Privacy Policy

Last updated: January 30, 2026

Red-Green ("we", "us", "our") is a workplace mood tracking application. This policy explains what data we collect, how we use it, and the rights you have over it.

1. Data We Collect

Account information: When you register, we collect your email address and a securely hashed password. If you sign in with Google or Facebook, we receive the name and email associated with that account.

Vote data: Each day you may record a single binary vote (red or green) along with the date. No free-text, location, or other contextual data is collected.

Technical data: We collect minimal technical information required to operate the service, such as session tokens and device type.

2. How We Use Your Data

• To provide and maintain the service, including syncing your votes across devices
• To display your personal vote history and analytics to you
• To generate anonymised, aggregated reports for employers — individual votes are never identifiable
• To send transactional emails (account verification, password reset, data export)

We do not sell your personal data. We do not use your data for advertising.

3. Aggregated Analytics

Employers receive only aggregated statistics (e.g., "72% green days this week across the organisation"). Individual votes cannot be traced back to any employee. Aggregated reports are only generated when a minimum group size is met to prevent identification.

4. Data Storage & Security

• All data in transit is encrypted with TLS
• Passwords are hashed with Argon2id and a per-application pepper
• Authentication uses short-lived JWT access tokens with rotating refresh tokens
• Infrastructure is hosted on AWS in the United States

5. Your Rights (GDPR)

You have the right to:

• Access — View all data we hold about you directly in the app
• Export — Download a complete copy of your data at any time from Settings
• Rectification — Update your profile information in the app
• Deletion — Permanently delete your account and all associated data from Settings
• Withdraw consent — You may withdraw data processing consent at any time; your account will be deactivated and data deleted

Deletion requests are processed promptly. Once deleted, your data cannot be recovered.

6. Data Retention

We retain your data for as long as your account is active. If you delete your account, all personal data and vote history are permanently removed from our systems.

7. Third Parties

We use the following third-party services solely to operate the application:

• Amazon Web Services — Infrastructure hosting and email delivery (SES)
• Google / Facebook — Optional OAuth sign-in (only if you choose to use it)

We do not share your personal data with any other third parties.

8. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notice. Continued use of the service after changes constitutes acceptance of the updated policy.

9. Contact

If you have questions about this privacy policy or your data, contact us at [email protected].