Legal

Privacy Policy

Last updated: June 9, 2026

The short version

Your photos never leave your device. If you turn on Voice Lock, the voice profile that recognises you is biometric data that also stays only on your device and you can delete it any time. To keep the free version running, Tidy shows Google AdMob ads. Where you allow it, those ads are personalised, which means your advertising ID and IP address are shared with Google for advertising. We also keep a little anonymous data for the referral programme, fraud prevention, crash reports, and purchases. You can opt out of personalised/tracking ads and delete your data from Settings → Privacy in the app, or by emailing us. This policy covers the EU/UK (GDPR), California and other US states (CCPA/CPRA), and India (DPDPA).

1. Who we are

Tidy ("Tidy", "the app", "we", "us", "our") is a photo-cleanup app for iOS (Apple App Store) and Android (Google Play). It is developed and operated by Aditya Bhat, an individual based in India. For privacy law, Aditya Bhat is the data controller (GDPR), business (CCPA/CPRA), and Data Fiduciary (India DPDPA) for the limited data described below.

One place for everything. Our data-protection contact and our Grievance Officer (India DPDPA) can be reached directly at support@tidyupapp.online and through our Compliance page, where the current officers and how to exercise your rights are listed. EU/EEA users: for any data-protection matter, including matters that would otherwise be directed to a representative under GDPR Article 27, please contact us at support@tidyupapp.online.

2. What stays on your device and never leaves it

The two most sensitive things Tidy touches are processed only on your device and are never uploaded to us or to anyone else:

Tidy also uses the accelerometer and gyroscope in Motion mode to detect tilt. That sensor data is used in real time only and is never stored or transmitted.

3. Data we do process — categories, purpose, and lawful basis

Apart from the on-device items above, Tidy processes a small amount of data through the third-party services it relies on. The table below lists every category, why we process it, and our lawful basis under GDPR (mirrored to DPDPA's "consent" and "legitimate uses", and to CCPA's "business purpose").

Data categoryPurposeLawful basis
Anonymous Firebase user ID (random, not your name/email)Sign you in anonymously so the referral and consent-logging features work without an accountLegitimate interest (GDPR Art. 6(1)(f)) / legitimate use (DPDPA) in providing the requested feature
Advertising identifier (Apple IDFA / Google GAID)Serve and measure ads; where you consent, personalise adsConsent (GDPR Art. 6(1)(a); ePrivacy; DPDPA consent)
IP addressDeliver ads, security/anti-fraud, and to derive approximate location for ad and consent rulesConsent for advertising use; legitimate interest for security
Approximate location (country/region derived from IP — not precise GPS)Show the right consent form, comply with regional ad rules, coarse ad relevanceConsent (ads) / legitimate interest (legal compliance)
Device / install fingerprint hash (a one-way hash of coarse device traits + a random install ID)Detect and prevent referral fraud and abuseLegitimate interest in preventing fraud (GDPR Art. 6(1)(f)) / legitimate use (DPDPA)
Consent log: IAB TCF consent string, iOS App Tracking Transparency (ATT) status, app version, timestampProve and honour your privacy choices (we are required to be able to demonstrate consent)Legal obligation / legitimate interest (GDPR Art. 6(1)(c)/(f); Art. 7 demonstrability)
Referral graph: anonymous install IDs and inviter/invitee links and countsRun the invite-a-friend programme and grant rewardsConsent / performance of the referral terms you opt into
Crash diagnostics (Firebase Crashlytics: device model, OS version, app state, stack traces)Diagnose and fix crashes and stability problemsLegitimate interest in app reliability (GDPR Art. 6(1)(f)) / legitimate use (DPDPA)
Purchase / entitlement data (via Adapty + Apple/Google: transaction and subscription/entitlement status, an anonymous purchaser ID)Process the Tidy Premium purchase and unlock and restore your entitlementPerformance of a contract (GDPR Art. 6(1)(b)) / DPDPA contractual necessity

We do not integrate a general product-analytics SDK (no Firebase Analytics, no Mixpanel, no Amplitude). We do not collect your name, email, contacts, social graph, precise GPS location, or account passwords.

4. Advertising and tracking — Google AdMob

Tidy's free tier is supported by ads served by Google AdMob. We want to be clear and correct here: where you have consented, Tidy serves personalised ads. We do not force "non-personalised only." Your consent is gathered through Google's UMP consent form (for EU/UK/Swiss and US-state privacy frameworks) and, on iOS, through Apple's App Tracking Transparency prompt. Personalised advertising means your advertising identifier (IDFA/GAID) and IP address are shared with Google and used for ad targeting and measurement, including cross-context behavioural advertising.

If you do not consent (or you deny tracking), Tidy still shows ads, but they are non-personalised. You can change your choice at any time:

Google's processing of this data is governed by Google's Privacy Policy and how Google uses data from apps that use its services. Buying Tidy Premium removes all ads.

5. "Sale" / "Sharing" of personal information (CCPA/CPRA)

California and several other US states give you the right to opt out of the "sale" and "sharing" of your personal information. Under those laws' broad definitions, our use of AdMob for personalised (cross-context behavioural) advertising counts as "sharing," and may count as a "sale," of personal information.

We do not sell or share any other category of data, and we never sell or share your photos or your voice profile. We do not knowingly sell or share the personal information of consumers under 16.

Do Not Sell or Share My Personal Information. You can exercise this right at no cost and without creating an account: open Settings → Privacy in the app and decline/withdraw advertising consent in Google's consent (UMP) form, and/or use the device controls in Section 4. Doing so stops the sharing of your advertising ID and IP for personalised advertising. We also honour the Global Privacy Control (GPC) and equivalent opt-out preference signals where they are transmitted to us as a valid opt-out of sale/sharing.

6. Your privacy rights

Depending on where you live, you have some or all of the rights below. They apply to the limited data in Section 3 (your on-device photos and voiceprint are already only in your hands).

How to exercise them:

For CCPA/CPRA requests we will confirm receipt and respond within 45 days (extendable by a further 45 days where permitted, with notice). For GDPR and DPDPA we respond without undue delay and within one month / the statutory period. Because most of our data is anonymous or pseudonymous, we may need additional information to locate or verify it; if we genuinely cannot identify you in our records, we will say so.

Complaints. If you are in the EU/EEA or UK, you may also complain to your local data protection supervisory authority. If you are in India, you may raise a grievance with our Grievance Officer at support@tidyupapp.online and, if unresolved, complain to the Data Protection Board of India. If you are in California, you may contact the California Privacy Protection Agency or Attorney General.

7. Sensitive / special-category data — your voice profile

The Voice Lock voiceprint is biometric data: it is "special category" data under GDPR Article 9, "Sensitive Personal Information (SPI)" under the CPRA, and sensitive personal data in spirit under the DPDPA. We treat it accordingly:

8. Who receives data (sub-processors / recipients)

We share the limited Section 3 data only with the service providers needed to run those features:

Each provider processes data under its own terms and privacy policy and, where it acts on our behalf, under data-processing terms that restrict use to providing the service.

9. International data transfers

We are based in India and use global services, so your data may be processed outside your country, including in the United States. Our Cloud Firestore data is stored in Google's us-central1 region; AdMob and Crashlytics operate globally. Where personal data is transferred out of the EEA/UK, the transfer relies on appropriate safeguards — principally Google's and our other processors' Standard Contractual Clauses (SCC)-based data transfer terms. You can request more detail on these safeguards by emailing us.

10. How long we keep data (retention)

You can exercise your right to erasure at any time as described in Section 6.

11. Children and minors

Tidy is a general-audience utility and is not directed to children. We do not knowingly collect personal data from children, and we do not knowingly serve personalised ads to, or "sell/share" the data of, minors.

If a user indicates they are a minor, the app disables personalised ads and tracking and switches to child-safe / non-personalised ad settings. If you believe a minor has provided us data (for example through the referral feature), email support@tidyupapp.online and we will delete it promptly.

12. Managing consent and ad/tracking choices

You are always in control. To grant or withdraw consent, or change personalised-ad and tracking choices, go to Settings → Privacy in the app (which re-opens Google's consent form), or use the iOS/Android device controls in Section 4. Withdrawing consent stops the relevant future processing; it does not undo processing already lawfully carried out.

13. Changes to this policy

If we make material changes, we will update the "Last updated" date above and, where appropriate, notify you in the app. Continued use of Tidy after an update means you accept the revised policy.

14. Contact

Privacy questions, requests, or complaints — and our data-protection contact and India Grievance Officer, as well as EU/EEA data-protection matters under GDPR Article 27 — all reach us at support@tidyupapp.online (see the Compliance page). We aim to respond within 48 hours and within the statutory deadlines noted in Section 6.