Privacy Policy — TisreoCare

Effective date: October 22, 2025

1.1) Who we are & scope

TisreoCare (“TisreoCare”, “we”, “us”) provides educational content on everyday wellbeing and care. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit our sites, subscribe to newsletters, comment, or contact us (the “Services”).

Controller: Tisreocare.com. Contact: contact@tisreocare.com.


1.2) What we collect (by category)

A. Identifiers & contact

  • Name, email, country/region; account credentials (hashed), support messages.
    Source: you (forms, newsletter signup), or—if you are mentioned in UGC—other users.

B. Device & usage

  • IP address (truncated where feasible), user agent, pages viewed, referrer/UTM, approximate geolocation from IP, cookie IDs/consent state.

C. Community/UGC

  • Comments, likes, replies, timestamps, and moderation metadata.

D. Preference & accessibility

  • Language, text-size preference, dark mode, motion-reduction, cookie choices.

E. Wellbeing context you choose to share

  • Self-described routines/constraints related to our content areas (e.g., heat comfort, sleep set-ups, mobility routes, budgeting, caregiving reflections).
    We do not request medical records and our Services are not HIPAA-covered entities. If you choose to post health-related details in comments, you are responsible for that disclosure; we process such data only with your consent and for the specific purpose (publish/display/moderate).

Children: Our Services are not directed to children under 13 (COPPA). We do not knowingly collect their data. EU/UK users under 16 should only use the Services with parental consent; in Québec, we do not collect personal information from minors under 14 without parental authorization (or unless clearly for the minor’s benefit).


1.3) Purposes & legal bases (GDPR/UK-GDPR)

Purpose | Examples | Legal basis
Provide Services | Load pages, remember preferences, deliver newsletters | Contract (Art 6(1)(b)) / Legitimate interests (site operation)
Community & moderation | Host comments, detect spam/abuse, handle reports | Legitimate interests (safety & integrity)
Communications | Respond to contact requests; product/feature notices | Legitimate interests; Consent where required
Analytics & performance | Page engagement, errors, performance metrics | Consent for non-essential cookies; Legitimate interests for strictly necessary measurement
Compliance & security | Logs, fraud prevention, legal requests | Legal obligation; Legitimate interests
Optional wellbeing inputs | If you post/share wellbeing context | Consent (you can withdraw any time)

We provide all disclosures required by GDPR Arts. 13–14 at or before collection.


1.4) Cookies, tracking & your choices

  • We use a consent banner for non-essential cookies in the EEA/UK, in line with the ePrivacy Directive. You can accept, reject, or granularly choose categories at any time from the “Cookie Settings” link in our footer.
  • We honor Global Privacy Control (GPC) signals as a valid “Do Not Sell or Share” request for California users. Look for the “Do Not Sell/Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links in our footer.

Cookie/tech categories & default retention

  • Strictly necessary (session security, consent state): session to 12 months.
  • Functional & accessibility (text size, motion, theme): up to 12 months.
  • Analytics (page views, referrer): 13–26 months (aggregated where feasible).
  • UGC protection (anti-spam, abuse): up to 24 months.

1.5) “Sell” / “Share” disclosures (California)

We do not sell personal information and do not “share” it for cross-context behavioral advertising as defined by the CPRA. If this ever changes, we will: (a) update this policy, (b) provide opt-out/GPC enforcement, and (c) present a clear “Do Not Sell or Share” link. California consumers also have the right to limit the use/disclosure of sensitive personal information. 


1.6) Regional rights & how to exercise them

EU/UK (GDPR/UK-GDPR) – access, rectification, erasure, restriction, portability, objection, and rights related to automated decisions; we respond within 1 month (extendable by 2 for complexity).

California (CCPA/CPRA) – know/access, correct, delete, opt-out of sale/sharing, limit sensitive PI use, non-discrimination; we generally respond within 45 days (extendable once by 45).

Québec (Law 25) – access, rectification, data portability, and confidentiality-incident notices; we respond within 30 days. Minors <14 require parental consent to collect personal information.

India (DPDP Act) – right to information access, correction/erasure, grievance redressal, and nomination; rights flow through our grievance process described below. (Note: nationwide enforcement depends on Government notification of rules.) 

Submit a request: email contact@tisreocare.com with the subject “Privacy Request”. We may verify identity (e.g., email confirmation or minimal metadata match). Agents may act on your behalf where permitted by law.


1.7) International transfers

We operate from India and use service providers in multiple regions. When transferring EEA/UK personal data outside your region, we rely on:

  • EU-US Data Privacy Framework where a US recipient is certified; otherwise EU Standard Contractual Clauses (2021/914) with supplementary measures.
  • UK: IDTA or the UK Addendum to the EU SCCs.

1.8) Retention (specific schedule)

We keep data only as long as needed for the stated purposes or as required by law:

Data | Typical retention
Account basics (name, email) | Lifetime of account + 24 months
Support & contact threads | 24 months after last interaction
Newsletter lists & consent logs | Until you unsubscribe + 24 months (consent logs 5 years for audit)
UGC (comments) | While published; moderation logs 24 months
Security & application logs | 12–18 months
Analytics events | 13–26 months (aggregated thereafter)
Rights-request records | 24 months from closure (or longer if required by law)

1.9) Sharing with service providers (processors)

We use trusted vendors for: hosting/CDN, email delivery/newsletters, analytics/performance, anti-spam/abuse, consent management, and customer support. We require contracts with confidentiality, purpose limitation, security, deletion on termination, and breach-notification terms. (Québec requires specific protective clauses for mandates; we follow those where applicable.) 

We do not disclose your personal data to third parties for their independent marketing.


1.10) Security

We apply layered controls: TLS 1.2+ in transit; encryption at rest via our cloud providers; least-privilege access; MFA for admin panels; regular patching; content-security policies; and periodic risk assessments. No system is 100% secure.

Breach response: We investigate, mitigate, and notify as required—e.g., GDPR/UK-GDPR 72-hour authority notification (where risk to rights/freedoms), and Québec confidentiality incident notices to the CAI and affected individuals where “risk of serious injury.” 


1.11) Automated decision-making (ADM)

We do not make decisions with legal or similarly significant effects based solely on automated processing. If that changes, we will describe the logic, significance, and consequences and provide applicable opt-out/appeal rights.


1.12) Grievances & appeals (India DPDP; EU/UK; CA/QC)

  • India (DPDP): You may use our grievance channel first; then escalate to the Data Protection Board once operational under the Act.
  • EU/UK: You may lodge a complaint with your supervisory authority (e.g., ICO in the UK or your EU DPA).
  • Québec/Canada: You may contact the Commission d’accès à l’information (CAI).

1.13) Accessibility & language

We aim for WCAG 2.2 AA. If you need this policy in an accessible format or a different language, write to contact@tisreocare.com.


1.14) Changes

We’ll post updates here with a new Effective date and note material changes in-product (e.g., banner/email) where legally required.


1.15) Contact


Annex A — CPRA signals, links & timelines (California)

  • We recognize GPC signals. You can also use footer links: “Do Not Sell/Share My Personal Information” and “Limit the Use of My Sensitive Personal Information.” We respond to requests generally within 45 days (one 45-day extension permitted).

Annex B — Legal references (for transparency)

2. DO NOT SELL OR SHARE MY PERSONAL INFORMATION (California)

Effective date: October 22, 2025

Under the California Consumer Privacy Act as amended by the CPRA, California residents can opt out of the sale or sharing of personal information for cross‑context behavioral advertising.

2.1 Our current status

  • We do not sell personal information.
  • We do not share personal information for cross‑context behavioral advertising by default. If this changes, we will update this page and request your consent.

2.2 Opt‑out options

  • One‑click browser signal: If your browser sends the Global Privacy Control (GPC) signal, we treat it as a valid opt‑out for this browser.
  • Cookie Settings: Use the Cookie Settings link in the footer and switch off the Advertising/Personalization category. This places an opt‑out cookie on your browser.
  • Form request: If you believe we have shared your data in another way, submit a request to contact@tisreocare.com with subject “CPRA Opt‑Out”. Include your name, email, and the nature of your request. Authorized agents may act on your behalf with written permission.

We will honor verified opt‑outs within legally required timelines (typically within 15 business days for sale/share).

2.3 What the opt‑out covers

  • Advertising/retargeting cookies and similar tracking for cross‑context behavioral ads.
  • Disclosure of identifiers to third parties for their advertising purposes.

2.4 What the opt‑out does not cover

  • Essential operations (security, fraud prevention, service delivery, measurement strictly necessary to run the site).
  • First‑party analytics that are de‑identified/aggregated or strictly necessary.

2.5 Proof & verification

To protect your privacy, we may verify requests by confirming access to your email or by matching limited account metadata. We maintain an auditable log of your opt‑out status.

2.6 Appeals & questions

If we deny your request, you may appeal by replying to our decision email with “Appeal – CPRA” in the subject.


3) LIMIT THE USE AND DISCLOSURE OF MY SENSITIVE PERSONAL INFORMATION (California)

Effective date: October 22, 2025

California residents may direct us to limit the use and disclosure of sensitive personal information (SPI) to what is necessary to perform the services you requested.

3.1 How TisreoCare treats SPI

We do not seek SPI (e.g., precise geolocation, government IDs, financial account numbers, union membership, genetic/biometric data). If you voluntarily disclose health‑related details in comments or community spaces, we process that content only to host, display, moderate, and secure the Services. We do not use SPI to build profiles for advertising.

3.2 Submit a “Limit SPI” request

Email contact@tisreocare.com with subject “Limit SPI”. We will:

  • restrict use and disclosure of your SPI to the minimum necessary to provide the requested Services;
  • turn off any non‑essential processing tied to SPI; and
  • confirm completion within required timelines.

You may also delete your comments containing SPI or ask us to remove them.

3.3 Verification and scope

We may verify identity via email confirmation. Requests do not require account creation and will not result in discriminatory treatment.