
Privacy Policy

Updated 1 May 2026

01

Data Controller

Do It is operated by Derek Fidler (“we”, “us”, “our”). For purposes of the UK GDPR and EU GDPR, Derek Fidler is the data controller for personal data processed through this Service.

Contact: derek@do-it.derekfidler.com

02

Information We Collect

We collect only the information necessary to provide the Service:

  • Your name, email address, and profile picture (from Google sign-in)
  • Tasks, notes, and associated metadata you create in Do It
  • Google Calendar events (only if you grant access)
  • Google Calendar OAuth tokens (when you connect Google Calendar)
  • Device information: model, operating system version, and app version (used for analytics and crash reporting)
  • Approximate location (country), derived from IP address by our analytics provider
  • A pseudonymous identifier (a randomly generated UUID) used to link your activity across sessions

We do not collect your name or email for analytics purposes. Your pseudonymous identifier is not linked to your name or email in our analytics systems.

03

Lawful Basis for Processing

We process your personal data on the following legal bases under Article 6 of the UK/EU GDPR:

  • Performance of a contract — to create and maintain your account, store and sync your tasks, and provide the Service.
  • Legitimate interests — to monitor app stability (crash reporting) and understand how users interact with the Service (analytics), in a way that does not override your rights.
  • Legal obligation — where required to comply with applicable law.

04

How We Use Your Information

  • Create and maintain your account
  • Store and sync your tasks across devices
  • Import and display Google Calendar events as tasks (with your permission)
  • Send push notifications to remind you of tasks (with your permission)
  • Monitor app performance and fix crashes
  • Understand how users activate and return to the Service

We do not sell, rent, or share your personal information with third parties for marketing purposes.

05

Third-Party Data Processors

We use the following sub-processors to operate the Service. Each is bound by a data processing agreement:

Supabase (database & authentication)

Stores your account data and tasks. Data is held in the EU (AWS eu-west-1). Supabase Privacy Policy

PostHog (product analytics)

Receives pseudonymous usage events (no name or email). Data is held in the EU. PostHog Privacy Policy

Sentry (error monitoring)

Receives crash reports and error logs. Reports may include your pseudonymous user ID and device information. Sentry Privacy Policy

Google (authentication & calendar)

Provides sign-in and optional calendar access. Google Privacy Policy

06

Google Calendar Access

If you choose to connect Google Calendar, Do It requests a single OAuth scope:

https://www.googleapis.com/auth/calendar.readonly

This grants read-only access to your Google Calendar events.

What we read. Calendar event titles, descriptions, start and end times, and the calendar each event belongs to, for a window of 30 days in the past to 90 days in the future.

How we use it. Events are imported as read-only tasks inside Do It and shown alongside your other tasks on the appropriate date. We never write to, modify, or delete entries in your Google Calendar.

How it's stored. OAuth access and refresh tokens, and a copy of imported events, are stored in your encrypted row in our Supabase database (AWS eu-west-1). They are protected by row-level security and accessible only to your authenticated session.

What we don't do. We never share, sell, transfer, or use Google Calendar data for advertising, training models, or any purpose other than displaying tasks to you. No human at Do It reads your calendar data.

Retention. Imported calendar events and stored OAuth tokens are deleted within 30 days of you disconnecting Google Calendar in Do It's Settings, or within 30 days of deleting your Do It account.

Revoking access. You can revoke Do It's access at any time from Settings → Calendar → trash icon, or directly from your Google Account permissions page.

Limited Use. Do It's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

07

Data Retention

  • Account and task data — retained while your account is active. Deleted within 30 days of an account deletion request.
  • Analytics data — retained for 12 months in PostHog, then automatically purged.
  • Crash reports — retained for 90 days in Sentry.

08

International Transfers

Your data is primarily stored and processed within the European Economic Area (EEA). Where transfers outside the EEA occur (for example, Sentry's infrastructure), they are governed by Standard Contractual Clauses approved by the European Commission.

09

Your Rights Under the GDPR

If you are located in the UK or EEA, you have the following rights:

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — request correction of inaccurate personal data.
  • Right to erasure (Art. 17) — request deletion of your personal data (“right to be forgotten”).
  • Right to restriction (Art. 18) — request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, email derek@do-it.derekfidler.com with the subject line “GDPR Request”. We will respond within 30 days.

10

Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your local supervisory authority:

11

Cookies and Sessions

Do It is an iOS application; the app uses secure local storage instead of cookies. This site (do-it.derekfidler.com) is informational only and does not set tracking cookies.

12

Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes by updating the date at the top of this page. Continued use of the Service after changes are posted constitutes acceptance of the updated Policy.

13

Contact

For privacy-related questions or data requests: derek@do-it.derekfidler.com