TAMID ON TOUR

Privacy Policy

Last updated: May 19, 2026

By using Tamid on Tour, you agree to this policy.

What We Collect

  • Account information — name, email, date of birth, role, department. Used for your profile and crew roster.
  • Wellness data — mood check-ins, sleep logs, hydration, journal entries, breathing sessions. This is your most private data and is protected by our Three-Tier Framework (see below).
  • Usage analytics — feature opens, page views, session duration. First-party only (our own Supabase tables). No third-party tracking scripts, pixels, or advertising SDKs.
  • Nox conversations — messages between you and Nox are stored to maintain conversation context. Nox uses Anthropic Claude to generate responses.
  • Tour data — schedules, venues, hotels, expenses, guest lists. Shared with your tour crew as part of normal tour operations.

How We Use It

  • App functionality — your data powers the features you use: schedule countdowns, mood trends, road tools, crew chat.
  • Nox personalization — Nox uses your mood history, sleep patterns, tour schedule, and conversation history to provide contextual responses. Nox never shares individual data with other users or management.
  • Aggregate insights — managers see anonymous, aggregate wellness data only (e.g., “3 crew members reported drained today”). Individual check-ins, journal entries, and personal data are never visible to managers.

Three-Tier Data Framework

Tier 1 — Iron Wall

Journal entries, Nox conversations, mood scores, sleep data, emergency contacts, medical info. Visible only to you. Never shared with managers, crew, or third parties. Period.

Tier 2 — Anonymized Aggregates

Wellness trends shown to managers are anonymized and aggregated with a minimum threshold of 5 crew members. No individual data is ever surfaced. Managers see patterns, not people.

Tier 3 — Community Contributions

Crew Board posts, Green Room threads, food reviews, venue ratings, wifi passwords, dead zone reports. You choose what to share. Green Room posts are fully anonymous.

Third-Party Services

We use the following third-party services to operate Tamid on Tour:

Supabase — Database & Authentication

PostgreSQL database hosted in the United States (us-east-1). All data encrypted at rest (AES-256) and in transit (TLS 1.2+). Handles authentication, real-time subscriptions, and file storage.

Anthropic — AI Processing (Nox)

Claude processes Nox conversations and context assembly. Messages encrypted in transit. Not used to train Anthropic models (API usage).

Vercel — Hosting & Deployment

Application hosting and serverless functions. Edge network for global performance. No user data is stored on Vercel beyond server logs (retained 30 days).

PowerSync — Offline Sync

Enables offline-first data access via local SQLite. Syncs encrypted data between your device and our database. No data stored on PowerSync servers beyond sync state.

Payments (when active)

Subscription billing handled by a PCI DSS-compliant payment processor. We never see or store your full card number.

We do not sell, rent, or share your personal data with advertisers, data brokers, or any party not listed above.

SNDCHK SESH Coaching Referrals

Tamid on Tour offers an optional referral pathway to SNDCHK SESH, a one-on-one coaching service for touring professionals operated independently by Daniel Rinaldi. SNDCHK SESH is a coaching service — it is not therapy, clinical care, or medical treatment.

If Nox suggests a coaching referral and you accept, we share your name, email address, and the basic context of your referral with Daniel for the purpose of coordinating coaching sessions. We do not share the contents of your conversations with Nox, your wellness check-ins, or any other personal data with Daniel unless you choose to discuss them with him during a coaching session.

You can decline a referral at any time, and declining has no effect on your access to Tamid on Tour. If you accept a referral, the coaching relationship that follows is between you and Daniel Rinaldi directly — your communications with him during coaching are not part of Tamid on Tour.

If you are experiencing a mental health emergency or crisis, do not rely on SNDCHK SESH or Nox. Contact emergency services (911 in the US) or the 988 Suicide and Crisis Lifeline.

Your Rights

  • Access — view all data we hold about you through the app. View what Nox knows about you in Settings > What Nox Knows About You.
  • Export — download all your data (journals, moods, expenses, Nox conversations) as a ZIP file via Settings > Your Data > Export My Data.
  • Delete messages — delete your own messages in DM conversations at any time. Deleted messages are replaced with “[deleted]” to preserve thread context.
  • Delete your account — see “Deleting Your Account & Your Right to Be Forgotten” below for both the standard 30-day path and the immediate (Article 17) erasure path.
  • Nox data control — view, edit, or delete any context Nox has learned about you. Archive or permanently erase all Nox conversations and memories. Reset Nox's consolidated memory.
  • Opt out of signal monitoring — disable wellness signal monitoring (Nox flagging patterns to tour management) at any time in Settings > Privacy.
  • Disable mesh networking — disable peer-to-peer mesh at any time in Settings > Privacy. Your device stops sharing network info immediately.
  • Disable Nox AI — turn off Nox entirely via the kill switch in Settings. Your data is preserved but Nox stops processing.

Deleting Your Account & Your Right to Be Forgotten

You can delete your Tamid on Tour account at any time, for any reason, without contacting us. We've built two paths because they serve different needs.

The standard path: 30-day deletion with a recovery window

When you delete your account from Settings, here's what happens:

  • Your profile is marked for deletion immediately. You're signed out across every device. Anyone who tries to find, message, or tag you sees that the account is no longer active.
  • Your data is preserved, but inaccessible to you, for 30 days. Nothing is exposed during this window. Your journal, your conversations with Nox, your mood check-ins, your private memories — all of it stays sealed in the same encrypted, row-level-secured state it was in before you initiated deletion.
  • You can come back. If you sign in within 30 days, your account reactivates and everything is exactly where you left it. No support ticket required. The product handles it.
  • After 30 days, the data is permanently destroyed. A daily process runs at 03:00 UTC and removes the underlying data from our systems for every account whose 30-day window has elapsed. Once that runs against your account, your data is gone and cannot be recovered by anyone — including us.

We chose 30 days because deletion regret is real, especially on tour. People delete things at 4 a.m. in a hotel in a strange city and feel different about it three days later. We'd rather give you the window than tell you “should've thought twice.”

The immediate path: Article 17 / Right to Erasure

If you don't want the 30-day window — if you want your data erased immediately and irreversibly — Tamid on Tour supports this directly from Settings. Choose the immediate option instead of the standard option. This corresponds to your right to erasure under Article 17 of the EU General Data Protection Regulation (GDPR) and analogous rights under the California Consumer Privacy Act (CCPA) and other jurisdictions.

What “immediately” means in practice:

  • Data tied solely to your identity is deleted. Your journal entries, mood check-ins, private memories, conversations with Nox, expense records, and any other data that exists only because your account exists — all removed in the same transaction.
  • Data that exists in shared contexts is anonymized rather than deleted. Some data you create touches other crew members — a message in a group chat, a post on the Crew Board, a comment on someone else's content. Deleting that data outright would break other people's experience of the platform (a conversation full of “[deleted] said:” placeholders is unusable). Instead, we sever the connection between that content and your identity: your user ID is removed, your display name is replaced with an anonymous placeholder, and any link back to you is destroyed. The content remains for the people you shared it with; the trail back to you does not.
  • You receive a manifest. Every immediate deletion returns a record of exactly which tables had rows deleted and which had columns anonymized. This is logged in our audit trail and is available to you on request.
  • It is not reversible. Once immediate deletion completes, there is no recovery window. We cannot restore the data, even at your request. This is by design.

What we keep, briefly, and why

A small set of data persists after deletion in either path:

  • Anonymized audit records. We keep a record that an account was deleted, when, and by which method (standard or immediate), but not who. This exists so we can answer regulator questions, demonstrate compliance, and detect abuse patterns — not to track you.
  • Aggregate analytics with no personal identifiers. Counts, trends, and patterns that include your past usage stay in aggregate form. Your individual contribution cannot be re-derived from these.
  • Legally required retention. If a specific record is subject to a legal hold (subpoena, ongoing dispute, regulatory requirement), it remains until the hold lifts. We notify you when this applies. It almost never will.

That's it. Everything else goes.

How to use either path

In the Tamid on Tour app: Settings > Account > Delete Account. You'll see both options, a preview of what will be removed for your account specifically, and a confirmation step calibrated to the path you choose. The standard path asks you to type the word DELETE. The immediate path asks you to type your email address — a higher-friction check since that action cannot be undone. The confirmation is intentional — not a dark pattern, just a moment of friction to make sure this is what you want.

If you cannot access the app for any reason (you've lost your device, your account is locked, you'd prefer not to log back in), email privacy@tamidontour.health with the subject line “Account Deletion Request” and include the email address associated with your account. We will verify your identity and process the request within 30 days, in either mode you specify. The default if you don't specify is the standard 30-day path.

After deletion

Once your account is permanently destroyed — either at the end of the 30-day window, or immediately if you chose that path — we cannot help you recover anything. We don't have it. This isn't a policy decision; it's an architectural one. The data isn't sitting in a backup somewhere waiting to be restored on request. It is gone.

We mention this not to scare you, but to be honest about what deletion actually means here. A platform that promises “we'll delete your data” but quietly keeps a copy for “operational reasons” hasn't deleted anything. We have, and we will.

Third-Party AI Processing

Nox, our AI crew companion, uses Anthropic Claude (Haiku for extraction, Sonnet/Opus for conversation) to generate responses. When you send a message to Nox:

  • Your message and recent conversation context are sent to Anthropic's API.
  • Messages are encrypted in transit (TLS) and are not used to train Anthropic's models (we use the API, not the consumer product).
  • Resume uploads are processed by Anthropic Claude to extract structured data. The original file is discarded immediately after processing.
  • You are notified of AI processing on first use and can review what data has been extracted at any time.

Mesh Networking Data

CrewMesh is an optional peer-to-peer networking feature for offline communication. When enabled:

  • Your device fingerprint (a hash of your user agent — not personally identifiable), local network address, and battery status are shared with mesh-enabled crew on your tour.
  • Battery status is used for super-peer election (devices with more power handle relay duties). It is not stored long-term.
  • Messages sent via mesh are encrypted and relayed through nearby crew devices.
  • Mesh networking is opt-in only and disabled by default. Enable or disable at any time in Settings > Privacy.
  • BLE (Bluetooth Low Energy) mesh is available on native platforms only and requires separate consent.
  • All mesh data (peer records, routing logs, topology) is purged when the tour ends.

Wellness Data Handling

We treat wellness data with the highest level of protection:

  • Mood check-ins, journal entries, breathing sessions, and hydration logs are stored as daily aggregate counts only — no timestamps, duration, or time-of-day information.
  • Wellness signal monitoring (flagging patterns to tour management for safety) is enabled by default but can be disabled by the user at any time.
  • Wellness data is never shared with third parties, advertisers, or insurance providers.
  • SOS alert GPS coordinates are automatically stripped after 24 hours. The alert record is retained for audit purposes.

Cookies & Local Storage

We use localStorage (not cookies) for:

  • Authentication session state (required for app functionality) — stored in secure cookies, not localStorage.
  • User preferences (display mode, text size, high contrast mode, dismissed banners).
  • Offline journal drafts (auto-saved every 5 seconds, cleared on successful save).
  • PWA install prompt dismissal status.

We do not use third-party cookies, tracking pixels, or advertising SDKs.

Data Retention

How long we keep different types of data:

Data Type              Retention
Mood entries           Until deleted by user
Journal entries        Until deleted by user
Nox conversations      Retained, exportable, deletable anytime
Nox profile context    Until edited or deleted by user
SOS alert GPS          Auto-deleted after 24 hours (alert record retained)
Crew messages          Tour duration + 90 days
Mesh data              Purged when tour ends
Expenses & receipts    Until deleted by user
Resume uploads         Text extracted, original file discarded immediately
Analytics events       Aggregated, individual events purged after 90 days
Account deletion       See "Deleting Your Account" section — 30-day recovery window, or immediate (Article 17) erasure on request.

Cannabis Information

The cannabis legality feature displays publicly available legal status information for US states. We do not collect, store, or process any data about cannabis use. The feature is age-gated (21+), opt-in only, and display-only. No analytics are tracked on the cannabis page.

Contact

Questions about this policy? Email privacy@tamidontour.health