Privacy Policy
Last updated: April 14, 2026
TinyBridge ("we", "us", "our") operates the TinyBridge Choice Boards application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
Our Service is designed for non-verbal individuals, including children and people with disabilities, who use interactive choice boards to communicate. We recognize the sensitive nature of our users' needs and are committed to protecting their privacy with the highest standards.
1. Information We Collect
1.1 Account Information
When you sign in with Google, we receive and store:
- Email address — used to identify your account
- Display name — shown in the app interface
- Profile photo URL — used for your avatar
1.2 Photos and Images
The core function of TinyBridge is converting photos into choice boards. We collect:
- Photos you capture or upload — stored in full resolution for board creation and as thumbnails within board data
- AI-generated images — tile images generated from choice labels, cached to improve performance
1.3 Board Data
Choice boards you create, including:
- Board names and configuration
- Choice items (labels, descriptions, colors, images)
- Creation, modification, and last-used timestamps
1.4 Usage and Interaction Data
We collect interaction history to improve the Service, including:
- Board creation, opening, editing, and deletion events
- Choice selections (which tiles are tapped)
- Photo capture and upload events
- Sign-in and sign-out events
- Session identifiers and timestamps
1.5 Feedback and Support Data
When you submit feedback through the app, we collect:
- Your feedback message
- An app screenshot (for context)
- Recent application logs and errors
- Your browser/device user agent string
- Your email address (from your signed-in session)
1.6 Device and Technical Data
- Browser type and version (user agent)
- Device type and operating system
- Camera and microphone permission status
- Local storage identifiers
2. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide the Service (create and manage boards) | Account info, photos, board data | Contract performance |
| Sync data across your devices | All board and interaction data | Contract performance |
| Generate choice board images | Choice labels, descriptions | Contract performance |
| Detect items in photos using AI | Photos you capture or upload | Contract performance |
| Respond to your feedback | Feedback content, technical context, email | Legitimate interest |
| Improve the Service | Usage and interaction data | Legitimate interest |
| Maintain security and prevent abuse | Technical data, session data | Legitimate interest |
3. Third-Party Services
We use the following third-party services to operate TinyBridge:
3.1 Google (Authentication)
We use Google OAuth for sign-in. Google receives your authentication request and provides us with your basic profile information. See Google's Privacy Policy.
3.2 Microsoft Azure (Infrastructure)
Our Service runs on Microsoft Azure. Your data is stored in Azure Cosmos DB (board and profile data) and Azure Blob Storage (photos and images). Azure Communication Services is used to deliver feedback emails. See Microsoft's Privacy Statement.
3.3 OpenAI (Photo Analysis)
Photos you submit are sent to OpenAI's Vision API to detect and identify items for your choice boards. Photos are processed in real time and are subject to OpenAI's Privacy Policy. OpenAI's API data usage policy states that API inputs are not used to train their models.
3.4 Google Gemini (Image Generation)
Choice labels are sent to Google's Gemini API to generate tile images. These are text descriptions only (not photos). See Google's Privacy Policy.
4. Data Storage and Security
- Data is stored using Microsoft Azure infrastructure with encryption at rest and in transit
- All API endpoints enforce per-user data isolation — you can only access your own data
- The app uses an offline-first architecture with local IndexedDB storage, syncing to the cloud when online
- Session authentication uses secure, HTTP-only cookies
- Photos and boards are stored in per-user partitioned storage
5. Data Retention
- Board data: Retained as long as your account is active. Deleted boards are soft-deleted and can be recovered. Permanently removed upon account deletion request.
- Photos: Stored as long as the associated board exists. Removed upon account deletion.
- Usage history: Retained for up to 24 months for service improvement, then anonymized or deleted.
- Feedback data: Retained for up to 36 months for support purposes.
- Session cookies: Expire after the session ends or upon sign-out.
6. Data Sharing
We do not sell, rent, or trade your personal information. We share data only as described below:
- Service providers: With the third-party services listed in Section 3, solely to operate the Service
- Legal requirements: When required by law, regulation, or legal process
- Safety: To protect the rights, safety, or property of our users or the public
- Business transfers: In connection with a merger, acquisition, or sale of assets (with prior notice)
We do not use your data for advertising or marketing purposes. We do not share data with data brokers.
7. AI-Generated Image Caching
To improve performance and reduce costs, AI-generated tile images are cached in a shared storage layer. This means:
- If two users create a tile with the same label (e.g., "Apple"), they may share the same generated image
- Only the generated image is shared — not the board, user identity, or any personal information
- The shared cache contains only generic images with no personal data
8. Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your personal data
- Portability: Receive your data in a portable format
- Restriction: Request restriction of processing
- Objection: Object to processing based on legitimate interest
- Withdrawal of consent: Withdraw consent at any time
For EU/EEA residents, see our detailed GDPR Rights page. To exercise any right, contact us at info@tinybridge.ai.
9. Children's Privacy
TinyBridge Choice Boards is designed to be used by caregivers on behalf of non-verbal individuals, who may include children. We apply the following protections:
- The Service requires Google sign-in, which is restricted to users who meet Google's minimum age requirements
- We expect caregivers (parents, guardians, therapists, educators) to create and manage accounts
- We do not knowingly collect personal information directly from children under 13 (or the applicable age in your jurisdiction)
- If we learn that we have collected personal information from a child without appropriate consent, we will delete that information promptly
- Caregivers can request deletion of any data associated with their account at any time
If you believe a child has provided us with personal information without parental consent, please contact us at info@tinybridge.ai.
10. International Data Transfers
Your data may be processed in countries outside your own, including the United States, where our cloud infrastructure is hosted. We ensure appropriate safeguards are in place for international transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with all third-party service providers
- Encryption of data in transit and at rest
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you through the app or by email.
12. Contact Us
If you have questions or concerns about this Privacy Policy, or wish to exercise your data rights, contact us:
- Email: info@tinybridge.ai
For GDPR-related inquiries, see our GDPR Rights page for information about our data protection practices and how to file a complaint with a supervisory authority.