Privacy Policy
tldl.fm · Effective: March 19, 2026
This Privacy Policy describes how tldl.fm ("we", "us", or "our") collects, uses, stores, and discloses your personal information when you use our Service. We are committed to handling your data transparently and in compliance with applicable privacy laws, including the General Data Protection Regulation (GDPR) for users in the European Economic Area, and applicable US state privacy laws.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller
Surf Not Work, PO Box 1680, San Luis Obispo, CA 93401, is the data controller responsible for your personal data. Contact: privacy@tldl.fm
If you are in the EEA and have concerns about our data practices that we have not addressed satisfactorily, you have the right to lodge a complaint with your local data protection authority.
2. Information We Collect
2.1 Information you provide directly
When you sign in with Google OAuth, we receive and store your name, email address, and Google profile picture. When you sign in with Apple, we receive your name and email address; Apple may provide a relay email address if you choose to hide your real email, which we will use for all Service communications. You may also provide a custom profile description (Pro users) used to personalize your summaries — for example, "I am a software engineer interested in AI and startups."
2.2 Information generated by your use of the Service
We collect the podcast RSS feed URLs and Apple Podcasts links you add to your account. We store your digest schedule preferences, custom summary section configurations (Pro), episode queue and dismiss actions, and other in-app settings you configure.
2.3 Information collected automatically
We collect standard server and application logs that may include your IP address, browser type, operating system, referring URLs, and pages visited. These logs are generated by our hosting provider (Vercel) and are retained for security and debugging purposes. We may use privacy-preserving analytics tools to understand aggregate usage patterns.
2.4 Payment information
If you subscribe to the Pro tier, your payment is processed by Stripe. We do not receive or store your full credit card number. Stripe provides us with a token, the last four digits of your card, the card type, and your billing status. Stripe's privacy policy is available at https://stripe.com/privacy.
3. How We Use Your Information
We use your personal information for the following purposes:
- To provide and operate the Service: creating your account, fetching podcast feeds, generating summaries, and delivering digest emails.
- To personalize summaries (Pro): your custom profile description is transmitted to our AI inference provider (Groq) to inform summary generation.
- To send transactional and digest emails via our email delivery provider (Resend).
- To process payments and manage your subscription via Stripe.
- To maintain security, debug issues, and prevent abuse.
- To comply with our legal obligations.
We do not sell your personal information. We do not use your personal information for third-party advertising.
4. Legal Bases for Processing (GDPR)
For users in the European Economic Area, we process your personal data under the following legal bases:
- Contract performance: processing necessary to provide the Service you have signed up for (account creation, digest delivery, subscription management).
- Legitimate interests: server logs and security monitoring, where our interest in maintaining a secure and functional service is not overridden by your rights.
- Consent: where we rely on consent, such as for optional analytics, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation: where processing is required to comply with applicable law.
5. Third-Party Data Processors
We share your data with the following third-party processors, each bound by appropriate data processing agreements:
- Supabase (supabase.com) — database and authentication infrastructure. Stores your account data, podcast subscriptions, preferences, and generated summaries. Data is stored in [SUPABASE REGION — e.g., US East].
- Groq (groq.com) — AI inference provider. Receives podcast episode metadata, show notes, and (for Pro users) your custom profile description to generate summaries. Review Groq's data processing terms at groq.com/privacy.
- Resend (resend.com) — email delivery. Receives your email address and digest content to deliver your scheduled emails. May collect email engagement data (opens, clicks) subject to Resend's privacy policy.
- Stripe (stripe.com) — payment processing. Receives billing information for Pro subscribers. Subject to Stripe's privacy policy at stripe.com/privacy.
- Vercel (vercel.com) — application hosting and infrastructure. Processes server requests and may log IP addresses in accordance with Vercel's privacy policy.
We do not share your data with any other third parties except as required by law or with your explicit consent.
6. Data Retention
We retain your account data and associated podcast subscriptions, preferences, and summaries for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g., billing records, which may be retained for up to 7 years for tax purposes) or where data has been anonymized for aggregate analytics.
Server logs are retained for up to 90 days. Email engagement data is retained as described in Resend's data retention policy.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate data.
- Erasure: request deletion of your personal data ("right to be forgotten").
- Portability: request your data in a structured, machine-readable format.
- Restriction: request that we limit processing of your data in certain circumstances.
- Objection: object to processing based on legitimate interests.
- Withdraw consent: where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at privacy@tldl.fm. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.
US state residents: if you are a California resident, you have additional rights under the CCPA/CPRA, including the right to know, delete, and opt out of sale (we do not sell data). If you are a Virginia, Colorado, Connecticut, or Texas resident, similar rights may apply under applicable state law.
8. Data Security
We implement industry-standard technical and organizational measures to protect your personal data, including encrypted data transmission (TLS), access controls, and regular security reviews of our service providers. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
If we become aware of a data breach that affects your rights and freedoms, we will notify you and applicable regulators as required by law.
9. International Data Transfers
Our service providers may process your data in countries outside your own. For EEA users, transfers to countries without an EU adequacy decision are made subject to appropriate safeguards, including Standard Contractual Clauses. Our primary service providers (Supabase, Vercel, Stripe, Resend, Groq) are US-based. Contact us for more information about the specific transfer mechanisms we use.
10. Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe we may have collected data from a child, contact us at privacy@tldl.fm.
11. Changes to This Policy
We may update this Privacy Policy periodically. For material changes, we will notify you by email at least 30 days before the change takes effect. The updated policy will be posted at tldl.fm/privacy with the revised effective date.
12. Contact
Privacy inquiries: privacy@tldl.fm
Physical address: PO Box 1680, San Luis Obispo, CA 93401