GDPR — Your Data Rights
Last updated: April 14, 2026
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have specific rights under the General Data Protection Regulation (GDPR) and related data protection laws. This page explains those rights and how to exercise them.
1. Who Is the Data Controller?
TinyBridge is the data controller for personal data collected through the TinyBridge Choice Boards application. This means we determine how and why your personal data is processed.
- Contact: info@tinybridge.ai
2. Legal Bases for Processing
We process your personal data based on the following legal grounds under Article 6 of the GDPR:
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance (Art. 6(1)(b)) | |
| Legitimate Interest (Art. 6(1)(f)) | |
| Consent (Art. 6(1)(a)) | |
| Legal Obligation (Art. 6(1)(c)) | |
3. Special Categories of Data
TinyBridge Choice Boards is used by non-verbal individuals, including people with disabilities. While we do not intentionally collect health data, the use of our Service may imply information about a user's communication needs.
We treat all data with heightened sensitivity and apply the following safeguards:
- Strict per-user data isolation — no cross-user data access
- Encryption at rest and in transit
- Minimal data collection — we only collect what is necessary for the Service
- No profiling or automated decision-making based on disability or health status
4. Your Rights Under GDPR
4.1 Right of Access (Art. 15)
You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data. We will provide:
- Your account information (email, name)
- All choice boards and associated data
- Photos stored on your behalf
- Usage history data
- Any feedback submissions
4.2 Right to Rectification (Art. 16)
You have the right to correct inaccurate personal data. Your display name and profile photo are sourced from your Google account — to update these, update your Google profile. For other data corrections, contact us.
4.3 Right to Erasure ("Right to Be Forgotten") (Art. 17)
You have the right to request deletion of your personal data. Upon a valid erasure request, we will delete:
- Your user profile and account data
- All choice boards (including soft-deleted boards)
- All photos stored in your account
- Your usage history
- Feedback submissions associated with your account
- Local IndexedDB data (you should also clear your browser data)
Deletion will be completed within 30 days of a verified request. Some data may be retained in encrypted backups for up to 90 days before being permanently removed.
4.4 Right to Restriction of Processing (Art. 18)
You can request that we restrict processing of your data in certain circumstances, such as while we verify the accuracy of your data or evaluate an objection you have raised.
4.5 Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format. We will provide your data as a JSON export including:
- Account profile
- All choice boards with items and configuration
- Photos (as downloadable files)
- Usage history
4.6 Right to Object (Art. 21)
You have the right to object to processing based on legitimate interests. This includes the right to object to:
- Collection of usage/interaction data
- Processing for service improvement purposes
If you object, we will stop the relevant processing unless we demonstrate compelling legitimate grounds that override your interests.
4.7 Right Not to Be Subject to Automated Decision-Making (Art. 22)
We do not make any decisions based solely on automated processing that produce legal or similarly significant effects on you. Our AI features (photo analysis, image generation) are tools that assist with board creation — they do not make decisions about you.
5. How to Exercise Your Rights
To exercise any of the rights described above:
- Email us at info@tinybridge.ai with your request
- Include the email address associated with your TinyBridge account
- Specify which right(s) you wish to exercise
- We may need to verify your identity before processing your request
We will respond to your request within 30 days. If the request is complex, we may extend this by an additional 60 days, and we will inform you of any such extension.
All requests are processed free of charge unless they are manifestly unfounded or excessive.
6. International Data Transfers
Your data may be transferred to and processed in countries outside the EEA, including the United States. We ensure appropriate safeguards for such transfers:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our service providers
- Microsoft Azure: Microsoft provides SCCs and has obtained EU adequacy certifications for relevant data transfers
- OpenAI: API data processing agreements are in place with appropriate transfer mechanisms
- Google: Google provides SCCs for international data transfers
7. Data Protection Impact Assessment
Given the sensitive nature of our user base (non-verbal individuals, potential minors), we conduct Data Protection Impact Assessments (DPIAs) for:
- New data processing activities
- Changes to AI service providers
- Introduction of new data collection features
- Changes to data storage or transfer practices
8. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- If the breach poses a high risk to you, we will notify you directly without undue delay
- Notifications will include: the nature of the breach, data affected, likely consequences, and measures taken
9. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. You can file a complaint with:
- The data protection authority in your country of residence
- The data protection authority in the country where the alleged violation occurred
A list of EU/EEA data protection authorities is available at edpb.europa.eu.
We encourage you to contact us first at info@tinybridge.ai so we can address your concerns directly.
10. Children and GDPR
Under GDPR, processing of children's data requires parental consent for children under 16 (or the lower age set by member states, minimum 13). Our approach:
- Accounts are created by caregivers (parents, guardians, therapists) — not by children
- Google sign-in enforces age requirements at the authentication level
- We apply heightened data protection to all user data, given that boards may be used by children
- Caregivers can exercise data rights on behalf of minors in their care
11. Changes to This Page
We may update this GDPR information page to reflect changes in our practices or applicable law. Updates will be posted here with a revised "Last updated" date.