Privacy Policy

1. Who We Are

PalPal (" we ," " us ," " our ") operates palpal.live and a suite of associated productivity applications. We are the data controller for personal information collected through our Services.

We are committed to protecting your personal data and processing it in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) where applicable.

2. Information We Collect

Information You Provide Directly

• Account registration details (email address, display name)
• Content you create within our apps (e.g., work session logs, notes, tags)
• Support communications you send to us
• Voluntary donation or payment information (processed by third-party payment processors)

Information Collected Automatically

• Basic usage data (pages visited, features used, session duration)
• Device information (browser type, operating system, screen resolution)
• IP address (used for security and analytics purposes)
• Error and crash logs (to improve app stability)

Information from Third Parties

When you sign in with Google, we receive from Google the following account information:

We do not request or receive access to your Gmail, Google Drive, Google Calendar, contacts, or any other Google service data. Our OAuth scopes are limited to openid , email , and profile .

3. How We Use Your Information

We use the information we collect exclusively to:

• Provide our Services — create and manage your account, store your app data, and deliver app features.
• Improve our Services — analyse usage patterns to fix bugs and prioritise features.
• Ensure security — detect fraud, abuse, and unauthorized access.
• Communicate with you — respond to support requests and, with your consent, send product updates.
• Legal compliance — fulfil obligations under applicable law.

We do not use your data for advertising, profiling, or any purpose beyond operating and improving PalPal Services.

4. Google Sign-In and OAuth 2.0

PalPal uses Google Sign-In (OAuth 2.0) via Firebase Authentication. This is our only supported authentication method. When you choose to sign in with Google:

• You are redirected to Google's secure sign-in page — PalPal never sees your Google password.
• Google authenticates you and returns an authorisation token to our system.
• We use that token only to establish your identity and create/access your PalPal account.
• The token is stored securely in your browser session and is never transmitted to third parties.

Scopes requested: We only request the minimum OAuth scopes required:

• openid — Confirms your identity
• email — Your Google email address
• profile — Your name and profile photo

You can review and revoke PalPal's access to your Google Account at any time at myaccount.google.com/permissions . Revoking access will sign you out of PalPal but will not delete your stored data (you must contact us separately to delete your data).

5. Data Sharing and Disclosure

We do not sell your personal information. We share your data only in the following limited circumstances:

• Service Providers: We use Google Firebase (Firestore database and Firebase Authentication) to store and process data. These providers are bound by strict data processing agreements and process data only on our instructions.
• Legal Requirements: We may disclose your data if required by law, subpoena, court order, or other legal process, or if we believe in good faith that such disclosure is necessary to protect our rights or the safety of others.
• Business Transfer: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data is subject to a different privacy policy.
• With Your Consent: We may share your information for any other purpose with your explicit consent.

6. Data Storage and Security

Your data is stored in Google Firebase Firestore , a cloud database operated by Google Cloud Platform. Firebase provides enterprise-grade security including:

• Encryption in transit (TLS/HTTPS) and at rest (AES-256)
• Role-based access controls and Firebase Security Rules
• ISO 27001 and SOC 1/2/3 certified infrastructure
• Regular security audits and penetration testing by Google

We implement additional security measures including strict Firestore Security Rules that ensure users can only access their own data. No PalPal employee can read your app data unless required for critical support purposes, and only with your explicit permission.

Despite these measures, no method of transmission or storage is 100% secure. We encourage you to use a strong, unique password for your Google account.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide our Services. Specifically:

• Account data (email, display name): Retained until account deletion.
• App data (work sessions, logs): Retained until you delete it or your account.
• Usage analytics : Retained in aggregated, anonymised form indefinitely.
• Support communications : Retained for up to 3 years for quality and legal purposes.

Upon account deletion request, we will delete your personal data within 30 days, except where retention is required by law or for legitimate business interests (e.g., fraud prevention).

8. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

To exercise any of these rights, contact us via our support page . We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9. Cookies and Tracking

We use minimal cookies and local storage, limited to:

• Session cookies — Maintain your signed-in state (essential; cannot be disabled).
• Preference cookies — Remember your UI preferences (e.g., theme settings).
• Firebase Authentication tokens — Stored in IndexedDB to keep you signed in.

We do not use advertising cookies, third-party tracking pixels, or cross-site tracking technologies. We do not participate in any ad networks.

You can clear cookies at any time through your browser settings. Clearing authentication cookies will sign you out of PalPal.

10. Children's Privacy

Our Services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us immediately and we will delete that information promptly.

Users between the ages of 13 and 18 should use our Services only with parental or guardian consent. Parents or guardians who become aware that their child has provided personal information without consent should contact us.

11. International Users

Our Services are operated from and data is stored in servers managed by Google Cloud Platform, which may process data in multiple regions globally, including the United States and European Economic Area (EEA).

By using our Services, you consent to the transfer of your information to these regions. Google Firebase complies with applicable data transfer mechanisms including Standard Contractual Clauses (SCCs) for GDPR compliance.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date and, where appropriate, notify registered users by email or in-app notice.

We encourage you to review this Policy periodically. Your continued use of our Services after any changes constitutes your acceptance of the updated Policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out:

• Website: palpal.live
• Support page: palpal.live/support.html

We take all privacy inquiries seriously and will respond within 30 days.