Privacy Policy
Last updated: May 14, 2026
TallyBloom (“TallyBloom”, “we”, “us”) is a habit counter and heatmap. This policy explains what we collect, why, and what we do with it. Plain language; if anything is unclear, contact us and we'll fix the wording.
What we collect
- Account data — the email address you sign up with, an encrypted password hash (if you sign up by email/password), and the date you joined. If you sign in with Google, we also store the Google account's stable identifier (the “sub” claim) so we can recognize you on return.
- Counter data — the counters you create, the daily counts you record, and any color settings you customize. This is the product; we can't run TallyBloom without it.
- Session cookies — an HttpOnly auth cookie that keeps you signed in. We do not use third-party analytics, advertising, or tracking cookies.
- Server logs — standard request logs (timestamps, IPs, paths, status codes) retained for a short period for debugging and abuse prevention.
What we don't collect
- No third-party analytics, advertising, or behavioral tracking.
- No access to your Google contacts, calendar, drive, or anything else from your Google account. The “Sign in with Google” scope is limited to your name, email, and profile picture URL.
How we use it
We use account data to authenticate you and counter data to render your dashboards, calendars, and heatmaps. Server logs are used to investigate errors and abuse. We do not sell or rent your data to anyone.
Who we share it with
We share data only with infrastructure providers we depend on:
- Cloudflare — fronts both the marketing site and the API tunnel; sees request headers and bodies in transit.
- Our hosting provider — runs the Postgres database and Django backend.
- Google — receives the OAuth handshake when you choose to sign in with Google; we do not push your counter data to them.
Where it lives
Your data is stored on infrastructure we operate. Backups (if any) are encrypted at rest.
Your rights
You can delete a counter at any time from the dashboard, which also permanently deletes its day-count history. To delete your entire account and all associated data, email us at privacy@tallybloom.com from the address on file.
Cookies
We use one cookie: auth_token, set HttpOnly and Secure, used solely to keep you signed in. It expires when you log out or when its OAuth token TTL elapses.
Children
TallyBloom is not directed at children under 13 and we do not knowingly collect data from them. If you believe a child has signed up, contact us and we'll delete the account.
Changes
We'll update this page when our practices change. Material changes will be announced in-product.
Contact
Questions: privacy@tallybloom.com.