Privacy Policy

1. Who We Are

toomanyideas is a product of ITQAN Labs, registered in Dubai, UAE. When we say "we", "us", or "our", we mean ITQAN Labs. When we say "you" or "your", we mean you, the user of our service.

Contact: [email protected]

2. Data We Collect

We collect only what is necessary to provide the service:

• Account information: email address and a hashed password (we never store your raw password).
• Project data: project titles, descriptions, tasks, notes, and documents you create within the app.
• Billing data: if you upgrade to a paid plan, Stripe processes your payment. We store your Stripe customer ID and subscription ID — never your card number.
• Usage data: AI generation count and plan type for enforcing usage limits.
• Technical data: server logs may temporarily contain IP addresses and user-agent strings for security purposes. These are not linked to your account.

3. How We Use Your Data

• To provide and maintain the service (authentication, project storage, AI features).
• To process payments via Stripe.
• To send transactional emails (verification, password reset, billing notifications) via Resend.
• To enforce plan limits and prevent abuse.

We do not sell, rent, or share your personal data with third parties for marketing purposes. Ever.

4. Third-Party Services

We use the following third-party processors, limited to what is necessary:

• Stripe — payment processing. Subject to Stripe's Privacy Policy.
• Resend — transactional email delivery. Subject to Resend's Privacy Policy.
• OpenRouter — AI content generation. Prompts sent contain your project data (titles, descriptions) to generate tasks and documents. Subject to OpenRouter's Privacy Policy.

5. Cookies

We use a single, essential session cookie (sid) to keep you logged in. It is:

• HttpOnly (not accessible to JavaScript).
• Not used for tracking or advertising.
• Expires after 7 days or when you log out.

We also store your cookie consent preference and theme choice in your browser's localStorage. These are not cookies and are never sent to our server.

For more details, see our Cookie Policy.

6. Data Retention

• Your account and project data are retained for as long as your account is active.
• If you delete your account, your data is soft-deleted and retained for up to 30 days (for recovery purposes), then permanently purged.
• Server logs are retained for a maximum of 90 days.
• Email logs are retained for a maximum of 12 months.

7. Your Rights

Regardless of where you are located, we provide the following rights to all users:

• Access: You can export all your data at any time from the Settings page.
• Rectification: You can update your account information from within the app.
• Deletion: You can permanently delete your account from the Settings page.
• Portability: Data export is available in JSON format.
• Objection: You can contact us to object to any processing.

For GDPR-specific rights (EU/EEA residents) and CCPA rights (California residents), see our Data Rights page.

8. Security

We take reasonable measures to protect your data, including:

• Passwords are hashed using bcrypt with a cost factor of 10.
• All connections are encrypted via HTTPS/TLS.
• Session tokens are cryptographically random.
• Sensitive operations require re-authentication.

No system is 100% secure. If you discover a vulnerability, please email us at [email protected].

9. Children's Privacy

toomanyideas is not intended for users under the age of 16. We do not knowingly collect data from children. If we learn we have collected data from a child under 16, we will delete it promptly.

10. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you via email or an in-app notice. The "Last updated" date at the top reflects when the latest changes were made.

11. Contact

For privacy-related questions, data requests, or concerns:

ITQAN Labs
Dubai, United Arab Emirates
[email protected]