Privacy Policy
Effective 2026-06-09
This Privacy Policy explains what What Deficit? (“the app,” “we”) collects, why, how your AI companion improves over time, and how to control or delete your data.
Where we’re available. What Deficit? is currently available to users in the United States only. We block signup from non-US IP addresses and limit our service to US residents until we’ve completed the per-region compliance work needed elsewhere. If we expand to your country, we’ll update this Privacy Policy and the geographic gate at the same time.
1. What we collect
- Account. Your email, used to send sign-in codes and account-related notifications.
- Where you live (Washington question). At signup we ask one yes/no question: whether you reside in Washington State. We rely on your answer in good faith — we don’t verify it. We use it only to honor Washington’s health-data law (see Section 6): if you answer yes, your data is excluded from the product-improvement uses described in Sections 5 and 6, while you keep full use of the app.
- Tasks & preferences. The tasks you write, their quadrants, due dates, focus-timer settings, theme, and similar app state.
- AI conversation. Messages you send to your AI companion (default name “Penny”) and her replies, so you can scroll back through the conversation. We also store a private memory document Penny maintains about you to personalize her replies to you.
- How you use the app (usage signals). We record what happens as you use the app — for example, which quadrant Penny suggested for a task versus where you put it, whether you accepted or edited her suggestion, and whether a task got completed. These signals are structural, not the words of your conversations (no message text, no task wording). We use them to make Penny’s suggestions smarter, as described in Section 5. We don’t use third-party analytics or trackers.
- Your conversations, if you opt in (Section 6). Improving how Penny actually talks — her phrasing and how she handles a messy brain-dump — requires learning from real conversations. We only ever use your conversation content for that if you explicitly turn it on. It’s off until you say yes.
- Payment info (if you subscribe). Handled by Stripe — we don’t store your card number; we store a Stripe customer ID, subscription status, and billing email.
2. What we don’t collect
- Diagnostic claims or treatment plans. We assume our users have ADHD; we don’t ask you to confirm a diagnosis or provide a treatment plan. Penny is configured to refuse medical, psychiatric, or pharmaceutical advice and to point you to your doctor. If you choose to discuss your medications, diagnoses, or therapy with Penny, that content lives in your chat history (which you can delete at any time) and is never used to improve the app unless you’ve opted in under Section 6 — and even then it’s scrubbed at the boundary.
- Third-party tracking. No Google Analytics, Meta Pixel, Mixpanel, Segment, PostHog, or similar.
- Precise location, contacts, microphone, camera. The app doesn’t request these. (We do read the country your connection comes from, via your IP address, at signup to enforce US-only availability — we don’t store precise location or keep your IP linked to your account after that check.)
3. How we use it
- To run the app you signed up for — show your tasks, power your conversations with Penny, run focus timers, and personalize Penny’s replies to you from your own history.
- To send transactional email (sign-in codes, billing receipts, account-deletion confirmation, and reminders such as when a free trial of Plus is ending).
- To improve the app and Penny’s suggestions, as described in Section 5 (from structural usage signals) and Section 6 (from your conversations, only if you opt in).
- We never sell or share your personal information, and we never use a per-user profile of you for advertising.
Lawful basis. We process your data to provide the service you signed up for, which includes personalizing Penny to you and the structural-usage improvement in Section 5 (a standard, disclosed business purpose). We rely on your consent for using your conversation content to improve Penny (Section 6) and for any health-related content you choose to share.
4. Your AI companion & your content
Depending on capacity, Penny may run on our own self-hosted AI model (on infrastructure we control) or on Anthropic’s Claude API. Either way, your conversations are not used to train anyone’s model: under its commercial terms (see Anthropic Commercial Terms), Anthropic doesn’t train its models on content sent through its API, and our own model is only ever fine-tuned on data you’ve opted in to share under Section 6. When Anthropic processes a message, it retains the message for up to 30 days for abuse-monitoring only, then deletes it, and doesn’t link it to your identity beyond what abuse review requires.
Penny’s personality is human-curated. Penny’s persona — her tone, how she names herself, the topics she stays away from — is written and maintained by a human on our team. None of the improvement processes in Sections 5 and 6 can automatically change Penny’s personality; observations there go to a manual review queue a human decides on.
5. How the app improves from usage (everyone)
Like nearly every app, we learn from how the product is actually used so we can make it better — here, mostly so Penny’s suggestions (where a task belongs, when to nudge you, what to schedule) get sharper over time. This uses the structural usage signals in Section 1 — never the words of your conversations or the wording of your tasks. To keep this firmly on the safe side of the line:
- It’s content-free. Only structure and outcomes (e.g. “suggested Q2, user moved to Q1, task completed”) — no message text, no task text.
- It’s only used as grouped aggregates. Improvements are derived from patterns combined across a minimum number of users — below that group size nothing is used — never from a profile of you individually.
- We never sell or share it.
- Washington residents are excluded from this use (and from Section 6), out of respect for Washington’s health-data law.
- It honors deletion. The detailed records behind it are deleted when you delete your account; see Section 9 for how this applies to improvements already learned.
This is a disclosed business purpose and doesn’t require opt-in. If you’d rather Penny only ever improve from made-up practice scenarios we write ourselves (which involve no user data at all), tell us at [email protected] and we’ll exclude you from this use too.
6. Learning from your conversations (opt-in only)
Making Penny a better conversationalist — better phrasing, better at understanding a real ADHD brain-dump — can only come from real conversations. We only use your conversation content for this if you turn it on. It is off by default. You decide at signup and can change it any time in Settings → Help us improve What Deficit?. There are three settings:
- Off (the default). Your conversations are never used.
- Just Penny’s personality. Your scrubbed conversations are used only to improve how Penny understands and phrases things.
- On (all signals). That, plus broader product-friction and feature analysis.
The two “on” settings both use your scrubbed conversations; only the scope of the analysis differs. When either is on, here’s exactly what happens:
- Scrubbing happens at the boundary. Before any conversation is used, it passes through a three-tier personal-information scrubber. Tier 1 is a deterministic pattern layer (medications, diagnoses, names, emails, phones, addresses, dates of birth, ZIP codes, dollar amounts, dose phrases). Tier 2 is a second-pass AI review (Anthropic Claude Haiku) that catches subtler personal information. Tier 3 is a structural backstop that rejects anything with residual high-entropy tokens, URLs, IPs, or phone-shaped numbers. Content that fails any tier is discarded, not used.
- Identifiers are one-way hashed; the data is pseudonymized, not anonymous. The user identifier on every retained item is a one-way HMAC keyed by a salt held in AWS Secrets Manager, separate from the main database. We describe this as pseudonymized rather than “anonymous” because we’re honest that re-identification is not provably impossible — so we treat this data carefully, never sell or share it, and delete it on request.
- Where it’s processed. The scrubbing and analysis run as a batch process on infrastructure we control; the scrubbed content is processed by Anthropic (Claude Haiku for the Tier-2 scrub, and a larger Claude model to group similar patterns) and by Voyage AI (to turn scrubbed text into numeric vectors for similarity grouping). We don’t authorize these providers to use your content to train their own models.
- What it’s used for. Improving Penny (including how she understands and phrases things), spotting product friction and bugs, and surfacing feature ideas. We may use the scrubbed, pseudonymized conversations to fine-tune our own AI model on our own hardware.
- What it can never do on its own. Nothing in this pipeline can automatically change the app, Penny’s personality, the security configuration, your subscription, or any user’s data. It only produces suggestions a human ships through our normal review-and-release process.
- Washington residents are excluded. If you told us at signup that you live in Washington — or didn’t tell us either way — your conversations are not used here, in keeping with Washington’s health-data law.
- Turning it off purges. Switch it back off and a database trigger deletes every scrubbed item tied to your account in the same step — no “30-day grace.” One narrow exception: the redaction patterns our scrubber keeps so it knows what to strip (for example, a nickname it learned to redact) are retained — they exist only to remove your details from data, and contain a pattern, not your conversations. Note that any general improvements our model already learned while it was on can’t be individually un-learned, but they contain no identifying content (see Section 9).
- Rights-request SLA. Email [email protected] about this data and we acknowledge within 14 days and complete within 30.
7. Retention
- Account, tasks, focus-timer history, chat history, Penny’s memory of you. Kept while your account is active. Deleted within 30 days of account deletion (Section 9).
- Structural usage signals (Section 5). The detailed event records are short-lived and used to compute grouped, aggregate improvements; they’re deleted when you delete your account.
- Scrubbed conversation data (Section 6, opt-in). Kept up to 12 months, then purged. Friction patterns and feature ideas we’ve acted on are kept as institutional memory but contain no identifying content. Deleted sooner if you opt out or delete your account.
- Anomaly logs (scrubber rejections, suspected injection attempts). Low/medium severity for 90 days; high severity for 24 months.
- Internal audit log. 36 months.
- Payment records. Stripe retains those independently per applicable law.
8. Security & data residency
Your data is stored in the United States (Supabase, AWS us-east-1). It’s encrypted in transit (HTTPS) and at rest. Row-level security ensures your account data is only readable by you. The Section-6 hashing salt lives in AWS Secrets Manager, isolated from the main database.
We don’t claim end-to-end encryption — our team can technically access database rows for support and engineering, and we audit such access.
9. Deleting your account
You can delete your account any time from Settings → Danger zone → Delete account. This permanently erases your tasks, chat history, Penny’s memory of you, focus-timer data, attachments, account record, the structural usage records behind Section 5, and any scrubbed conversation data from Section 6. Database records are erased within 30 days. You may also request deletion by emailing [email protected] (acknowledged within 14 days, completed within 30).
About improvements already learned. Improvements baked into our AI model from aggregate, content-free usage (Section 5) or from previously-scrubbed conversations (Section 6) can’t be individually pulled back out of the model — but they hold no identifying content. When we retrain or update the model on a regular cadence, deleted users’ data is no longer part of it.
10. Your rights (US state privacy laws)
Depending on your state (for example California’s CCPA/CPRA, and the comprehensive laws now in effect in many other states), you have rights over your personal information. You can:
- Know what we collect. Download a machine-readable copy of your data — profile, tasks, chat history, attachments, audit-log entries about your data — from Settings → Download my data.
- Delete it. Use the in-app delete (Section 9) or email us.
- Correct inaccuracies. Email [email protected].
- Opt out of “sale or sharing.” We don’t sell or share your personal information for cross-context behavioral advertising, so there’s nothing to opt out of — but you can confirm in writing at the same address.
- Limit use of sensitive data. You can ask us to limit use of any sensitive information; the opt-in in Section 6 and the Washington exclusion already build this in for conversation content.
- Not be discriminated against for exercising these rights.
We acknowledge within 14 days and respond within 30.
Washington residents. Because Washington’s My Health My Data Act treats data that could relate to health especially strictly, we exclude Washington residents from the product-improvement uses in Sections 5 and 6 entirely. You still get full use of the app and Penny.
11. Children
What Deficit? is not intended for users under 18. Account creation requires confirming you are 18 or older. If we learn we’ve collected data from a minor, we’ll delete it.
12. Changes
We’ll update this policy when our practices change. Material changes will be announced in-app or by email before they take effect. Previous versions are archived and available on request.
13. Contact
Questions, concerns, or requests: [email protected]. If you’re not satisfied with our response, you may contact your state attorney general’s office.