1. Information We Collect

We collect the following categories of data:
A. Account and Identity Data
When you sign in with Google or Apple via Firebase Authentication, we collect:
* Name (if provided by your identity provider)
* Email address
* Unique account/user ID
* Authentication provider (Google or Apple)
We do not collect your Google or Apple password.B. Device and Technical Data
To operate and secure the service, we collect:
* Device timezone (IANA timezone string)
* Push notification tokens (FCM/APNs)
* Firebase App Check tokens / attestation state
* App version, OS version, device type
* Limited security and operational logs (including internal user ID where needed for security/abuse prevention)C. User Content
You may create and store:
* Tasks
* Notes
* Checklists/subtasks
* Reminders
* Optional voice transcript text (if you use voice input)
For voice features:
* Raw voice recordings are used transiently for speech recognition and are not stored by Thinkii after transcription.
* The resulting transcript text is treated as user content.
* Unsaved transcript/suggestion content is not retained as persistent account content.D. Usage and Engagement Data
Depending on your settings and feature use, we collect:* Feature usage events (e.g., task creation/completion, reminder setup, voice feature usage)
* In-app lifecycle/engagement state used for app messaging and UX logic (for example: active days count, prompt-shown flags, first-task-created state)
* Subscription/entitlement state (via RevenueCat integration)
* Onboarding session data, including which screens were viewed, actions taken at each step, timestamps, and selections made during setup (such as category preferences and initial task choices)This engagement state and onboarding data is stored as part of core app functionality and is distinct from optional analytics data. It is collected regardless of your analytics preference setting and is linked to your account.E. Waitlist Data (if applicable)
If you join a waitlist form, we may collect:
* Name
* Email address

2. Analytics

We use Firebase Analytics to understand how Thinkii is used and to improve the app.* Analytics is off by default.
* We request analytics consent in-app after onboarding (typically on your second day of use).
* You can change this preference at any time in Profile settings.
* If analytics is disabled, Thinkii disables Firebase Analytics collection and does not send custom analytics events.What We Collect
When analytics is enabled, Firebase Analytics may collect non-content usage data such as:
* App opens and session duration
* Features used (e.g., creating tasks, setting reminders, using voice input)
* General usage patterns (e.g., which categories or planning views are used)
* Device type, operating system version, and app version
* Country and languageWhat We Do Not Collect
Analytics data does not include:
* Your name or email address
* The text of your tasks, notes, reminders, checklists, or voice content
* Any personal content you enter into the appHow It Works
Analytics events are associated with a device-level identifier (such as a Firebase App Instance ID). When you have an active subscription, we may link this identifier with subscription status information through RevenueCat for the purpose of managing entitlements and understanding feature usage patterns.Analytics data is used solely to improve Thinkii's functionality and performance. We do not sell analytics data. We do not use analytics to access or analyze your task content. Analytics data is not used for targeted advertising.Analytics data is processed by Google. For details, see Google's Privacy Policy

3. How We Use Your Information

We use your information to:
* Create and manage your account
* Provide core features (tasks, reminders, recurring logic, calendar view support)
* Send push reminders and optional product/system messages
* Provide optional AI-assisted task structuring features
* Synchronize data across your devices
* Prevent abuse, fraud, unauthorized access, and service misuse
* Maintain reliability, debugging, and operational monitoring
* Manage subscriptions and entitlements
* Comply with legal obligationsWe do not sell personal information. We do not use your content for ad personalization.

4. AI Data Processing and Third-Party Sharing

Thinkii offers optional AI features that can convert your input into structured tasks.When you use these features, Thinkii may send:
* Voice transcript text
* Text you manually submit
* Minimal technical metadata needed to process the request — to Google Gemini API services (Google LLC).Important clarifications*
Thinkii does not include your name or email in AI prompts.
* AI requests are authenticated in Thinkii systems and may be associated with an internal account identifier (e.g., user ID) for security, abuse prevention, and rate-limiting.
* In normal operation, Thinkii is designed not to store full prompt/response content in server logs.
* In limited error/debug/security scenarios, short excerpts or derived diagnostics may be logged in secure infrastructure for reliability and abuse prevention.What is stored
* Voice recordings: not stored by Thinkii after transcription.
* Unsaved AI suggestions/transcripts: not retained as account content.
* Saved tasks: stored in your account like any other task content.
User control
* AI features are optional.
* Thinkii presents AI disclosure before first AI use.
* If you do not consent, AI features remain disabled unless you later opt in.

5. Legal Basis for Processing Personal Data

Thinkii is operated in Canada under the Personal Information Protection and Electronic Documents Act (PIPEDA). We collect, use, and disclose personal information based on:
- User consent
- Contractual necessity (to provide services)
- Legitimate interests, such as maintaining service security, preventing fraud or abuse, supporting customer service, and improving Thinkii's functionality and performance
- Legal obligation (where required)If you are located in a jurisdiction with its own data protection laws — including but not limited to Brazil (LGPD), South Korea (PIPA), Japan (APPI), Australia (Privacy Act 1988), New Zealand (Privacy Act 2020), South Africa (POPIA), Mexico (LFPDPPP), or the United Kingdom (UK GDPR) — Thinkii processes your personal data in accordance with those applicable local laws in addition to PIPEDA. The legal bases under those frameworks include consent, contractual necessity, and legitimate interests as described in this policy.We collect only the minimum data necessary for each purpose, and we do not use personal data for purposes that are incompatible with the reason it was originally collected.- Account creation and authentication is processed on the basis of contractual necessity, in accordance with PIPEDA, GDPR/UK GDPR (where applicable), LGPD, PIPA, APPI, POPIA, LFPDPPP, and the Privacy Acts of Australia and New Zealand.
- Task, note, reminder storage and sync is processed on the basis of contractual necessity, under the same frameworks listed above.
- Push reminders (user-enabled) are processed on the basis of consent and contractual necessity, under the same frameworks listed above.
- Analytics (Firebase, optional) are processed on the basis of consent, under the same frameworks listed above.
- AI feature processing (optional) is processed on the basis of consent, under the same frameworks listed above.
- Optional Google Calendar display is processed on the basis of consent, under the same frameworks listed above.
- Fraud and abuse prevention, and App Check security are processed on the basis of legitimate interests, under the same frameworks listed above.
- Service reliability and operational logging is processed on the basis of legitimate interests, under the same frameworks listed above.
- Subscription and entitlement management is processed on the basis of contractual necessity, under the same frameworks listed above.
- Legal compliance, audits, and legal claims are processed on the basis of legal obligation and legitimate interests, under the same frameworks listed above.

6. Consent

You provide consent when you:
- Sign in and create an account
- Enable optional permissions (microphone, notifications)
- Enable analytics
- Use optional AI features
- Connect Google Calendar (optional)You can withdraw consent by:
- Turning off analytics in-app
- Declining AI features / stopping AI feature use
- Revoking app permissions on your device
- Disconnecting optional integrations where available
- Deleting your account

7. Third-Party Services

We use trusted third-party providers to operate Thinkii’s core features.Authentication, Database, and Core Backend (Google Firebase / Google Cloud)
- Firebase Authentication — account sign-in and identity management
- Cloud Firestore — secure storage of account data and user-created content
- Cloud Functions for Firebase — secure backend processing (including reminders, subscription checks, and AI request handling)
- Firebase App Check — helps prevent unauthorized or abusive access to backend services
- Firebase Cloud Messaging (FCM) and Apple Push Notification service (APNs) — delivery of reminders and system notifications
- Google Cloud infrastructure and logging — service operation, security monitoring, diagnostics, and reliability
- Device-level identifiers (including Firebase Installation ID) are shared with Google LLC as part of Firebase infrastructure, analytics, and App Check security services.AI-Powered Features (Optional)
- Google Gemini API services (Google LLC) — processes user-submitted voice transcripts or text when you choose to use AI featuresAnalytics (Optional; Consent-Based)
- Firebase Analytics (Google LLC) — usage analytics only when enabled by user consent in-appCalendar Integration (Optional)
- Google Calendar API (read-only) — displays your existing calendar events when you connect Google Calendar; Thinkii does not create, edit, or delete calendar eventsSubscription and Entitlements
- RevenueCat — subscription status, entitlement management, and purchase validation. Purchase history metadata is shared with RevenueCat by Apple App Store and Google Play for the purpose of subscription validation and entitlement management.
- Apple App Store and Google Play — payment processing, billing, and platform subscription servicesPayment Information
Payments are processed directly by Apple and Google through their billing systems. Thinkii does not receive full payment card details.Provider Roles
Provider roles may vary depending on the processing context and applicable law. Some providers act as processors/service providers on our behalf, while others (such as app stores or platform operators) may act as independent controllers for certain processing activities under their own terms and privacy policies.More Information
For more information about how these providers process personal data, please review their privacy policies and applicable data processing terms.

8. Google Authentication

Thinkii supports Google Sign-In through Firebase Authentication on supported platforms (including iOS and Android).During standard Google account sign-in, Thinkii requests only these Google OAuth scopes:- Email address scope (userinfo.email)
- Basic profile scope (userinfo.profile)These scopes are used only to create and manage your Thinkii account and display basic profile information in-app.Thinkii does not access or store your Google password.Thinkii does not request additional Google Account permissions during standard sign-in.
If you choose to connect Google Calendar, Thinkii requests an additional optional scope as described in Section 9.You may revoke Thinkii’s access to your Google account at any time in your Google Account settings under Security → Third-party apps with account access.

9. Optional Google Calendar Access

If you choose to connect Google Calendar, Thinkii requests an additional optional Google OAuth scope:- Calendar Read Only Scope (calendar.readonly)This permission is used only to read and display your existing Google Calendar events in Thinkii to support planning views.Calendar connection is optional and uses incremental consent.
You can decline calendar access and continue using Thinkii without calendar features.
Thinkii does not create, edit, or delete Google Calendar events.
Thinkii does not use calendar event data for advertising or marketing.
Calendar event data is accessed from Google when needed for in-app display. Thinkii may store limited connection metadata (for example, whether calendar access is connected and connection status timestamps) to maintain account state and user experience.You can remove Thinkii’s calendar access at any time through your Google Account permissions settings. If you encounter any issues disconnecting calendar access within the app, you can manage all Thinkii permissions directly in your Google Account settings under Security → Third-party apps with account access.

10. Voice and AI Feature Processing

When you use voice input or AI-assisted task creation:- Speech may be transcribed on-device or through device-level speech recognition services.
- The resulting transcript text may be sent to Thinkii’s secure backend and then to Google Gemini API services (Google LLC), as described in Section 4.
- Thinkii does not retain raw voice recordings after transcription.
- AI-generated suggestions are shown to you for review and are not saved to your account unless you choose to save them.
- Only content you explicitly save (for example, tasks, notes, reminders, or checklists) is retained in your Thinkii account.Thinkii maintains limited technical and operational logs for reliability, abuse prevention, and security. These logs are designed to avoid storing full AI prompt/response content in normal operation; in limited error/debug scenarios, short excerpts or derived diagnostics may be recorded for troubleshooting and then retained only for a limited period.

11. Push Notifications

Thinkii may send:
- Task reminders
- Morning planning reminders (if enabled)
- Product/system lifecycle messages (based on app engagement and subscription state)
- Service updatesYou can disable push notifications in device settings. Some notification categories are also controllable in-app where available.

12. Data Retention

We retain personal data only as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by applicable law.Account data (including your name, email address, and user ID) is removed from active systems after your account deletion request is completed.
Tasks, notes, checklists, and reminders are removed from active systems after your account deletion request is completed.
Unsaved voice transcripts are transient — they are processed only to produce a transcript and are not retained as account content.
Unsaved AI suggestions are session-only — they are shown to you for review and are not retained as account content unless you choose to save them.
Analytics data (if enabled) is retained according to Firebase and Google Analytics retention configuration.
Security and operational logs are retained for limited periods needed for security, abuse prevention, diagnostics, and reliability — typically short-term and often up to approximately 90 days, depending on system configuration.
Push notification tokens are retained until account deletion, logout, a change in account state, or token refresh/invalidation.
Subscription and entitlement metadata is retained as needed for subscription management, accounting, legal compliance, and dispute handling.
Waitlist data (if applicable) is retained until you unsubscribe or until the end of the applicable campaign retention window.Backups and processor-side systems may retain copies for a limited period under their own retention schedules before secure deletion or de-identification.

13. Data Security

We apply technical and organizational safeguards designed to protect your personal data, including:- Encryption in transit and at rest (through our cloud service providers)
- Firebase App Check and related request validation controls
- Periodic re-authentication for sensitive account sessions (currently targeted at approximately every 30 days)
- Thinkii is hosted on Google Cloud infrastructure, which maintains industry-recognized security and compliance standards.We also limit internal access to personal data to authorized personnel with a legitimate business need (for example, support, maintenance, and security operations), subject to confidentiality obligations.While we take reasonable steps to protect your information, no method of transmission or storage is completely secure.

14. International Users

Thinkii is operated from Canada and is available in supported regions. By using the app, you acknowledge that your information may be processed in Canada, the United States, and other jurisdictions where our service providers (including Google Cloud Platform, Firebase, and RevenueCat) operate.Authorized team members (for example, founders or support personnel) may access personal data only where necessary for support, maintenance, security, or legal compliance, and subject to confidentiality and access controls.We seek to handle personal data in accordance with applicable privacy laws, including Canadian law (PIPEDA) and, where applicable, the laws of your country of residence.Australia: If you are located in Australia, your data is handled in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
New Zealand: If you are located in New Zealand, your data is handled in accordance with the Privacy Act 2020. You may lodge a complaint with the Office of the Privacy Commissioner at privacy.org.nz.
Brazil: If you are located in Brazil, your data is handled in accordance with the LGPD. You have the right to access, correct, delete, and port your data. You also have the right to be informed about the consequences of refusing consent for optional features — declining consent for optional features does not affect your access to Thinkii's core functionality. You may contact the ANPD at gov.br/anpd.
South Korea: If you are located in South Korea, your data is handled in accordance with PIPA. You may have rights including access, correction, deletion, suspension of processing, and portability where applicable. You may lodge a complaint with the PIPC at privacy.go.kr.
Japan: If you are located in Japan, your data is handled in accordance with APPI. You may request disclosure, correction, addition, deletion, or suspension of use by contacting [email protected]. You may also contact the PPC at ppc.go.jp.
South Africa: If you are located in South Africa, your data is handled in accordance with POPIA. You may have rights including access, correction, and deletion requests. You may lodge a complaint with the Information Regulator at inforegulator.org.za.
Mexico: If you are located in Mexico, your data is handled in accordance with LFPDPPP. You may exercise ARCO rights (Access, Rectification, Cancellation, Objection) by contacting [email protected]. We will respond to ARCO requests within 20 business days as required by Mexican law.
Israel: If you are located in Israel, your data is handled in accordance with the Protection of Privacy Law and applicable regulations. You may contact the Privacy Protection Authority (PPA) at gov.il/en/departments/ppa.
United Kingdom: If you are located in the UK, your data is handled in accordance with the UK GDPR and Data Protection Act 2018. You may lodge a complaint with the ICO at ico.org.uk.
European Economic Area: If you are located in the EEA, your data is handled in accordance with the EU GDPR. You have the right to lodge a complaint with the data protection authority in your country of residence. A full list of EU DPAs is available at edpb.europa.eu.Where personal data is transferred outside your country of residence, we rely on appropriate safeguards where required by applicable law, including contractual protections such as Standard Contractual Clauses and provider data processing terms.

15. International Data Transfers

Thinkii is operated from Canada and uses service providers that may process personal data in other countries, including the United States and other regions where those providers operate infrastructure.When personal data is transferred across borders, we use safeguards appropriate to the transfer and required by applicable law. Depending on your location and the processing context, these safeguards may include:- Contractual protections, including Standard Contractual Clauses (or equivalent approved mechanisms)
- Data Processing Agreements and related contractual commitments from our service providers
- Technical and organizational safeguards designed to protect data in transit and at restOur primary providers for cross-border processing include Google services (such as Firebase, Google Cloud, and Gemini API services) and RevenueCat.For users in the EEA and UK, where required, transfers outside those regions are protected using recognized transfer mechanisms (including Standard Contractual Clauses and UK-equivalent measures).For users in Australia, Brazil, South Korea, and other jurisdictions with cross-border transfer rules, we apply transfer arrangements intended to meet applicable local legal requirements.You may request additional information about applicable transfer safeguards by contacting us at [email protected] with the subject line “Privacy Request — Transfers”.

16. Your Rights

Depending on your location and applicable law, you may have some or all of the following rights regarding your personal data:- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate or incomplete data
- Deletion — request deletion of your personal data
- Restriction — request restriction of processing in certain circumstances
- Portability — request a copy of your personal data in a structured, commonly used, machine-readable format, where applicable
- Objection — object to certain processing, including processing based on legitimate interests, where applicable
- Withdraw consent — withdraw consent for processing based on consent at any time (this does not affect processing already carried out lawfully before withdrawal)
- Consent consequences — request information about the consequences of declining optional consent-based features
- Automated processing review — in jurisdictions that provide this right (including South Korea, where applicable), request human review of relevant AI-assisted outputsYou can exercise some controls directly in the app (for example, account deletion, permission settings, and optional feature toggles).
For rights requests beyond in-app controls, contact us at [email protected] with the subject line “Privacy Request.”We may request identity verification before fulfilling certain requests.
We respond within timelines required by applicable law (or within 30 days where no shorter legal deadline applies).Regulatory Contacts by Region
If you believe your data has been handled improperly, you may lodge a complaint with your local privacy/data protection authority, including:Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
New Zealand: Office of the Privacy Commissioner — privacy.org.nz
Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd
South Korea: Personal Information Protection Commission (PIPC) — privacy.go.kr
Japan: Personal Information Protection Commission (PPC) — ppc.go.jp
South Africa: Information Regulator — inforegulator.org.za
Mexico: INAI — inai.org.mx
Israel: Privacy Protection Authority (PPA) — gov.il/en/departments/ppa
United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk
European Economic Area: Your local EU data protection authority — full list at edpb.europa.eu

17. Children's Privacy

Thinkii is not intended for children. Minimum age requirements vary by jurisdiction:- General (Canada and most countries): 13 years old. Users below the age of majority in their province, state, or country should use Thinkii only with parental or guardian consent where required by law.
- South Korea: 14 years old. Users under 14 must have parental or guardian consent as required by PIPA.
- Japan: Users under approximately 15 years old should obtain parental or guardian consent, consistent with guidance under APPI.
- South Africa: Under POPIA, processing personal information of persons under 18 generally requires parental or guardian consent.
- Brazil: Under LGPD, users under 18 generally require parental or guardian consent.If we become aware that we have collected personal data from a child below the applicable minimum age without required consent, we will delete that data as required by applicable law.If you believe we may have collected data from a child without appropriate consent, please contact us at [email protected] with the subject line “Child Privacy Request.”

18. Regional Contacts and Representatives

Thinkii takes its privacy obligations seriously across all supported markets. Regional contact details are below.All regions: For privacy-related requests, questions, or complaints, contact [email protected] with the subject line "Privacy Request." We aim to respond within 30 days, or within any shorter period required by applicable law.- South Korea: Thinkii is in the process of appointing a domestic representative under applicable PIPA requirements. This section will be updated once appointed. In the interim, contact [email protected].
- Brazil (LGPD): Thinkii's privacy contact (encarregado) is reachable at [email protected]. If a separate DPO/encarregado is formally appointed, this section will be updated.
- South Africa (POPIA): Thinkii's Information Officer is Alysha Vazquez, reachable at [email protected].
- Mexico (LFPDPPP): For ARCO requests (Access, Rectification, Cancellation, Objection), contact [email protected] with subject "ARCO Request." We respond within timelines required by applicable Mexican law.
- Japan (APPI): For requests concerning disclosure, correction, addition, deletion, or suspension of use, contact [email protected].
- United Kingdom (UK GDPR): UK users may contact [email protected] for privacy matters. If a UK representative becomes required, this section will be updated with representative details.
- EEA (EU GDPR): Thinkii is in the process of appointing an EU representative as required under Article 27 of the EU GDPR. This section will be updated with full representative details prior to or upon launch in EEA markets. In the interim, EEA users may contact [email protected] with the subject line "Privacy Request."

19. Compliance with Google API Policies

Thinkii’s use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements where applicable.We access only the minimum Google API data necessary to provide user-enabled features (such as Google Sign-In and optional Google Calendar read-only display).Google API data is not used for advertising, marketing, or sale of data. We do not use Google API data to create advertising profiles.Where analytics is enabled by user consent, analytics processing is handled as described in this Privacy Policy and is not based on Google Calendar content or other Google API user content.

20. Changes to This Policy

We may update this Privacy Policy from time to time to reflect product, operational, or legal changes.If we make material changes, we will provide notice through appropriate channels, such as an in-app notice, account notification, or other reasonable means.We encourage you to review this page periodically for the latest version.

21. Contact Us

For any questions or to exercise your privacy rights, contact our support team at [email protected] — please include 'Privacy Request' in the subject line.Email: [email protected]
Website: https://thinkii.app

Last Updated: May 2026