Tagenda

Privacy Policy

Last updated: 2026-05-10

This policy explains what personal data Tagenda collects, why, and how it is processed. It applies to the Tagenda web application at usetagenda.com.

1. Data controller

The data controller is Giulia Galli (NIE 0Y2349253R), based in Arrecife, Spain. For privacy questions, contact support@usetagenda.com.

2. What we collect

Account data

Email address — for sign-in, transactional emails, and account recovery.
Password (hashed) — stored using bcrypt; we cannot read or recover your plaintext password.
Google account ID — only if you sign in via Google. We do not access your Gmail or other Google data.

Content you forward

Forwarded email content — when you forward booking-related emails to your unique Tagenda inbound address, we store the sender, subject, date, and body of those emails so you can view them in the app.

Billing data

Stripe customer ID — a reference to your customer record in Stripe. We do not store your card number, CVC, or full payment details. These are handled directly by Stripe.

Usage data

Server logs — IP address, user-agent, request paths, and timestamps, retained for up to 30 days for security and debugging.

3. Legal basis for processing (GDPR Art. 6)

Performance of a contract — to provide the Service you signed up for, including processing forwarded emails and managing your subscription.
Legitimate interest — for security logging, fraud prevention, and improving the Service.
Consent — for any optional processing where we explicitly ask for it.
Legal obligation — to retain billing records as required by Spanish tax law.

4. Third-party processors

We rely on the following providers to operate the Service. Each is bound by their own privacy and data-processing agreements:

Fly.io — application hosting (server and database). Region: EU (Paris).
Cloudflare — DNS, CDN, and inbound email routing. Forwarded emails pass through Cloudflare Email Routing before reaching our server.
Stripe — payment processing for paid subscriptions. Stripe receives your email, billing details, and card data directly.
Resend — sending transactional emails (password reset, recurring-event reminders).
Anthropic — AI processing for email summaries, gap detection, and routing. When you use these features, the relevant email content is sent to Anthropic's API. Anthropic does not use this data to train its models (per their commercial terms).
Google — only if you choose to sign in with Google (OAuth identity verification).

Some providers process data outside the EU. Where this is the case, transfers are governed by the European Commission's Standard Contractual Clauses or equivalent safeguards.

5. How long we keep your data

Account and content data — for as long as your account is active.
After account deletion — we delete your account, events, and forwarded emails within 30 days, except for billing records, which we retain for 5 years to comply with Spanish accounting law.
Server logs — up to 30 days.

6. Your rights (GDPR)

Under EU data protection law you have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — correct inaccurate data.
Erasure — delete your account and associated data ("right to be forgotten").
Portability — receive your data in a structured, machine-readable format.
Restriction or objection — limit or object to certain processing.
Withdraw consent — where processing is based on consent.

To exercise any of these rights, email support@usetagenda.com. We respond within 30 days.

You also have the right to lodge a complaint with the Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD).

7. Cookies and local storage

Tagenda uses browser localStorage to keep you signed in (storing a JWT token), remember your category preference, and cache event data for offline use. When you sign in with Google, we briefly set a single secure, httpOnly cookie (_g_auth) to complete the sign-in handshake; it expires within 60 seconds and is removed as soon as you are signed in. These are strictly necessary to operate the Service. We do not use third-party tracking cookies, advertising cookies, or analytics that profile users.

8. Security

We protect your data with TLS in transit, bcrypt password hashing, signed JWT tokens, and access controls. No system is perfectly secure; if we ever experience a data breach affecting your data, we will notify you and the relevant authority within 72 hours of becoming aware, as required by GDPR.

9. Staff access

Authorized personnel may access your account data and forwarded email content only when strictly necessary to provide support or investigate a technical issue you report. Such access is limited, logged, and not used for any other purpose.

10. Changes

We may update this policy from time to time. We'll update the "Last updated" date above and, for material changes, notify you by email.

11. Contact

Privacy questions or requests: support@usetagenda.com.