Privacy Policy

NowDo.AI
Last Updated: October 31, 2025
Version: 1.1
Effective Date: November 1, 2025

Table of Contents

  • 1. Data Controller Information
  • 2. Data We Collect
  • 3. How We Use Your Data
  • 4. Data Sharing and Sub-Processors
  • 5. Your Rights (GDPR & PIPA)
  • 6. Data Retention
  • 7. International Data Transfers
  • 8. Data Security
  • 9. Cookies
  • 10. Children's Privacy
  • 11. Changes to This Policy
  • 12. Contact & Complaints

Plain Language Summary: NowDo.AI is an AI-powered task management application. We collect your tasks, email, and optional context to help organize your work. We use AI language models to provide intelligent suggestions. You have full control over your data, including the ability to export or delete it at any time. We do not sell your data or use it for advertising.

1. Data Controller Information

The data controller responsible for your personal information is:

Name: [Company/Individual Name - To Be Updated]
Email: privacy@nowdo.ai
Address: [Business Address - To Be Updated]
[Korean Business Address]
Jurisdiction: Republic of South Korea

For any privacy-related questions or to exercise your rights, please contact us at the email address above.

2. Data We Collect

2.1 Authentication Data

  • Google account email address
  • Unique user ID
  • Profile picture URL (if provided via Google account)

2.2 Task & Productivity Data

  • Task titles and descriptions
  • Due dates, priorities, and topics
  • Completion status and history
  • Task creation and modification timestamps
  • Ideas and notes you create

2.3 Memory Data (Optional)

If you choose to provide context for personalization:

  • Professional context and preferences
  • Project information
  • Task organization preferences

Data Minimization: We recommend not including sensitive personal information (family details, financial data, health information) in the memory feature. Provide only what is necessary for task organization.

2.4 Usage Data

  • Access timestamps and patterns
  • IP addresses (for security and fraud prevention)
  • Device and browser information (user agent)
  • Error logs and performance metrics

2.5 Third-Party Integration Data (Optional)

  • API tokens for external task management services (encrypted, only if you enable integration)
  • Imported tasks from external services

3. How We Use Your Data

3.1 Legal Basis for Processing (GDPR Article 6)

Purpose | Legal Basis
AI-powered task processing and organization | Consent (Art. 6(1)(a))
Provide core task management service | Contract performance (Art. 6(1)(b))
Security, fraud prevention, system integrity | Legitimate interest (Art. 6(1)(f))
Comply with legal obligations | Legal obligation (Art. 6(1)(c))

3.2 Specific Uses

We use your data to:

  • Provide the service: Store and sync your tasks across devices
  • AI processing: Send task content (title, priority, dates) to third-party AI service providers for intelligent organization and suggestions
  • Improve quality: Analyze usage patterns to improve features and fix bugs
  • Security: Detect and prevent unauthorized access, abuse, and fraud
  • Communication: Send service updates, security notices, and respond to your requests

What we DO NOT do with your data:

  • ❌ Sell or rent your data to third parties
  • ❌ Use your data for advertising or marketing (except our own service updates)
  • ❌ Share with third parties except as explicitly listed in Section 4
  • ❌ Train AI models on your personal data (our AI service providers do not retain your data)

4. Data Sharing and Sub-Processors

We share your data only with the following trusted sub-processors necessary to provide the service:

4.1 Google Cloud Platform

  • Purpose: Infrastructure, database (Cloud SQL for PostgreSQL), authentication
  • Data shared: All data (tasks, authentication, usage)
  • Location: nam5 (North America - United States multi-region)
  • Data Processing Agreement: Google Cloud DPA

4.2 OpenAI (AI Service Provider)

  • Purpose: AI-powered task inference and organization (only if you consent)
  • Provider: OpenAI, L.L.C.
  • Data shared: Task title, priority, due dates, topics (NOT personal memory data)
  • Location: United States
  • Data Processing Agreement: OpenAI Enterprise Privacy
  • Retention: Zero-day retention for API calls (OpenAI does not store API data)

No other third parties: We do not share your data with any other companies, advertisers, or data brokers. The above list is exhaustive.

5. Your Rights (GDPR & PIPA)

Under GDPR (European Union) and PIPA (South Korea), you have the following rights:

5.1 Right to Access (GDPR Art. 15, PIPA Art. 35)

How to exercise:

  1. Log into NowDo.AI
  2. Go to Settings → Privacy & Data
  3. Click "Export My Data"
  4. Download your complete data in JSON format

Or email us at privacy@nowdo.ai with subject "Data Access Request".

5.2 Right to Rectification (GDPR Art. 16, PIPA Art. 36)

How to exercise:

  • Edit tasks directly in the app (changes are saved automatically)
  • For bulk corrections, export your data, make changes, and email us the corrected file

5.3 Right to Erasure / "Right to be Forgotten" (GDPR Art. 17, PIPA Art. 36)

How to exercise:

  1. Log into NowDo.AI
  2. Go to Settings → Privacy & Data → Danger Zone
  3. Click "Delete Account"
  4. Confirm deletion (this action is permanent and irreversible)

All your data will be deleted immediately (hard delete is permanent and instant).

5.4 Right to Data Portability (GDPR Art. 20)

Same as Right to Access above. Your data export is in machine-readable JSON format, which can be imported into other services.

5.5 Right to Object (GDPR Art. 21)

You can object to AI processing. However, since AI processing is core to NowDo.AI's functionality, objecting means you must delete your account. There is no "AI-free" mode available.

5.6 Right to Withdraw Consent (GDPR Art. 7(3))

You may withdraw consent at any time by deleting your account. Note that without consent, we cannot provide the service.

5.7 Response Time

  • GDPR: Within 30 days of your request
  • PIPA: Within 10 days of your request

We will respond within 10 days to comply with both regulations.

6. Data Retention

We retain your data only as long as necessary to provide the service and comply with legal obligations:

Data Type | Retention Period | Reason
Active account data (tasks, ideas, memory) | While your account exists | Service provision
Completed tasks | 90 days after completion | Allow undo and history
Deleted account data | Immediately deleted | GDPR compliance, hard delete
Access logs (security) | 1 year | Security investigation, fraud prevention
Consent records | 3 years after account deletion | Legal proof of consent (compliance)

After these periods, data is permanently deleted and cannot be recovered.

7. International Data Transfers

7.1 Primary Data Storage

Your primary data (tasks, ideas, memory) is stored in:

  • Service: Google Cloud SQL for PostgreSQL
  • Region: nam5 (North America - United States multi-region)
  • Physical Locations: Data centers in Iowa and South Carolina, USA

7.2 Authentication Data

Google Cloud Authentication is managed globally by Google for performance and reliability. Your authentication tokens may be processed in multiple regions.

7.3 AI Processing

When you consent to AI processing, task data (titles, priorities, dates) is sent to third-party AI service providers. This transfer is based on:

  • Your explicit consent (GDPR Art. 49(1)(a))
  • Standard Contractual Clauses (GDPR Art. 46(2)(c))
  • Enterprise-grade data processing safeguards from our AI providers

7.4 EU-US Data Privacy Framework

Our infrastructure and AI service providers participate in recognized data privacy frameworks (such as the EU-US Data Privacy Framework), providing additional safeguards for international data transfers.

8. Data Security

We implement industry-standard security measures to protect your data:

8.1 Technical Measures

  • Encryption in transit: TLS 1.3 for all connections
  • Encryption at rest: Google Cloud SQL encryption (AES-256)
  • Authentication: Google Cloud Authentication with secure session management
  • Access control: User data isolation (you can only access your own data)
  • Security headers: CSP, HSTS, X-Frame-Options to prevent attacks

8.2 Organizational Measures

  • Regular security updates and dependency patches
  • Access monitoring and logging
  • Incident response plan for data breaches

8.3 Your Responsibility

Important: No system is 100% secure. You should:

  • Keep your Google account password secure
  • Enable two-factor authentication on your Google account
  • Regularly export backups of critical tasks
  • Not rely solely on NowDo.AI as your only source of truth

9. Cookies

We use cookies for essential functionality and analytics:

Cookie Type | Purpose | Duration | Consent Required?
Session Token | Authentication (necessary for login) | Session or 30 days | No (strictly necessary)
Google Analytics (_ga, _gid, _gat) | Usage analytics and product improvement | 2 years (_ga), 24 hours (_gid), 1 minute (_gat) | Yes (requires explicit consent)
Staging Access | Pre-launch access control | Session | No (strictly necessary)
Cookie Consent | Remember your cookie preferences | 12 months | No (strictly necessary)

9.1 Managing Cookies

You can control cookies through your browser settings:

  • Chrome
  • Firefox
  • Safari

Note: Blocking essential cookies will prevent you from using NowDo.AI.

10. Children's Privacy

Minimum Age: 16 years (GDPR) / 14 years (South Korea PIPA)

We do not knowingly collect data from children under 16 years of age (or 14 in South Korea). NowDo.AI is intended for adults and teenagers above the minimum age.

For Parents: If you believe your child under the minimum age has created an account, please contact us immediately at privacy@nowdo.ai with subject "Child Account Deletion". We will delete the account within 24 hours.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect:

  • New features or services
  • Changes in legal requirements
  • Improvements to our practices

11.1 Notification Process

For material changes (e.g., new data collection, new third parties), we will:

  1. Notify you via email 30 days before the changes take effect
  2. Display a prominent banner on the website
  3. Update the "Last Updated" date at the top of this policy

11.2 Your Options

After notification:

  • Accept: Continue using the service (acceptance is implied by continued use)
  • Reject: Delete your account before the effective date if you do not agree with the changes

12. Contact & Complaints

12.1 Privacy Questions

For any questions about this Privacy Policy or how we handle your data:

Email: privacy@nowdo.ai
Subject line: "Privacy Inquiry - NowDo.AI"
Response time: Within 10 days

12.2 Filing a Complaint

If you are not satisfied with our response, you have the right to file a complaint with your data protection authority:

For EU Residents (GDPR)

Contact your national Data Protection Authority:

  • Directory: European Data Protection Board

For South Korean Residents (PIPA)

Contact the Personal Information Protection Commission:

  • Website: www.pipc.go.kr
  • Phone: 118 (within Korea) or +82-2-2100-3343 (international)
  • Email: privacy@pipc.go.kr

Korea Internet & Security Agency (KISA)

  • Website: www.kisa.or.kr
  • Phone: 118 or +82-2-405-5118

Effective Date

This Privacy Policy is effective as of November 1, 2025 and applies to all data collected from this date forward.

Document Version History

Version | Date | Changes
1.1 | November 1, 2025 | Added analytics consent, updated deletion timing to immediate, added OpenAI details, added GA cookies
1.0 | September 30, 2025 | Initial version

© 2025 NowDo.AI. All rights reserved.
