Privacy Policy
Last updated: June 23, 2026
This policy explains how Tomorrow Wall ("we", "us") processes personal data when you visit tomorrowwall.com, create an account or buy a tile. It is written to comply with the EU General Data Protection Regulation (GDPR) and is maintained by us — feel free to reach out at info@tomorrowwall.com with any question.
1. Data controller
Tomorrow Wall is the controller of your personal data. Contact for any privacy request, including access, rectification, deletion, restriction, portability or objection: info@tomorrowwall.com.
2. What we collect and why
- Account data — email address, username and display name. Used to identify you and let you sign in. Legal basis: performance of contract (Art. 6(1)(b) GDPR).
- Tile content — the text, image, link, color and message you publish on a tile. Visible to all visitors by design. Legal basis: performance of contract.
- Payment data — handled directly by Stripe. We only receive a Stripe customer ID, the amount, the currency and a session ID. We never see or store card numbers. Legal basis: performance of contract and legal obligation (accounting).
- Authentication metadata — sign-in timestamps, IP address at sign-in, OAuth provider (when you use Google). Legal basis: legitimate interest in keeping the service secure (Art. 6(1)(f) GDPR).
- Email delivery logs — minimal records of transactional emails we send to you (confirmation of purchase, password reset) so we can troubleshoot deliverability. Legal basis: legitimate interest.
- Cookies and similar storage — see our Cookie Policy. Non-essential cookies are only set after you give consent via the cookie banner.
3. Who we share data with (processors)
We use a small number of trusted processors to operate the site:
- Lovable Cloud — hosting, database, authentication and file storage (EU region where available).
- Stripe — payment processing.
- Mailgun (via Lovable Email) — sending transactional emails.
- Google — only if you choose "Continue with Google" to sign in.
Each of these processors is bound by a data-processing agreement and is permitted to process your data only on our instructions. We never sell your data and we do not use it for advertising.
4. International transfers
Some of our processors (notably Stripe and Google) may transfer data outside the European Economic Area. When they do, the transfer is covered by the European Commission's Standard Contractual Clauses or an adequacy decision.
5. How long we keep your data
- Account and profile data: until you delete your account.
- Tile content: until you delete the tile or the account that owns it.
- Authentication and email logs: up to 12 months for security and deliverability.
- Stripe payment records: retained by Stripe under their own retention schedule and applicable accounting law.
When you delete your account from your profile page, we immediately remove your profile, your role assignments and your authentication record, and we release every tile you owned back to the wall. No refunds are issued for previously purchased tiles.
6. Your rights under the GDPR
If you are in the EEA, the UK or Switzerland, you have the following rights:
- Access — get a copy of the data we hold on you. You can download it yourself from your profile.
- Rectification — correct inaccurate data by editing your profile or contacting us.
- Erasure ("right to be forgotten") — delete your account from your profile page, or email us.
- Restriction and objection — ask us to stop or limit certain processing.
- Portability — export your data in a machine-readable JSON format from your profile.
- Withdraw consent — change your cookie choices any time via the "Manage cookie preferences" button.
- Lodge a complaint — with the data protection authority of your country (in Belgium: the Gegevensbeschermingsautoriteit / Autorité de protection des données, dataprotectionauthority.be).
7. Security
Data is transmitted over HTTPS and stored on infrastructure with row-level access control. Passwords are hashed; we never see them in clear text. Access to administrative tools is restricted and audited.
8. Children
Tomorrow Wall is not directed at children under 16. If you believe a child has created an account, contact us and we will delete it.
9. Changes to this policy
We may update this policy from time to time. Material changes will be announced on the site or by email. The "Last updated" date above always reflects the current version.
10. Contact
For any privacy-related question or to exercise your rights, email us at info@tomorrowwall.com. We respond within 30 days.