Privacy Policy

Last Updated: October 31, 2025

Introduction

I'm Tom Spetter, and I operate ChainOfDots, a habit tracking application based in British Columbia, Canada. I'm committed to protecting your privacy and being transparent about how I collect, use, and safeguard your personal information.

This Privacy Policy explains my practices in accordance with the General Data Protection Regulation (GDPR), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable privacy laws.

Information I Collect

Account Information

  • Email Address: Required for account creation, login, and communication
  • Password: Securely hashed using bcrypt (I cannot see your password)

Habit Data

  • Habit Names: Encrypted with AES-256-CBC before storage
  • Completion Dates: Stored to track your habit progress
  • Color Preferences: Visual customization settings
  • Sort Order: Your preferred habit display order

Technical Data

  • Session Cookies: Required for login authentication (HTTP-only, secure)
  • Cookie Consent Preferences: Stored locally in your browser
  • Analytics (Optional): Privacy-focused usage statistics via Umami (only if you consent)

How I Protect Your Data

Encryption

Your habit names are encrypted with AES-256-CBC using a unique encryption key per user. This means:

  • Even if my database is compromised, your habit names remain encrypted
  • Each user's data is encrypted with a different key
  • I cannot read your encrypted habit names without the master encryption key (which is stored securely in environment variables, not in the codebase)

Password Security

Passwords are hashed using bcrypt, a one-way cryptographic hash function. I cannot retrieve or view your password.

Session Security

  • HTTP-only cookies (cannot be accessed by JavaScript)
  • SameSite=Strict (CSRF protection)
  • Secure flag on HTTPS connections
  • 1-hour inactivity timeout

Rate Limiting

Login attempts are rate-limited (maximum 5 failed attempts before 15-minute lockout) to prevent brute-force attacks.

How I Use Your Information

I use your information solely for:

  • Account Authentication: To verify your identity and provide access to your habit data
  • Application Functionality: To store and display your habit tracking data
  • Email Verification: To verify your email address during registration
  • Password Resets: To send password reset codes when requested
  • Analytics (Optional): To understand how users interact with the app (only with your consent)

I do NOT: Send marketing emails, sell your data, or contact you for upselling purposes. This is a personal project with no commercial intent.

Third-Party Services

Brevo (Email Service)

I use Brevo to send transactional emails (email verification codes and password reset codes). Brevo receives:

  • Your email address
  • Verification or reset codes

Brevo does NOT receive your habit data, passwords, or any other personal information.

Note for Self-Hosters: Email functionality can be disabled by setting EMAIL_ENABLED = false in the configuration.

Umami Analytics (Optional)

With your consent, I use Umami for privacy-focused analytics. Umami:

  • Does not collect personally identifiable information
  • Does not use cookies for tracking
  • Does not track users across websites
  • Collects aggregate usage statistics only

You can opt out via the cookie consent banner or by using an ad blocker.

Cookies

Essential Cookies (Always Active)

  • PHP Session Cookie (PHPSESSID): Required for login authentication. Deleted when you close your browser.

Optional Cookies

  • Umami Analytics: Privacy-focused analytics (only if you accept via the cookie consent banner)

Your Data Rights

Under GDPR and PIPEDA, you have the following rights:

Right to Access

You can view all your data at any time within the application.

Right to Data Portability

Export your data in CSV or JSON format using the "Export Data" feature in the app.

Right to Erasure ("Right to be Forgotten")

Delete your account and all associated data using the "Delete Account" feature in account settings. Data is:

  • Immediately deleted from the active database
  • Removed from backups within 14 days (automatic backup rotation)

Right to Rectification

Update or correct your habit data at any time within the application.

Right to Opt-Out of Analytics

Choose "Essential Only" in the cookie consent banner or use an ad blocker to disable Umami analytics.

Data Retention

  • Account Data: Retained while your account is active
  • Deleted Accounts: Immediately removed from active database; backups deleted within 14 days
  • Verification Codes: Automatically deleted after 15 minutes
  • Session Data: Deleted after 1 hour of inactivity or when you log out
  • Login Attempts: Rate limiting data cleared after 15 minutes

International Data Transfers

ChainOfDots is hosted in Canada. Your data is stored on servers located in Canada and subject to Canadian privacy laws (PIPEDA). If you are accessing the service from outside Canada, please be aware that your information may be transferred to, stored, and processed in Canada.

Self-Hosted Instances

ChainOfDots is open-source and can be self-hosted. If you run your own instance:

  • You are the data controller and responsible for compliance with privacy laws
  • This privacy policy applies to the official ChainOfDots instance only
  • Self-hosters should create their own privacy policy
  • Email features (Brevo) can be disabled if not needed

Children's Privacy

ChainOfDots is not intended for children under 13 years of age. I do not knowingly collect personal information from children under 13. If I become aware that I have collected personal information from a child under 13, I will take steps to delete that information.

Changes to This Privacy Policy

I may update this Privacy Policy from time to time. The "Last Updated" date at the top of this page will reflect when changes were made. I encourage you to review this Privacy Policy periodically. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact Me

If you have any questions about this Privacy Policy or my privacy practices, please contact me:

Tom Spetter Design

Email: info@chainofdots.com

Location: British Columbia, Canada

Supervisory Authority

If you are located in the European Union or Canada and believe I have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority:

  • EU: Contact your local Data Protection Authority
  • Canada: Office of the Privacy Commissioner of Canada (www.priv.gc.ca)