Privacy Policy
Smile Rain (“we,” “us,” “our”) operates the workspace at app.smile-rain.top. This policy explains what personal data we collect, why we collect it, and the rights you can exercise over it.
1. Data we collect
Account data. When you sign in via Google OAuth we receive your email address, display name, and profile photo URL from Google. We never see your Google password.
Content you create. Tasks on the kanban board are stored in your browser’s localStorage on your own device and are not transmitted to our servers. Your account profile (email, display name) is synced to our database on first sign-in.
Encrypted vault. Secrets you store in the Keys feature are encrypted client-side with a key that never leaves your device. We store only the resulting ciphertext and cannot access the underlying content.
Communications. If you subscribe to our newsletter or join a product waitlist, we collect your email address for that purpose. You can withdraw consent and unsubscribe at any time via the link in any email we send you, or by contacting us directly.
Operational data. An authentication session cookie (firebase-auth-token) and anonymous performance telemetry via Vercel Analytics and Speed Insights — page-load timings and page-view counts with no personal identifiers attached.
2. Legal basis for processing (GDPR)
Under GDPR Article 6, we rely on the following lawful bases:
- Performance of contract (Art. 6(1)(b)). We process your account data and session cookie to provide the workspace you signed up for.
- Legitimate interests (Art. 6(1)(f)). We process anonymous performance telemetry to keep the service fast and reliable. This interest is not overridden by your privacy rights given the non-personal nature of the data.
- Consent (Art. 6(1)(a)). We send newsletter and waitlist emails only where you have explicitly opted in. You may withdraw consent at any time by clicking the unsubscribe link in any email or by emailing [email protected]; withdrawal does not affect the lawfulness of processing before withdrawal.
3. Who we share with
We never sell your data. We share the minimum necessary with the following sub-processors, each bound by appropriate data-processing agreements:
- Google LLC (Firebase Authentication, Firestore, FCM). Hosts your account record and processes authentication on our behalf.
- Vercel Inc. (hosting, Analytics, Speed Insights). Serves the application and records anonymous performance metrics.
- Resend Inc. (email delivery). Stores and delivers newsletter and waitlist emails on our behalf. Email addresses you provide for communications are transferred to Resend solely for that purpose.
4. International transfers
Our sub-processors may store or process data in the United States and other countries outside the EU/EEA. Where the GDPR applies, such transfers are safeguarded by the European Commission’s Standard Contractual Clauses (SCCs) and any supplementary measures required by the sub-processor’s transfer impact assessment. Copies of applicable SCCs are available on request.
5. Retention
Account and profile data is retained for as long as your account is active. We delete your Firestore profile within 90 days of a deletion request. Content stored in your browser’s localStorage persists until you clear it from your browser; we have no copy and cannot delete it on your behalf.
Email addresses collected for newsletter or waitlist communications are retained until you unsubscribe or request deletion. We do not retain them beyond 30 days of a deletion request.
6. Your rights
Depending on where you live you may have the right to: access a copy of your data, correct inaccurate data, request erasure, restrict or object to processing, and receive your data in a portable format. You also have the right to withdraw consent at any time where consent is the legal basis (see §2).
EU/EEA/UK residents may lodge a complaint with their local supervisory authority (e.g. the CNIL in France, the ICO in the UK, or the lead authority in your country of residence).
California residents (CCPA/CPRA) have the right to know what personal information we collect, to request deletion, and to opt out of the sale or sharing of personal information. We do not sell or share personal information.
To exercise any right, email [email protected]. We respond within 30 days.
7. Children
Smile Rain is not directed at children under 16 (EU/EEA) or under 13 (United States). We do not knowingly collect personal data from children below these ages. If you believe we have done so, contact us and we will delete the data without undue delay.
8. Security
All data is encrypted in transit using TLS. Authentication is managed by Firebase, which encrypts data at rest. The Keys vault is encrypted client-side; the plaintext never reaches our servers. We restrict access to personal data to personnel who need it to operate the service and review our security posture at least annually.
9. Changes to this policy
We update this page when our data practices change and revise the effective date at the top. For material changes — such as a new category of data or a new legal basis — we will provide advance notice via an in-app announcement at least 14 days before the change takes effect.
10. Contact
Questions, requests, or complaints: [email protected]. For enterprise data-processing terms, see our DPA.