Privacy Policy
Last updated: March 25, 2026
1. Introduction
Togoal ("we", "our", or "us") operates the togoal.co website and related services (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
We are committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data We Collect
We collect the following categories of personal data:
2.1 Account Information
- Email address
- Username and display name
- Profile picture (if uploaded)
- Password (stored as a secure hash, never in plain text)
2.2 Profile and Content Data
- Links you create and their associated metadata
- Bio and profile customization settings
- Social media icons and URLs
- Appearance and theme preferences
- Uploaded images and media files
2.3 Analytics and Usage Data
- Page views and link click events
- Approximate geographic location (derived from IP address; we store a hashed IP, not the raw address)
- Device type, browser, and operating system
- Referrer information (traffic source)
- Session identifiers for deduplication
- UTM campaign parameters (if present)
2.4 Subscriber Data
If you use our email collection features, we store subscriber emails and names on your behalf. You are the data controller for your subscribers' data.
3. How We Use Your Data
We use collected data for the following purposes:
- Service delivery: To create and maintain your account, display your public profile, and manage your links
- Analytics: To provide you with insights about your profile's performance (views, clicks, traffic sources)
- Security: To detect and prevent fraud, click manipulation, and unauthorized access
- Communication: To send essential account notifications (password resets, security alerts)
- Improvement: To analyze usage patterns and improve our Service
4. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- Contract performance: Processing necessary to provide the Service you signed up for
- Legitimate interests: Analytics, security, fraud prevention, and service improvement
- Consent: Marketing cookies and optional analytics tracking (which you can opt out of)
- Legal obligation: Where we are required by law to retain certain data
5. Cookies and Tracking
We use the following types of cookies:
- Essential cookies: Required for authentication and core functionality (session tokens, CSRF protection)
- Analytics cookies: Help us understand how visitors interact with profiles (page views, click tracking)
- Preference cookies: Store your theme preference (dark/light mode) and cookie consent choice
You can manage your cookie preferences at any time through the cookie consent banner shown on your first visit. Essential cookies cannot be disabled as they are necessary for the Service to function.
6. Data Sharing and Disclosure
We do not sell your personal data. We may share data with:
- Infrastructure providers: Vercel (hosting), Neon (database) — to operate the Service
- Legal authorities: When required by law, court order, or to protect our legal rights
- Public profile visitors: Your display name, bio, avatar, links, and social icons are publicly visible by design
7. Data Retention
- Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
- Analytics events: Retained based on your plan (Free: 28 days, Starter: 90 days, Pro: 365 days, Premium: indefinitely). Aggregated statistics may be retained longer.
- Hashed IP addresses: Retained with analytics events for fraud detection purposes.
- Subscriber data: Retained until you delete the subscriber or your account.
8. Your Rights (GDPR)
Under the GDPR and applicable data protection laws, you have the following rights:
- Right of access: Request a copy of all personal data we hold about you
- Right to rectification: Correct inaccurate or incomplete personal data
- Right to erasure: Request deletion of your personal data ("right to be forgotten")
- Right to data portability: Receive your data in a structured, machine-readable format (JSON/CSV export available in account settings)
- Right to object: Object to processing based on legitimate interests
- Right to restrict processing: Request limitation of processing in certain circumstances
- Right to withdraw consent: Withdraw consent for cookie tracking at any time
To exercise any of these rights, you can use the data export feature in your account settings or contact us at privacy@togoal.co. We will respond within 30 days.
9. Data Security
We implement industry-standard security measures to protect your data:
- Passwords are hashed using bcrypt with appropriate work factors
- All data is transmitted over HTTPS with TLS encryption
- Access to the database is restricted, and the database is encrypted at rest
- Two-factor authentication (2FA) is available for additional account security
- Rate limiting on authentication endpoints to prevent brute-force attacks
- IP addresses are hashed before storage for privacy
10. International Data Transfers
Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place, including standard contractual clauses where required by GDPR.
11. Children's Privacy
Our Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or through a notice on the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at:
- Email: privacy@togoal.co
- Website: togoal.co
You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated.