for email recipients

If you received an email from a Tomicc Watch user, that email may contain a tracking pixel — a 1×1 transparent image that loads from our servers when you open the email. This page explains what we collect, why, and what your rights are.

what we collect

  • Hashed IP address HMAC-SHA256 with a daily-rotated salt; we cannot reverse this to your raw IP after the salt rotates 24 hours later.
  • Country-level geolocation No city, no precise location.
  • Coarse user-agent class e.g., Apple Mail iOS, Gmail Web. The full User-Agent string is never stored.
  • Open timestamp

what we do not collect

Your name. Your email address contents. Your precise location. Your raw IP address. Any cookie identifier.

lawful basis (EU / UK)

If you appear to be located in the EU or UK, we automatically suppress tracking for emails sent to you. No pixel is loaded, no data is collected. This is enforced at the moment the sender composes their email, before the message leaves their browser.

For all other recipients, we rely on the legitimate interest of the sender in confirming delivery and read-receipt of their own correspondence (Article 6(1)(f) GDPR), balanced against your reasonable expectations.

retention

Per-event rows are retained for 90 days, after which they are aggregated and the per-event rows are hard-deleted. Hashed IPs become non-reversible 24 hours after collection.

your rights

  • Opt out permanently across all senders.
  • Set DNT: 1 or Sec-GPC: 1 in your browser. We honor both as automatic opt-out.
  • Email privacy@tomicc.me for access, deletion, or objection. We respond within 30 days.

see also

What Watch can and can’t see — the literal table of every classification we produce, why it’s labeled the way it is, and what we filter out.

This notice is the public expression of the policy. The internal source of truth is docs/recipient-privacy.md in the Tomicc repo. Last updated April 2026.