
TinctureTally — by Konfidens

Privacy Policy

Last updated: May 2026

We've tried to write this in plain English. If something isn't clear, email us at hello@konfidens.com and we'll explain it.

Who we are

TinctureTally is operated by Konfidens. We're the data controller for the information you provide when using this service — meaning we're responsible for how your data is collected, stored, and used.

What we collect and why

When you create an account:

  • Your email address and a hashed password (we never see or store your actual password — that's handled by our authentication provider, Supabase)

When you use the app:

  • The practice data you enter: your products, suppliers, stock levels, dispense records, restock logs, formula templates, and dosage shortcuts
  • A currency preference and default unit setting

That's it. Notably, we do not collect any information about your clients. Dispense records use anonymous client IDs — a reference string that you choose yourself. TinctureTally has no way of knowing who those IDs refer to, and we never ask.

We do not collect:

  • Client names, contact details, dates of birth, or health information
  • Payment data (the service is free; no payments are processed)
  • Your location
  • Browsing behaviour or usage analytics

Cookies

TinctureTally uses one type of cookie: a session cookie set by Supabase to keep you logged in. It's strictly functional — without it, the app doesn't work. There are no analytics cookies, no advertising cookies, and no third-party tracking of any kind.

Fonts are self-hosted: Inter is bundled with the application at build time, so no requests are made to Google Fonts (or anywhere else) when you use the app.

Because we only use strictly necessary cookies, a cookie consent banner is not legally required. We've chosen not to show one.

Who we share your data with

We use three infrastructure providers to run TinctureTally. Each acts as a data processor on our behalf:

| Provider | Purpose | Location | Transfer basis |
|---|---|---|---|
| Supabase | Database and authentication | eu-west-1, Ireland (EU) | No transfer — data stays in the EU |
| Vercel | Application hosting | USA (global edge) | Standard Contractual Clauses (SCCs) |
| Resend | Transactional email only | USA | SCCs — resend.com/security/gdpr |

We don't sell your data. We don't share it with anyone else.

Where your data is stored

Your account and practice data is stored in Supabase's eu-west-1 region in Ireland. This means your data stays within the European Union and is subject to EU data protection standards.

How long we keep your data

We keep your data for as long as your account is active. If you delete your account, your data is deleted from our systems. We don't retain practice data after account deletion.

If you'd like your data deleted and can't find a delete option in the app, email hello@konfidens.com and we'll take care of it within 30 days.

Your rights

Under GDPR (and UK GDPR), you have the right to:

  • Access the data we hold about you
  • Correct anything that's inaccurate
  • Delete your account and associated data
  • Export your data in a portable format
  • Object to or restrict how we process your data
  • Withdraw consent at any time (though we rely on contract performance, not consent, as our legal basis)

To exercise any of these rights, email hello@konfidens.com. We'll respond within 30 days.

If you're in the EU or UK and feel we've handled your data incorrectly, you have the right to lodge a complaint with your supervisory authority — the Data Protection Commission (DPC) in Ireland, or the ICO in the UK.

Legal basis for processing

We process your account and practice data on the basis of contract performance — it's necessary to provide the service you've signed up for. We don't rely on consent for core data processing, which means you don't need to "accept" anything beyond creating an account.

Security

All data in transit is encrypted via TLS. Data at rest is encrypted by Supabase (AES-256 on AWS). User data is logically isolated — no account can access another account's data, enforced at the database level via Row Level Security.

If we become aware of a data breach that affects you, we'll notify you within 72 hours.

Contact

For any privacy questions or data requests: hello@konfidens.com

© 2026 Konfidens. All rights reserved.
