Privacy Policy
Version 1.0 · effective from April 26, 2026
1. Who we are
The operator of the Thank You App service (the "Service") is:
- Tomáš Střída
- Sudoměřská 650/48, Praha 3, 130 00
- Natural person
- Contact email: tomas.strida@gmail.com
Under Regulation (EU) 2016/679 (GDPR), we are the data controller. We are not required to appoint a Data Protection Officer (DPO) — we do not process special categories of data on a large scale.
2. What data we collect
2.1 About you (the user)
- Email address, name
- Password as a bcrypt hash (only if you use email/password registration)
- If signing in with Google: name and email from your Google profile
- IP address and user-agent header on login (audit and security)
- Date and version of the privacy policy and terms you accepted
2.2 About your messages
- Message content (salutation, expression of gratitude, closing, signature)
- Recipient's name and email
- Scheduled send time, delivery status, message language
2.3 About recipients in your address book
If you save a recipient to your address book, we store their name, email, and relationship (e.g., "parent", "colleague"). You are responsible for adding recipients and should have a legitimate reason (a personal relationship).
2.4 What we do not collect
- No third-party cookies
- No marketing tracking, no advertising pixels
- Plausible Analytics: only anonymous aggregate stats (no cookies, no IPs, no identifiers)
- We do not read, share, or feed your message content into AI for analysis
3. Why and on what legal basis
| Data | Purpose | Legal basis |
|---|---|---|
| Email, name, password | Account operation | Contract performance (Art. 6(1)(b) GDPR) |
| Message content | Delivery at scheduled time | Contract performance |
| Recipient email | Message delivery | Sender's legitimate interest (Art. 6(1)(f)) |
| Login logs (IP, user-agent) | Security, fraud prevention, audit | Legitimate interest |
| Email verification | Anti-spam, recipient protection | Legitimate interest |
| Consent record | Proof of consent for authority | Legal obligation |
4. How long we keep data
- Account and message content: as long as you have an account. After account deletion, we remove all data within 30 days (audit window for dispute resolution).
- Login logs with IP: 90 days, then automatically deleted.
- Verification and reset tokens: password reset tokens expire after 1 hour. Verification tokens persist until verified.
- DB backups: daily backup sent to operator's email, 30-day retention.
- Anonymized statistics: aggregate numbers without ties to a specific person are kept indefinitely.
5. Who we share data with (processors)
We never sell your data. To deliver the Service we use the following processors, contractually bound to protect your data:
| Processor | What they do | Location |
|---|---|---|
| Brevo (Sendinblue) | Sending emails (gratitude, verification, reset) | France (EU) |
| Google | Sign-in via Google OAuth | USA |
| Railway | Application and database hosting | USA |
| Plausible Analytics | Anonymous traffic stats (no cookies, no IPs) | Germany (EU) |
6. Transfers outside the EU
Some processors (Google, Railway) are based in the USA. Transfers of your data are protected by Standard Contractual Clauses (SCCs) under Art. 46 GDPR and by the EU-US Data Privacy Framework decision where applicable. Brevo and Plausible are in the EU — no extra-EU transfer occurs there.
7. Your rights
Under GDPR you have the following rights:
- Access (Art. 15) — request a full export of your data. In the app: Account settings → Download my data.
- Rectification (Art. 16) — if data is inaccurate, correct it in your account or contact us.
- Erasure (Art. 17, "right to be forgotten") — in the app: Account settings → Delete account. All data removed within 30 days.
- Restriction of processing (Art. 18) — request that we temporarily stop processing your data.
- Data portability (Art. 20) — we will export your data as machine-readable JSON.
- Objection (Art. 21) — to processing based on legitimate interest (e.g., login logs).
- Complaint to authority — Czech Office for Personal Data Protection, uoou.gov.cz, Pplk. Sochora 27, 170 00 Prague 7. EU residents may also contact their local supervisory authority.
To exercise your rights, write to tomas.strida@gmail.com. You will receive a response within 30 days.
8. Message recipients (people without an account)
When a user sends you a thank-you message, we process your email address. You are a data subject with the same GDPR rights as registered users.
- Purpose: message delivery and status tracking.
- Legal basis: sender's legitimate interest in expressing gratitude.
- Retention: as long as the sender has an account (they can delete sooner).
- Your rights: every delivered email contains a "Report inappropriate message" link. If you want all messages with your address removed across all senders, write to tomas.strida@gmail.com.
9. Cookies
We use a single cookie:
- connect.sid — a technical session cookie required for sign-in. It is "strictly necessary" and exempt from consent under the ePrivacy Directive.
Third parties:
- Plausible Analytics uses no cookies and stores no visitor IPs.
- Google Fonts — fonts are loaded from Google's CDN, which may log IPs. If this concerns you, use a browser with a blocker.
10. Security
- All communication runs over HTTPS/TLS.
- Passwords are never stored in plaintext — we use bcrypt hashes.
- Database access is restricted to the operator.
- Regular automated backups.
- Rate limiting against brute-force on login and registration.
In case of a data breach, we notify affected users and the Czech Personal Data Protection Office within 72 hours per Art. 33 GDPR.
11. Children
The Service is not intended for persons under 16. If we learn we hold data from a younger person without parental consent, we delete it immediately.
12. California residents (CCPA / CPRA)
If you are a California resident, under CCPA you have the right to:
- Know what personal data we collect and why (all listed above).
- Request deletion of your data.
- Request a copy of your data.
- Not be discriminated against for exercising these rights.
We do not sell or share personal information for targeted advertising. We therefore do not display a "Do Not Sell or Share My Personal Information" link — there is nothing to opt out of.
13. Changes to this policy
We may update this policy from time to time. We notify you of material changes by email and show a dialog on your next sign-in with the new version. Minor edits (typos, grammar) are made without notice.