Privacy Policy

Pomoflow is a web-based productivity application operated from Washington State, United States. For the purposes of applicable data protection laws, Pomoflow is the data controller responsible for your personal information. If you have any questions about how we handle your data, you can contact us at hello@pomoflowapp.com.

When you use Pomoflow, we may collect the following information:

• Account information: Your name, email address, and password when you create an account with credentials. If you sign in with Google, we receive your name and email address from Google.
• Session data: Focus duration, flow duration, recovery duration, session goals, and reflections you enter during timer sessions.
• Settings: Your timer preferences such as default session duration, theme, and sound settings.
• Payment information: When you upgrade to Premium, payment is processed by Stripe. We store your Stripe customer ID and subscription status but do not store your credit card number or payment details — Stripe handles this securely.
• Usage data: We use Vercel Analytics to collect anonymous, aggregated page view data. This does not use cookies and does not track individual users.
• Technical data: Our hosting provider (Vercel) automatically collects standard server log data, which may include your IP address, browser type, operating system, referring URL, and timestamps. This data is used for security and operational purposes.

We use your information for the following purposes:

• To provide, operate, and maintain the Pomoflow service
• To save your timer settings and session history
• To process payments through Stripe
• To send transactional emails (email verification, password resets)
• To improve the Service through anonymous, aggregated analytics
• To detect, prevent, and address security issues or abuse
• To comply with legal obligations

We do not use your personal information for advertising or marketing purposes. We do not use your User Content (session goals, reflections) for any purpose other than providing the Service to you.

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we process your personal data under the following legal bases:

• Contract performance: Processing necessary to provide you with the Service, including account management, session tracking, and payment processing.
• Legitimate interests: Processing necessary for our legitimate interests, such as improving the Service, ensuring security, and preventing fraud, provided these interests are not overridden by your rights.
• Legal obligation: Processing necessary to comply with applicable laws and regulations.
• Consent: Where required by law, we will obtain your consent before processing your data for specific purposes. You may withdraw consent at any time.

We do not sell, rent, or trade your personal information. We share data only with the following third-party service providers that are necessary to operate Pomoflow:

• Stripe: Payment processing — receives your email and payment details to process Premium purchases.
• Resend: Transactional email delivery — receives your email address to send verification codes and password reset links.
• Vercel: Hosting and anonymous analytics — hosts the application and collects cookieless, aggregated page view data.
• Google: OAuth sign-in — if you choose to sign in with Google, Google shares your name and email with us.
• Supabase: Database hosting — stores your account data, session history, and settings on secure, encrypted infrastructure.

We may also disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Pomoflow uses only essential cookies required for the Service to function. We do not use advertising, marketing, or third-party tracking cookies.

Vercel Analytics is fully cookieless and does not store any data on your device.

We take reasonable technical and organizational measures to protect your personal information, including:

• Passwords are hashed using bcrypt before storage
• All traffic is encrypted in transit via HTTPS/TLS
• Data is encrypted at rest on our database infrastructure (Supabase)
• Rate limiting on authentication endpoints to prevent brute-force attacks
• Security headers (Content Security Policy, X-Frame-Options, etc.)
• Regular review of security practices and dependencies

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

• Account data: Retained for as long as your account is active. When you delete your account, all associated data (sessions, settings, subscription records) is permanently and irreversibly deleted from our systems.
• Stripe records: Upon account deletion, we remove your Stripe customer record. Stripe may retain certain transaction records in accordance with their own data retention policies and legal obligations.
• Anonymous analytics: Aggregated, anonymous page view data collected via Vercel Analytics is retained indefinitely as it cannot be linked to any individual user.
• Server logs: Standard server log data is retained by Vercel in accordance with their data retention policies, typically for a limited period.

Regardless of where you are located, you can:

• Update your name, email, and password in Account Settings
• Reset your session analytics data at any time
• Delete your account entirely, which permanently removes all your data from our systems

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete personal data.
• Right to erasure: Request deletion of your personal data (you can do this directly via Account Settings).
• Right to restrict processing: Request that we limit how we use your data in certain circumstances.
• Right to data portability: Request your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at hello@pomoflowapp.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:

• Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the purposes for collection, and the categories of third parties with whom we share it.
• Right to delete: You may request that we delete your personal information. You can do this directly through Account Settings or by contacting us.
• Right to opt-out of sale: We do not sell your personal information to third parties.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a request, contact us at hello@pomoflowapp.com.

Pomoflow is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your personal information will be transferred to, stored, and processed in the United States where our servers and service providers are located.

For users in the EEA, UK, or Switzerland, we rely on appropriate safeguards for international data transfers, including the service providers' compliance with applicable data protection frameworks and standard contractual clauses where applicable. By using the Service, you consent to the transfer of your information to the United States.

Pomoflow is not directed to children under the age of 13 (or under 16 in the EEA). We do not knowingly collect personal information from children under these ages. If we become aware that we have collected personal information from a child below the applicable age, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at hello@pomoflowapp.com.

Some browsers transmit "Do Not Track" (DNT) signals. Since there is no industry-standard interpretation of DNT signals, Pomoflow does not currently respond to them. However, as described in this policy, we minimize data collection and do not engage in cross-site tracking or behavioral advertising.

This Privacy Policy is governed by and construed in accordance with the laws of the State of Washington, United States, without regard to conflict of law provisions, and subject to the overriding applicability of data protection laws in your jurisdiction (such as the GDPR for EEA users).

We may update this Privacy Policy from time to time to reflect changes to our practices, legal requirements, or the Service. For material changes, we will provide at least thirty (30) days' notice via email or a prominent notice within the Service. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at hello@pomoflowapp.com.