Privacy Policy
Last updated: 14 February 2026
1. Who we are
Tindra Labs is a sole-trader business based in the United Kingdom. For the purposes of data protection law, Tindra Labs is the data controller for the personal data described in this policy.
- Trading name: Tindra Labs
- Country: United Kingdom
- Contact email: privacy@tindralabs.com
2. Scope
This policy applies to all personal data processed by Tindra Labs through:
- Our website at tindralabs.com (the "Website")
- Our self-hosted software product Cloudberry (the "Software")
- Our license management and account services
Cloudberry runs entirely on hardware you control. This policy covers only the limited data that your Cloudberry instance sends to our servers (license validation) and data you provide to us directly (purchases, account registration).
3. Data we collect
3.1 Account registration
When you create a Tindra Labs account, we collect your email address and a hashed password. We use this to authenticate you and manage your licenses.
| Data | Lawful basis | Retention |
|---|---|---|
| Email address | Contract | Until account deletion |
| Hashed password | Contract | Until account deletion |
3.2 License validation
When your Cloudberry instance validates a premium license, it sends the following to our license server:
| Data | Lawful basis | Retention |
|---|---|---|
| License key | Contract | While license is active |
| Randomly generated instance ID | Contract | While license is active |
| Software version number | Legitimate interest | While license is active |
We do not collect your IP address, Apple ID credentials, photos, photo metadata, or any other data from your server during license validation.
3.3 Purchases
Payments are processed by our merchant of record, Lemon Squeezy (Lemon Squeezy LLC, a US company). When you purchase a license, Lemon Squeezy collects your name, email address, billing address, and payment card details. Lemon Squeezy is an independent data controller for payment data — see their privacy policy.
From Lemon Squeezy, we receive: your email address, order ID, product purchased, and subscription status. We do not receive or store your payment card details.
3.4 Website
This website is a static site. We do not use cookies, analytics, tracking pixels, or any third-party scripts that collect visitor data. We do not process server access logs for analytics purposes.
3.5 Support communications
If you contact us by email, we retain your email address and the content of the communication for the purpose of responding to your query. Lawful basis: legitimate interest. Retention: up to 24 months after the last communication, unless required longer for legal purposes.
4. Data we do NOT collect
Cloudberry is self-hosted software. The following data never leaves your server and is never transmitted to Tindra Labs:
- Your Apple ID credentials (stored locally on your server, encrypted at rest)
- Your photos, videos, or live photos
- Photo metadata (EXIF data, GPS coordinates, camera information)
- Album names and organisation
- Usage analytics or telemetry
- IP addresses
- Device fingerprints or advertising identifiers
5. How we use your data
We process personal data for the following purposes:
- Account management — to create and maintain your account, authenticate you, and manage your licenses
- License validation — to verify your license is valid and within activation limits
- Order fulfilment — to deliver license keys and process subscription changes
- Support — to respond to your queries and troubleshoot issues
- Legal compliance — to meet tax, accounting, and regulatory obligations
We do not use your data for profiling, automated decision-making, direct marketing, or selling to third parties.
6. Lawful bases for processing (UK & EU GDPR)
We rely on the following lawful bases under the UK GDPR and EU GDPR:
- Performance of a contract (Art. 6(1)(b)) — processing necessary to provide you with a license, account, or support
- Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, and improving our services, balanced against your rights
- Legal obligation (Art. 6(1)(c)) — tax records, regulatory compliance
7. Data sharing and third parties
We share personal data only with the following categories of recipients:
| Recipient | Purpose | Location |
|---|---|---|
| Lemon Squeezy LLC | Payment processing, merchant of record | United States |
| Infrastructure providers (hosting) | License server and account API hosting | EU (AWS eu-west region) |
We do not sell, rent, or trade your personal data to any third party. We do not share data with data brokers or advertising networks.
8. International data transfers
Our license server is hosted in the EU (AWS eu-west). When you make a purchase, your payment data is processed by Lemon Squeezy in the United States. This transfer is protected by:
- The EU-US Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs, as applicable
Where we rely on Lemon Squeezy as merchant of record, they act as an independent data controller for payment processing and maintain their own safeguards for international transfers.
9. Data retention
- Account data — retained until you delete your account or request deletion
- License records — retained while your license is active, then deleted within 30 days of cancellation and deletion request
- Purchase records — retained for 7 years to meet UK tax and accounting obligations (HMRC requirements)
- Support emails — retained for up to 24 months after the last communication
10. Data security
We implement appropriate technical and organisational measures to protect your data, including:
- Passwords are hashed using industry-standard algorithms (bcrypt) and never stored in plain text
- All data in transit is encrypted using TLS 1.2 or higher
- Access to production systems is restricted and protected by multi-factor authentication
- Regular security reviews of our infrastructure and codebase
11. Your rights under UK and EU GDPR
If you are in the United Kingdom or European Economic Area, you have the following rights under the UK GDPR / EU GDPR:
- Right of access (Art. 15) — request a copy of the personal data we hold about you
- Right to rectification (Art. 16) — request correction of inaccurate data
- Right to erasure (Art. 17) — request deletion of your personal data ("right to be forgotten")
- Right to restriction (Art. 18) — request that we limit processing of your data
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interests
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent, withdraw it at any time
To exercise any of these rights, email us at privacy@tindralabs.com. We will respond within 30 days (or one calendar month, as required by law). We may ask for proof of identity before processing your request.
You also have the right to lodge a complaint with your local data protection authority:
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- EU: Your national data protection authority — list of EU DPAs
12. Your rights under US state privacy laws
If you are a resident of a US state with a comprehensive privacy law (including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia), you may have additional rights including:
12.1 California (CCPA / CPRA)
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, California residents have the right to:
- Know what personal information we collect, use, and disclose
- Delete personal information we hold about you
- Correct inaccurate personal information
- Opt out of sale or sharing — we do not sell or share your personal information as defined by the CCPA/CPRA
- Non-discrimination — we will not discriminate against you for exercising your rights
Categories of personal information collected in the past 12 months:
| Category | Examples | Sold? |
|---|---|---|
| Identifiers | Email address, account ID | No |
| Commercial information | Purchase history, license keys | No |
We do not collect sensitive personal information, biometric data, geolocation data, or internet browsing history. We do not use personal information for cross-context behavioural advertising.
12.2 Other US states
Residents of Colorado, Connecticut, Virginia, and other states with comprehensive privacy laws have similar rights to access, delete, correct, and opt out. To exercise these rights, contact us at privacy@tindralabs.com. We will respond within the timeframe required by your state's law (typically 45 days). You may appeal our decision by replying to our response.
13. Children's privacy
Our services are not directed at children under the age of 16 (or 13 in the United States). We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us at privacy@tindralabs.com and we will promptly delete it.
14. Cookies and local storage
The Website (tindralabs.com) does not use analytics, advertising, or third-party cookies. We use only the following strictly necessary cookies and browser storage:
| Name | Type | Purpose | Duration |
|---|---|---|---|
| tl_session | Cookie | Keeps you logged in to your account | 30 days |
| i18nextLng | localStorage | Remembers your language preference | Persistent |
| cookieConsent | localStorage | Stores your cookie banner choice | Persistent |
All of the above are strictly necessary for the website to function and do not require consent under UK PECR regulation 6(4) or EU ePrivacy Directive Article 5(3). We display a cookie banner for transparency purposes.
Your Cloudberry instance, running on your own server, may use localStorage or sessionStorage in your browser for authentication and preferences. This data never leaves your server and is not accessible to Tindra Labs.
15. Changes to this policy
We may update this privacy policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Your continued use of our services after changes are posted constitutes your acceptance of the updated policy.
16. Contact
For any privacy-related questions, data access requests, or complaints, contact us at:
- Email: privacy@tindralabs.com
- Website: tindralabs.com
We aim to resolve all privacy queries directly. If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office or your local data protection authority.