Privacy Policy

Last Updated: December 5, 2025


1. Introduction

Welcome to Frodito ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our team engagement platform, available via web and mobile applications.

By using Frodito, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

2. Information We Collect

2.1 Personal Information

When you register for an account, we collect:

  • Full name
  • Email address
  • Password (stored in hashed form using bcrypt)
  • Office days (working schedule preferences)
  • Age (optional)
  • Location (optional)
  • Company name (optional)
  • Job title (optional)
  • Company size (optional)
  • Industry (optional)

The optional information (age, location, company details) helps us understand our user base better and improve our services. You can choose to provide this information during registration or skip it entirely.

2.2 Team and Usage Data

As you use Frodito, we collect:

  • Team memberships and roles (owner, admin, member)
  • Prompt responses (text, photos, mood check-ins, poll answers, ratings)
  • Social interactions (reactions, comments, tags, coffee matches)
  • Wordle game submissions and statistics
  • Notification preferences
  • Custom prompts created by team owners

2.3 Payment Information

When you subscribe to a paid plan, we process payments through Stripe. We store your Stripe Customer ID but do not store credit card details on our servers. All payment information is securely handled by Stripe in accordance with PCI-DSS standards.

2.4 Technical Data

We automatically collect certain technical information:

  • Device information (mobile push notification tokens via Expo)
  • Log data (IP addresses, access times, browser type)
  • Cookies and session data
  • Usage analytics via Google Analytics

2.5 Content You Upload

Photos and images you share in prompt responses are stored on Amazon Web Services (AWS) S3 in the EU-West-1 region. These images are associated with your posts and visible to your team members based on your sharing preferences.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain our services
  • Process your transactions and manage your subscriptions
  • Send you daily prompts and team notifications
  • Enable social features (comments, reactions, tagging)
  • Personalize your experience and content
  • Improve and develop new features
  • Communicate with you about updates, security alerts, and support
  • Analyze usage patterns to enhance user experience
  • Understand our user demographics and market segments for product development
  • Conduct market research and improve our marketing efforts
  • Prevent fraud and ensure platform security
  • Comply with legal obligations

Optional demographic and professional information (age, location, company details) is used solely for aggregate analytics and market research. We never share individual profile details with third parties for marketing purposes without your explicit consent.

4. Data Retention

We retain your data for different periods depending on the type:

  • Prompt responses and posts: Automatically deleted after 24 hours
  • Daily prompts: Automatically deleted at the end of the day
  • Team invitations: Automatically expire and are deleted after 7 days
  • Session tokens: Expire after 7 days
  • User accounts and profile data: Retained until you delete your account
  • Wordle game data: Retained for historical statistics and leaderboards
  • Subscription and billing data: Retained as required by law and accounting standards

5. Information Sharing and Disclosure

5.1 Within Your Team

Your prompt responses, comments, and reactions are visible to other members of your team(s) unless you choose the anonymous option where available. Team owners and admins can see team membership and activity.

5.2 Third-Party Service Providers

We share data with trusted service providers who help us operate our platform:

  • Stripe: Payment processing and subscription management
  • Amazon Web Services (AWS): Cloud storage for images and infrastructure
  • MongoDB Atlas: Database hosting and management
  • Expo: Mobile push notifications
  • Email service provider: Transactional emails (invitations, notifications)
  • Google Analytics: Usage analytics and insights
  • Render.com: Application hosting

These providers are contractually obligated to protect your data and use it only for the purposes we specify.

5.3 Legal Requirements

We may disclose your information if required by law, court order, or governmental request, or to protect the rights, property, or safety of Frodito, our users, or the public.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change in ownership or control of your personal information.

6. Data Security

We implement industry-standard security measures to protect your data:

  • Passwords are hashed using bcrypt with salt rounds
  • Data transmission is encrypted using HTTPS/TLS
  • Authentication tokens expire regularly (access tokens: 15 minutes, refresh tokens: 7 days)
  • API rate limiting to prevent abuse (varies by endpoint: 5-100 requests per time window)
  • HTTP security headers via Helmet.js
  • Database access controls and connection pooling
  • Regular security updates and monitoring

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

7. Your Rights and Choices

You have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Update or correct your profile information at any time
  • Deletion: Request deletion of your account and associated data
  • Objection: Object to certain processing of your data
  • Portability: Request your data in a machine-readable format
  • Notification preferences: Control which notifications you receive (prompts, mentions, comments, reactions)
  • Anonymous posting: Choose to post anonymously where supported
  • Post visibility: Toggle visibility of your posts

To exercise these rights, please contact us using the information in the Contact section below.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to maintain your session, remember your preferences, and analyze usage patterns. We use:

  • Essential cookies: Required for authentication and security (refresh tokens in HTTP-only cookies)
  • Functional cookies: Remember your preferences and settings
  • Analytics cookies: Help us understand how you use Frodito via Google Analytics

You can control cookies through your browser settings, but disabling certain cookies may affect functionality.

9. International Data Transfers

Your data is primarily stored in the European Union (AWS EU-West-1 region). However, some of our service providers may process data in other jurisdictions. When we transfer data internationally, we ensure appropriate safeguards are in place, such as:

  • Standard contractual clauses approved by the European Commission
  • Privacy Shield certification (where applicable)
  • Data processing agreements with third-party providers

10. Children's Privacy

Frodito is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such information promptly.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by:

  • Posting the updated policy on our website and mobile app
  • Updating the "Last Updated" date at the top of this policy
  • Sending you an email notification for significant changes

Your continued use of Frodito after any changes indicates your acceptance of the updated Privacy Policy.

12. GDPR Compliance (EU Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

  • Legal basis for processing: We process your data based on contract performance, legitimate interests, and your consent
  • Right to withdraw consent: You can withdraw consent at any time where we rely on consent
  • Right to lodge a complaint: You can file a complaint with your local data protection authority
  • Data Protection Officer: You can contact our DPO for privacy-related concerns

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: support@frodito.com

Website: https://frodito.com

Response Time: We aim to respond to all inquiries within 30 days

