Privacy Policy

Effective date: 3 April 2025  ·  Controller jurisdiction: Ireland

Overview

Tidy ("we", "us", "our") is the data controller for personal data collected through tidy.ing. We are committed to protecting your privacy and handling your data in an open and transparent manner, in accordance with the EU General Data Protection Regulation (GDPR) and applicable Irish data protection law.

This policy explains what data we collect, why we collect it, how we use and protect it, and what rights you have. If you have questions, contact us at hello@tidy.ing.

1. Data We Collect

We collect different data depending on how you use Tidy:

Free Scan (no account required)

Category | Data | Purpose
X handle | The @handle you submit | Perform the public scan; generate the report
Scan result | Score, regret %, noise level, estimates | Return results; power shareable report URL
IP address (transient) | Hashed; not stored beyond the request | Rate limiting; abuse prevention

Paid Account

Category | Data | Purpose
Email address | Provided at signup | Account login; billing receipts; service notifications
X OAuth token | Encrypted access token from X's OAuth flow | Authenticate requests to X API on your behalf
X account data | Posts, replies, reposts, followers, following | Deliver cleanup features you request
Billing data | Handled by Lemon Squeezy (we see order ID, amount, status only) | Payment processing; invoicing
Usage data | Tweet/follow counts processed per billing cycle | Calculate usage-based charges

All Users

Category | Data | Purpose
Analytics | Anonymous page views, scan counts (no cookies) | Understand usage; improve the Service
Error logs | Anonymised stack traces | Debug and improve reliability

3. X OAuth & Data Access

When you connect your X account, X issues Tidy an OAuth access token. We use this token only to execute actions you initiate within the Tidy interface (reading posts, analysing engagement, deleting selected posts). We never receive your X password.

OAuth tokens are encrypted using AES-256 at rest in our database and transmitted exclusively over HTTPS. We store only the scopes you have authorised; no additional permissions are requested.

You can revoke Tidy's access at any time in your X account settings under Settings → Security → Connected apps. Revoking access disables paid features but does not delete your Tidy account data; contact us to request full deletion.

4. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We share data only with the following sub-processors where necessary to deliver the Service:

  • X Corp. — We send API requests to X's platform on your behalf. X's own Privacy Policy governs X's use of data.
  • Lemon Squeezy. — Our payment processor and merchant of record. They receive your name, email, and payment details to process transactions. See their Privacy Policy.
  • Hosting & infrastructure providers. — Cloud infrastructure providers that process data on our behalf under data processing agreements with appropriate safeguards. Servers are located within the EU/EEA.

We may disclose data if required by law, court order, or regulatory authority, or where necessary to protect the rights, safety, or property of Tidy or others.

5. Data Retention

  • Free scan results. Retained for 30 days to power shareable report links, then permanently deleted.
  • Email address. Retained for the lifetime of your account. Deleted within 30 days of account closure.
  • OAuth token. Retained until you revoke access or close your account. Immediately deleted upon either event.
  • X account data. Cached for up to 24 hours to improve performance. Not retained beyond this window unless you explicitly save a report.
  • Billing records. Retained for 7 years as required by Irish tax law.

6. Cookies

Tidy uses essential cookies only. We do not use advertising, cross-site tracking, or third-party analytics cookies.

  • Session cookie. Used to maintain your authenticated session on paid accounts. Expires when you close the browser or log out.
  • CSRF token. A security cookie to prevent cross-site request forgery. Expires with the session.

No cookie consent banner is required because we only set strictly necessary cookies. You can disable cookies in your browser settings, but this will prevent login.

7. Security

We apply industry-standard technical and organisational measures to protect your data:

  • All data in transit is encrypted with TLS 1.2+
  • OAuth tokens are encrypted at rest with AES-256
  • Database access is restricted to authenticated application services
  • Access to production systems is limited to authorised personnel via MFA-protected credentials
  • Dependencies are monitored for known vulnerabilities

No method of transmission over the internet is 100% secure. If you discover a security vulnerability, please report it responsibly to hello@tidy.ing.

8. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data. To exercise any of them, email hello@tidy.ing. We will respond within 30 days.

  • Access. Request a copy of the personal data we hold about you.
  • Rectification. Correct inaccurate or incomplete data.
  • Erasure. Request deletion of your data where we have no legal obligation to retain it.
  • Restriction. Ask us to pause processing while a dispute is resolved.
  • Portability. Receive your data in a structured, machine-readable format.
  • Objection. Object to processing based on legitimate interests.
  • Withdraw consent. Where processing is consent-based, withdraw at any time without affecting prior processing.

You also have the right to lodge a complaint with the Irish Data Protection Commission at dataprotection.ie or with the supervisory authority in your EU member state.

9. Children

The Service is not directed at persons under 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify paid account holders by email and post a notice on the Service at least 14 days before the changes take effect. The updated policy will always be available at tidy.ing/privacy.