Tidebox Privacy Policy
This Privacy Policy explains how Tidebox handles personal data collected through tidebox.ai, including the early-access waitlist and demo request flows. Tidebox is operated by Eigensource S.L.
1. Data controller
Eigensource S.L.
NIF: B55497267
Carrer d'Avila, 32 - 08005 Barcelona, Spain
Email: privacy@tidebox.ai
For enterprise privacy, procurement, or data protection questions, contact us at the email address above.
2. Data we collect
When you submit the Tidebox early-access form or contact us, we may collect:
- Work email address
- First name, if you choose to share it
- Company name
- Team size
- Your described use case or project context
- Pricing-plan interest when inferred from the CTA you clicked (for example, Builder or Teams)
- Technical and attribution metadata such as page path, referrer, UTM values, language, and timestamp
- Security and anti-abuse metadata such as request origin, referer, and user agent
3. Why we process your data
- To review and prioritize early-access requests
- To contact you about your Tidebox request, waitlist status, onboarding, or a relevant demo
- To understand which channels, plans, and messages generate qualified interest
- To generate concise internal fit summaries or recommended first workflows for the waitlist experience
- To prevent spam, abuse, or fraudulent submissions
- To keep internal records of inbound business leads and conversations
4. Legal bases
We process personal data on the following bases under the GDPR:
- Consent: when you tick the waitlist checkbox and submit your details so we can review your request and contact you about Tidebox early access.
- Legitimate interests: to protect the site from abuse, measure aggregate demand, and manage inbound B2B lead operations responsibly.
- Legal obligations: where we must retain or disclose data to comply with applicable law.
You can withdraw your consent at any time by emailing privacy@tidebox.ai.
5. Analytics and measurement
Tidebox uses a consent preference center and a consent registry for optional website analytics and advertising measurement. Optional analytics and advertising storage are denied by default until you actively accept them through the cookie settings control.
After consent, we currently use Plausible Analytics for website analytics and Google Ads / gtag.js for conversion measurement and campaign attribution. We also record time-stamped consent events, policy version, and selected categories in our consent registry.
We may also use AI assistance to summarize the use case you submit and generate a suggested first workflow or fit explanation inside the waitlist success experience. This is used only to personalize the landing flow and support internal lead review. It does not produce legal or similarly significant effects.
6. Processors and recipients
We may share data with service providers that help us run the landing and waitlist, including:
- Supabase for database and serverless processing
- Plausible Analytics for website analytics
- Google Ads / Google Tag for conversion measurement and attribution after advertising consent
- Zapier for workflow notifications and internal routing
- Google Workspace / Gmail for business communications
- OpenAI for optional AI-assisted summarization and fit copy generation
We only share data to the extent necessary for these services to perform their role for us. See our Subprocessors page for the current public website vendor list.
7. International transfers
We are EU-based, but some service providers may process limited data outside the European Economic Area. Where this happens, we rely on appropriate safeguards such as contractual protections and equivalent transfer mechanisms where required.
8. Retention
We keep waitlist and inbound lead data only for as long as needed to run the early-access program, evaluate demand, and follow up on genuine business interest. As a working rule, we aim to delete or review stale waitlist records within 12 months of the last meaningful interaction, unless a longer retention period is required for legal, security, or dispute reasons.
Consent-registry events and related audit metadata may be kept longer where needed to demonstrate consent state, investigate abuse, or respond to privacy, legal, or security requests.
9. Your rights
Subject to applicable law, you may request:
- Access to your personal data
- Correction of inaccurate data
- Deletion of your data
- Restriction of processing
- Objection to processing based on legitimate interests
- Data portability where applicable
- Withdrawal of consent at any time
To help us locate your request quickly, include the email address you used, any relevant website interaction details, and, if available, your consent reference from the cookie settings panel.
You also have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) if you believe your data has been handled unlawfully.
10. Updates to this policy
We may update this Privacy Policy as Tidebox evolves, our tooling changes, or legal requirements change. We will publish the latest version on this page and update the date above.