Privacy Policy.

Three commitments sit above everything else in this policy:

1. We do not sell your personal information. We have never sold user data and we will not sell it. We do not share it with data brokers, advertisers, or other third parties for monetary or other valuable consideration. This applies in all jurisdictions, whether or not the legal definition of "sale" applies to you.
2. Your data is encrypted in transit and at rest. All communication between you and the Service is encrypted using industry-standard Transport Layer Security (TLS 1.2 or higher). All user data stored on our systems, including your goals, rituals, reflections, and account details, is encrypted at rest using AES-256 or equivalent encryption. Passwords are never stored in plain text; they are hashed using bcrypt or a comparably strong algorithm.
3. You can delete your entire account and data with one click. A one-click Account deletion control is available directly within your dashboard. Confirming the action immediately deactivates your Account and permanently deletes your User Content from our active production systems, with limited residual data retention as described in Section 6. You do not need to contact support, justify your decision, or wait for approval.

The rest of this policy explains the detail behind these commitments and your other rights.

We collect several types of information from and about users of the Service.

1.1 Personal Information You Provide

We collect:

• Account Information: name, email address, password (stored only as a hash), profile picture, username.
• Goal and Planning Data: life goals, selected dimensions, confidence levels, obstacles, quarterly OKRs, and ritual selections.
• Ritual and Progress Data: daily ritual completions, weekly scores, streaks, reflections, and lagging metrics.
• Communication Data: messages, feedback, bug reports, and survey responses provided to us in connection with the Open Beta.
• Social Features Data (where you opt into them): accountability group memberships, peer connections, and any content you choose to share within the Service.

Because the Service is currently free of charge during the Open Beta, we do not collect or store payment card information. If and when paid tiers are introduced, payment information will be handled by a regulated third-party payment processor and will not be stored on our systems.

1.2 Information Collected Automatically

We collect:

• Device and Usage Information: IP address, browser type, operating system, device type, time zone, language preferences.
• Usage Data: pages accessed, time spent, click patterns, feature usage, and error logs.
• Location Information: general location based on IP address. We do not collect precise GPS location.

1.3 Information from Third Parties

• Connected Services: if you connect third-party services (for example, calendar or fitness providers), we receive only the data scopes you explicitly authorise.
• Social Sign-In: if you register using Google or Apple, we receive your name, email, and profile picture as permitted by those providers and your privacy settings.
• Referrals: if you were referred by another user, we receive the referrer's identifier so that we can credit the referral.

2.1 Direct Collection

We collect information directly from you when you create an Account, complete the onboarding wizard, use features of the Service, contact us for support, or participate in surveys, interviews, or Open Beta feedback sessions.

2.2 Automated Collection

We collect information automatically through cookies and similar technologies, server logs, and product analytics tools.

2.3 Third-Party Sources

We receive information from integrated services you choose to connect and from social sign-in providers, limited to the scopes you authorise.

We use collected information for the following purposes.

3.1 Provide and Maintain the Service

• Create and manage your Account
• Generate personalised plans and rituals using our AI features
• Track your progress, streaks, and levels
• Enable any social features you opt into

3.2 Improve and Personalise the Service

• Analyse usage patterns to improve features and AI quality
• Personalise coaching, recommendations, and reflections
• Develop new features and capabilities
• Conduct research and analytics using anonymised, aggregated data

3.3 Communicate With You

• Send account-related notifications
• Deliver weekly summaries, progress reports, and reminders
• Respond to inquiries, bug reports, and Open Beta feedback
• Send product update communications (you can unsubscribe from non-essential messages at any time)
• Notify you of changes to our Terms or this Privacy Policy

3.4 Ensure Safety and Security

• Detect, prevent, and address fraud and abuse
• Monitor for violations of our Terms and Conditions
• Protect the security and integrity of the Service
• Verify user identity when reasonably necessary

3.5 Legal Compliance

• Comply with applicable laws and regulations
• Respond to lawful legal requests, subpoenas, and court orders
• Enforce our Terms and Conditions
• Protect our legal rights and interests

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds.

4.1 Contract Performance

Processing necessary to provide the Service you requested: Account creation and management, plan generation and tracking, and core Service functionality.

4.2 Legitimate Interests

Processing necessary for our legitimate business interests, balanced against your rights: Service improvement and analytics, fraud prevention and security, customer support, and product update communications to existing users.

4.3 Consent

Processing based on your explicit consent: marketing communications, optional third-party integrations, non-essential cookies, and any processing of special category data.

4.4 Legal Obligation

Processing necessary to comply with legal requirements, including responses to lawful legal requests and regulatory compliance.

We do not sell your personal information. We share your information only in the circumstances set out below.

5.1 Service Providers

We share information with vetted third-party vendors who provide services on our behalf, including cloud hosting and database providers, email delivery services, product analytics and error monitoring, and AI model providers used to generate plans, rituals, and coaching content.

All service providers are bound by written contractual obligations to protect your data, to process it only on our instructions, and to apply appropriate security measures. We use vendors that themselves apply industry-standard encryption in transit and at rest.

5.2 Other Users (Social Features)

Where you opt into any social feature, certain limited information becomes visible to other users you connect with, for example a username, your progress score, your streak, your level, or content you have explicitly chosen to share. Your specific goals, rituals, and reflections are never visible to other users unless you explicitly share them.

5.3 With Your Consent

We may share your information with third parties where you give us explicit consent to do so.

5.4 Business Transfers

If we are involved in a merger, acquisition, restructuring, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or in the use of your personal information that materially affects you.

5.5 Legal Requirements

We may disclose your information where required to do so by law or in response to valid legal process (such as subpoenas or court orders), to protect our rights, privacy, safety, or property, or to protect against legal liability.

5.6 Aggregated and Anonymised Data

We may share aggregated, anonymised data that cannot reasonably be used to identify you, for purposes such as benchmarking, research, and public communications about Service usage trends.

6.1 One-Click Account Deletion

You can delete your Account and User Content at any time using the one-click deletion control in your dashboard. Confirming the action results in:

• Immediate deactivation of your Account
• Permanent removal of your User Content from active production systems
• Removal of your data from search and personalisation systems

Deletion is irreversible. We strongly recommend exporting any data you wish to keep before triggering deletion.

6.2 Standard Retention Periods

Where you have not deleted your Account, we retain your data as follows:

• Account Information and Goal/Progress Data: until Account deletion, plus up to 30 days for routine processing.
• Support and Feedback Communications: up to 3 years after resolution.
• Product Usage Analytics: up to 26 months in identifiable form, anonymised thereafter.
• Server Logs: up to 90 days.

6.3 Inactive Accounts

As described in our Terms and Conditions, we reserve the right to delete Accounts that have not been accessed for six (6) months or more. Where reasonably practicable, we will send a reminder email before deletion.

6.4 Backups and Residual Copies

Backup copies of deleted data may persist in encrypted backup systems for up to 90 days before being purged in the ordinary course. During that window, deleted data is not used for any active processing.

6.5 Data Minimisation

We retain data only for as long as necessary to fulfil the purposes described in this policy or as required by law.

7.1 Data Location

Your data may be transferred to and processed in countries other than your country of residence, including the United Arab Emirates, the European Union, the United Kingdom, and the United States, depending on the location of our service providers.

7.2 Transfer Safeguards

When transferring data internationally, we apply appropriate safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA and Switzerland
• Equivalent transfer mechanisms for transfers from the United Kingdom
• Reliance on adequacy decisions where available
• Contractual protections, technical security measures, and access controls applied across all transfers

7.3 Information on Safeguards

You have the right to request information about the safeguards we apply to international transfers. Contact us at support@annualplan.ai.

Depending on your location, you have certain rights regarding your personal information.

8.1 Universal Rights

All users have the right to:

• Access a copy of the personal data we hold about you
• Correct inaccurate or incomplete data
• Delete your personal data
• Port your data in a structured, machine-readable format
• Withdraw consent for any processing based on consent
• Opt out of non-essential communications

8.2 Exercising Your Rights

You can exercise these rights in three ways:

• In-app: use the export and one-click deletion controls in your Account settings.
• Email: contact us at support@annualplan.ai with the subject line "Privacy Rights Request."
• Escalation: for complex requests or where in-app controls do not meet your need, contact vishal@annualplan.ai.

We will respond within 30 days, or sooner where required by applicable law.

8.3 Verification

For security reasons, we may need to verify your identity before processing certain requests. We will only request the minimum information necessary for this purpose.

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and equivalent laws.

9.1 Your GDPR Rights

• Right of Access (Article 15)
• Right to Rectification (Article 16)
• Right to Erasure or "Right to be Forgotten" (Article 17)
• Right to Restriction of Processing (Article 18)
• Right to Data Portability (Article 20)
• Right to Object (Article 21)
• Rights Related to Automated Decision-Making (Article 22)

Our AI features generate recommendations only. They do not make legally significant or similarly significant decisions about you. You retain full control over how to act on any AI-generated content.

9.2 Data Protection Authority

You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe our processing infringes applicable data protection law.

9.3 Contact for GDPR Matters

For GDPR-related inquiries, contact us at support@annualplan.ai. Complex matters may be escalated to vishal@annualplan.ai, who is our designated point of contact for privacy and data protection.

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

10.1 Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information:

• Identifiers: name, email, IP address, username
• Customer Records: name, contact information
• Commercial Information: Service usage history and feature interaction
• Internet Activity: browsing history within the Service, usage data
• Geolocation Data: general location derived from IP address
• Professional Information: career goals if provided by you
• Inferences: preferences, behavioural patterns drawn from Service usage
• Sensitive Personal Information: Account credentials (in hashed form)

We do not currently process the categories of biometric information, precise geolocation, or government identifiers.

10.2 Your CCPA/CPRA Rights

• Right to Know: the categories and specific pieces of personal information we have collected about you
• Right to Delete: request deletion of your personal information (which you can also do via the one-click in-app control)
• Right to Correct: request correction of inaccurate information
• Right to Opt-Out of Sale or Sharing: not applicable in practice, as we do not sell or share personal information for cross-context behavioural advertising
• Right to Limit Use of Sensitive Personal Information
• Right to Non-Discrimination for exercising your privacy rights

10.3 Exercising Your Rights

Email support@annualplan.ai with the subject line "California Privacy Request" and include your name, registered email, and the specific right you are exercising. We will verify your identity before processing the request.

10.4 Response Timing

We will respond to verifiable requests within 45 days. If we need additional time (up to 90 days total), we will notify you.

11.1 Brazil (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados, including rights to access, correction, deletion, portability, and information about sharing. Contact support@annualplan.ai to exercise your rights.

11.2 Canada (PIPEDA)

If you are located in Canada, you have rights under the Personal Information Protection and Electronic Documents Act, including rights to access and correction. Contact support@annualplan.ai.

11.3 Australia (Privacy Act 1988)

If you are located in Australia, you have rights under the Privacy Act 1988, including rights to access and correction. You may also lodge complaints with the Office of the Australian Information Commissioner.

11.4 United Arab Emirates

As a company established in the UAE, we process personal data in accordance with applicable UAE data protection regulations, including Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data and any applicable free zone data protection rules.

11.5 Other Jurisdictions

We comply with applicable data protection laws in jurisdictions where we operate. Contact support@annualplan.ai for jurisdiction-specific information.

12.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. We use cookies and similar technologies to operate and improve the Service.

12.2 Types of Cookies We Use

• Essential Cookies (Required): authentication, session management, security features. These cannot be disabled because the Service will not function without them.
• Functional Cookies: remember your preferences, language, and timezone settings.
• Analytics Cookies: help us understand how users interact with the Service and where to improve it.
• Marketing Cookies (Only with Consent): we do not currently use marketing cookies. If this changes, we will request your consent before any such cookies are set.

12.3 Cookie Management

• Browser Settings: most browsers allow you to control cookies through their settings. Disabling cookies may affect Service functionality.
• In-Service Preferences: where required by law, you can manage your cookie preferences through our cookie consent banner or your Account settings.

12.4 Other Tracking Technologies

• Local Storage: we use browser local storage to cache preferences and improve performance.
• Pixels and Beacons: we may use pixel tags in emails to measure open rates and engagement.
• Session Replay (Limited): if and where deployed, session replay tools are configured to mask sensitive fields and never capture passwords or payment data.

13.1 Third-Party Integrations

When you connect third-party services, their privacy policies apply to data they collect. Please review their policies before connecting.

13.2 Social Sign-In

When you sign in using Google or Apple, we receive only the information permitted by your privacy settings with those providers.

13.3 Analytics and AI Providers

We use analytics and AI model providers to deliver and improve the Service. These providers are bound by contractual obligations to protect your data and to process it only on our instructions.

13.4 Payment Processors

The Service is free during the Open Beta and we do not currently use a payment processor for user-facing transactions. If we introduce paid tiers, payment processing will be handled by a regulated third-party processor, and we will update this policy accordingly.

14.1 Age Restriction

The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16.

14.2 Parental Notification

If we learn that we have collected personal information from a child under 16 without verifiable parental consent, we will delete that information promptly and notify the parent or guardian where contact information is available.

14.3 Parental Concerns

If you believe we have collected information from your child, please contact us immediately at support@annualplan.ai.

14.4 Users 16-18

Users between 16 and 18 may use the Service with parental or guardian consent. Parents and guardians are responsible for supervising their child's use of the Service.

15.1 Encryption

• In Transit: all traffic between you and the Service is protected by Transport Layer Security (TLS 1.2 or higher).
• At Rest: all User Content and Account data stored on our systems is encrypted at rest using AES-256 or equivalent.
• Credentials: passwords are never stored in plain text. They are hashed and salted using bcrypt or a comparably strong algorithm.

15.2 Additional Technical Measures

• Network-level firewalls and access controls
• Principle of least privilege for internal system access
• Logging and monitoring of administrative actions
• Regular dependency and security patching
• Periodic security reviews of our infrastructure and code

15.3 Organisational Measures

• Confidentiality obligations for all personnel and contractors
• Vendor security due diligence
• Documented incident response procedures
• Internal access on a need-to-know basis

15.4 No System Is Perfect

While we apply industry-standard safeguards, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, and our liability in the event of a security incident is governed by our Terms and Conditions and applicable law.

15.5 Your Responsibilities

You play a role in keeping your data secure:

• Use a strong, unique password
• Do not share your login credentials with anyone
• Notify us promptly if you suspect unauthorised access to your Account
• Keep your contact information up to date

15.6 Security Incidents

If a data breach affecting your personal information occurs, we will notify affected users and relevant regulatory authorities as required by applicable law, take steps to contain and remediate the incident, and document and learn from the event. To report a suspected security vulnerability, contact support@annualplan.ai with the subject line "Security."

16.1 DNT Response

Some browsers offer a "Do Not Track" (DNT) feature. Because there is no uniform industry standard for responding to DNT signals, we do not currently respond to them.

16.2 Your Alternatives

You can control tracking through your cookie preferences in the Service, browser privacy settings, and industry opt-out tools listed in Section 12.

17.1 Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, new features or services, changes in applicable law, or feedback from users and regulators.

17.2 Notification of Material Changes

When we make material changes, we will:

• Update the "Last Updated" date
• Notify you by email or through the Service
• Where required, request your acknowledgement of the updated policy

17.3 Review

We encourage you to review this Privacy Policy periodically.

17.4 Continued Use

Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

18.1 General Privacy Inquiries

For questions about this Privacy Policy or our privacy practices:

• Email: support@annualplan.ai
• Subject line: "Privacy Inquiry"

18.2 Data Subject Requests

To exercise your privacy rights (access, correction, deletion, portability, objection, restriction):

• Email: support@annualplan.ai
• Subject line: "Privacy Rights Request"

18.3 Escalation and Legal Contact

For complex privacy or data protection matters, or where in-app controls and support escalation do not resolve your concern:

• Vishal Sachar, Chief Executive Officer
• Email: vishal@annualplan.ai

18.4 Security Concerns

To report a security vulnerability or suspected unauthorised access:

• Email: support@annualplan.ai
• Subject line: "Security"

18.5 Company Details

• CLRT LLC-FZ
• License Number: 2648102.01
• United Arab Emirates

18.6 Complaints

If you are not satisfied with our response, you may contact us again with further details, lodge a complaint with your local data protection authority, or seek a judicial remedy.