Privacy Policy for whatcha-doin
Effective Date: 30 November 2025
This Privacy Policy describes how whatcha-doin ("the App," "we," "us," or "our") collects, uses, and discloses information when you use our habit and todo tracking application and related services (collectively, the "Service").
1. Information We Collect
We collect several types of information from and about users of our Service:
- Personally Identifiable Information (PII):
  - Email Address: Collected for account creation and login via Magic Link.
  - User ID: A unique identifier automatically assigned to your account by our authentication provider (Supabase).
  - Username: A unique handle you choose for your public profile (e.g., whatcha-doin.com/[your-username]).
  - Bio: Optional text you provide for your user profile.
- Usage Data:
  - Habits: Information about habits you create, including names, goals, public/private status, streak counts, and completion timestamps.
  - Actions (Todos): Information about tasks you create, including descriptions, nesting structure, public/private status, and completion timestamps.
  - Journal Entries: Text content of your journal entries, along with their creation date and public/private status.
  - Completion Details: For habits and actions, we collect mood scores, work values achieved, duration, and any free-form notes you provide upon completion.
  - Timezone: Your preferred local timezone, which you can set in your profile settings.
- Technical Data:
  - IP Address: Your IP address is logged by our backend provider (Supabase) for security, analytics, and debugging purposes.
  - Device Information: We may collect general, non-identifying information about the device you use to access the Service (e.g., operating system, browser type) through standard web server logs and analytics (Sentry).
- Aggregated Data: We may aggregate and anonymize data collected from users to analyze usage patterns and improve the Service. This aggregated data cannot be used to identify you personally.
2. How We Use Your Information
We use the information we collect for various purposes:
- To Provide and Maintain the Service: To operate our application, manage your account, track your habits and actions, and allow you to create journal entries.
- To Personalize Your Experience: To tailor the Service to your preferences, such as displaying content based on your chosen timezone.
- To Communicate with You: To send you Magic Links for login and other essential service-related communications.
- To Improve Our Service: To understand how users interact with the App, identify areas for improvement, and develop new features.
- For Security and Fraud Prevention: To protect the integrity and security of our Service and to detect and prevent unauthorized or illegal activities.
- For Analytics: To monitor and analyze usage trends and activities in connection with our Service. We use Sentry for frontend error tracking and performance monitoring, which may collect information about your device and how you interact with the App (without directly identifying you).
3. How We Share Your Information
We generally do not share your Personally Identifiable Information with third parties, except in the following circumstances:
- With Your Consent: We may share your information if you give us explicit permission to do so.
- Public Profile and Content: Information you designate as "public" (e.g., your username, bio, public habits, public actions, public journal entries) will be visible to other users and accessible via your public profile URL. Please be mindful of what you choose to make public.
- Service Providers: We engage third-party service providers to perform functions on our behalf, such as:
  - Supabase: Our backend provider for database (PostgreSQL), authentication, real-time functionality, and storage. Supabase processes your data as necessary to provide these services.
  - Vercel: Our hosting provider for the application.
  - Sentry: For error tracking and performance monitoring.
- Legal Requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order or government agency).
- Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction.
4. Data Security
We implement reasonable technical and organizational measures designed to protect your information from unauthorized access, use, alteration, and disclosure. These measures include:
- Encryption: Data is encrypted at rest (in our PostgreSQL database) and in transit (via TLS/SSL for all communication).
- Row Level Security (RLS): We utilize RLS at the database level to ensure that users can only access and modify their own data, and to strictly control access to public/private content.
- Authentication: We use secure Magic Link authentication.
- Access Control: Access to your data by our personnel is strictly limited and subject to internal policies.
However, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.
5. Your Data Protection Rights
Depending on your location, you may have the following data protection rights:
- Access: The right to request copies of your personal data.
- Rectification: The right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
- Erasure: The right to request that we erase your personal data, under certain conditions.
- Restriction of Processing: The right to request that we restrict the processing of your personal data, under certain conditions.
- Object to Processing: The right to object to our processing of your personal data, under certain conditions.
- Data Portability: The right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
To exercise any of these rights, please contact us using the details provided in the "Contact Us" section below.
6. Data Retention
We retain your personal information for as long as necessary to provide the Service, fulfill the purposes outlined in this Privacy Policy, or as required by law. When your information is no longer needed, we will securely delete or anonymize it.
7. Children's Privacy
Our Service is not directed to individuals under the age of 13. We do not knowingly collect personally identifiable information from children under 13. If you are a parent or guardian and you learn that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from a child under 13 without verification of parental consent, we take steps to remove that information from our servers.
8. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top of this Privacy Policy. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
9. Contact Us
If you have any questions about this Privacy Policy, please contact us at hammaadworks@gmail.com.