Privacy Policy

How we collect, use, and protect your information across tilorah.co and intent: trade.

01Who we are

Tilorah is an independent product studio operated by TILORAH CORE LLC, a Florida limited liability company ("Tilorah", "we", "us"). We are the data controller for personal information processed through tilorah.co and intent: trade.

For privacy questions, contact hello@tilorah.co.

02Scope

This Policy covers tilorah.co and the current public Tilorah service, including intent: trade the intent: trade app distributed via web, Apple App Store, and Google Play. Our Terms of Service govern your use of these services. Internal, local-only, draft, paused, or personal projects are outside this public customer-facing Policy unless Tilorah later publishes them under a separate notice.

Product-specific privacy summary

Property	Privacy position	Processors / responsibility
tilorah.co public pages	Public website pages may generate hosting/server logs such as IP address, request time, requested URL, referrer, and user agent. At this time, we do not use analytics cookies, advertising cookies, or cross-site tracking cookies on public Tilorah pages.	Hosting/CDN providers may process server logs for security, delivery, abuse prevention, and diagnostics. Some pages load Google Fonts, which causes your browser to request font assets from Google.
intent: trade	Cloud service controlled by Tilorah. We process account data, trade journal content, chart images, settings, subscription status, diagnostics, server logs, and optional AI/OCR requests to provide the service.	Processors include Supabase for hosting/auth/database/edge functions, AI providers only when you trigger AI/OCR, app stores/payment providers for purchases, and email providers for account/support messages. Retention, deletion/export, AI processing, and no-ad-tracking commitments are described below.

Other internal, local-only, draft, or paused Tilorah tools are outside this public customer-facing Policy unless we later publish a product-specific privacy notice for them.

03What we collect

Information you give us

Category	Examples	Where
Account info	Email address, password (hashed), display name (optional)	intent: trade sign-up
Profile / preferences	Time zone, currency, default lot size, theme	App settings
Trade entries	Symbol, direction, entry/exit, P/L, notes, tags, dates	Logged by you in-app
Uploaded images	Chart screenshots, broker statement screenshots	Attached to trade entries / submitted to OCR / AI features
Communications	Email content, support requests, feedback	When you email hello@tilorah.co
Payment info	Subscription status, transaction ID, plan tier	Via Apple, Google, or our payment processor — we do not store card numbers

Information collected automatically

Category	Examples	Source
Identifiers	User ID (UUID), session token	Generated on sign-up
Device / app info	OS version, app version, language, locale, device model	App runtime
Diagnostics	Crash logs, error traces (no trade data attached)	App runtime
Usage	Feature interactions (e.g. opened OCR, ran analysis), aggregated counts	App runtime
Server logs	IP address, request timestamps, requested URL, referrer, user agent	Public website hosting, CDN, backend, and Supabase

What we do NOT collect

• We do not connect to your broker or read your live brokerage account.
• We do not collect your card or bank information directly — that goes to Apple, Google, or our payment processor.
• We do not use third-party advertising trackers, fingerprinting SDKs, or behavioral ad networks.
• We do not collect precise location, contacts, microphone, or camera data unless you explicitly upload an image.

04Why we use it

Purpose	What we use
Provide the Service (account, sync, journal)	Account info, trade entries, uploaded images, identifiers
Run the AI features you trigger	The specific image or text you submit
Process payments and manage subscriptions	Payment info, account info
Customer support	Communications, account info, diagnostics
Security, fraud prevention, abuse detection	Server logs, identifiers, device info
Improve product reliability	Diagnostics, aggregated usage
Comply with legal obligations	Whatever is necessary

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use your trade entries or screenshots to train third-party AI models.

05Legal basis (GDPR)

If you are in the EU, UK, or other GDPR/UK GDPR jurisdictions, we rely on the following lawful bases under Article 6:

• Contract (Art. 6(1)(b)) — to deliver the Service you signed up for: account creation, sync, journal, AI features, customer support.
• Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention, debugging, and basic product improvement, balanced against your rights.
• Legal obligation (Art. 6(1)(c)) — when we must retain or disclose data to comply with law (e.g. tax records, lawful requests).
• Consent (Art. 6(1)(a)) — for anything that requires it, such as optional marketing emails. You can withdraw consent at any time.

06Who we share with

We share personal information only with the service providers we need to run the product. They process data on our instructions under written agreements.

Provider	Role	Data shared	Region
Supabase	Hosting, authentication, database, file storage, edge functions	All account and product data	US / EU (configurable)
Anthropic, PBC (default when configured)	Chart analysis and OCR via Claude models	The image and prompt you submit when you trigger AI features. Training, logging, and retention commitments must match the active Anthropic contract, plan, and account settings.	US / as configured
Google LLC (alternate when configured)	Chart analysis and OCR via Gemini models	The image and prompt you submit when you trigger AI features. Training, logging, and retention commitments must match the active Google API contract, plan, and account settings.	US / as configured
OpenAI, L.L.C. (alternate when configured)	Chart analysis and OCR via GPT-class models	The image and prompt you submit when you trigger AI features. Training, logging, and retention commitments must match the active OpenAI API contract, project settings, and data controls.	US / as configured
Apple	App distribution, in-app purchases, App Store receipts	Subscription status, transaction IDs	Per Apple
Google	App distribution, in-app billing	Subscription status, transaction IDs	Per Google
Email provider (transactional)	Sending verification, password reset, receipt emails	Email address, message content	US / EU

We may also disclose data when required by law, court order, or to protect the rights, property, or safety of Tilorah, our users, or others.

If Tilorah is involved in a merger, acquisition, or asset sale, personal information may be transferred to the successor entity, subject to this Policy.

07AI features

intent: trade includes optional AI features (chart analysis, trade-entry OCR). When you trigger one of these:

• The relevant image or text is sent over TLS to our backend (Supabase Edge Function), which forwards the request to the AI provider configured for that feature at the time of use. Tilorah may configure Anthropic, Google, OpenAI, or another commercial provider depending on product settings and availability.
• The provider returns a result. We store the result with the related trade entry in your account.
• Tilorah's policy is to use commercial API settings/contracts that do not permit providers to train their models on your submitted content. Provider logging, abuse monitoring, retention windows, regions, and opt-out settings vary by provider and account configuration, so any absolute statement must be verified against the active vendor contract and settings before release.
• You can choose not to use AI features. The rest of the journal works without them.

08Retention

Data	Retention
Active account data	Until you delete your account or request deletion
Backups	Up to 30 days after deletion
Server logs	Up to 90 days
Crash diagnostics	Up to 90 days
Billing / tax records	As required by Thai law and other applicable tax law (typically up to 7 years)
Support emails	Up to 24 months unless you ask us to delete sooner

09Security

• All traffic is encrypted in transit (TLS 1.2+).
• Data at rest is encrypted by our infrastructure provider.
• Passwords are hashed with industry-standard algorithms — we never see your password in plaintext.
• Row-level security restricts each user's data to that user.
• We follow the principle of least privilege for internal access.

No system is perfectly secure. If we discover a breach affecting your data, we will notify you and the relevant authorities as required by law.

10International transfers

Tilorah operates from Thailand. Our service providers may process data in the United States, the European Union, and other regions. When personal data of EU/UK residents is transferred outside the EEA/UK, we rely on:

• Adequacy decisions where available, or
• EU Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Addendum, supplemented by appropriate technical and organizational safeguards.

11Your rights (Thailand — PDPA)

If you are in Thailand, the Personal Data Protection Act B.E. 2562 (2019) ("PDPA") gives you the following rights as a data subject:

• Access your personal data and request a copy.
• Rectify inaccurate, incomplete, or outdated data.
• Erase data when it is no longer necessary, when you withdraw consent, or when it was processed unlawfully.
• Restrict processing in defined circumstances.
• Object to processing based on legitimate interests, including direct marketing.
• Portability — receive your data in a structured, machine-readable format.
• Withdraw consent at any time (without affecting the lawfulness of prior processing).
• Lodge a complaint with the Personal Data Protection Committee (PDPC) at pdpc.or.th.

To exercise these rights, email hello@tilorah.co with subject "PDPA Privacy Request". We will respond within 30 days.

12Your rights (GDPR / UK GDPR)

If you are in the EU, UK, or another jurisdiction with similar law, you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase data ("right to be forgotten") in defined circumstances.
• Restrict processing in defined circumstances.
• Object to processing based on legitimate interests, including profiling.
• Portability — receive your data in a structured, machine-readable format.
• Withdraw consent at any time when consent is the legal basis.
• Lodge a complaint with your local data-protection authority. EU residents can find theirs at edpb.europa.eu; UK residents can contact the ICO at ico.org.uk.

To exercise any of these rights, email hello@tilorah.co. We will respond within 30 days.

13Your rights (California — CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act give you the right to:

• Know what personal information we collect, the sources, the purposes, and the categories of third parties we share with.
• Access a copy of the personal information we have collected about you in the last 12 months.
• Delete personal information, subject to legal exceptions.
• Correct inaccurate personal information.
• Limit use of sensitive personal information to purposes specified by law.
• Opt out of "sale" or "sharing" for cross-context behavioral advertising. Tilorah does not sell or share personal information in the CCPA/CPRA sense, and has not done so in the preceding 12 months.
• Non-discrimination — we will not deny service, charge a different price, or provide a different quality of service because you exercised a privacy right.

To submit a request, email hello@tilorah.co with subject "California Privacy Request". We may need to verify your identity before fulfilling the request. You may also designate an authorized agent to make a request on your behalf.

Categories collected (CCPA/CPRA notice)

• Identifiers (email, user ID, IP address)
• Customer records (account info, billing info — card details handled by processor)
• Commercial information (subscription tier, transaction IDs)
• Internet/network activity (server logs, app usage, diagnostics)
• User content (trade entries, uploaded images, notes)

We do not knowingly collect "sensitive personal information" as defined by CPRA in any category that would trigger the right to limit, beyond credentials used to access your account. We do not use this data for inference about characteristics.

14Children

Our Services are not directed to children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, contact hello@tilorah.co and we will delete it.

15App Store / Play Store disclosures

Apple App Privacy ("Nutrition Label") summary

For intent: trade, the data types we declare to Apple, the purposes, and whether linked to your identity:

Data type	Purpose	Linked to you	Used for tracking
Email address	App functionality, account management	Yes	No
Name (optional)	App functionality	Yes	No
User ID	App functionality	Yes	No
Purchase history	App functionality, subscription management	Yes	No
User content (trade entries, photos)	App functionality (the journal itself)	Yes	No
Diagnostics (crash data, performance)	App functionality	No	No
Usage data (product interactions)	Analytics (aggregated only)	No	No

We do not use any data for tracking across apps and websites owned by other companies.

Google Play Data Safety summary

Data type	Collected	Shared	Purpose
Email address	Yes	No	Account management, app functionality
Name	Optional	No	Personalization
User IDs	Yes	No	Account management, app functionality
Photos	Yes (only those you upload)	To AI provider for the analysis you request	App functionality (chart analysis, OCR)
Files and docs	Yes (only what you upload, e.g. exports)	No	App functionality
App activity	Yes	No	Analytics, app functionality
Crash logs / diagnostics	Yes	No	App functionality
Purchase history	Yes	No	Subscription management

Encryption in transit: yes. You can request data deletion: yes (in-app or via email).

16Cookies and similar technologies

tilorah.co uses minimal cookies and local storage:

• Public website pages — at this time, no analytics cookies, advertising cookies, or cross-site tracking cookies are used on public tilorah.co pages. Hosting/server logs may still record IP address, request time, requested URL, referrer, and user agent for security, delivery, abuse prevention, and diagnostics.
• Authenticated apps — session storage, local storage, or cookies may be used for authentication, sync state, security, theme, language, and product settings.
• Local-only or internal tools — any local-only or internal Tilorah tool may use local storage or files on the configured device. Tilorah does not receive that local app data during normal use unless you send it to us for support or the tool is later externalized under separate terms.
• We do not use third-party advertising or cross-site tracking cookies.

You can clear cookies and local storage in your browser settings at any time.

17Changes

We may update this Policy. Material changes will be announced via email or in-app notice at least 14 days before they take effect, except when changes are required by law. The "Last updated" date at the top reflects the most recent revision.

18Contact

For privacy questions, requests, or complaints:

• Email: hello@tilorah.co
• Subject line for rights requests: "Privacy Request — [PDPA / GDPR / CCPA / Other]"

If you are in the EU and we appoint an Article 27 representative, we will list them here. Until then, please contact us at the email above.