Privacy Policy

Last updated: March 3, 2026

1. What data we collect

Slidoro collects and stores the following data to provide its core functionality:

  • Account information — email address (via Supabase Auth) used for login.
  • Timer sessions — focus/break duration, timestamps, and XP earned to track your progress.
  • Categories — custom category names and durations you create.
  • Website whitelist — domains you choose to allow during focus sessions (stored on our server to sync between your devices).
  • Settings — theme preference, notification preferences, timer configuration.
  • Telegram numeric ID — if you optionally link our Telegram bot to your account, we store only your Telegram numeric user ID and bot chat ID to deliver outbound timer notifications. We do not access your Telegram username, phone number, contacts, messages, or any other Telegram account data.

2. How we use your data

Your data is used solely to:

  • Synchronise timer state across your devices in real time.
  • Track your productivity progress (XP and levels).
  • Manage which websites are blocked or allowed during focus sessions.
  • Deliver notifications when a session completes.
  • Send outbound timer notifications via Telegram bot — only if you have explicitly linked it.

We do not use your data for advertising, profiling, or analytics.

3. Data storage & security

Your data is stored in two places:

  • Supabase (PostgreSQL) — primary persistent storage for your account, sessions, categories, settings, whitelist, and Telegram link. Data is encrypted at rest and in transit via TLS. Row-level security ensures each user can only access their own data.
  • Our application server (pomodoro.milmanart.win) — maintains a local SQLite database as a real-time working copy of your data to support instant WebSocket synchronisation across devices. This includes: active timer state, categories and XP, settings, whitelist domains, completed sessions pending sync, and Telegram chat IDs. This is a mirror of data in Supabase, kept in sync automatically. All communication is over TLS.

Both the web application and the Chrome Extension communicate with our server via an encrypted WebSocket connection. Only timer control commands and authentication tokens are transmitted — no browsing history or page content is sent.

4. Data sharing

We do not sell, share, or transfer your personal data to any third parties. No data is shared with advertisers, data brokers, or analytics services.

5. Browser Extension permissions

The Slidoro browser extension (available for Chrome and Firefox) requests the following permissions:

  • Access to all websites (host_permissions: <all_urls>) — required to display a blocking overlay on any website during a focus session. The extension does not read, collect, log, or transmit the content of any webpage you visit.
  • Storage — stores your server URL, authentication token, and user ID locally in the browser so you stay logged in. This data never leaves your device except to authenticate with your own Slidoro server.
  • Tabs — reads the URL of the active tab to determine whether the current site should be blocked during a focus session. Page content is never accessed.
  • Notifications — to alert you when a focus or break session completes.
  • Alarms — to keep the background script active for real-time timer synchronisation.
  • Offscreen (Chrome only) — to play an alarm sound when a session completes (required because Chrome service workers cannot use the Web Audio API directly). Firefox plays the sound directly in the background page without this permission.

The content script injected into pages is used solely to render the focus overlay UI. It does not interact with, scrape, or record any page content.

6. Telegram bot integration

Linking our Telegram bot is entirely optional. It is a one-way notification channel: the bot sends you messages and does not read or process anything you send.

What we collect: when you initiate the /start command in the bot, Telegram provides us with your numeric user ID and the bot chat ID. We store only these two identifiers.

What we do not collect: we do not access your Telegram username, display name, phone number, contact list, profile photo, messages, or any other Telegram account data.

Deletion: your Telegram IDs are removed immediately when you unlink the bot or delete your Slidoro account. You can also block the bot on the Telegram side at any time to stop all notifications.

7. Your rights

You have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request correction of inaccurate or incomplete data.
  • Deletion — request deletion of your account and all associated data at any time by contacting us.
  • Portability — request an export of your data in a machine-readable format.
  • Objection — object to processing of your personal data in certain circumstances.

To exercise any of these rights, contact us at [email protected].

8. Data retention & deletion

Your data is retained as long as your account exists. When you delete your account, all associated data (sessions, categories, settings, whitelist, Telegram link) is permanently deleted via cascading database rules. Archived categories are scheduled for automatic deletion after 3 months. You may request manual deletion of your account and data by contacting us at the address below.

9. Contact

For privacy concerns, data requests, or account deletion, please contact: [email protected]