tikable Privacy Policy
Version 1.1 - Effective Date: 1 February 2026
This document is provided in English only. tikable is governed by the laws of England and Wales, and the English language version of this document is the sole legally binding version.
1. Introduction
tikable ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal information when you use the tikable service. tikable is operated from England and Wales, United Kingdom.
By using tikable, you agree to the collection and use of information in accordance with this policy. This policy should be read alongside our Terms & Conditions.
2. Information We Collect
2.1 Information You Provide
When you register for and use tikable, we collect:
- Account information: your name, email address, and password (encrypted)
- Organisation information: organisation name, industry, business areas, and business functions
- Profile information: your default business area and function preferences
- Content you create: lists, items, updates, descriptions, and comments
- Communications: messages you send to us via support channels
2.2 Information Collected Automatically
When you use tikable, we automatically collect:
- Log data: IP address, browser type, operating system, referring URLs, and access timestamps
- Usage data: features used, pages visited, and actions taken within the application
- Device information: device type, screen resolution, and browser version
2.3 Payment Information
Payment processing is handled entirely by Stripe. We do not store your credit card number, bank account details, or other payment credentials on our servers. Stripe may collect and store payment information in accordance with their own privacy policy. We receive only confirmation of payment status and a customer reference from Stripe.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the tikable service
- Authenticate your identity and manage your account
- Process subscription payments and manage billing
- Send service-related communications including account notifications, usage alerts, and security alerts
- Respond to your support requests and enquiries
- Monitor service performance, diagnose technical issues, and improve the application
- Enforce our Terms & Conditions and protect against misuse
- Comply with legal obligations
We do not use your information for profiling, automated decision-making, or targeted advertising.
4. Legal Basis for Processing (UK GDPR)
We process your personal information under the following legal bases:
- Contract: Processing necessary to provide the tikable service you have signed up for (account management, content storage, billing)
- Legitimate interests: Service improvement, security monitoring, and fraud prevention, where these interests do not override your rights
- Legal obligation: Where we are required to process data by law (e.g. financial records, law enforcement requests)
- Consent: Where you have given explicit consent (e.g. optional marketing communications, if offered in future)
5. Information Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:
- Service providers: We use third-party services that process data on our behalf, including Supabase (database and authentication), Stripe (payment processing), Resend (transactional email), and Amazon Web Services (hosting). These providers are contractually obligated to protect your data and use it only for the services they provide to us.
- Within your organisation: Other members of your tikable organisation can see your name, email address, and content you create within shared lists. External users can only see items explicitly shared with them.
- Legal requirements: We may disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business transfer: If tikable is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
6. Cookies, Local Storage, and Tracking Technologies
6.1 What We Use
tikable uses browser local storage (not traditional cookies) to operate the application. We do not use advertising cookies, social media tracking pixels, or third-party analytics services.
6.2 Local Storage
We store the following data in your browser's local storage. This data remains on your device and is not transmitted to third parties:
- Authentication tokens (token, refreshToken): Keep you signed in between page loads. Removed on logout.
- User profile (user): Your basic account information (name, email, role) to avoid repeated server requests. Removed on logout.
- Language preference (tikable_language): Your chosen display language (e.g. en-GB). Persists until you change it.
- Invitation token (pendingInviteToken): Temporarily stored when you arrive via a team invitation link. Removed after signup.
6.3 Server-Side Cookies
tikable does not set any server-side cookies. Our authentication system uses bearer tokens transmitted in request headers, not cookies.
6.4 Third-Party Cookies
When you interact with Stripe for payment processing, Stripe may set its own cookies in accordance with their privacy policy. These cookies are controlled by Stripe and are subject to their terms. We have no access to or control over these cookies.
6.5 Managing Stored Data
You can clear all tikable local storage data at any time through your browser settings (typically under "Site Data" or "Storage"). Clearing this data will sign you out and reset your language preference. It will not affect your account or any data stored on our servers.
6.6 Do Not Track
tikable does not track users across third-party websites and does not respond to Do Not Track (DNT) browser signals, as we do not engage in the type of tracking that DNT is designed to prevent.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal information, including:
- All data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
- Passwords are hashed using industry-standard algorithms and are never stored in plain text
- Authentication tokens expire and are refreshed automatically
- Database access is restricted and monitored
- Our infrastructure is hosted on secure, reputable cloud platforms
While we take reasonable steps to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.
8. Data Retention
- Active accounts: We retain your information for as long as your account is active and the service is in use.
- Cancelled subscriptions: Your account reverts to the free plan and your data is retained for 12 months, during which you can continue using the service within free plan limits or resubscribe to restore full access.
- Inactive free accounts: Free plan accounts not accessed by any user for 12 consecutive months may be deleted after 30 days’ written notice to the organisation administrator.
- Account deletion: When you or your organisation administrator requests account deletion, your data enters a 30-day grace period before permanent removal. During this period, deletion can be reversed.
- Legal requirements: We may retain certain information for longer periods where required by law (e.g. financial transaction records).
9. Your Rights
Under UK data protection law (UK GDPR), you have the following rights:
- Right of access: Request a copy of the personal information we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data. You can update most information directly in your profile settings.
- Right to erasure: Request deletion of your personal data, subject to our legal obligations to retain certain records
- Right to restrict processing: Request that we limit how we use your data in certain circumstances
- Right to data portability: Request your data in a structured, machine-readable format. tikable supports CSV export of your lists and items.
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, contact us at privacy@tikable.com. We will respond to your request within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
10. International Data Transfers
Our service providers may process data outside the United Kingdom. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK government, or transfers to countries with an adequate level of data protection as determined by the UK Secretary of State.
11. Children's Privacy
tikable is a business-to-business service and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a minor, we will take steps to delete that information promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the application or by email. The "Effective Date" at the top of this page indicates when the policy was last revised. Your continued use of tikable after changes are posted constitutes acceptance of the updated policy.
13. Contact Us
For questions about this Privacy Policy, your personal data, or our privacy practices, contact us at:
privacy@tikable.com