PRIVACY POLICY

LAST UPDATED: APRIL 18, 2026 — EFFECTIVE IMMEDIATELY

1. DATA CONTROLLER

The data controller for your personal data is:

app.kadence, a division of app.synerg

Republic of Estonia

Email: privacy@kadence.life

Pursuant to GDPR Article 37, we have determined that a Data Protection Officer is not required for our processing activities, as we do not carry out large-scale systematic monitoring of individuals nor process special category data at scale. All data protection inquiries should be directed to privacy@kadence.life.

2. PROCESSING PRINCIPLES

In accordance with GDPR Article 5, we process personal data lawfully, fairly, and transparently. We collect only data that is adequate, relevant, and limited to what is necessary. Data is kept accurate, stored no longer than necessary, and protected by appropriate security measures.

3. PERSONAL DATA WE PROCESS

The following table describes each category of personal data, the legal basis under GDPR Article 6, and the retention period.

DATA	LEGAL BASIS	RETENTION
Email address, password hash	Contract (Art. 6(1)(b))	Until account deletion
Name, profession, seniority	Consent (Art. 6(1)(a))	Until account deletion
Tasks (titles, descriptions, dates, priorities, tags)	Contract (Art. 6(1)(b))	Until account deletion
Scoring data (XP, levels, streaks, daily scores)	Contract (Art. 6(1)(b))	Until account deletion
Achievements	Contract (Art. 6(1)(b))	Until account deletion
Focus session data (duration, timestamps)	Contract (Art. 6(1)(b))	Until account deletion
Voice audio (real-time transcription)	Consent (Art. 6(1)(a))	Not stored; processed in real-time only
AI-extracted task data	Contract (Art. 6(1)(b))	Anthropic retains API logs for max 7 days
Push notification tokens	Consent (Art. 6(1)(a))	Until permission revoked or account deleted
Google OAuth profile (email, name)	Consent (Art. 6(1)(a))	Until account deletion

4. PURPOSE OF PROCESSING

— To provide and operate the Kadence productivity platform
— To calculate your Kadence Score, streaks, XP, and achievements
— To transcribe voice input into text using Deepgram
— To extract structured tasks from transcripts using Anthropic Claude
— To send push notifications you have explicitly opted into
— To authenticate your identity via email/password or Google OAuth
— To display your public profile if you choose to share it

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes. We do not use your data to train AI models.

5. SUB-PROCESSORS

We use the following sub-processors to deliver our service. Each operates under a Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs) where applicable per GDPR Articles 28 and 46.

PROCESSOR	LOCATION	PURPOSE	DATA STORED
Supabase Inc.	EU (Frankfurt)	Database, auth, edge functions	Yes, all user data
Cloudflare Inc.	Global (CDN)	Hosting, DNS, CAPTCHA	Static assets only
Deepgram Inc.	USA	Real-time voice transcription	No, real-time only
Anthropic PBC	USA	AI task extraction (Claude)	API logs retained max 7 days
Google LLC (Firebase)	USA/EU	Push notifications (FCM)	Device tokens only
Google LLC (OAuth)	USA/EU	Authentication (email, profile)	Managed by Google
PostHog Inc.	EU (eu.i.posthog.com)	Product analytics (opt-in only)	Pseudonymous events; no data without consent
Functional Software (Sentry)	USA / EU (SCCs)	Error + crash telemetry (opt-in only)	Stack traces, breadcrumbs; no data without consent
Stripe, Inc.	USA (SCCs)	Subscription billing, payments	Email, billing address, tokenized payment method

You have the right to object to any new sub-processor within 30 days of notification. Sub-processor changes will be communicated via email. A plain-text snapshot of the full processor list is maintained at /subprocessors.

5.1 THIRD-PARTY CLIENT TELEMETRY

Two additional processors operate on the client side and are enabled only with your explicit, withdrawable consent collected via our cookie banner:

—PostHog: pseudonymous product analytics hosted in the EU. Captures page views, feature interaction counts, and a pseudonymous distinct_id. Does not receive form values, task content, or voice audio.
—Sentry: error + crash telemetry. Captures stack traces, browser context, and navigation breadcrumbs. Form values and identifiers are scrubbed before transmission.

Neither processor receives any data until you choose "Accept all" or enable the respective toggle in Preferences. You can withdraw consent at any time via the footer "Cookie preferences" link or in-app Settings.

6. INTERNATIONAL DATA TRANSFERS

Your primary data is stored in the EU (Frankfurt, Germany) via Supabase. Where data is processed by US-based sub-processors (Deepgram, Anthropic, Google), transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with GDPR Articles 44-46. Deepgram and Anthropic process data in real-time without persistent storage.

7. DATA SECURITY (ARTICLE 32)

We implement appropriate technical and organizational measures including:

— Encryption in transit (TLS 1.3) and at rest
— Row Level Security (RLS) on all database tables
— CAPTCHA protection (Cloudflare Turnstile) on authentication
— Rate limiting on API endpoints
— JWT-based authentication with session tokens
— Content Security Policy (CSP) headers
— SSRF prevention on webhook URLs
— Automated CI/CD pipeline with type checking and testing

8. YOUR RIGHTS UNDER GDPR

You may exercise any of the following rights at any time via your account settings or by contacting privacy@kadence.life:

RIGHT	ARTICLE	HOW
Access	Art. 15	Settings → Data → Export
Rectification	Art. 16	Edit your profile directly
Erasure	Art. 17	Settings → Account → Delete Account
Restrict processing	Art. 18	Contact privacy@kadence.life
Data portability	Art. 20	Export as JSON or CSV
Object to processing	Art. 21	Contact privacy@kadence.life
Withdraw consent	Art. 7(3)	Revoke via settings at any time

We will respond to all requests within 30 days. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority.

9. VOICE DATA & AI PROCESSING

Voice capture requires your explicit consent before activation. By enabling the voice feature, you consent to your audio being transmitted to Deepgram for real-time transcription. Audio is processed in a streaming WebSocket connection and is not stored by Kadence. Deepgram may retain audio data per their privacy policy.

AI task extraction sends your transcript text to Anthropic's Claude API. Anthropic retains API request logs for a maximum of 7 days for safety and abuse prevention. Your data is not used to train AI models.

Automated decision-making (Article 22): AI-generated task suggestions are recommendations only. All tasks require your review and confirmation before creation. No decisions with legal or significant effects are made solely by automated processing.

10. COOKIES & LOCAL STORAGE

We separate storage into two categories: strictly necessary (no consent required under ePrivacy Art. 5(3)) and opt-in (explicit consent captured via our cookie banner).

Strictly necessary, no consent required:

— Authentication session token: required for login persistence
— Theme + sidebar preferences: UI settings
— Active board selection: Work / Personal
— Cookie consent record: stored under kadence_cookie_consent so we don't re-prompt

Opt-in (consent via cookie banner):

— PostHog analytics (EU): pseudonymous usage metrics
— Sentry error reporting: crash and stack-trace telemetry

You can change your choice at any time via the "Cookie preferences" link in the footer or from Settings → Data while signed in. Declining or withdrawing consent keeps the app fully functional; opt-in categories power telemetry only, never the product itself. The full processor list lives at /subprocessors.

11. DATA BREACH NOTIFICATION

In accordance with GDPR Articles 33 and 34, in the event of a personal data breach:

— We will notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware of the breach
— If the breach poses a high risk to your rights, we will notify you directly via email without undue delay
— Notification will include: nature of the breach, categories of data affected, likely consequences, and measures taken to mitigate

12. DATA RETENTION

We retain your data for as long as your account is active. If your subscription lapses, your account becomes read-only but data is preserved indefinitely until you choose to delete your account.

Account deletion permanently erases all personal data from our systems across all database tables. This action is irreversible. Third-party processors may retain residual data per their own retention policies (e.g., Anthropic API logs for up to 7 days).

13. CHILDREN

The Service is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete the account and associated data immediately.

14. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. Material changes will be communicated via email to all registered users at least 30 days before taking effect. The "last updated" date at the top of this page will always reflect the most recent revision. Continued use of the Service after changes constitutes acceptance.

15. CONTACT & COMPLAINTS

For privacy inquiries, data subject requests, or to exercise any of your rights:

Email: privacy@kadence.life

Response time: within 30 days

If you are unsatisfied with our response, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at aki.ee, or with the supervisory authority in your country of residence.