Privacy Policy

At Spartan9, we believe privacy is a fundamental right, not a feature. Tenacio is built with a privacy-first approach: we collect only what is necessary to provide the service, we do not track you, and we do not sell or share your data with advertisers. This Privacy Policy explains exactly what data we collect, why we collect it, and how we protect it.

Information We Collect

We collect the minimum information necessary to provide and secure the service:

Account Information

  • Name and email address — provided during registration, used to identify your account and communicate with you
  • Password — stored as a one-way hash using BCrypt; we cannot see or retrieve your password

Preferences

  • Time zone, currency, working days, week start/end days, and time block duration — used to personalise the application to your workflow

Content You Create

  • Projects, tasks, time blocks, journal entries, reminders, domains, and activities — this is the core data you create and manage within the application

Security Information

  • IP addresses — recorded at sign-in and during failed login attempts for security monitoring and account protection
  • Failed login attempts — tracked to detect and prevent brute-force attacks

Payment Information

  • Payment processing is handled entirely by Stripe. Your credit card details are never sent to or stored on our servers. We retain only a Stripe customer identifier to manage your subscription.

What We Do Not Collect

We want to be explicit about what we do not do:

  • We do not use analytics or tracking tools (no Google Analytics, no tracking pixels, no fingerprinting)
  • We do not serve advertisements or share data with advertisers
  • We do not build behavioural profiles or perform targeted advertising
  • We do not sell, rent, or trade your personal data to any third party
  • We do not embed third-party scripts that track your browsing behaviour

How We Use Your Information

We use your information solely to:

  • Provide, operate, and maintain the Tenacio application
  • Process your subscription and manage billing through Stripe
  • Send you transactional emails (account verification, password resets, invitations, and optional daily/weekly summary emails)
  • Protect your account through security measures such as rate limiting and account lockout after repeated failed login attempts
  • Maintain application logs for troubleshooting and security monitoring

We do not send marketing emails. All emails are directly related to your use of the service.

Third-Party Services

We use only two third-party services, both strictly necessary for the operation of Tenacio:

  • Stripe — processes payments and manages subscriptions. Your payment details are handled directly by Stripe and never pass through our servers.
  • Postmark — delivers transactional emails (account verification, password resets, and optional summary emails). We share only your email address and name with Postmark for the purpose of delivering these emails.

We do not use any analytics, advertising, or data processing services beyond those listed above.

Cookies and Sessions

Tenacio uses a single session cookie to keep you signed in. This cookie:

  • Is marked HttpOnly (not accessible to JavaScript)
  • Is marked Secure in production (transmitted only over HTTPS)
  • Uses SameSite=Lax to prevent cross-site request forgery
  • Expires after 24 hours of inactivity by default

We do not use tracking cookies, third-party cookies, or any form of cross-site tracking.

Data Security

We implement multiple layers of security to protect your data:

  • Passwords are hashed using BCrypt with a high cost factor and are never stored in plain text
  • Sessions are cryptographically signed and secured as described above
  • CSRF protection is enforced on all state-changing requests
  • Rate limiting is applied to login attempts, registration, and password resets to prevent abuse
  • Sensitive data (journal content, client names, financial information, email addresses, and Stripe identifiers) is redacted from application logs
  • Security tokens (email verification, password reset) are hashed before storage and expire automatically
  • HTTPS is enforced in production for all connections

Your Rights and Choices

You have full control over your data:

  • Access and correct your personal data at any time through your account preferences
  • Export your data in a portable JSON format, including all projects, tasks, time blocks, journal entries, and reminders
  • Delete your account and all associated data permanently from within the application. This also cancels any active Stripe subscription immediately.
  • Opt out of summary emails by adjusting your notification preferences

For any other requests regarding your personal data, please contact us by email.

Data Retention

We retain your personal data for as long as your account is active. When you cancel your account, all of your data is permanently deleted, including your projects, tasks, time blocks, journal entries, reminders, domains, and activities. This deletion is immediate and irreversible.

Security logs (IP addresses associated with sign-in and failed login attempts) are retained as part of your account record and are deleted when your account is cancelled.

Children's Privacy

Tenacio is not intended for children under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete the information as soon as possible.

Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), our legal basis for processing your personal data is:

  • Contract performance — processing necessary to provide the Tenacio service you have signed up for
  • Legitimate interests — security monitoring (IP logging, failed login tracking, rate limiting) to protect your account and our service
  • Consent — where you have opted in to receive summary emails
  • Legal obligation — where required by applicable law

Disclosure of Data

We may disclose personal data only in the following circumstances:

  • To comply with a legal obligation
  • To protect and defend our rights or property
  • To prevent or investigate possible wrongdoing in connection with the service
  • To protect the personal safety of users of the service or the public

We will never voluntarily disclose your data to third parties for commercial purposes.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page. We encourage you to review this policy periodically.

Contact Information

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us by email.

This Privacy Policy was last updated on 7 February, 2025.