Legal

Privacy Policy

This page provides the public privacy notice for AssistantBud and is intended to be the stable policy URL for web and app distribution.

Last updated: March 1, 2026

AssistantBud ("AssistantBud," "we," "our," or "us") provides a productivity and planning service available on the web and through a Capacitor-based mobile app shell. This Privacy Policy explains what information we collect, how we use it, when it is shared, and the choices available to you.

If you do not agree with this Privacy Policy, do not use AssistantBud.

Summary

In plain English:

We collect the account information needed to sign you in and run your account, such as your email address.
We store the content you create in AssistantBud, such as tasks, notes, habits, events, places, workspaces, and sharing records.
Google Calendar and Outlook calendar connections are optional. If you connect them, AssistantBud stores encrypted tokens and imports calendar metadata so it can show your calendars inside the app.
The Places feature does not collect your device's precise location in the current codebase. It works from places you search for or save.
Sharing in the current implementation is account-based. Shared items are available only to the invited account after that person signs in and accepts, not through anonymous public links.
We did not find third-party advertising SDKs, analytics SDKs, or cross-app tracking SDKs in the current codebase reviewed on March 1, 2026.
You can delete your account in the app from Settings -> Danger Zone -> Delete account. Deletion requires password confirmation and permanently removes your AssistantBud account and the data tied to it, except for copied items that already exist in another user's account.

Data We Collect

Category	Examples	How we get it	Why we collect it
Account and authentication data	Email address, Supabase user ID, session/auth tokens, password reset flow data	When you create an account, sign in, or use the app	To authenticate you, secure your account, and keep you signed in
Profile data	Username, normalized username, display name, avatar URL field	When you create or edit your profile	To identify your account in the app and make sharing/friends features work
Planner and productivity content	Tasks, categories, subcategories, goals, habits, habit entries, recurring templates, task pages	When you create or edit content	To provide the core planner and productivity features
Events content	Event titles, dates/times, locations, notes, labels, RSVP fields, checklist items, templates, recurrence details	When you create or edit events	To let you plan and manage events
Notes content	Note titles, rich content JSON, plain-text note content, pinned/template status, note links	When you create or edit notes	To provide note-taking and note-linking features
Places content	Saved place names, addresses, place IDs, latitude/longitude, website URLs, Google Maps URLs, phone numbers for places, ratings, tags, labels, notes, collections, checklist items	When you save a place or import place details from Google Maps/Places	To provide saved places, collections, and map views
Workspace and collaboration data	Workspace name, join code, member nickname, member initials, member color, membership role, workspace tasks, comments, notifications	When you create, join, or use a workspace	To provide shared workspace and collaboration features
Sharing data	Owner ID, recipient ID, recipient lookup by existing account email, object type, object ID, share mode, optional message, invite status, timestamps, copied object ID	When you send, accept, decline, revoke, or duplicate a share	To deliver sharing features and enforce permissions
Friends/social graph data	Friend requests, request status, usernames/display names used in search and friend lists	When you search for users or send/respond to friend requests	To support friend-based sharing
Optional calendar integration data	Connected account email, encrypted access token, encrypted refresh token, token expiry, calendar IDs, calendar names, time zones, calendar selection preferences	When you connect Google Calendar or Outlook	To import and display your external calendar data
Imported calendar event data	Event ID, title, description/body preview, location, start/end time, all-day flag, recurrence, sync timestamps, status	From Google Calendar API or Microsoft Graph after you connect an account	To display imported calendar events inside AssistantBud
Technical and security data	IP address used for rate limiting, request metadata needed to validate sessions, basic error logs	Automatically when you use the app or its API routes	To secure, operate, and troubleshoot the service
Browser/device storage data	Supabase auth cookie on web, theme preference, theme mode, active workspace ID, planner view/jump state, migration/import markers, some preference fallbacks in local storage	Automatically in your browser or webview while you use the app	To keep the app working and remember your preferences
Optional widget token data	Token hash, token prefix, token name, write permission flag, created/last-used/revoked timestamps	If you generate a widget token in Settings	To support widget/feed integrations and token rotation

You may also choose to include personal information in free-text fields you write yourself, such as notes, task details, event notes, workspace comments, and place notes.

How We Use Data

We use personal information to:

Create and manage your account.
Authenticate users and keep sessions secure.
Provide the planner, tasks, habits, events, recurring items, notes, places, workspaces, sharing, and tour features.
Sync optional calendar integrations and display imported calendar events.
Let you search for other users by username, connect with friends, and share content with specific accounts.
Store your settings and preferences, such as theme, planner preferences, and selected workspace.
Prevent abuse, enforce rate limits, debug problems, and protect the security and integrity of the service.
Comply with legal obligations and respond to valid legal requests.

AssistantBud does not use third-party advertising SDKs or analytics SDKs in the current codebase reviewed on March 1, 2026. We also do not sell personal information.

Where Data Is Stored / Processed

AssistantBud currently uses:

Supabase for authentication and database storage.
Cloud hosting for the web app and API routes.
Google APIs for optional Maps/Places features and optional Google Calendar imports.
Microsoft Graph for optional Outlook calendar imports.

Security and storage notes:

Data is intended to be transmitted over encrypted HTTPS/TLS connections.
Calendar OAuth tokens stored by AssistantBud are additionally encrypted at the application layer before being written to the database.
Data at rest is generally protected using the security controls offered by the relevant cloud provider and Supabase. Exact at-rest encryption details may depend on the provider and your deployment configuration.
Some technical/security data, such as rate-limit entries, may be processed temporarily in server memory.

Calendar Integrations (Google / Outlook)

Calendar integrations are optional.

Google Calendar

If you connect Google Calendar, AssistantBud requests read-only calendar access in the current implementation. AssistantBud uses that access to:

identify your Google account email for display inside Settings;
list your calendars;
let you choose which calendars to import; and
import event metadata into AssistantBud so the events can appear in the app.

Data stored for a Google connection may include:

encrypted access token;
encrypted refresh token;
token expiry;
connected Google account email;
calendar IDs, names, colors, and time zone data; and
imported event metadata such as title, description, location, start/end time, all-day flag, recurrence, provider event ID, and sync timestamps.

Outlook

If you connect Outlook, AssistantBud requests Microsoft scopes needed to identify the account and read calendars in the current implementation, including openid, profile, email, offline_access, User.Read, and Calendars.Read.

Data stored for an Outlook connection may include:

encrypted access token;
encrypted refresh token;
token expiry;
connected Microsoft account email;
calendar IDs, names, and time zone data; and
imported event metadata such as subject/title, body preview/description, location, start/end time, all-day flag, provider event ID, and sync timestamps.

Important integration notes

Calendar imports are optional.
Imported calendar data is used to show calendar information inside AssistantBud.
In the current implementation, calendar imports are read-only from AssistantBud's perspective. The code reviewed does not write changes back to Google Calendar or Outlook calendars.
You can disconnect a calendar account in Settings at any time.
Disconnecting removes the stored connection from AssistantBud and removes imported calendar data associated with that connection from AssistantBud's database.
If you want to revoke AssistantBud's provider-level access as well, you should also remove AssistantBud from your Google or Microsoft account permissions.

Sharing

AssistantBud includes account-based sharing features.

In the current implementation:

You can share certain content types, including place collections, events, places, and notes.
Shares are tied to specific AssistantBud accounts, not anonymous public access.
A recipient must sign in and accept the share before accessing it.
Sharing by email currently works by looking up an existing AssistantBud account associated with that email address. The reviewed code did not show external email delivery for share invites.
The owner can revoke a share. A recipient can accept or decline a pending invite.

There are two high-level share modes:

live_view: currently used for collection sharing. The recipient can view the owner's current shared collection in AssistantBud while access remains active.
copy: used for collections, events, places, and notes. When accepted, AssistantBud copies the shared content into the recipient's own account.

What may be shared:

the item or collection itself;
related metadata such as titles, notes, locations, tags/labels, dates, or checklist details, depending on the item type;
the sender's and recipient's display information in sharing screens; and
invite status and timestamps.

Permission model at a high level:

shares are limited to the invited account;
only the owner and recipient can view the share record;
live collection access ends if the owner revokes the share or deletes the source collection; and
copies created in another user's account may remain in that user's account even after the original share is revoked or the sender deletes their own copy.

Places / Location Data

AssistantBud includes place-saving and map features, but the current codebase reviewed on March 1, 2026 does not show collection of your device's precise location.

Specifically:

no browser geolocation calls were found in the reviewed codebase;
the Android app manifest reviewed includes internet access but no location permission;
the iOS app plist reviewed does not include location usage permission strings; and
the Places feature works from user-entered searches, URLs, place IDs, and Google place details returned by the Google Places/Maps APIs.

AssistantBud may store place coordinates, addresses, and related business details for places you choose to save. Those coordinates describe the saved place, not your device's live location.

If AssistantBud later adds a "near me" or live-location feature, this Privacy Policy should be updated before that feature is released.

Cookies / Local Storage

AssistantBud uses limited cookies and browser storage to make the app work.

Examples in the current codebase include:

web authentication cookies used by Supabase session handling;
local storage for theme and theme mode preferences;
local storage for active workspace selection;
local storage for planner view and jump-state preferences;
local storage used for migration/import markers from older planner storage; and
local storage fallback for some user preference flags.

Additional notes:

We did not find dedicated sessionStorage usage in the reviewed codebase.
We did not find advertising cookies or third-party tracking cookies in the reviewed codebase.
If you block or clear cookies/local storage, parts of AssistantBud may stop working correctly or may forget your preferences.

Data Retention

We keep data for as long as needed to provide AssistantBud, maintain your account, comply with law, resolve disputes, and protect the service.

In general:

account and profile data are retained while your account remains active;
tasks, notes, places, habits, events, workspace content, and other app content remain until you delete them or your account is deleted;
sharing records may remain while needed to operate sharing, keep invite history, enforce permissions, and resolve disputes;
calendar connection data and imported calendar event data remain until you disconnect the integration or your account is deleted;
local browser storage remains until you clear it, the browser clears it, or the app overwrites/removes it; and
short-lived technical/security data such as in-memory rate-limit entries may be retained only temporarily.

We may also retain backup or recovery copies for a limited period after deletion requests are processed.

Account Deletion

You can delete your account from inside AssistantBud:

go to Settings;
open Danger Zone;
select Delete account;
re-enter your password; and
type DELETE to confirm permanent deletion.

When deletion succeeds, AssistantBud permanently deletes the account data we control that is associated with your account, including your profile, planner data, notes, habits, events, places, sharing records, workspace memberships, optional calendar connections, imported calendar data, widget tokens, and other user-linked settings and records. AssistantBud also deletes workspaces you own, which removes workspace data tied to those workspaces.

After deletion, the app signs you out and redirects you to the login screen. You should no longer be able to sign in with that deleted account.

Important limits:

if content was copy-shared into another user's account, that copied content remains in the recipient's account;
some limited information may be retained where necessary for legal compliance, security, abuse prevention, dispute resolution, or backup recovery windows; and
if you also want to revoke AssistantBud's provider-level access to Google or Microsoft accounts, you can remove AssistantBud from those provider account permission settings.

User Rights

Depending on where you live, you may have rights regarding your personal information, including the right to:

access the personal information we hold about you;
correct inaccurate or incomplete personal information;
request deletion of your personal information;
object to or request restriction of certain processing;
withdraw consent where processing is based on consent; and
request a copy of certain data in a portable format where applicable.

Users in the UK, EEA, or similar jurisdictions may also have the right to complain to their local data protection authority.

To exercise rights, contact us at support@assistantbud.com. We may need to verify your identity before acting on a request.

Children's Privacy

AssistantBud is not intended for children under 13, or under the minimum digital-consent age in the user's jurisdiction. We do not knowingly collect personal information from children in a manner that requires parental consent under applicable law.

If you believe a child has provided personal information to AssistantBud, contact us at support@assistantbud.com so we can review and delete the information if appropriate.

Security Measures

We use reasonable technical and organizational measures designed to protect personal information, including:

authenticated access through Supabase;
database access controls and row-level security for many app tables;
encryption in transit over HTTPS/TLS;
application-layer encryption for stored calendar OAuth tokens;
access controls around sharing flows; and
rate limiting and other measures intended to reduce abuse.

No system is perfectly secure, and we cannot guarantee absolute security.

International Transfers

AssistantBud may use service providers and infrastructure located in countries other than your own. As a result, your information may be transferred to, stored in, or processed in other jurisdictions where privacy laws may differ.

Where applicable, we take steps intended to use appropriate safeguards for international transfers, such as contractual protections and provider security measures.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above. If changes are material, we may provide additional notice inside the app or on the website.

Contact

For privacy questions or support requests, contact:

support@assistantbud.com

If you use a different monitored support or privacy email in production, replace the address above before publishing this policy.