← Back to Handled

Privacy Policy

Last updated: February 28, 2026

In plain language:

We store your tasks, projects, notes, and settings on our servers to provide the Service.
When you use AI features, the text you submit (tasks, notes, coach messages) is sent to Anthropic for processing.
When you connect Gmail or Google Calendar, that data is transmitted to and stored on our servers.
We share data with service providers (Anthropic, Stripe, Vercel, Resend) solely to operate the Service. We do not sell your data.
You can delete your account, disconnect integrations, and delete coach conversations at any time.
File attachments you upload are stored on Vercel Blob Storage.

1. Data Controller

Crescendo Intelligence LLC
support@getthingshandled.com

2. Information We Collect

Account Information

When you create an account, we collect:

Email address
Display name (optional)
Password (stored securely using Argon2 hashing)
Account creation date

Usage Data

We collect data about how you use the Service:

Tasks, projects, and other content you create
AI feature interaction history and frequency of use
Feature usage patterns and preferences
Theme and display preferences

Device and Technical Data

We automatically collect:

IP address (for security and rate limiting)
Browser type and version
Device type, operating system, and version
App version (for mobile apps)

On-Device Data (iOS App Only)

The following data is accessed or stored on your device and is not transmitted to our servers unless stated otherwise:

Calendar data — With your permission, Handled reads and creates calendar events via Apple's EventKit framework. Calendar data stays on your device and is not sent to our servers.
Note: The Google Calendar integration available on the web app operates differently — see "Google Integrations" below. Google Calendar data accessed via the web app is transmitted to our servers.
Biometric data — If you enable app lock, Face ID or Touch ID is used for authentication. Biometric data is handled entirely by Apple's LocalAuthentication framework and never leaves your device.
Notifications — Handled schedules local notifications for reminders and due dates. Notification preferences are stored on your device.

Google Integrations (when enabled by you)

Gmail Integration: When you connect your Gmail account, we request permission to read your email and send email on your behalf. We access email subjects, senders, body content, and message metadata for emails you designate for GTD processing. This data is transmitted to and stored on our servers as part of your GTD inbox. We store OAuth authentication tokens securely on our servers to maintain the connection.

Google Calendar Integration: When you connect Google Calendar, we request permission to read and write calendar events. We send event details (title, date, time, description) to Google Calendar when you schedule actions. We store the calendar event ID and link on our servers. OAuth authentication tokens are stored securely on our servers to maintain the connection.

Our use of Google user data is limited to providing and improving user-facing features of the Service. We do not use Google user data for advertising or for any purpose unrelated to providing the Service.

Disconnecting an integration removes our stored tokens and stops further access. You can also revoke access directly in your Google Account security settings.

File Attachments

You may upload file attachments (images, PDFs, documents, spreadsheets, and text files, up to 20MB each) to tasks and items. Uploaded files are stored on Vercel Blob Storage, a cloud storage service provided by Vercel Inc. When you submit attachments for AI processing, text is extracted from the file and sent to Anthropic (see "AI and Third-Party Services" below). Files are deleted when you delete the associated item or your account, subject to standard backup retention.

3. How We Use Your Data

Purpose	Data Used
Provide the Service	Account info, your content
Process payments	Email, billing info (via Stripe)
AI features	Content you submit to AI features
Security	IP address, login attempts
Improvements	Aggregated, anonymized usage data

Administration: Designated administrators may access limited user information (email address, account status, last activity timestamp, and AI feature usage statistics) for customer support, security monitoring, and cost management. Administrators do not have access to the content of your tasks, notes, coach conversations, or files.

4. Legal Basis for Processing (EEA/UK Users)

If you are in the European Economic Area or United Kingdom, we process your personal data under the following legal bases:

Purpose	Data	Legal Basis
Provide the Service	Account info, tasks, projects, notes	Contract performance (Art. 6(1)(b))
AI features (triage, coach, insights)	Content you submit to AI features	Contract performance (Art. 6(1)(b))
Process payments	Email, billing info via Stripe	Contract performance (Art. 6(1)(b))
Security and fraud prevention	IP address, login attempts, rate limiting	Legitimate interest (Art. 6(1)(f))
Service administration	Aggregated usage data	Legitimate interest (Art. 6(1)(f))
Gmail and Calendar integrations	Email content, calendar events, OAuth tokens	Consent (Art. 6(1)(a))
Tax and billing records	Payment history	Legal obligation (Art. 6(1)(c))

Where we rely on consent, you may withdraw it at any time by disconnecting the integration or disabling the feature. Withdrawal does not affect the lawfulness of prior processing.

5. AI and Third-Party Services

Our AI features are powered by Anthropic's Claude. When you use AI features, the following data may be sent to Anthropic for processing:

The text of tasks, captures, and notes you submit for triage or processing
Your project names, context labels, and areas of focus
Your activity history, completion statistics, and productivity patterns (for weekly review insights)
Conversation history with the AI coach (recent messages for context)
Images you attach to captures or send to the coach
Text extracted from file attachments you submit for processing

Anthropic processes this data solely to generate responses. Per Anthropic's current API terms, data submitted via the API is not used for model training. For current details, see Anthropic's privacy policy.

Please note: AI-generated output may be inaccurate. You are responsible for reviewing any AI-generated content before relying on it. Avoid submitting highly sensitive personal information (such as government IDs, financial account numbers, or medical records) to AI features unless necessary.

We use the following third-party services:

Stripe — Payment processing
Anthropic — AI features
Vercel — Hosting, infrastructure, and file storage
Resend — Transactional emails
Apple — iOS app distribution and App Store services
Google — Gmail and Google Calendar integrations (when enabled by you)

6. Data Storage and Security

Your data is stored securely using industry-standard practices:

Passwords are hashed using Argon2id
Data is encrypted in transit (HTTPS)
Access is protected by authentication
We use secure, isolated infrastructure

If you are a business or organization that requires a Data Processing Agreement (DPA) under GDPR, CCPA, or other applicable data protection laws, please contact us at support@getthingshandled.com.

7. Security Incidents

In the event of a data breach that affects your personal information, we will notify you by email and any applicable regulatory authorities as required by law. We will provide notification without unreasonable delay and within the timeframes mandated by applicable law.

8. Data Retention

We retain your data for the following periods:

Account and content data (tasks, projects, notes): For the life of your account, deleted within 30 days of account deletion.
Coach conversations: Stored for the life of your account. You can delete individual conversations at any time through the coach interface. All conversations are deleted within 30 days of account deletion.
Payment records: Retained as required by tax and financial regulations (typically 7 years). Payment card data is handled entirely by Stripe and is never stored on our servers.
Security logs (IP addresses, login attempts): 90 days.
Gmail and Calendar sync data: Deleted when you disconnect the integration or delete your account.
File attachments: Deleted when you delete the associated item or your account, subject to standard backup retention.

We will process deletion requests for data under our control. Data held by third-party service providers is subject to their own retention and deletion policies.

9. Your Rights

You have the right to:

Access — Request a copy of your data
Correct — Update inaccurate information
Delete — Request deletion of your account and data
Export — Request a copy of your data in a portable format by contacting us
Object — Opt out of certain data processing

To exercise these rights, contact us at support@getthingshandled.com.

If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not complied with applicable data protection laws.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

Categories of personal information collected: Identifiers (email, name, IP address); internet activity (usage data, feature interactions); content you create (tasks, notes, projects); geolocation (derived from IP address).
Sources: Directly from you; automatically from your device; from third-party integrations you connect (Gmail, Google Calendar).
Purpose: To provide and improve the Service, process payments, operate AI features, and ensure security.
Third-party sharing: We share data with service providers (Anthropic, Stripe, Vercel, Resend) solely to operate the Service.

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

You have the right to know, delete, correct, and port your personal information. You have the right to non-discrimination for exercising your rights. To exercise your rights, contact support@getthingshandled.com. You may designate an authorized agent to make requests on your behalf. We will respond to verifiable consumer requests within 45 days.

11. Cookies

We use minimal cookies for essential functionality:

Session cookies for authentication
Preference cookies for your settings

We do not use tracking cookies or third-party advertising cookies.

12. Children's Privacy

The Service is not intended for children under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us.

13. International Data Transfers

Your data is primarily processed in the United States, where our infrastructure providers (Vercel, Anthropic, Stripe, Resend) operate. If you are located in the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission and, where applicable, vendor certifications under the EU-US Data Privacy Framework to ensure adequate protection for international data transfers. You may request a copy of these safeguards by contacting us at support@getthingshandled.com.

14. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes by email or through the Service.

15. Contact Us

For privacy-related questions or concerns, contact us at:
support@getthingshandled.com