Privacy Policy
Effective Date: March 14, 2026
Everwhen ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Everwhen application (including our iOS app and web services) and related services.
This policy complies with:
- Apple App Store Review Guidelines (Section 5.1)
- Apple HealthKit Guidelines (Section 27.5)
- Turkish Law on Protection of Personal Data No. 6698 (KVKK)
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address
- Name
- Password (stored as a one-way hash using bcrypt), unless you sign in using Google Sign-In
- Timezone preference (IANA timezone identifier)
If you choose to sign in using Google Sign-In, we receive your name and email address from your Google account to create or link your Everwhen account. No password is stored in this case, as authentication is handled through Google's OAuth 2.0 protocol.
If you choose to sign in using Apple Sign-In, we receive your name and email address (if you choose to share them) from your Apple ID to create or link your Everwhen account. No password is stored in this case, as authentication is handled through Apple's identity service.
1.2 Calendar, Task, and User Content
To provide our scheduling and task management services, we collect and store:
- Tasks: Task names, descriptions, durations, deadlines, priorities, and completion status
- Events: Scheduled start and end times, event descriptions, locations, and event types
- Task Dependencies: Relationships between tasks and their predecessors/successors
- Categories and Habits: Custom categories, habit tracking data, frequency targets, and time windows
- User Preferences: Sleep schedule (bedtime and wake times), reschedule preferences, and timezone settings
- Reminders: Reminder titles and trigger times (stored locally on-device only — not synced to our servers)
- Saved Locations: Home, work, and custom locations stored on our servers for travel-time-aware scheduling
- Goals: Goal names, descriptions, target dates, and progress tracking
Tasks, events, goals, categories, and schedule preferences are synced to our servers to enable cross-device access and AI-powered features. Reminders are stored locally on-device only.
1.3 Health & Fitness Data (HealthKit)
If you grant HealthKit access on iOS, we read the following health and fitness data (read-only — Everwhen never writes to HealthKit):
- Activity: Step count, walking/running distance, active energy burned, exercise time, flights climbed, stand time, cycling distance
- Heart: Heart rate, resting heart rate, heart rate variability (HRV), blood oxygen saturation, walking heart rate average
- Body: Body mass, height, BMI, body fat percentage
- Nutrition: Dietary energy consumed, protein, carbohydrates, fat, water, caffeine, sugar, fiber, sodium
- Vitals: Respiratory rate, body temperature, blood pressure (systolic/diastolic)
- Mobility: Walking speed, step length, walking asymmetry, double support percentage, stair ascent/descent speed, six-minute walk test distance
- Fitness: VO2 max
- Hearing: Environmental audio exposure, headphone audio exposure
- Sleep: Sleep analysis (awake, core, deep, REM, in-bed stages)
- Mind: Mindful session duration
- Workouts: Workout type, duration, calories, distance (last 7 days)
Apple HealthKit Disclosure (Guideline 27.5):
- HealthKit data is used solely to provide personalized productivity insights within the app — helping you understand how your well-being affects your schedule and energy levels.
- HealthKit data is never sold, shared with advertisers, used for marketing, or transferred to data brokers.
- HealthKit data is never shared with third parties except as required to provide core app functionality to you.
- HealthKit data is processed on-device only and is not uploaded to our servers or any third-party service.
- HealthKit data is not used to serve advertising of any kind.
- You can revoke HealthKit access at any time via iOS Settings > Privacy & Security > Health > Everwhen.
1.4 Location Data
If you choose to add location information to tasks or events, we collect:
- Human-readable addresses (e.g., "123 Main Street, Toronto, ON")
- Geographic coordinates (longitude and latitude) obtained from Mapbox Geocoding API
- Structured location data for scheduling optimization
Note: Location data is optional and only collected when you explicitly provide it.
iOS GPS Location: On the iOS app, if you grant location permission, we access precise and coarse location via CoreLocation when the app is in use. Location accuracy is set to hundred-meter precision. Background location updates are disabled.
What we send to our servers: Latitude, longitude, and timestamp — used to provide weather-aware scheduling and home location detection. Saved locations (home, work, custom) are stored on our servers to enable travel-time-aware scheduling.
What stays on-device: Raw GPS coordinates are not persistently stored on-device beyond the current session.
1.5 Audio Data (Voice Assistant)
If you use the voice assistant feature, we access your device microphone during active voice sessions only.
- Processing: Audio is streamed in real-time to our voice agent infrastructure via LiveKit. Audio processing includes echo cancellation, automatic gain control, noise suppression, and high-pass filtering.
- Storage: Audio is processed in real-time and is not recorded or stored after the session ends.
- Activation: You must explicitly start a voice session. The microphone is never accessed in the background or without your active engagement.
1.6 Identifiers
- User ID: A server-generated unique identifier assigned to your account for data synchronization and account management.
- Device Token (APNs): An Apple Push Notification service token registered with our backend to deliver push notifications. Stored in the iOS Keychain on-device and on our server. Deregistered on logout.
1.7 Usage Data & Screen Time
We may automatically collect:
- API request logs for debugging and performance monitoring
- Error reports and system diagnostics
- Session information (login times, active sessions)
Note: We do not currently use third-party analytics services. If we add analytics in the future, we will update this policy and notify you.
Screen Time (iOS): If you grant Screen Time authorization on iOS, we access app usage data via Apple's FamilyControls/DeviceActivity frameworks. Screen Time data is processed on-device only and is not uploaded to our servers.
1.8 External Calendar Synchronization
If you connect external calendar accounts, we access and sync:
- Event titles, descriptions, and times from your external calendars
- Event locations and attendees (if applicable)
- OAuth authentication tokens (stored securely)
Google Calendar: When you connect Google Calendar, we import your calendar events and support two-way synchronization so your schedules stay unified across both platforms. For complete details on how we handle Google user data, including Limited Use compliance, please see Section 3: Google API Services User Data.
Apple Calendar and Microsoft Outlook: These integrations function similarly, accessing event data you authorize through each provider's OAuth consent flow.
On the iOS app, Apple Calendar events are imported via the EventKit framework (read-only, covering a 3-month window). Imported events become Everwhen events stored on our servers.
We only access calendar data you explicitly authorize through each provider's OAuth consent flow.
1.9 Information We Do NOT Collect
The following categories of data are not collected by Everwhen:
- Financial Info — No payment, credit card, or financial data
- Sensitive Info — No racial/ethnic data, political opinions, religious beliefs, sexual orientation, biometric data (beyond HealthKit), or genetic data
- Contacts — No address book access
- Browsing History — No web browsing data
- Search History — In-app search queries are not logged or transmitted
- Diagnostics — No crash logs or performance data sent to our servers
- Purchases — No purchase history tracked
- Photos or Videos — No camera or photo library access
2. How We Use Your Information
We use the collected information for the following purposes:
2.1 Service Provision
- Task Scheduling: Using our scheduling engine to create efficient daily schedules based on your tasks, preferences, and constraints
- Calendar Management: Displaying and managing your tasks, events, and calendar data
- Scheduling Recommendations: Suggesting task scheduling based on your sleep schedule, energy patterns, preferences, and historical patterns
- External Calendar Sync: Synchronizing data with Google, Apple, and Outlook calendars
- Voice Assistant: Real-time AI-powered conversations for schedule management (audio not stored)
- Productivity Insights: HealthKit data (on-device only) and Screen Time data (on-device only) for personalized insights
- Push Notifications: Delivering task reminders, event alerts, and scheduling updates via APNs
- Calendar Import (iOS): Importing Apple Calendar events via EventKit (read-only, 3-month window)
- Weather-Aware Scheduling: Using location and weather data (via Apple WeatherKit) for context-aware scheduling
2.2 Service Improvement
- Debugging errors and improving system performance
- Understanding usage patterns to enhance features
- Developing new functionality based on user needs
2.3 Communication
- Sending account-related notifications (password resets, email verification)
- Responding to your support requests
- Notifying you of important service updates or policy changes
3. Google API Services User Data
Everwhen's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
3.1 Google User Data We Access
When you choose to connect your Google account, Everwhen accesses the following Google user data:
- Google Sign-In: Your Google account email address, name, and profile information, used solely to authenticate your identity and create or link your Everwhen account.
- Google Calendar Data: Event titles, descriptions, start and end times, locations, and attendee information from your Google Calendar. This data is imported so that your existing calendar events appear seamlessly within Everwhen, allowing our scheduling engine to work around your real-life commitments.
We only access Google user data that you explicitly authorize through Google's OAuth 2.0 consent flow. You can review and revoke Everwhen's access to your Google account at any time via your Google Account permissions page.
Google Calendar OAuth Scope
Everwhen requests the following Google OAuth scope:
https://www.googleapis.com/auth/calendar: Full read and write access to Google Calendar. This scope is required because Everwhen provides two-way synchronization with your Google Calendar:
- Read access is used to import your existing Google Calendar events into Everwhen, displaying them as fixed time blocks so our scheduling engine can plan your tasks around your real-life commitments.
- Write access is used to create and update events on your Google Calendar when you schedule tasks or events within Everwhen, ensuring both calendars remain synchronized and you have a single unified view of your schedule regardless of which app you check.
We request only the minimum scope necessary to provide seamless two-way calendar synchronization. We do not access any Google data beyond what this scope provides, and all access is governed by the Limited Use requirements described in Section 3.6.
3.2 How We Use Google User Data
We use Google user data exclusively for the following purposes:
- Authentication: Google Sign-In data is used to verify your identity and provide secure access to your Everwhen account.
- Calendar Import (Read): Everwhen reads your Google Calendar events, including event titles, descriptions, start and end times, locations, recurrence rules, and attendee lists, so that your existing commitments appear inside the Everwhen interface. These imported events are treated as fixed time blocks that our ADHD-optimized scheduling engine uses to plan your tasks around your real-life schedule, avoiding double-bookings and respecting your existing commitments.
- Calendar Sync (Write): When you create or reschedule tasks and events within Everwhen, the app writes those changes back to your Google Calendar. This two-way synchronization ensures you always have a unified, up-to-date view of your complete schedule, whether you check Everwhen, Google Calendar, or any device where Google Calendar is available. This is essential for users who rely on multiple calendar surfaces throughout their day.
- Scheduling Optimization: Imported Google Calendar events are treated as fixed time blocks. Everwhen schedules your tasks around these events to avoid conflicts and build a realistic, workable day plan.
We do not use Google user data for serving advertisements, conducting market research, or any purpose unrelated to providing and improving the Everwhen application.
3.3 Sharing and Disclosure of Google User Data
Everwhen does not sell, rent, or trade your Google user data to any third party.
We do not share or transfer Google user data to third parties except in the following limited circumstances:
- Infrastructure Providers: Your data is stored on secure servers provided by our cloud hosting provider (Railway) solely for the purpose of operating the Everwhen service. These providers process data on our behalf under strict confidentiality obligations.
- Legal Requirements: We may disclose Google user data if required to do so by law, regulation, legal process, or enforceable governmental request.
We do not transfer Google user data to third parties for purposes unrelated to providing or improving the Everwhen application.
3.4 Data Retention and Deletion of Google User Data
Google Calendar data synced to Everwhen is retained only for as long as your account is active and you have an active Google Calendar connection.
- Disconnecting Google Calendar: You can disconnect your Google Calendar integration at any time through your Everwhen account settings. Upon disconnection, all synced Google Calendar data is removed from our systems.
- Account Deletion: When you delete your Everwhen account, all Google user data (including synced calendar events and authentication tokens) is immediately and permanently deleted from our production databases.
- Revoking Access: You can revoke Everwhen's access to your Google account at any time through your Google Account permissions.
3.5 Data Protection for Google User Data
We protect Google user data using the following security measures:
- All data is transmitted using HTTPS (TLS 1.2 or higher) encryption
- Data is stored with encryption at rest in secure PostgreSQL databases
- OAuth 2.0 tokens are stored securely and are never exposed to client-side code
- Access to user data is restricted through JWT-based authentication and row-level database security
3.6 Limited Use Disclosure
Everwhen's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google user data to provide and improve the Everwhen calendar and scheduling service.
- We do not transfer Google user data to third parties unless it is necessary to provide or improve the service, required by law, or done with your explicit consent.
- We do not use Google user data for serving advertisements.
- We do not allow humans to read Google user data unless we have your affirmative agreement, it is necessary for security purposes, it is necessary to comply with applicable law, or our use is limited to internal operations and the data has been aggregated and anonymized.
- We do not use Google user data to train artificial intelligence (AI) or machine learning (ML) models, whether personalized or generalized.
4. Third-Party Services
We use the following third-party services to provide and improve our application:
4.1 Mapbox Geocoding API
When you add location information to tasks or events, we use Mapbox to convert addresses to geographic coordinates. Please review Mapbox's Privacy Policy.
4.2 External Calendar Providers
When you connect external calendars, your data is shared with:
4.3 Railway (Cloud Hosting)
Our backend infrastructure is hosted on Railway, a cloud platform. Data is stored in secure PostgreSQL databases with encryption at rest and in transit.
4.4 LiveKit (LiveKit Inc.)
LiveKit processes real-time audio streams during active voice assistant sessions. Audio is streamed in real-time, not recorded. Sessions are ephemeral — no audio data persists after the session ends. Please review LiveKit's Privacy Policy.
4.5 Apple Sign-In (Apple Inc.)
Apple Sign-In uses the AuthenticationServices system framework. Data shared includes your Apple ID token, and optionally your email address and name (first sign-in only). Purpose: OAuth-based account authentication. See Apple's Privacy Policy.
4.6 Apple WeatherKit (Apple Inc.)
WeatherKit is a system framework used to provide location-aware weather data for schedule context. Your device location is sent to Apple's weather servers. Weather data is cached locally for 15 minutes to minimize requests.
4.7 Apple HealthKit (Apple Inc.)
HealthKit is a system framework used to read health and fitness data for personalized productivity insights. No HealthKit data is shared — all data is read and processed on-device only.
4.8 Apple EventKit (Apple Inc.)
EventKit is a system framework used for one-way import of Apple Calendar events (3-month window). Calendar events are read on-device; imported events are synced to our servers as Everwhen events. No raw Apple Calendar data is shared externally.
4.9 Apple FamilyControls / DeviceActivity (Apple Inc.)
FamilyControls and DeviceActivity are system frameworks used for productivity insights via app usage statistics. No Screen Time data is shared — all data stays on-device.
4.10 Supporting Libraries
The following libraries are transitive dependencies and do not independently collect user data:
- JWT-Kit: Token parsing and validation
- swift-crypto: Cryptographic operations
- swift-asn1: Certificate handling
- swift-collections: Data structure utilities
5. Data Storage and Security
5.1 On-Device Storage (iOS)
- Access token, refresh token: iOS Keychain (hardware-encrypted)
- APNs device token: iOS Keychain
- User preferences: UserDefaults (app sandbox)
- Local database: CoreData/SQLite in app sandbox (tasks, events, goals, categories, reminders)
- HealthKit data: Apple Health (system-managed, never exported)
- Screen Time data: FamilyControls (system-managed, never exported)
5.2 Server Storage and Security
The following data is stored on secure servers provided by Railway cloud hosting, encrypted at rest and in transit (TLS 1.2+):
- Account info: Email address, name, password hash (bcrypt)
- User content: Tasks, events, goals, categories, schedule preferences
- Saved locations: Home, work, and custom locations
- Device tokens: APNs tokens for push notifications
- OAuth tokens: External calendar authentication tokens
We implement industry-standard security measures:
- Encryption: All data is transmitted over HTTPS (TLS 1.2+) and stored with encryption at rest
- Password Protection: Passwords are hashed using bcrypt, a secure one-way cryptographic function
- Access Control: JWT (JSON Web Token) authentication ensures only authorized users can access their data
- Database Security: PostgreSQL databases with row-level security and connection encryption
API Security: All API communication uses HTTPS. Authentication tokens are attached as Bearer tokens. Tokens auto-refresh before expiry. Failed authentication triggers automatic token refresh with retry.
5.3 What Is NOT Stored on Our Servers
- HealthKit data (never leaves your device)
- Screen Time / app usage data (never leaves your device)
- Voice audio recordings (streamed in real-time, never stored)
- Apple Calendar raw data (imported events become Everwhen events)
- Microphone audio outside of active voice sessions
6. Data Retention
- Account data: Retained until you delete your account
- Tasks, events, goals: Retained until you delete them or your account
- Voice session audio: Not retained — real-time streaming only
- Device tokens (APNs): Retained until logout or account deletion
- Authentication tokens: Retained until logout, expiry, or account deletion
- HealthKit data: On-device only; governed by your iOS Health settings
- Screen Time data: On-device only; governed by your iOS settings
Account Deletion: When you delete your account, all associated data is immediately and permanently deleted from our production databases through CASCADE deletion. This deletion is irreversible.
Backups: Railway may maintain automated backups for disaster recovery. These are purged within 30 days.
7. Your Rights and Choices
7.1 Access & Portability
You can view all your data within the app (tasks, events, goals, profile). You can export your data in machine-readable formats (JSON) through your account settings and request transfer to another data controller where technically possible.
7.2 Deletion
You can delete your account at any time through your account settings. Account deletion permanently removes all associated server-side data. Backups are purged within 30 days.
7.3 Permission Revocation (iOS)
You can revoke any permission at any time via iOS Settings:
- Location: Settings > Privacy & Security > Location Services > Everwhen
- HealthKit: Settings > Privacy & Security > Health > Everwhen
- Microphone: Settings > Privacy & Security > Microphone > Everwhen
- Calendar: Settings > Privacy & Security > Calendars > Everwhen
- Screen Time: Settings > Screen Time (FamilyControls authorization)
- Notifications: Settings > Notifications > Everwhen
7.4 Opt-Out Options
- You can use Everwhen without granting HealthKit, Location, Microphone, Calendar, or Screen Time access. Core task, event, and goal functionality works without any optional permissions.
- Google Calendar sync can be disconnected at any time via your account settings.
7.5 Your Rights Under Turkish Privacy Law (KVKK)
Under the Law on Protection of Personal Data No. 6698 (KVKK), you have the following rights:
7.5.1 Right to Learn Whether Personal Data is Processed
You have the right to know whether we are processing your personal data and to request information about such processing.
7.5.2 Right to Access and Request Information
You have the right to access your personal information stored in our systems and request information about how it is processed. You can view and export your data through your account settings.
7.5.3 Right to Correction
You may request correction or update of incomplete or inaccurate personal information at any time through your account settings or by contacting us.
7.5.4 Right to Deletion or Destruction
You can request deletion of your personal data if the legal grounds for processing no longer exist. You can delete your account and all associated data at any time through account settings. Upon deletion, all your data is immediately and permanently removed from our systems.
7.5.5 Right to Object to Processing
You may object to data processing activities by:
- Disconnecting external calendar integrations in your settings
- Disabling location data collection
- Deleting your account entirely
7.5.6 Right to Data Portability
You can export your data in machine-readable formats (JSON) through your account settings and request transfer to another data controller where technically possible.
7.5.7 Right to Lodge a Complaint
If you have concerns about our privacy practices or believe your rights under KVKK have been violated, you may file a complaint with:
Turkish Data Protection Authority (Kişisel Verilerin Korunması Kurumu)
Nasuh Akar Mahallesi, Ziyabey Caddesi, 1407. Sokak No: 4
Balgat, Çankaya / Ankara, Turkey
Phone: +90 (312) 216 50 50
Website: www.kvkk.gov.tr
7.5.8 Right to Seek Damages
If you suffer damages due to unlawful processing of your personal data, you have the right to seek compensation in accordance with Turkish law.
7.6 GDPR Rights (EU Users)
If you are located in the European Union, you have the following rights under the General Data Protection Regulation:
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
To exercise these rights, contact us at [email protected] with the subject line "GDPR Request".
7.7 CCPA Rights (California Users)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know what personal data is collected about you
- Right to request deletion of your personal data
- Right to opt-out of the sale of your personal data (we do not sell personal data)
- Right to non-discrimination for exercising your privacy rights
To exercise these rights, contact us at [email protected] with the subject line "CCPA Request".
8. Children's Privacy
Our service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us, and we will delete such information immediately.
9. International Data Transfers
Your personal data may be transferred to, stored, and processed outside of Turkey, including in countries where our service providers operate (such as cloud hosting services). We ensure that appropriate safeguards are in place to protect your data in accordance with KVKK requirements, including standard contractual clauses where applicable. By using our service, you consent to such transfer and processing.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:
- Sending an email to your registered email address
- Displaying a prominent notice in the application
- Updating the "Effective Date" at the top of this policy
Your continued use of our service after changes indicates your acceptance of the updated policy.
11. Cookies and Tracking
We use essential cookies for authentication (JWT tokens) and session management. We do not currently use tracking cookies or third-party advertising cookies. If this changes in the future, we will update this policy and provide you with opt-out options.
12. Data Breach Notification
In the unlikely event of a data breach that poses a risk of significant harm to you, we will notify affected users and the relevant data protection authorities (including the Turkish Data Protection Authority and, where applicable, EU supervisory authorities) as required by applicable privacy law.