1. Who we are
Octodoro is operated by Max Marino trading as Octodoro, a sole trader based in the United Kingdom. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the "controller" of the personal data described in this policy.
You can reach us about privacy at octodoro@gmail.com.
2. Data we collect
- Account data: name, username, email address, a hashed password (for email/password login), and a profile image if you sign in with Google.
- Authentication & security data: session and verification data needed to sign you in, keep your account secure, and prevent abuse.
- Study & productivity data: timer activity, session history, reflections, focus/satisfaction ratings, tasks, XP, levels, streaks, and coins.
- Social data: friend relationships, clan membership, study-lobby participation, inbox messages, and leaderboard records.
- Purchase data: premium status, your Stripe customer and subscription IDs, and a record of coin/diamond purchases. We never receive or store your full card number — Stripe handles payment details directly.
- Technical data: basic device, log, and request information (such as IP address) generated when any website is used.
3. How we use your data
- To provide and maintain core features — the timer, tasks, social systems, and leaderboards.
- To authenticate you, secure your account, and detect abuse or policy violations.
- To process purchases and keep your premium status and balances up to date.
- To generate the progress insights, reports, and AI output you ask for.
- To respond to support requests and to meet our legal obligations.
4. Our lawful bases for using your data
Under UK GDPR we rely on the following lawful bases:
- Contract: to deliver the service you sign up for and manage your account and purchases.
- Legitimate interests: to keep the service secure and reliable and to improve it, balanced against your rights.
- Consent: where the law requires it, including optional features you choose to use. Where we rely on consent, you can withdraw it at any time without affecting prior processing.
- Legal obligation: to comply with applicable laws, such as tax and accounting rules.
5. AI features and your data
Octodoro offers optional AI features (for example, session summaries and the coach chat). When you choose to use these features, we send selected study activity to our AI provider (currently OpenAI) to generate a response. You can use Octodoro fully without ever using AI features.
What we send for an AI request
Depending on the feature, a request may include:
- Session logs — the date, duration, and mode of recent sessions.
- Reflections — the optional notes you write after a session.
- Ratings — your focus and satisfaction ratings, when provided.
- Your prompt — the question you type in coach chat.
How we limit AI data use
- Purpose limitation: the data is shared only to produce the specific output you asked for, such as a summary or a chat answer.
- No account identifiers by default: we do not intentionally include direct identifiers such as your email address in AI prompts.
- Encrypted transport: requests are sent over encrypted connections.
- No automated decisions about you: AI output is informational only. We do not use it to make decisions that produce legal or similarly significant effects on you.
Your choices and responsibilities
- If you would rather this data was not sent to the AI provider, simply don't use the AI features.
- Please don't put sensitive personal information (for example health records, financial account details, or government ID numbers) in reflections or chat prompts.
- AI output can be wrong or incomplete and should not be relied on as professional advice.
8. International data transfers
Some of our providers are based outside the UK, so your data may be processed abroad (including in the United States). Where that happens, we rely on a lawful transfer mechanism: a UK "adequacy" decision for the destination country, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, or — for some US providers — the UK Extension to the EU–US Data Privacy Framework.
9. How long we keep your data
We keep your data only as long as we need it. As a guide:
- Account & study data: while your account is active, and for a short period after you close it in case you reactivate or we need to resolve a dispute.
- Financial & transaction records: up to six years, to meet UK tax and accounting requirements.
- Security & log data: for a limited period needed to protect the service.
When we no longer need data, we delete or anonymise it.
10. Security
We use technical and organisational measures designed to protect your personal data, including encrypted connections and hashed passwords. No system is perfectly secure, but we work to keep your information safe and will notify you and the ICO of a serious breach where the law requires.
11. Your rights
Under UK data protection law you have the right to:
- access a copy of your personal data;
- have inaccurate data corrected;
- have your data deleted in certain circumstances;
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent where we rely on it.
To exercise any of these, email octodoro@gmail.com. We'll respond within one month. We may need to verify your identity first.
If you're unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ICO), the UK supervisory authority, at ico.org.uk or 0303 123 1113. We'd appreciate the chance to put things right first.
12. Children
Octodoro is intended for users aged 13 and over, and is not directed at children under 13. We recognise that under-18s use the service, and we aim to follow the ICO's Age Appropriate Design Code (the Children's Code) by collecting the minimum data needed and avoiding manipulative design.
If you believe a child under 13 has given us personal data, contact us and we'll review and remove it as appropriate.
13. Changes to this policy
We may update this policy from time to time. We'll post changes here with a new "last updated" date, and we'll tell you about significant changes where appropriate.
14. Contact us
For any privacy question or request, email octodoro@gmail.com.