Privacy Policy

This Privacy Policy explains what What Deficit? (“the app,” “we”) collects, why, and how to control or delete your data.

1. What we collect

• Account. Your email, used to send sign-in codes and account-related notifications.
• Tasks & preferences. The tasks you write, their quadrants, due dates, focus-timer settings, theme, and similar app state.
• AI conversation. Messages you send to your AI companion (default name “Penny”) and her replies, so you can scroll back through the conversation. We also store a private memory document Penny maintains about you to personalize her replies.
• Usage signals. Aggregate, anonymous behavior signals we query ourselves from the database (e.g. how many tasks were completed across all users last week). We don’t use third-party analytics or trackers.
• Payment info (if you subscribe). Handled by Stripe — we don’t store your card number; we store a Stripe customer ID, subscription status, and billing email.

2. What we don’t collect

• Medical or diagnostic information. We assume our users have ADHD; we don’t ask you to confirm a diagnosis, list medications, or share clinical detail. The AI companion is configured to refuse medical, psychiatric, or pharmaceutical advice and redirect you to your doctor.
• Third-party tracking. No Google Analytics, Meta Pixel, Mixpanel, Segment, PostHog, or similar.
• Location, contacts, microphone, camera. The app doesn’t request these.

3. How we use it

• To run the app you signed up for — show your tasks, route your AI conversation, run focus timers.
• To send transactional email (sign-in codes, billing receipts, account-deletion confirmation, trial-ending reminders).
• To improve the app from our own anonymous, aggregate behavior queries — never per-user profiles sold or shared.

Lawful basis (GDPR Art. 6). We process your data to perform the contract you signed up for (Art. 6(1)(b)) or, where you’ve given it, with your consent (Art. 6(1)(a)).

4. AI & your content

The AI companion is powered by Anthropic’s Claude API. Anthropic does not train its models on the content sent through their API per their commercial terms (see Anthropic Commercial Terms). When you chat with Penny, your messages are sent to Anthropic for processing and a response is returned. We pass through only what’s needed to generate a useful reply.

5. Sub-processors

We rely on a small number of vendors to operate the service. They process data on our behalf under their own terms:

• Supabase — database, authentication, file storage.
• Anthropic — AI replies (does not train on your content).
• Cloudflare — site hosting and DNS.
• Amazon Web Services (SES) — transactional email delivery.
• Stripe — payment processing (only used if you subscribe).

6. Retention

We keep your data while your account is active. When you delete your account (see Section 8), we delete it within 30 days, except where law requires us to keep payment records (Stripe retains those independently).

7. Security

Data is encrypted in transit (HTTPS) and at rest (Supabase managed). Row-level security ensures your data is only readable by you. We do not claim end-to-end encryption — the app team can technically access database rows for support and engineering purposes, and we audit such access.

8. Deleting your account

You can delete your account at any time from Settings → Danger zone → Delete account inside the app. This permanently erases your tasks, chat history, AI memory of you, focus-timer data, attachments, and account record. You may also request deletion by emailing [email protected].

9. Your rights (GDPR / CCPA)

If you live in the EU, UK, or California (or other regions with comparable laws), you have the right to: access the personal data we hold about you; ask us to correct or delete it; restrict or object to processing; and receive a copy of your data in a portable format. Email [email protected] to exercise any of these. We respond within 30 days.

California (CCPA / CPRA). We do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of, but California residents can confirm by emailing [email protected]. You also have the right to know what we collect, request deletion, and not be discriminated against for exercising these rights.

EU / UK supervisory authority (GDPR Art. 13(2)(d)). If you believe we’ve mishandled your data, you have the right to lodge a complaint with your local data-protection authority (in the UK that’s the ICO; in the EU that’s your country’s data protection authority).

10. Children

What Deficit? is not intended for users under 18. Account creation requires confirmation that you are 18 or older. If we learn we have collected data from a minor, we will delete it.

11. Changes

We’ll update this policy when our practices change. Material changes will be announced in-app or by email before they take effect.

12. Contact

Questions, concerns, or requests: [email protected].