Privacy Policy
Effective date: May 18, 2026
1. Introduction
Planist AI (“we”, “our”, “us”) respects your privacy. This Privacy Policy explains how we collect, use, and protect your personal information when you use our Service.
2. Information We Collect
Account Information
- Email address (for authentication and communication)
- Language preference
Content You Create
- Notes, tasks, comments, and subtasks
- Voice input transcriptions (processed client-side)
- Custom templates
Usage Data
- Focus session durations and timestamps
- Device tokens for push notifications
- General usage patterns
3. How We Use Your Information
- AI Analysis — Your notes and chat messages are sent to Google Gemini AI to extract tasks, detect mood, and generate insights. See Section 4 for full detail.
- Notifications — Device tokens are used solely to deliver push notifications you have opted into.
- Communication — Your email is used for authentication (magic links) and important service updates.
- Improvement — Aggregated, anonymized usage data may be used to improve the Service.
4. AI Analysis & Google Gemini
Planist AI relies on Google’s Gemini AI service to turn natural-language notes and chat messages into structured tasks, timelines, and mood insights. This is the only AI provider we use, and your data is only sent when you take an AI-triggering action (saving a note for analysis, asking the chat assistant a question, or generating a digest preview).
What is sent
- The text of the specific note, chat message, or digest you are working on at that moment.
- A short system prompt that tells Gemini how to structure its response (e.g. return JSON, prefer your selected language).
- Your selected language code (e.g. en, tr, de) so the response comes back in the same language.
What is not sent
- Your name, email address, phone number, or any other account-identifying field.
- Text from other notes, chats, or files in your account.
- Your location, contacts, photos, calendar, or device identifiers.
Who receives it
Google LLC, operating the Gemini API (terms, privacy policy). The request is sent server-to-server from our backend over an encrypted (TLS / HTTPS) connection. Per Google’s paid API terms, content sent through the Gemini API is not used to train Google’s AI models.
Retention
- On Google’s side: we do not store request content with Google. Per Google’s policies, paid API traffic is retained only as long as needed for abuse detection (a short rolling window) and is not added to training data.
- On our side: we store the AI’s structured output (the extracted tasks, summary, mood label) on our server so you can see your analyzed notes later. Deleting a note from inside the app also deletes its analysis. Deleting your account permanently removes everything within 30 days.
Your control
- Explicit opt-in. The first time you take an AI-triggering action in our iOS app, Planist shows a consent screen explaining what will be sent. AI features are blocked until you tap “Allow & Continue”.
- Use without AI. Every screen offers a “Quick Note” option that saves your text directly to our server without ever sending it to Gemini.
- Revoke at any time. Settings → Privacy → “AI data sharing” lets you revoke consent. Future AI features will require permission again.
- Delete content. Deleting a note or chat thread also deletes the AI output stored alongside it.
5. Data Storage & Security
- Your data is stored in PostgreSQL databases with encryption at rest
- All connections use HTTPS/TLS encryption
- Authentication uses JWT tokens with short expiration times
- Each user can only access their own data — strict server-side ownership verification on every API endpoint
- OAuth state parameters are HMAC-signed to prevent tampering
6. Third-Party Services
We use the following third-party services:
- Google Gemini AI — for note analysis and AI insights (see Section 4 for full disclosure)
- Apple Push Notification Service / Firebase Cloud Messaging — for push notifications
- Google Calendar API — for calendar sync (opt-in only)
- Stripe — for payment processing on the web (subscription plans)
- RevenueCat — for managing iOS in-app subscriptions
Each third-party service has its own privacy policy. We only share the minimum data necessary for each service to function.
7. Data Retention
- Your data is retained as long as your account is active
- Deleted content is permanently removed from our databases
- You can export all your data at any time via the Settings page
- Upon account deletion, all data is permanently deleted within 30 days
8. Your Rights
You have the right to:
- Access — View and export all your data
- Rectify — Edit or correct your information
- Delete — Delete your account and all associated data
- Portability — Export your data in JSON format
- Withdraw consent — Disable push notifications or disconnect integrations at any time
9. Cookies & Local Storage
- Authentication token — stored as an HTTP cookie for session management
- Preferences — theme, language, timezone stored in localStorage
- Focus timer state — stored in localStorage to survive page refresh
We do not use tracking cookies or third-party analytics cookies.
10. Children's Privacy
The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of significant changes via email or in-app notification.
12. Contact
For privacy-related questions, contact us at [email protected].