Privacy Policy
This Privacy Policy explains what information Persona collects, how we use it, who we share it with, and the rights and choices you have. It applies to the Persona website, web application, and mobile application. We collect only what we need to run the Service well, and we do not sell your personal data.
1. Information we collect
- Account information — your email address and, optionally, a display name and avatar. If you sign in with Google, we receive your name, email, and profile picture from your Google account.
- Your Content — tasks, projects, sections, notes, labels, and the XP / skill / progress data generated from them.
- Payment information — handled entirely by our payment provider (Razorpay). We receive confirmation of a purchase, a transaction/subscription reference, and your plan status — never your full card number, CVV, or banking credentials.
- Device identifier (mobile app) — the mobile app generates a random device ID stored on your device, used solely to link a Premium purchase to your device. The mobile app requires no account and stores your tasks locally on your device.
- Usage & analytics data — with your consent (see the Cookie Policy), we collect page views and product events (e.g. "task created", "upgrade clicked") via analytics tools, along with approximate location (from IP), browser, and device type.
- Technical & log data — IP address, timestamps, and request metadata processed transiently for security, rate limiting, and abuse prevention.
- Support communications — messages you send us by email or through the in-app chat widget.
2. How we use your information — and our legal bases
Under the EU/UK GDPR, we must have a legal basis for each use of your data:
- To provide the Service (accounts, cloud sync, task storage, plan management) — performance of a contract.
- AI task classification — when you create a task, its title text is sent to our AI provider (Google Gemini) to assign a category, skill, and XP value — performance of a contract. Task text is not used by us to train AI models.
- Payment processing and billing records — performance of a contract and legal obligation (tax and accounting law).
- Security, fraud prevention, rate limiting — legitimate interests in keeping the Service safe.
- Analytics and marketing measurement — your consent, given via the cookie banner and withdrawable at any time.
- Responding to support requests — legitimate interests / performance of a contract.
3. Third-party processors
We rely on a small number of providers to operate Persona. Each processes data only as needed for its function, under its own privacy terms and a data-processing agreement where applicable:
- Supabase — authentication, database, and cloud storage of your account and content (hosted on AWS).
- Google (Gemini API) — AI classification of task title text.
- Razorpay (Razorpay Software Pvt. Ltd., India) — payment and subscription processing.
- Vercel — hosting of the web application. Cloudflare — hosting and delivery of our website.
- PostHog — product analytics (consent-based).
- Google Analytics — website/app analytics (consent-based).
- Meta (Meta Pixel) — advertising measurement (consent-based).
- Crisp — in-app support chat widget, where enabled.
- Upstash — transient rate-limiting infrastructure (processes hashed identifiers/IP briefly).
We never sell your personal data, and we do not share it with third parties for their own independent marketing except as described above with your consent (e.g. Meta Pixel).
4. International data transfers
We operate from India and use providers in the United States, the EU, and India, so your data may be transferred outside your country. Where data of EU/UK residents is transferred to countries without an adequacy decision, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and, for certified US providers, the EU–US Data Privacy Framework.
5. Data retention & deletion
- Account data and Your Content are kept for as long as your account is active.
- You can delete your account at any time from the app's settings — this removes your account and stored content from our database. Residual copies may persist briefly in encrypted backups before being purged.
- Payment and billing records are retained as required by tax and accounting law.
- Analytics data is retained per the retention settings of the relevant tool and deleted or aggregated thereafter.
6. Security
We use industry-standard measures — encryption in transit (TLS), encryption at rest at our database provider, row-level security, scoped API keys, and server-side payment signature verification — to protect your information. No method of transmission or storage is perfectly secure, but we work continuously to safeguard your data, and we will notify you and the relevant authority of a data breach where the law requires it.
7. Your rights
European Union / United Kingdom (GDPR/UK GDPR): you have the right to access, rectify, erase, and receive a portable copy of your personal data; to restrict or object to processing; and to withdraw consent at any time (without affecting prior processing). You also have the right to lodge a complaint with your local supervisory authority.
United States (California CCPA/CPRA and similar state laws): you have the right to know what personal information we collect, to delete it, to correct it, and to opt out of "sale" or "sharing" of personal information. We do not sell personal data; you can opt out of sharing for advertising analytics (Meta Pixel) at any time via the cookie settings. We honor Global Privacy Control (GPC) signals as an opt-out. We will not discriminate against you for exercising your rights.
India (DPDP Act 2023): you have the right to access a summary of your personal data, to correction and erasure, to grievance redressal, and to nominate a person to exercise your rights. Consent-based processing can be withdrawn at any time.
To exercise any right, email aaradhya.badal@gmail.com — we respond within the timelines required by applicable law (and in any case aim for 7 business days). Account deletion and data export are also available directly in the app.
8. Grievance redressal (India)
For the purposes of the DPDP Act 2023 and the Information Technology Act 2000, the grievance officer is Aaradhya Anurag Badal (aaradhya.badal@gmail.com, +91 90169 84965). Grievances are acknowledged promptly and resolved within the statutory period.
9. Children's privacy
Persona is not directed to children. You must be at least 13 to use the Service — or older where your local law requires it (for example, 16 in some EEA countries and 18 in India for consent-based processing without parental consent). We do not knowingly collect personal data from children; if you believe a child has provided us data, contact us and we will delete it.
10. Changes to this policy
We may update this policy as the Service evolves. We will revise the "Last updated" date above and, for material changes, notify you by email or an in-app notice before they take effect.