Privacy Policy

Last updated: November 30, 2025

1. Information We Collect

Anonymous Users (Local Storage)

When you use Tondio without signing in, all data is stored locally on your device:

  • Lawn care data: Mowing sessions, fertilization records, equipment information, and todo items
  • Location data: Lawn location names and coordinates (if provided)
  • Preferences: Temperature units and reminder settings

Important: This data never leaves your device and is not accessible to us.

Note: Photo uploads require a signed-in account. Anonymous users cannot upload or store photos.

Authenticated Users (Cloud Sync)

When you sign in with Google or Twitter/X, we collect and store:

  • Google OAuth data: Email address (always provided) and profile name when you sign in with Google
  • Twitter/X OAuth data: Profile name and optionally your email address (only if you grant permission) when you sign in with Twitter/X
  • Lawn care data: Same data as anonymous users, but synced to our secure cloud database
  • Photos: Images you upload are compressed server-side and stored in secure cloud storage (Supabase Storage)
  • Session information: Authentication tokens for secure access

Note: An email address is not required for full app functionality. If you sign in with Twitter/X and don't grant email permission, you can still use all features.

2. How We Use Your Information

We use the information we collect to:

  • Provide and maintain the Tondio service
  • Sync your lawn care data across your devices (authenticated users only)
  • Authenticate your identity and manage your account
  • Provide weather information relevant to your lawn locations
  • Send you service-related communications (if authenticated)

We do not:

  • Sell, rent, or share your personal information with third parties for marketing purposes
  • Use your data for advertising or tracking
  • Analyze your usage patterns or behavior
  • Share your lawn care data with anyone

3. Data Storage and Security

Local Storage Security

For anonymous users, data is stored in your browser's localStorage with:

  • Client-side encryption for sensitive session data using AES-GCM 256-bit encryption
  • Data compression to optimize storage space
  • TTL (Time-To-Live) expiration for cached data

Cloud Storage Security

For authenticated users, data is stored securely using:

  • Supabase: Enterprise-grade PostgreSQL database with encryption at rest and in transit
  • Row Level Security (RLS): Our database enforces access control at the database level itself. This means that regardless of how data is queried, the database automatically ensures you can only access your own data. This is a more secure approach than application-level filtering as it provides an additional layer of protection.
  • Rate limiting: API endpoints are protected against abuse (100 requests/hour)
  • CSRF protection: Enhanced origin validation prevents cross-site attacks
  • Security logging: All access attempts are logged for monitoring

4. Third-Party Services

We use the following third-party services:

OAuth Providers (Authentication)

Google OAuth

  • Purpose: Secure sign-in without storing passwords
  • Data shared: Email address and profile name
  • Privacy policy: Google Privacy Policy

Twitter/X OAuth

  • Purpose: Secure sign-in without storing passwords
  • Data shared: Email address (optional - only if you grant permission) and profile name
  • Privacy policy: Twitter Privacy Policy

OpenWeatherMap API (Weather Data)

  • Purpose: Provide weather information for your lawn locations
  • Data shared: Location coordinates (city/country) only when you provide them
  • Privacy policy: OpenWeatherMap Privacy Policy

Supabase (Cloud Database & Authentication)

  • Purpose: Authentication services and cloud storage for signed-in users
  • Data shared: Your lawn care data, uploaded photos, and Google OAuth information
  • Privacy policy: Supabase Privacy Policy

Netlify (Hosting)

  • Purpose: Web hosting and content delivery
  • Data shared: Standard web server logs (IP addresses, user agents)
  • Privacy policy: Netlify Privacy Policy

Google Analytics 4 (Optional Analytics)

  • Purpose: Usage analytics to improve the application (only when you opt in via cookie consent banner)
  • Data shared: Anonymized usage patterns, page views, and interactions
  • IP anonymization: Enabled by default - your IP address is anonymized before processing
  • Your control: Managed via Cookie Preferences in Settings - you can opt out anytime
  • Privacy policy: Google Privacy Policy

Important: Google Analytics is completely optional. The application works fully without accepting analytics cookies.

5. Your Rights Under GDPR

As Tondio is operated from Luxembourg and serves users in the European Union, you have the following rights under GDPR:

Right of Access

You can request a copy of all personal data we hold about you. For authenticated users, you can export your data directly from the application.

Right to Rectification

You can correct any inaccurate personal data. All lawn care data can be edited directly in the application.

Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data. For authenticated users, you can delete your account and all associated data from the settings page.

Right to Restrict Processing

You can request that we limit how we process your personal data.

Right to Data Portability

You can request your data in a machine-readable format. The application provides export functionality for all your lawn care data.

Right to Object

You can object to processing of your personal data for direct marketing purposes (though we don't do marketing).

Response Timeframe

We will respond to all GDPR requests within 30 days of receipt, as required by law. In complex cases, we may extend this period by up to two additional months, but we will inform you of any extension within the initial 30-day period.

6. Data Retention

Anonymous users: Data is retained locally on your device until you clear your browser data or manually delete it.

Authenticated users: Data is retained until you delete your account or request data deletion. We do not automatically delete inactive accounts.

Security logs: Access logs are retained for 90 days based on our legitimate interest (GDPR Article 6(1)(f)) in maintaining the security of our service, detecting and preventing unauthorized access, and complying with legal obligations. This retention period balances security needs with data minimization principles.

7. Cookies and Tracking

Tondio uses cookies and local storage for essential functionality and optional analytics. You can manage your cookie preferences in the application settings.

Essential Cookies (Required)

These cookies are necessary for the application to function and cannot be disabled:

  • Authentication cookies: sb-access-token, sb-refresh-token - Supabase Auth session cookies for signed-in users
  • Application data: lawncare-* - Local storage items for your lawn care data, preferences, and onboarding state
  • Cookie consent: lawncare-cookie-consent - Stores your cookie preferences

Analytics Cookies (Optional)

These cookies help us understand how the application is used. They are only loaded when you explicitly opt in via our cookie consent banner:

  • Google Analytics 4: _ga, _ga_*, _gid, _gat
  • IP anonymization: Enabled by default for all analytics tracking
  • Control: You can change your preferences anytime in Settings → Cookie Preferences

No advertising cookies: We don't serve ads or use advertising networks.

8. International Data Transfers

For authenticated users, your data may be transferred to and stored in countries outside the European Economic Area (EEA) through our third-party services:

  • Supabase: Uses AWS infrastructure with appropriate safeguards
  • Google: GDPR-compliant with appropriate transfer mechanisms

All transfers are protected by appropriate safeguards as required by GDPR.

9. Children's Privacy

Tondio is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information, please contact us.

10. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

For significant changes, we will provide more prominent notice (including, for some services, email notification of privacy policy changes).

11. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your GDPR rights, please contact us:

Data Controller: Norbert Godany
Email: norbert.godany@gmail.com

You can also use the feedback system available in the application.

Data Protection Contact: For GDPR-related inquiries, please email norbert.godany@gmail.com with "GDPR Request" in the subject line.

Supervisory Authority: You have the right to lodge a complaint with the Luxembourg National Commission for Data Protection (CNPD) if you believe your data protection rights have been violated.