Privacy Policy
The short version
Combobulato collects what it needs to work as a note-sharing app, nothing more. We tell you what that is (this page). We don't sell your data or run ads today. If that changes — or anything else on this page changes — we'll tell you, and you'll be asked to opt in before it applies to you.
Who we are
Combobulato is run by Dan Hughes, operating from the United Kingdom. If you need to reach us about anything on this page, email dan@combobulato.com. We're the data controller for everything described below under UK GDPR.
What we collect
When you use Combobulato, the following data exists about you:
Account data. Your email address, your chosen display name, your handle, a hashed (non-reversible) form of your password, and the date you joined.
Content you create. Notes you write, topics you tag them with, comments you post, wishlists and items you add, to-do lists and their items, pledges you make, and the circles you create or join.
Relationships. Who you share notes with, which circles you belong to, who you mention, who pledges what.
Technical data. Your IP address (in server logs, for security and debugging), session cookies that keep you signed in, and basic interaction data that helps us keep the service working.
Push notification tokens (if you opt in on mobile). A device token issued by Apple (or Google, in future) that lets us send notifications to your device. The token identifies the device, not you personally, but is linked to your account on our side.
We don't collect any special-category data (health, political views, biometrics, etc.), but when you include this sort of information yourself, for example in your notes, it's stored like any other content.
Why we collect it
To run the service. That means: signing you in, showing you your notes and the notes shared with you, sending notifications when someone interacts with your content, and keeping logs long enough to debug problems and respond to abuse reports. Legal basis: performance of the contract (providing the service) for most of this; legitimate interest for security logs; consent for push notifications.
Who sees it
Your content is visible to the people you share it with, via circles. Nobody outside those circles can see it through the app.
A few third parties process data on our behalf to make the service work:
- Render (hosts our servers and database, located in Frankfurt, Germany). Sees all data at rest and in transit.
- Postmark (sends transactional email like invites and password resets, US-based with EU routing). Sees the email address and the content of the message we send you.
- Apple Push Notification service (delivers push notifications to iOS devices, US-based). Sees device tokens and notification payloads.
- Namecheap (handles our domain and email forwarding for dan@combobulato.com).
Where data leaves the UK or EU (Postmark, Apple), it's covered by Standard Contractual Clauses and/or equivalent safeguards.
We don't sell your data. We don't share it with advertisers. We don't build profiles for anyone else to use. That's the current state — if it changes, see "When this changes" below.
How long we keep it
While your account exists: we don't auto-delete anything. Your account and notes stay yours until you ask us to delete them — we don't force-expire accounts for inactivity, because a note you made three years ago should still be there when you come back. If you go genuinely quiet for five years (no sign-in), we'll email the address on your account to check you still want it before doing anything.
When you delete your account: we mark it for deletion and purge it within 30 days. A short grace period lets you change your mind. Some records (like audit logs or anti-abuse records) may be kept longer where we have a legal reason to.
Server logs: we keep them for 90 days, then rotate.
Push tokens: removed when you turn off notifications in the app, uninstall, or delete your account.
Your rights
Under UK GDPR, you have the right to:
- See the data we hold about you (request by email).
- Correct anything that's wrong — most of it you can edit directly in the app.
- Delete your account and all associated data.
- Export your content in a portable form (ask us and we'll put something together; we're working on self-serve export).
- Object to how we're processing something, or ask us to restrict processing.
- Complain to the Information Commissioner's Office (ico.org.uk) if you think we've got something wrong. We'd rather hear it first, but it's your call.
Email dan@combobulato.com for any of the above. We aim to respond within 30 days, as the law requires.
When this changes
This page describes what we do right now. When any of the following happens, we'll tell you — by email to your account address — and we'll ask you to opt in to the change before it applies to your data:
- We introduce a new category of third-party processing — for example analytics, advertising, or recommendations — that isn't listed above.
- We start using your data for a purpose not described here.
- We introduce a commercial layer that changes what's collected or how it's used.
Until you opt in, your data keeps being handled under the terms of this page as you accepted it. If you don't opt in, you can keep using Combobulato on the old terms (though this might only be available for a limited period), or you can delete your account.
Small corrections — fixing a typo, naming the same processor more precisely, updating contact details, or swapping one processor for an equivalent one in the same category (for example, moving from one transactional email provider to another with the same safeguards) — don't need your re-consent. Material changes do. We'll always be clear which is which.
Cookies and similar
We use cookies to keep you signed in and to protect forms against cross-site request forgery. We don't use analytics cookies, advertising cookies, or third-party tracking. The cookies we do use are essential — you can't turn them off and still use the service.
Children
Combobulato is not intended for children under 13. We don't knowingly collect data from anyone under 13. If you believe a child has signed up, email us and we'll remove the account.
Contact
Questions, requests, complaints:
Email: dan@combobulato.com
Regulator: ico.org.uk (UK Information Commissioner's Office)
Last updated: 2026-04-19. Previous versions are available on request.