with Firebase)
• Task and Activity Data: Tasks, goals, activities, notes, journal entries, and other content you create
• Health Data: Blood pressure readings, medications, symptoms, menstrual cycle data, pregnancy information, body metrics (weight, measurements), sleep data, exercise/workout logs, food/nutrition logs, mood and wellness ratings, and progress photos
• Location Data: GPS coordinates for activity tracking (walks, runs, drives), saved routes, and geofences (when you enable location features)
• Financial Data: Expense tracking entries you create (amounts, categories, descriptions)
• Photos: Progress photos, vision board images, and contact photos you upload
• AI Chat Data: Messages you send to the AI assistant are processed by Google Gemini. Data is sent to Google's servers only when you explicitly send a message — TumbleT does not passively stream your data to AI services. The relevant context from your account (e.g. tasks, habits, health summary) is included with your query so the AI can give contextual answers. See Section 2.3 for important details on Gemini data retention.
• Contact/People Data: Names, relationships, and interaction logs for people you track
• Payment Information: Email address, payment type (Zelle/Venmo), payment amounts, and transaction records
• Settings and Preferences: Application settings and customization preferences

2.2 Automatically Collected Information

We automatically collect certain information when you use the application:

• Usage Data: How you interact with the application, features used, and timestamps
• Device Information: Browser type, device type, and technical information
• Location Data (Foreground): When you use activity tracking features (walks, runs, drives), we collect GPS coordinates while the app is open
• Location Data (Background): When you enable Auto Drive Detection, TumbleT collects your precise GPS location in the background — even when the app is closed or not in use — to automatically detect driving trips, record routes, log mileage, and track traffic stops. This includes: coordinates, speed, route paths, stop locations, and timestamps. Background location collection only occurs while Auto Drive Detection is enabled and can be disabled at any time in Settings. You will be prompted with a separate consent dialog before background location is first activated.
• Local Storage: Data stored locally on your device for application functionality

2.3 Third-Party Services

We use third-party services that may collect or process information:

• Firebase (Google): Authentication, cloud storage, data synchronization, and App Check
• Google Gemini AI: Processes AI chat messages to generate responses. Messages and relevant context are sent to Google's API servers only when you explicitly send a query — never passively. AI queries are processed through TumbleT's paid Gemini API account. Under Google's current paid-tier terms, Google does not use your data for model training and data is retained only transiently for the duration of the request. These terms are subject to change by Google — see Google AI Terms and Gemini API Additional Terms for the latest.
• Sentry: Error tracking and performance monitoring. Collects anonymized error reports, device info, and stack traces
• Payment Processors: Zelle, Venmo, Stripe, PayPal (if used) — subject to their privacy policies

2.4 Google API Services

When you connect your Google account, we may access the following data with your explicit consent:

• Google Calendar: Read and write calendar events to sync your tasks and deadlines
• Google Tasks: Read and write tasks to sync your to-do items between TumbleT and Google Tasks
• Google Drive: Create and read backup files in a dedicated app folder for data backup/restore
• Google Fit: Read activity and fitness data to display health metrics (if enabled)

Important: TumbleT's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy , including the Limited Use requirements.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the application
• Process payments and manage payment records
• Send dismissal codes and payment confirmations via email
• Sync your data across devices (if you use cloud sync)
• Display premium notifications and manage dismissal states
• Respond to your requests and provide customer support
• Comply with legal obligations

4. Data Storage and Security

4.1 Local Storage

Most application data is stored locally on your device using browser localStorage. This data remains on your device and is not automatically transmitted to our servers.

4.2 Cloud Storage (Firebase)

If you choose to sign in and use cloud sync, your data is stored on Firebase servers. This includes:

• Tasks, goals, activities, and other application data
• Settings and preferences
• Payment records and premium dismissal codes
• User authentication information

Firebase is operated by Google and subject to Google's Privacy Policy and Terms of Service.

4.3 Security Measures

We implement reasonable security measures to protect your information, including:

• Encryption of sensitive data (dismissal codes, payment information)
• Secure authentication via Firebase
• Access controls and authentication requirements

However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

5. Payment Information

When you make payments via Zelle, Venmo, or other payment methods:

• We collect your email address for code delivery
• We record payment amounts, types, and transaction dates
• We generate and store unique dismissal codes
• Payment processing is handled by third-party services (Zelle, Venmo, etc.)
• We do not store your payment card numbers or bank account information
• Payment verification is performed manually for Zelle/Venmo payments

6. Google API Data Usage

TumbleT integrates with Google services to provide synchronization features. This section explains how we handle data from Google APIs:

6.1 Data We Access

• Google Calendar Events: Event titles, dates, times, and descriptions for task synchronization
• Google Tasks: Task titles, due dates, notes, and completion status
• Google Drive: Only files created by TumbleT in the app-specific folder
• Google Fit: Step count, activity minutes, and other fitness metrics you choose to share

6.2 How We Use Google Data

• Sync your tasks and events bidirectionally between TumbleT and Google services
• Display your calendar events alongside TumbleT tasks
• Create encrypted backups of your app data on Google Drive
• Show fitness progress in the Health tab (if Google Fit is connected)

6.3 Data Storage and Retention

• Google API data is primarily used in real-time and not permanently stored on our servers
• Cached data is stored locally on your device for offline access
• You can disconnect Google services at any time from Settings
• Disconnecting removes cached Google data from your device

6.4 Limited Use Disclosure

TumbleT's use of information received from Google APIs will adhere to the Google API Services User Data Policy , including the Limited Use requirements. Specifically:

• We only use Google data to provide the features you request
• We do not transfer Google data to third parties except as necessary to provide the service
• We do not use Google data for advertising purposes
• We do not allow humans to read your Google data unless required for security or legal compliance

7. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share information only in the following circumstances:

• Service Providers: With Firebase (Google) for cloud storage and authentication
• Payment Processors: With Zelle, Venmo, Stripe, PayPal for payment processing
• Legal Requirements: When required by law or to protect our rights
• Business Transfers: In connection with a merger, acquisition, or sale of assets

8. Your Rights and Choices (GDPR & CCPA)

Under GDPR, CCPA, and similar privacy laws, you have the following rights regarding your personal data:

8.1 Right to Access

You can request a copy of all personal data we hold about you. In TumbleT, you can do this directly:

• Go to Settings > Account
• Click "Export My Data"
• Download your complete data as a ZIP file containing JSON data

8.2 Right to Rectification

You can correct any inaccurate or incomplete personal information directly within the application by editing your tasks, settings, and profile information.

8.3 Right to Erasure ("Right to be Forgotten")

You can request permanent deletion of your account and all associated data:

• Go to Settings > Account
• Click "Delete My Account"
• Follow the confirmation steps

When you request deletion:

• Your account will be scheduled for deletion with a 7-day grace period
• You will receive a confirmation email
• You can cancel the deletion anytime during the grace period
• After 7 days, all your data will be permanently and irreversibly deleted
• This includes: all tasks, goals, notes, journal entries, health data, settings, and your Firebase account

8.4 Right to Data Portability

You can export your data in a machine-readable format (JSON) using the "Export My Data" feature. This allows you to transfer your data to another service if desired.

8.5 Right to Restrict Processing

You can disable cloud sync at any time to keep your data local only:

• Go to Settings > Data & Sync
• Enable "Local Only Mode"

8.6 Right to Object

TumbleT does not use your data for marketing, advertising, or profiling purposes. If you have concerns about how your data is being processed, contact us.

8.7 How to Exercise Your Rights

Most rights can be exercised directly in the app. For additional requests or questions, contact us at support@tumblet.app. We will respond to valid requests within 30 days.

9. Children's Privacy

This application is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

10. International Data Transfers

Your information may be transferred to and stored on servers located outside your country of residence. By using this application, you consent to the transfer of your information to these servers.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes.

12. Data Retention

In plain language: We keep your data for as long as you have an active account. When you delete something inside the app (a task, a journal entry, a health record, etc.), it is removed from your view and from active use, but a background copy may be kept in an archive for up to 90 days before it is permanently erased. This archive exists solely so we can recover data if something goes wrong (accidental deletion, sync errors, etc.) — it is never used for advertising, profiling, or shared with third parties.

We retain your personal data for as long as:

• Your account is active
• Necessary to provide our services
• Required by law (e.g., for tax or legal compliance)

12.1 How Long We Keep Different Types of Data

• Tasks, notes, journal entries, goals, and other content: Kept while your account is active. If you delete an individual item, it is archived for up to 90 days (for recovery purposes), then permanently erased.
• Health data (blood pressure, medications, symptoms, body metrics, sleep, food logs, etc.): Same as above — kept while your account is active, archived up to 90 days after individual deletion.
• Location data (routes, mileage, tracked drives/walks/runs): Retained based on your chosen retention period (see section 12.2 below). The default is 180 days.
• AI chat messages: Stored on our servers while your account is active. When you send a query, relevant context is sent to Google Gemini transiently — under Google's current paid-tier terms, Google does not permanently store your data. These terms are subject to change by Google. See Section 2.3 and Google AI Terms for details.
• Payment records: Kept for up to 7 years after the transaction to meet tax and legal requirements.
• Account information (email, user ID): Kept until you delete your account.

12.2 Location Data Retention

Routes and mileage entries (recorded during tracked drives, walks, and runs) are retained based on your preference in Settings > Security > Privacy Controls > Location Data Retention. The default retention period is 180 days. You may choose 30 days, 90 days, 180 days, 1 year, or forever. Data older than your chosen period is automatically deleted from your device and cloud storage.

Geofences (saved locations/landmarks you create) are retained until you manually delete them, as they represent active user-created data.

To disable location collection entirely: Turn off Auto Drive Detection in Settings > App Behavior, and revoke location permissions in your device settings. Previously collected location data can be deleted via Settings > Data > Delete Data.

12.3 Archive and Durable History

When you delete a record inside TumbleT (for example, removing a task or clearing a health entry), we do not immediately hard-delete it from our servers. Instead, the record is moved to an internal archive where it is kept for up to 90 days. During this period:

• The data is no longer visible in the app or used for any active purpose
• It can potentially be restored if you contact support within the 90-day window
• It is not shared with third parties, used for analytics, or processed in any way
• After 90 days, the archived data is permanently and irreversibly deleted

Why do we archive instead of immediately deleting? Accidental deletions, sync conflicts, and device issues happen. The 90-day archive acts as a safety net. If you want immediate permanent deletion of specific data, contact us at support@tumblet.app and we will remove it promptly.

12.4 Your Controls Over Data Retention

You have several ways to manage how long your data is kept:

• Export your data: Go to Settings > Account > Export My Data to download everything as a ZIP file at any time
• Delete individual items: Remove specific tasks, entries, or records within the app (archived for 90 days, then permanently deleted)
• Adjust location retention: Choose your preferred retention window in Settings > Security > Privacy Controls
• Delete your entire account: Go to Settings > Account > Delete My Account — all data (including archives) is permanently erased within 7 days (see section 8.3)
• Request immediate deletion: Email support@tumblet.app if you need specific data removed before the 90-day archive window expires

12.5 Account Deletion

When you delete your account, we permanently delete all your data — including any archived records — within 7 days (or immediately if you choose immediate deletion). After deletion is complete, no data can be recovered. Some anonymized, aggregated data may be retained for analytics purposes but cannot be linked back to you.

13. Affiliate Links Disclosure

TumbleT participates in the Amazon Associates Program, an affiliate advertising program designed to provide a means to earn fees by linking to Amazon.com and affiliated sites.

Some features in TumbleT reference books and research that informed their design. These references may include affiliate links to Amazon. If you click a book link and make a purchase, TumbleT may earn a small commission at no additional cost to you.

• Affiliate links are used only for books and resources that genuinely informed TumbleT's features
• We never recommend a book solely for commission — every referenced book is one TumbleT's features are actually built on
• Affiliate commissions do not influence which features are built or how they work
• No user data is shared with Amazon beyond what occurs in a normal click-through to amazon.com

This disclosure is made in compliance with the FTC's guidelines on endorsements and testimonials.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us:

• Email: support@tumblet.app
• Alternative: support@tumblet.app
• Application: TumbleT

For GDPR-related inquiries, we will respond within 30 days. For urgent matters regarding data breaches or security concerns, we will respond as quickly as possible.