Legal

Privacy Policy

Last updated: 2026-05-07

🇪🇬 اقرأ بالعربية

1. Information We Collect

Account Information: When you register, we collect your name, email address, phone number, and organization details.

Business Data: The Service stores your business data including products, sales, receipts, customer records, and financial information. This data belongs to you.

Usage Data: We automatically collect usage data such as login times, feature usage, and browser type to improve the Service.

2. How We Use Your Information

  • To provide and maintain the Service
  • To process billing and subscriptions
  • To send service-related notifications
  • To improve the Service and develop new features
  • To provide customer support
  • To comply with legal obligations

2a. Legal Basis for Processing (Art. 6 GDPR)

Data Category Legal Basis GDPR Article
Account info (name, email, phone)Contract performanceArt. 6(1)(b)
Business data (products, receipts, invoices)Contract performanceArt. 6(1)(b)
Billing data (payment provider)Contract performanceArt. 6(1)(b)
Usage & analytics (login times, features used)Legitimate interestArt. 6(1)(f)
Audit logs (IP address, actions)Legitimate interest (security)Art. 6(1)(f)
OAuth profile (Google/Apple)ConsentArt. 6(1)(a)
Marketing emailsConsentArt. 6(1)(a)

3. Data Isolation

Tilly is a multi-tenant application. Each organization's data is logically isolated using tenant-scoped database queries. No organization can access another organization's data.

4. Data Sharing

We do not sell your personal or business data. We may share data with:

  • Payment Processors: Paddle processes subscription payments. Their privacy policy applies to payment data.
  • Infrastructure Providers: GoDaddy provides cloud hosting and infrastructure services. Data is stored securely on their servers.
  • Legal Requirements: We may disclose data when required by law or to protect our rights.

5. Data Security

We implement industry-standard security measures including:

  • Encrypted data transmission (HTTPS/TLS)
  • Bcrypt password hashing
  • Role-based access control (RBAC)
  • Regular security audits
  • Automated encrypted backups

6. Data Retention

Your business data is retained as long as your account is active. Upon account deletion, data is retained for 30 days (grace period) before permanent removal.

You can export your data at any time from Settings → Backup → Export JSON.

7. Cookies

We use essential cookies for authentication and session management. We do not use third-party tracking cookies or advertising cookies.

A cookie consent notice is displayed on your first visit. Since we only use strictly necessary cookies, no opt-in is required under GDPR Art. 5(3) ePrivacy Directive.

8. Your Rights

Under applicable data protection law, you have the right to:

  • Right of Access (Art. 15): Request a copy of your personal data
  • Right to Rectification (Art. 16): Correct inaccurate personal data
  • Right to Erasure (Art. 17): Delete your account and all associated data from Settings
  • Right to Restrict Processing (Art. 18): Request that we limit processing of your data
  • Right to Data Portability (Art. 20): Export your personal data in a machine-readable JSON format from your Profile page
  • Right to Object (Art. 21): Object to processing based on legitimate interest
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw at any time without affecting prior processing
  • Right to Lodge a Complaint: You may file a complaint with your local data protection supervisory authority at any time

To exercise any of these rights, contact us at privacy@nescoder.com or use the self-service tools in your account Settings and Profile pages.

9. GDPR Compliance (EU/EEA & UK Users)

If you are located in the European Economic Area or the United Kingdom, the following additional rights and disclosures apply:

  • Legal Basis: We process data based on contractual necessity (Art. 6(1)(b)), legitimate interest (Art. 6(1)(f)), and consent (Art. 6(1)(a)). See Section 2a above for a detailed per-category breakdown.
  • Data Portability: You may export your personal data in a machine-readable JSON format from your Profile page at any time.
  • Right to Erasure: You may request complete deletion of your account and all associated data from Settings → Danger Zone.
  • DPO Contact: privacy@nescoder.com
  • Data Processing Agreement: A publicly viewable DPA is available. Enterprise customers may request a signed copy.
  • EU Supervisory Authority: You may lodge a complaint with the data protection authority in your EU/EEA member state.

9.1 UK GDPR (Data Protection Act 2018)

For users in the United Kingdom, processing is governed by the UK GDPR as retained under the Data Protection Act 2018. All rights described in this policy apply equally under UK law.

UK Supervisory Authority: Information Commissioner's Office (ICO) — https://ico.org.uk

You may lodge a complaint with the ICO at any time if you believe your data protection rights have been violated.

9.5 Automated Decision-Making

We do not use automated decision-making or profiling as defined by Article 22 of the GDPR. No decisions that produce legal effects or significantly affect you are made solely by automated processing.

9.6 Children's Data

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@nescoder.com and we will delete the data promptly.

10. CCPA Compliance (California Users)

If you are a California resident, the following additional rights apply under the California Consumer Privacy Act:

  • Right to Know: You may request details about what personal information we collect and how it is used.
  • Right to Delete: You may request deletion of your personal information.
  • Right to Opt-Out: We do not sell personal information. No opt-out is necessary.
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or in-app notification.

12. Contact

For privacy-related questions, contact our Data Protection Officer at privacy@nescoder.com.