Privacy Policy

Effective Date: January 2026

The Short Version: Thoga is local-first software. Your data stays on your device. We don't have servers that store your workflows, files, or personal information. We collect only: (1) authentication data for login, (2) license data for access control, and (3) anonymous, aggregated analytics to improve the product.

1. Our Privacy Commitment

Thoga is designed with privacy as a core principle. Unlike cloud-based automation tools:

Your workflows run locally on your device
Your data never passes through our servers
We cannot see, access, or analyze your automations
We have no backend infrastructure that stores your information

2. What We Collect

2.1 Authentication Data

When you sign in with Google, we receive:

Data	Purpose	Stored Where
Email address	Account identification, license management	Firebase Authentication (Google)
Google user ID	Unique account identifier	Firebase Authentication (Google)
Display name	Personalization (optional)	Firebase Authentication (Google)

This data is stored by Firebase (Google Cloud) and governed by Firebase's Privacy Policy.

2.2 License Data

We store minimal licensing information:

License status (trial, active, expired)
License type (annual, lifetime)
Purchase date and expiry date

This is stored as metadata in Firebase Authentication custom claims.

2.3 Payment Data

Payments are processed by Paddle.com, our Merchant of Record. We do not store:

Credit card numbers
Bank account details
Billing addresses

Paddle handles all payment data under their Privacy Policy.

2.4 Anonymous Analytics

By signing up, you agree to the collection of anonymous, aggregated analytics to help us improve Thoga. We collect:

Data	Purpose	Example
Feature usage counts	Understand which features are popular	"HTTP node used 500 times today"
Session duration	Measure engagement	"Average session: 45 minutes"
Workflow run counts	Understand usage patterns	"1,000 workflow executions today"
Node type usage	Prioritize development	"Camera node: 200 users"
Platform/OS	Platform prioritization	"60% Mac, 30% Windows, 10% Linux"
Error counts	Identify stability issues	"5 crashes reported today"

What we do NOT collect in analytics:

Workflow content or structure
Node configurations or values
API keys, credentials, or secrets
File contents or names
Personal identifiers in events
IP addresses or precise location

Analytics are processed via Firebase Analytics and stored in aggregated form only. Individual user behavior cannot be reconstructed from this data.

3. What We Do NOT Collect

We do not collect, store, or have access to:

Your workflows or automations (content, structure, or logic)
Your API keys, passwords, or credentials
Files you process through Thoga
Data from your connected services
Your precise location or IP address
Keystroke or interaction data
Personal identifiers in analytics events

4. Local Data Storage

All application data is stored locally on your device:

Database: SQLite database encrypted with AES-256 (SQLCipher)
Encryption keys: Stored in your system's secure keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service)
Location: Your device's application data folder

We cannot access this data. If you uninstall Thoga or lose your device, this data cannot be recovered by us.

5. Peer-to-Peer Sharing

If you use Thoga's P2P features to share workflows or collaborate:

Data is transmitted directly between devices you authorize
Connections are end-to-end encrypted
No data passes through our servers
You control who can connect to your instance

6. Third-Party Services

Thoga integrates with third-party services. When you connect these services, their privacy policies apply:

Service	Purpose	Privacy Policy
Firebase (Google)	Authentication	Link
Paddle	Payment processing	Link
Google OAuth	Sign-in	Link

Any other services you connect (APIs, databases, etc.) are configured and controlled by you. We have no visibility into those connections.

7. Cookies

The Thoga website (thoga.app) uses minimal cookies:

Authentication: Session cookies for Google sign-in
No tracking cookies: We do not use advertising or analytics cookies

8. Children's Privacy

Thoga is not intended for children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us.

9. Data Retention

Authentication data: Retained while your account is active
License data: Retained for legal/tax purposes (up to 7 years)
Local data: Controlled entirely by you on your device

10. Your Rights

Depending on your location, you may have the right to:

Access: Request a copy of data we hold about you
Deletion: Request deletion of your account and associated data
Portability: Receive your data in a portable format
Correction: Update inaccurate information

To exercise these rights, contact us at support@thoga.app.

Note: We cannot delete or export your local data (workflows, etc.) because we don't have access to it. That data is entirely under your control.

11. International Users

Authentication data is processed by Firebase (Google Cloud) which operates globally. By using Thoga, you consent to data processing in jurisdictions where Google operates.

For EU users: Google is certified under the EU-US Data Privacy Framework.

12. Security

We implement security measures including:

AES-256 encryption for local database
Secure keychain storage for encryption keys
End-to-end encryption for P2P connections
HTTPS for all web communications
OAuth 2.0 for authentication (no password storage)

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes through the application or website. Continued use after changes constitutes acceptance.

14. Contact Us

For privacy-related questions or concerns:

Email: support@thoga.app

Last updated: January 2026