Privacy Policy
Last updated: July 10, 2026
This Privacy Policy explains what personal data Thiskle(“we”, “us”) collects, why, who we share it with, and the rights you have over it. It covers the Thiskle web app and the optional Outlook add-in.
1. Who is responsible for your data
The data controller for the purposes of the EU/UK General Data Protection Regulation (GDPR) and the business responsible under the California Consumer Privacy Act (CCPA/CPRA) is [Operator legal name — replace before publishing]. For any privacy question or to exercise your rights, contact us at privacy@thiskle.com.
2. Information we collect
We only collect what the app needs to work for you:
a. Account & identity
- Your email address (to sign in and to send the emails you enable).
- Your name, if you provide one.
- A one-way hash of your password (we never store the password itself), or, if you use the passwordless option, a short-lived hashed login code.
b. The content you create
Everything you put into your planner: tasks, events, goals, habits, notes, categories, checklists, focus sessions, reading lists, trips, meals, plants, bills and subscriptions, vehicles, documents you track (e.g. renewal dates), people and gift ideas, and — if you use shared spaces — your household membership and the email addresses you invite.
c. Sensitive information you choose to add
Some optional features let you record data that counts as special-category (sensitive) data under GDPR — for example a birth year and sex used to tailor preventive-care reminders, medications and health-screening logs, a mood and reflection journal, and pet-health logs. You are never required to enter any of this. If you do, our legal basis is your explicit consent (GDPR Art. 9(2)(a)), given by choosing to enter it, and we use it only to power the feature you entered it for. You can delete any of it at any time.
d. Location (only if you set it)
If you add a location for weather-aware chore timing, we store the place label and its coordinates and send those coordinates to our weather provider (see processors). We do not track your device location.
e. Email content you capture
The Capture feature and Outlook add-in turn an email into to-dos. Crucially, your email is not sent to any AI or to us automatically. You paste or open an email, the app builds a text prompt on your device, and you run it in whatever AI tool you choose. Only when you click to add the resulting tasks do we store the email's subject, sender, and body alongside the tasks it produced — so you can trace where a task came from. You can delete a capture at any time.
f. Technical & security data
- IP address, used transiently as a rate-limiting key to protect sign-in and other endpoints from abuse. It is not attached to your account or written to application logs.
- Diagnostic data from errors (e.g. an error message and technical context) via our error-monitoring provider, so we can fix crashes. This is only active in production.
- Essential cookies and local storage needed to keep you signed in and remember your appearance preference — detailed in our Cookie Policy.
We do not use advertising cookies, third-party analytics, cross-site trackers, or any technology that builds an advertising or behavioural profile of you.
3. How we use your information, and our legal bases
Under GDPR we must have a lawful basis for each use of your data. Here is how they map:
| What we do | Why | Legal basis (GDPR) |
|---|---|---|
| Run your account and store your planner data | To provide the service you asked for | Performance of a contract — Art. 6(1)(b) |
| Send login codes, password-reset and verification emails | To let you access and secure your account | Performance of a contract — Art. 6(1)(b) |
| Rate-limiting, abuse prevention, security logging | To keep the service and your account safe | Legitimate interests — Art. 6(1)(f) |
| Optional features: email digests, push notifications, weather, AI suggestions | Because you switched them on | Consent — Art. 6(1)(a); withdraw any time |
| Health, mood, and other sensitive entries you add | To power the feature you entered them for | Explicit consent — Art. 9(2)(a) |
| Meeting legal obligations | When the law requires it | Legal obligation — Art. 6(1)(c) |
4. AI features
AI-assisted suggestions (such as gift ideas, goal breakdowns, and weekly-review notes) are off by default. They work only if you enable them and provide your own third-party AI API key, which we store encrypted and never expose back to the browser. When a feature runs, only the specific content it needs is sent to that AI provider under your own account with them — their terms and privacy policy then also apply. If you don't enable AI, no data is ever sent to an AI provider.
The Capture feature and Outlook add-in are a separate, deliberately manual flow: the prompt is generated on your device and you run it in your chosen AI. Thiskle itself does not call any AI on your behalf for capture.
5. Who we share data with
We do not sell your personal information and we do not share it for advertising. We use a small number of service providers (“processors”) to run the app. Each receives only what it needs, and only for optional features you turn on:
| Provider | What it processes | When |
|---|---|---|
| Hosting & database provider (e.g. Vercel, and a managed PostgreSQL host) | Serves the app and stores your account and content | Always (core infrastructure) |
| Email provider (e.g. Resend) | Your email address and the message content of emails we send you (login codes, and the morning digest — which includes your own task/event titles) | When email is configured and you receive an email |
| Error monitoring (e.g. Sentry) | Technical diagnostic data from errors, which may incidentally include personal data present in an error | Production only, when an error occurs |
| Weather & geocoding (Open-Meteo) | Your coordinates, or a place name you search — sent without an account or identifier | Only if you set a location |
| AI provider (e.g. Anthropic / Claude) | Only the specific content for the AI feature you invoked, under your own API key | Only if you enable AI with your own key |
| Push-delivery services (Google, Apple, Mozilla, Microsoft) | An encrypted notification payload delivered to your device | Only if you enable push notifications |
| Microsoft (Outlook add-in) | The add-in loads Office.js from Microsoft and runs inside Outlook; your email is read on your device | Only if you install the Outlook add-in |
| Calendar providers you connect | If you import a calendar, we fetch it from the provider whose link you gave. If you enable the outgoing calendar feed, anyone you give that secret link to can read the events it contains | Only for calendars you connect or share |
We may also disclose data if required by law, or to protect the rights, safety, and security of our users and the service.
6. How long we keep your data
We keep your account data for as long as your account exists. You can delete individual items whenever you like, and they are removed from our active database. Security artefacts are short-lived by design (login codes expire in minutes, reset links in an hour). If you delete your account, all of your associated data is deleted along with it (see below). Backups are retained for a limited period and then cycle out.
7. Your rights
Depending on where you live, you have some or all of the following rights over your personal data. We honour these rights for everyone, regardless of location.
- Access — get a copy of the data we hold about you.
- Portability — export your data in a machine-readable format.
- Rectification / correction — fix data that is wrong.
- Erasure / deletion — delete your data or your whole account.
- Restriction & objection — limit or object to certain uses.
- Withdraw consent — turn off any optional feature at any time.
- Non-discrimination(CCPA) — we won't treat you differently for exercising your rights.
You can act on most of these yourself: edit or delete any item in the app, and use Settings → Your data to export everything or permanently delete your account. For anything else, or to make a formal request, email us at privacy@thiskle.com and we will respond within the timeframe the law requires (usually within one month). EU/UK users also have the right to complain to their local data-protection authority.
California “Do Not Sell or Share”: we do not sell or share personal information as those terms are defined under the CCPA/CPRA, and we do not engage in cross-context behavioural advertising, so no opt-out is necessary.
8. How we protect your data
- All traffic is encrypted in transit over HTTPS (with HSTS).
- Passwords are hashed with bcrypt; we never store them in plain text.
- Secrets you entrust to us — such as your AI API key and connected-calendar links — are encrypted at rest with AES-256-GCM.
- Single-use tokens and login codes are stored only as keyed (HMAC) hashes.
- A strict Content-Security-Policy, anti-abuse rate limiting, and server-side protection against malicious URLs are in place.
No system is perfectly secure, but we take reasonable measures to protect your data.
9. International data transfers
Our providers may process data in the United States and other countries. Where data is transferred out of the EEA or UK, we rely on the safeguards those providers offer (such as Standard Contractual Clauses). By using the service you understand your data may be processed in these locations.
10. Children
Thiskle is not directed to children. It is intended for users aged 16 and over (or the age of digital consent in your country). We do not knowingly collect data from children; if you believe a child has provided us data, contact us and we will delete it.
11. Changes to this policy
We may update this policy as the service evolves. We'll change the “last updated” date above and, for material changes, give you notice in the app or by email.
12. Contact
Questions, requests, or complaints: privacy@thiskle.com. See also our Cookie Policy and Terms of Service. This Privacy Policy is governed by the laws of [Your jurisdiction — e.g. England & Wales].