Privacy & Cookies Policy

LAST UPDATED: 16 APRIL 2026

1. Data controller

TOGETHER SOLUTIONS, S.L.

  • Tax ID (CIF): B-72792633
  • Registered address: Calle Los Juncos 11, 28223 Pozuelo de Alarcón (Madrid, Spain)
  • Contact email: help@together.day
  • Data Protection Officer: Not applicable (micro-company; Art. 37 GDPR).
  • Internal contacts: Walter Kobylanski (CEO) and Isabel Casero (COO).

2. Data processed, purposes, and legal bases

Data category Source Purpose Legal basis Retention
Account data (name, email, profile picture, authentication identifiers) Provided by the user at registration Create and manage your account; provide the Service Performance of contract (Art. 6.1.b GDPR) Duration of the account + 3 years after deletion
User-generated content (tasks, notes, lists, chat messages, calendar events created in-app) Created by the user within the App Provide and improve the Service; enable collaboration features Performance of contract (Art. 6.1.b GDPR) Duration of the account; deleted within 30 days of account deletion
Subscription and transaction data (subscription status, plan type, purchase date, renewal date, transaction identifiers) Apple App Store, Google Play Store, and RevenueCat Manage your subscription; grant access to paid features; billing support Performance of contract (Art. 6.1.b GDPR) Duration of the subscription + 5 years (Spanish tax and commercial law obligations)
AI interaction data (prompts sent to Chip and responses received) Generated when the user interacts with Chip Generate AI-assisted responses within the App Performance of contract (Art. 6.1.b GDPR) Processed in real time; not retained by Together beyond the session. Third-party AI providers may retain data according to their own policies (see Section 3)
Google Calendar data (events, titles, descriptions, schedules, reminders) Google account connected by the user Sync and display events inside the Together App Explicit consent granted via OAuth (Art. 6.1.a GDPR) Until the user revokes access or deletes their Together account
Traffic data and logs (IP address, device identifier, date, time, URL, HTTP headers) Automatic server and app logging Service security, maintenance, and debugging Legitimate interest (Art. 6.1.f GDPR) 12 months
Contact data (email and content provided by the user) Messages sent to help@together.day Responding to inquiries and support requests Consent / Pre-contractual measures (Art. 6.1.a/b GDPR) Up to 3 years from the last interaction
Browsing data collected via third-party analytics cookies User device (Website only) Produce anonymous statistics about Website usage Consent (Art. 6.1.a GDPR) See cookies table below

3. Recipients and processors

Data may be handled by the following providers under agreements compliant with Article 28 GDPR:

Provider / service Country Safeguard Purpose
AWS (Amazon Web Services) USA / EU Standard Contractual Clauses (SCC) Cloud hosting and infrastructure
Supabase USA SCC + DPA Database hosting and authentication
RevenueCat USA SCC + DPA Subscription management and purchase validation
Anthropic / OpenAI USA SCC + DPA AI model provider for Chip assistant
Expo (EAS) USA SCC App build and deployment services
Google Workspace EU (Ireland) Intra-group SCC Email and internal productivity
Mailchimp (Intuit) USA SCC + supplementary measures Email marketing (occasional)
Holded Spain EU processor agreement Internal accounting and management
Twilio / MessageBird USA / Netherlands SCC Communication services
Apple Inc. USA SCC App distribution and in-app purchase processing
Google LLC USA SCC App distribution, in-app purchase processing, and analytics

Regarding Google Calendar data

  • We do not share, sell, or disclose Google Calendar data to third parties for advertising or commercial purposes.
  • Access is strictly limited to the synchronisation purpose within the App.
  • The only recipients are our technology providers acting as processors (e.g., AWS, Supabase) under data protection agreements and Standard Contractual Clauses where required.

Regarding AI interaction data (Chip)

  • Data sent to Chip is transmitted to our third-party AI provider(s) solely to generate responses. We do not use your data to train AI models.
  • Our AI providers process data under contractual terms that prohibit use of your data for model training. Please note that providers may retain input/output data for a limited period for safety, abuse prevention, and debugging purposes, in accordance with their published data processing agreements.
  • We do not send personally identifiable information to AI providers beyond what you include in your prompts (e.g., content of your tasks and notes).

4. International transfers

Several of our processors are located in the United States. Transfers of personal data outside the EU/EEA are safeguarded through Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), supplemented where appropriate by additional technical and organisational measures in line with the EDPB’s recommendations.

5. Data subject rights

Under the GDPR and LOPDGDD 3/2018, you have the following rights:

  • Access — obtain confirmation of whether your personal data is being processed and, if so, receive a copy.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) — request deletion of your data when it is no longer necessary.
  • Restriction — request that processing be limited under certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdrawal of consent — withdraw consent at any time (without affecting the lawfulness of processing prior to withdrawal).
  • Automated decision-making — not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, email help@together.day with the subject line “Data protection” and provide proof of identity.

If you believe your request has not been handled correctly, you can lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).

6. AI transparency (Regulation (EU) 2024/1689)

In compliance with the EU AI Act, we inform you that the Together App includes an AI system — the Chip assistant — that interacts directly with users. When you use Chip, you are communicating with an artificial intelligence system, not a human.

Chip uses large language models provided by third-party providers (currently Anthropic and/or OpenAI). The AI processes data you provide within the App — such as tasks, notes, and calendar events — to generate personalised suggestions and responses. The AI does not make autonomous decisions that produce legal or similarly significant effects on you.

For more information about how Chip works and the limits of its outputs, please see Section 7 of our Terms of Service.

7. Security measures

Together applies access controls, in-transit encryption (HTTPS / TLS 1.2+), encryption at rest, regular backups, and periodic security reviews, proportionate to risk and in line with Article 32 GDPR.

8. Cookies policy

This section applies to the Website (together.day). The App does not use cookies.

Type Name Provider Purpose Duration Legal basis
Technical _cf_bm, etc. First-party / hosting Ensure operation and security Session Exempt (strictly necessary)
Analytics _ga, _gid Google Analytics Anonymous usage and performance metrics 1 day – 2 years Prior consent
Marketing _fbp Meta Pixel Measure ad campaign performance 90 days Prior consent

Consent management

  • On the first visit, users see a configurable banner where they can accept, reject, or customise analytics and marketing cookies.
  • We store the record of those choices for 24 months and will ask again if the policy changes or that period expires.

How to disable cookies in your browser

Every browser offers tools to block or delete cookies. Consult the help section of your browser (Chrome, Firefox, Edge, Safari) for instructions.

9. Data related to minors

The Service is not directed at children under the age of 14. We do not knowingly collect personal data from children under 14, in accordance with Article 7 of Spanish Organic Law 3/2018 (LOPDGDD). If we become aware that we have collected data from a child under 14 without parental consent, we will take steps to delete that data promptly.

10. Changes to this policy

We reserve the right to amend this Policy to reflect legal updates or changes in data processing. If a change materially affects how we process your data or requires renewed consent, we will notify you via the App or email and request your consent again where necessary.

11. Applicable regulations

This Privacy & Cookies Policy complies with:

  • Regulation (EU) 2016/679 (GDPR)
  • Organic Law 3/2018, of 5 December (LOPDGDD)
  • Law 34/2002, of 11 July (LSSI-CE)
  • Regulation (EU) 2022/2065 (Digital Services Act)
  • Regulation (EU) 2024/1689 (AI Act)