You wrote a contract with yourself. The reason you wrote is the most sensitive thing in here. We treat it that way.
This page tells you, in plain language, what we collect and why, where it goes, how long we keep it, and how to get rid of it. If you want the legal hooks — lawful basis, sub-processors, retention windows, your statutory rights — they’re all in here too. We tried to write it the way we’d want to read it.
At a glance
- We collect the contracts you write, the slips you log, and the email you sign in with. Nothing else about you.
- We never sell, share, or train models on your data. Not even “anonymized aggregate.” Not for our product. Not for anyone else.
- We never email or notify the witness you name. The witness field exists so you read their name at the moment of decision — that’s it.
- Payments are handled by Paddle as Merchant of Record. We don’t see or store card numbers.
- Your database row lives on Supabase in AWS us-east-1, covered by the DPF and Standard Contractual Clauses.
- Delete your account anytime by emailing us; once the in-product dashboard ships, you’ll be able to do it in one click. After a 30-day grace window where you can change your mind, everything is gone except a financial record of paid slips that EU and UK accounting law obliges us to keep for 7 years — and even that record is anonymized.
Who’s responsible
Commitmentor is operated by Or Iscovici (sole proprietor), based in Israel. We’re the data controller for everything described here.
For correspondence and statutory requests, the primary channel is [email protected] — email is the fastest route and what we recommend. If you need a postal address (e.g. for a formal legal notice that requires paper service), we’ll provide one in our acknowledgement reply. We don’t publish a personal residential address; the postal contact we provide is either a business mailbox we maintain for that purpose or, for EU and UK residents, the statutory representative listed below.
There is no formal Data Protection Officer; the company is below the GDPR thresholds that require one. Privacy questions go to the email above and are handled by Ori personally.
Where to reach us by region
Depending on where you live, your data-protection rights are backed by different authorities. We try to point you at the right one and to maintain proper statutory representation where the law requires it.
European Union / EEA. Under Art. 27 GDPR, we designate an EU representative to handle statutory matters for EU residents. To be named before public launch. Once designated, their legal name and EU postal address will appear here and on our acknowledgement replies. The lead supervisory authority for EU residents is the data-protection authority of your member state of residence; you may lodge a complaint there directly without going through us.
United Kingdom. We designate a UK representative under UK GDPR Art. 27 for UK residents. To be named before public launch (the same provider commonly serves both EU and UK roles). The supervisory authority is the Information Commissioner’s Office (ICO).
California, USA. The supervisory authority is the California Privacy Protection Agency and the California Attorney General. CCPA-specific commitments are in the California section below.
Israel. The supervisory authority is the Israeli Privacy Protection Authority.
Elsewhere. If your jurisdiction has a data protection authority and we’re processing your data, you can lodge with them. We’ll cooperate with any formally constituted authority that contacts us about a specific user’s data.
What we collect
This is the complete list. If we ever add anything, the change will appear in updates below before any new collection starts.
Your email. Used for magic-link sign-in and to email you about your account. Lawful basis: contract (Art. 6(1)(b)).
Your contracts. The hostname pattern, the reason in your own words, the charge amount, and an optional witness name. The reason text is the most sensitive item in the database — we treat it as such. Lawful basis: contract.
Your slip log (intercepts). When the intercept fires, we record which contract triggered, the hostname that actually matched, your decision (kept or continued), the time, and a snapshot of the contract terms that were in effect at that moment. The snapshot exists so the charge record is honest even if you later edit the contract. Lawful basis: contract.
Your charge events. When you continue past an intercept and a real payment fires, we record an immutable log of the charge’s lifecycle — initiated, pending, paid, failed, disputed, refunded — plus Paddle’s reference. This is the audit trail; it’s also what accounting law requires us to keep. Lawful basis: legal obligation (Art. 6(1)(c)).
Your timezone offset. A technical IANA timezone (e.g. Europe/Berlin) so streaks reset at your midnight, not ours. Not a location. Lawful basis: contract.
Your streak counter. Kept vs. slipped totals plus when the streak began. Derivable from your intercepts; cached for the UI. Lawful basis: contract.
Account deletion timestamp. When you request account deletion, we stamp deletion_requested_at and freeze the account for 30 days so you can change your mind. Lawful basis: legal obligation (right to erasure under Art. 17).
Operational logs. Web server access logs (for security and debugging) and Content Security Policy violation reports (for the marketing site). Both rotate on a 7-day window. Never tied to your account; we don’t query them for product purposes. Lawful basis: legitimate interest (Art. 6(1)(f)) for site security.
Encrypted database backups. Supabase keeps point-in-time recovery snapshots for 7 days. Lawful basis: legitimate interest in disaster recovery.
What we don’t collect
We don’t use device fingerprinting (no canvas, font, WebGL, AudioContext probing). The extension sees every site you visit because it has to, but it only records the hosts you’ve configured a contract for. The rest passes through.
We don’t track your behavior inside the product session-by-session. No session recording. No per-user time-on-field analytics. No funnel tracking tied to your identity. No persistent A/B experiment buckets.
We don’t collect demographics beyond the timezone above. No age, gender, income, profession, or location. We don’t log your IP address as a product signal; web servers necessarily see request IPs at the edge for fraud detection, and those logs rotate out within 7 days.
We don’t load third-party SDKs into the extension. No Sentry, no PostHog, no analytics-of-any-shape. The extension has visibility into every tab you open; putting third-party JavaScript in that context is a non-starter regardless of any vendor’s privacy claims.
We don’t train machine-learning models on your data. Not your reasons, not your patterns, not your charge behavior. Not for us. Not for anyone else.
We don’t serve advertising. There are no retargeting pixels on the marketing site; the Content Security Policy enforces this technically.
Where it lives
Your contracts and slip log live in Supabase (us-east-1, AWS). Data transferred to the US is covered by the EU–US Data Privacy Framework and Standard Contractual Clauses. The marketing site origin runs on a Hetzner VPS in the EU.
These are the third parties (sub-processors) that touch account data in some capacity. Each is engaged for the listed purpose only; we don’t feed them anything else.
- Supabase (us-east-1) — Postgres database, authentication, Realtime sync. Holds everything listed under What we collect.
- Resend (us-east-1) — outbound email (magic-link sign-in, account notifications). Sees recipient addresses and message bodies in transit. 30-day default retention at Resend.
- Paddle (UK) — Merchant of Record for payments. Sees card details (we never do), charge amount, and the customer email tied to the charge. Their retention is governed by their MoR agreement; account deletion propagates to Paddle on request via their API.
- Cloudflare — DNS, TLS termination on the marketing site, and inbound email routing to our Gmail. Sees request metadata at the edge; doesn’t persist inbound mail beyond delivery.
- Hetzner (EU) — marketing site origin server. Standard nginx access logs, 7-day rotation.
- GitHub — source code, CI runners. We deliberately never put user data into the repo or into CI.
- Plausible — anonymous, cookieless marketing analytics for this site only. Not currently active. When we turn it on, this page will say so and the event list will be in this section.
Adding a new processor requires us to update this page first. We won’t add one quietly.
How long we keep it
- Active contracts: while you have an account.
- Archived contracts (after you remove one): kept for your reflection until you hard-delete the account.
- Intercepts where you kept the contract or continued without a paid charge: while you have an account.
- Intercepts where you continued and paid: 7 years from the charge date, per EU and UK accounting law (Directive 2013/34/EU and national implementations). After the 7-year window, hard-deleted automatically.
- Streak counter, timezone: while you have an account.
- Web server access logs, CSP reports: 7-day rotation.
- Database backups: 7 days (Supabase point-in-time recovery).
When you delete your account and the 30-day grace window passes, the only surviving record is the paid-intercept accounting tail above — and that tail is anonymized. We sever the Paddle reference, blank out the reason and hostname, and detach the user id. What’s left is a standalone financial fact (date, amount, decision) with no way back to you.
About witnesses
The witness field is for you. You read the name at the intercept moment so the cost of continuing feels social, not just monetary. That’s the whole purpose.
We never email the witness. We never notify them, message them, or contact them in any way. We don’t store an email or phone number for them. Only the name string.
You’re responsible for the relationship and the disclosure. If you write down a person’s name, you should make sure they know — or that you’d be comfortable if they found out. We don’t verify this, but the terms of service require it.
If a future feature introduces actual witness notifications, that will appear in the updates section before it ships, and it will require explicit consent from both you and the witness.
If someone you named contacts us directly to invoke their rights, we generally cannot identify the row from the name alone — there’s no index on witness names. We document the request and respond accordingly. This is the correct posture for processing that’s strictly minimal, display-only, and never communicated outward.
Your rights
Under GDPR and equivalent laws elsewhere, you have the rights below. Our response targets:
- Acknowledgement: within 24 hours that we received your request and what we’re going to do.
- Fulfillment: within 7 calendar days for the standard requests (access, export, deletion, rectification). Most are scripted on our side and take minutes — the wait is queue time, not work time.
- Legal maximum: one month under Art. 12(3). We don’t treat this as our target; it’s a ceiling for unusually complex cases (rare for a product of our shape).
Right to access (Art. 15) and portability (Art. 20). Email [email protected] and we’ll send you a JSON export of everything we have on you. Today this runs from a one-command script on our side; when the in-product dashboard lands (Phase 6 of our roadmap), it becomes a one-click export you trigger yourself.
Right to erasure (Art. 17). Once the in-product account screen ships, delete it from there. Until then, email [email protected] and we’ll start the process. Your account locks immediately. After a 30-day grace window — during which you can change your mind — everything is hard-deleted except the anonymized paid-intercept tail described above. To restore during the grace window, email [email protected]; we’ll re-open the account within 24 hours.
Right to rectification (Art. 16). Edit your contracts directly in the popup or the web dashboard. For other fields (your email on record, system-recorded hostnames in intercepts), email [email protected].
Right to restriction (Art. 18) and right to object (Art. 21). Both via [email protected]. For processing we do on legitimate-interest grounds (security logs, CSP reports), you can object with documented reasons and we’ll honor it where lawful.
Right to charge-history access during deletion grace. Once your account is in the 30-day grace window you can’t log in. To get a copy of your charge history during that window, email [email protected] and we’ll send it within 24 hours.
Right to lodge a complaint. If you think we’ve mishandled your data, you can complain to a data protection authority. We’d rather you wrote to us first, but you don’t have to. See the regional contacts section for the right authority in your jurisdiction.
California (CCPA)
California residents have rights under the California Consumer Privacy Act and California Privacy Rights Act. In our case:
We do not sell your personal information. We’ve never sold it, we don’t plan to. The monetization model is subscription + slip charges — not data.
We do not share your personal information for cross-context behavioral advertising. No retargeting, no ad networks, no audience syndication.
Right to know what we’ve collected about you and the right to delete it: same path as the GDPR rights above — email [email protected].
18+ only
Commitmentor is for adults. You confirm you’re 18 or older when you sign up. There are two reasons for this:
- Paddle’s terms of service require the payer to be 18+.
- Self-binding contracts with real money are an adult choice. Asking minors to commit money on their habits is not the business we want.
We don’t collect a birthdate; the confirmation is by attestation at signup. If we learn we’ve collected data from a user under 18, we’ll delete the account.
Law enforcement
We comply with valid legal process within the jurisdictions where we operate. We’ll notify you about any request for your data unless we’re legally prohibited from doing so. We push back on overbroad requests and require proper jurisdiction and scope.
The product processes self-binding contracts about habits you chose to write down. We don’t maintain “framing data” on illegal activity because there isn’t any such data structure in the system. There’s no realistic scenario where our data interests law enforcement.
Security
Database content is encrypted at rest (AES-256, managed by Supabase). All connections to our infrastructure use TLS in transit. The marketing site enforces HSTS with two-year preload. The extension reads its session from cookies set by the web app under sandbox; nothing is stored in chrome.storage that isn’t also on Supabase.
We don’t use end-to-end encryption with user-held keys today. The encryption above is server-managed. If we ever serve sectors that need user-held keys (health, regulated finance), we’ll revisit and announce it before onboarding those users.
Contact
For anything privacy-related: write to [email protected]. For account recovery during the deletion grace window: [email protected]. For payment questions: [email protected]. General questions get a reply within a few days. Formal statutory requests follow the targets in Your rights above — 24-hour acknowledgement, 7-day fulfillment.
Updates
We’ll re-date this page every time it changes. Anything material gets sent by email to everyone with an account before it takes effect.
7 June 2026. Corrected the operator’s legal name (Or Iscovici) in the controller section to match registration records.
20 May 2026. Full rewrite to align with the data-minimization architecture (ADR-0009). Changes against the previous version:
- Payments processor corrected from Stripe to Paddle (Merchant of Record).
- Witness handling clarified: we store only the name and never contact the witness. The previous version described introduction and notification emails that aren’t part of the product.
- Data residency clarified: us-east-1 under DPF and SCCs (the previous version said “EU”).
- Removed “we’d shut down before responding to law enforcement” language. Replaced with the standard posture: comply with valid process, notify you when legally permitted, push back on overbroad scope, never built “framing data” in the first place.
- Added the lawful-basis tag for each category of processing, sub-processor list, retention windows by category, complete GDPR rights list with response paths, California (CCPA) section, 18+ minimum.
- Added “Where to reach us by region” section with supervisory authorities for EU, UK, California, and Israel. EU and UK statutory representative designations under Art. 27 are pre-launch action items; their names and addresses will appear here once designated.
- Calibrated response targets: 24-hour acknowledgement, 7-day fulfillment for standard requests (replacing the previous “legally required windows” framing). The legal one-month maximum under Art. 12(3) remains as a ceiling for unusually complex cases only.
- Clarified postal-address posture: we don’t publish a residential address; for paper service we provide a business mailbox or the relevant statutory representative in the acknowledgement reply.
17 May 2026. Added the “Witness contacts” section. (Superseded by the rewrite above.)
16 May 2026. Initial publication alongside the public beta.