AnnualPlan.ai
CLRT Venture Studio ("Company," "we," "us," "our") operates AnnualPlan.ai (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We are committed to protecting your privacy and ensuring you understand how your personal data is handled. Please read this Privacy Policy carefully. By using the Service, you consent to the practices described in this policy. If you do not agree with this Privacy Policy, please do not access or use the Service.
We collect several types of information from and about users of our Service:
We collect Account Information (name, email address, password, profile picture, username), Goal and Planning Data (life goals, selected dimensions, confidence levels, obstacles, quarterly OKRs), Ritual and Progress Data (daily ritual completions, weekly scores, streaks, reflections, lagging metrics), Communication Data (messages, feedback, survey responses), Payment Information (processed by our payment processors, not stored by us directly), and Social Features Data (crew memberships, friends, leaderboard rankings, shared content).
We collect Device and Usage Information (IP address, browser type, operating system, device type, time zone, language preferences), Usage Data (pages accessed, time spent, click patterns, feature usage, error logs), and Location Information (general location based on IP address - we do not collect precise GPS location).
If you connect third-party services (e.g., Apple Health, Google Fit, Strava), we may receive activity, fitness, sleep, and health data. If you register using a social media account (Google, Apple), we may receive your name, email, and profile picture. If you were referred by another user, we receive the referrer's identifier.
We collect information through:
When you create an account, complete the onboarding wizard, use features of the Service, make purchases, contact us for support, or participate in surveys or promotions.
Through cookies and similar technologies, server logs, and analytics tools.
From integrated services you connect, social sign-in providers, and payment processors (limited transaction data).
We use collected information for the following purposes:
Create and manage your account, generate personalized plans using AI, track your progress and streaks, enable social features (Crews, leaderboards), and process payments and subscriptions.
Analyze usage patterns to improve features, personalize AI coaching and recommendations, develop new features and services, and conduct research and analytics (using anonymized data).
Send account-related notifications, weekly summaries and progress reports, respond to inquiries and support requests, send promotional communications (with your consent), and notify you of changes to our terms or policies.
Detect, prevent, and address fraud, monitor for Terms of Service violations, protect the security of our Service, and verify user identity when necessary.
Comply with applicable laws and regulations, respond to legal requests and court orders, enforce our Terms and Conditions, and protect our legal rights and interests.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:
Processing necessary to provide the Service you requested: account creation and management, plan generation and tracking, payment processing, and core Service functionality.
Processing necessary for our legitimate business interests: Service improvement and analytics, fraud prevention and security, customer support, and direct marketing to existing customers.
Processing based on your explicit consent: marketing communications, optional third-party integrations, non-essential cookies, and processing of special category data (if applicable).
Processing necessary to comply with legal requirements: tax and accounting obligations, responding to legal requests, and regulatory compliance.
We do not sell your personal information. We may share your information in the following circumstances:
We share information with third-party vendors who provide services on our behalf: Cloud Hosting (AWS or DigitalOcean), Payment Processors (Stripe), Email Services (Postmark or SendGrid), Analytics (Google Analytics), AI Services (Google Cloud AI / Anthropic), and Customer Support. All service providers are bound by contractual obligations to protect your data.
When you use social features, certain information is visible to other users: Leaderboard (username, weekly score, streak, level), Crews (username, weekly score, streak - to crew members only), and Profile (username, profile picture, level, badges). Note: Your specific goals, rituals, and reflections are NEVER visible to other users unless you explicitly share them.
We may share your information with third parties when you give us explicit consent to do so.
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information.
We may disclose your information if required to do so by law or in response to valid legal process (subpoenas, court orders), government requests, to protect our rights, privacy, safety, or property, or to protect against legal liability.
We may share aggregated, anonymized data that cannot identify you with research institutions, business partners, and publicly (e.g., blog posts about user trends).
Account Information and Goal/Progress Data: Until account deletion + 30 days. Payment Records: 7 years (legal/tax requirements). Support Communications: 3 years after resolution. Usage Analytics: 26 months (anonymized thereafter). Server Logs: 90 days.
When you delete your account, your personal data is deleted within 30 days. Anonymized, aggregated data may be retained. Data shared with others (e.g., in Crews) may persist in their view. Backup copies may persist for up to 90 days.
We only retain data for as long as necessary to fulfill the purposes described in this policy or as required by law.
Your data may be transferred to and processed in countries other than your own.
When transferring data internationally, we use appropriate safeguards. For transfers from the EEA/UK: Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions where applicable, and Binding Corporate Rules for intra-group transfers. For all transfers: contractual protections with service providers, technical security measures, and compliance with applicable data protection laws.
You have the right to request information about the safeguards we use for international transfers. Contact privacy@annualplan.ai for details.
Depending on your location, you may have certain rights regarding your personal information:
All users have the right to Access (request a copy of your personal data), Correction (request correction of inaccurate data), Deletion (request deletion of your personal data), Data Portability (export your data in a machine-readable format), Withdraw Consent (withdraw consent for optional processing), and Opt-Out (unsubscribe from marketing communications).
In-App: Use the settings and data export features. Email: Contact privacy@annualplan.ai. Response Time: We will respond within 30 days (or sooner where required by law).
We may need to verify your identity before processing certain requests to protect your privacy.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
Right to Access (Article 15), Right to Rectification (Article 16), Right to Erasure / "Right to be Forgotten" (Article 17), Right to Restriction (Article 18), Right to Data Portability (Article 20), Right to Object (Article 21), and Rights Related to Automated Decision-Making (Article 22). Our AI features provide recommendations only; you make all final decisions.
You have the right to lodge a complaint with a supervisory authority in your country of residence.
For GDPR-related inquiries, contact our Data Protection Officer at: dpo@annualplan.ai
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
We collect: Identifiers (name, email, IP address, username), Personal Information (name, address, payment info), Protected Classifications (age for eligibility - limited), Commercial Information (purchase history, subscription status), Internet Activity (browsing history, usage data), Geolocation Data (general location from IP), Professional Information (career goals if provided), Inferences (preferences, characteristics), and Sensitive Personal Information (account credentials).
Right to Know (disclosure of categories and specific pieces of personal information), Right to Delete (request deletion of your personal information), Right to Correct (request correction of inaccurate information), Right to Opt-Out of Sale/Sharing (we do not sell your personal information), Right to Limit Use of Sensitive Personal Information, and Right to Non-Discrimination (we will not discriminate against you for exercising your privacy rights).
Email: privacy@annualplan.ai with Subject Line: "California Privacy Request". Include your name, email, and specific request. We will verify your identity before processing requests.
We will respond to verifiable requests within 45 days. If we need more time (up to 90 days total), we will notify you.
If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including rights to access, correction, deletion, portability, and information about sharing. Contact privacy@annualplan.ai to exercise your rights.
If you are located in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), including rights to access and correction. Contact privacy@annualplan.ai to exercise your rights.
If you are located in Australia, you have rights under the Privacy Act 1988, including rights to access and correction. You may also complain to the Office of the Australian Information Commissioner.
If you are located in the UAE, your data is processed in accordance with applicable UAE data protection regulations.
We comply with applicable data protection laws in all jurisdictions where we operate. Contact privacy@annualplan.ai for jurisdiction-specific information.
Cookies are small text files stored on your device when you visit a website. We use cookies and similar technologies to operate and improve the Service.
Essential Cookies (Required): Authentication, session management, security features, load balancing - cannot be disabled. Functional Cookies: Remember preferences, language and timezone settings, feature customization. Analytics Cookies: Understand how users interact, identify popular features and issues, improve performance. Marketing Cookies (Only with Consent): Track advertising effectiveness, personalize advertisements, cross-site tracking (limited).
Browser Settings: Most browsers allow you to control cookies through settings. Note that disabling cookies may affect Service functionality. Our Cookie Preferences: You can manage your cookie preferences through our cookie consent banner or in your Account settings.
Local Storage: We use browser local storage to store preferences and cached data. Pixels and Beacons: We may use pixel tags in emails to track open rates and engagement. Session Replay (Limited): We may use session replay tools to understand user experience issues. These tools do not capture sensitive data.
When you connect third-party services, their privacy policies apply to data they collect. Review their policies before connecting: Apple Health (apple.com/privacy), Google Fit (policies.google.com/privacy), Strava (strava.com/legal/privacy).
When you sign in using Google or Apple, we receive only the information permitted by your settings with those services.
Our payment processors (e.g., Stripe) handle your payment information according to their privacy policies. We do not store full credit card numbers on our servers.
We use analytics services that may collect information about your use of the Service, including Google Analytics.
The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16.
If we learn that we have collected personal information from a child under 16 without parental consent, we will delete that information as quickly as possible and notify the parent or guardian if contact information is available.
If you believe we have collected information from your child, please contact us immediately at privacy@annualplan.ai.
Users between 16 and 18 may use the Service with parental or guardian consent. Parents/guardians are responsible for monitoring their child's use.
We implement appropriate technical and organizational measures to protect your personal information. Technical Measures: Encryption in transit (TLS/SSL), encryption at rest (AES-256), secure password hashing (bcrypt), regular security assessments, intrusion detection systems, access logging and monitoring. Organizational Measures: Employee security training, access controls and least privilege, vendor security assessments, incident response procedures, regular security audits.
While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
You are responsible for maintaining the confidentiality of your password, using a strong, unique password, notifying us of any suspected unauthorized access, and keeping your contact information up to date.
In the event of a data breach that affects your personal information, we will notify affected users as required by law, notify relevant regulatory authorities as required, take steps to mitigate the breach, and document and learn from the incident. To report a security vulnerability, contact: security@annualplan.ai
Some browsers have a "Do Not Track" (DNT) feature that signals to websites that you do not want to be tracked. There is no uniform standard for responding to DNT signals.
Currently, we do not respond to DNT signals. However, you can control tracking through cookie preferences in the Service, browser privacy settings, and opt-out tools listed in the Cookies section.
We may update this Privacy Policy from time to time to reflect changes in our practices, new features or services, changes in applicable law, and feedback from users.
When we make material changes, we will update the "Last Updated" date, notify you via email or through the Service, and may require you to acknowledge the updated policy.
We encourage you to review this Privacy Policy periodically.
Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.
For questions about this Privacy Policy or our privacy practices: Email: privacy@annualplan.ai. Address: CLRT Venture Studio.
For GDPR and data protection inquiries: Email: dpo@annualplan.ai
To exercise your privacy rights: Email: privacy@annualplan.ai. Subject Line: "Privacy Rights Request".
To report security vulnerabilities: Email: security@annualplan.ai
If you are not satisfied with our response, you may contact us again with further details, lodge a complaint with your local data protection authority, or seek judicial remedy.
By using AnnualPlan.ai, you acknowledge that you have read and understood this Privacy Policy.