Account information: Name, email address, username, and password (hashed)
Content you create: Goals, habits, journal entries, notes, time blocks, and other data you enter
Usage data: Features used, session duration, and interactions (for product improvement)
Third-party connections: OAuth tokens for Google or Todoist when you connect those services
Payment information: Processed by Stripe; we do not store credit card numbers
2. How We Use Your Information
To provide and improve the Goal OS service
To generate AI coaching responses using Anthropic's Claude (your goals and context are sent to the AI for personalized coaching)
To send service-related communications (account verification, billing)
To process payments through Stripe
To sync data with connected services (Todoist, Google Calendar) at your request
3. AI Data Processing
Goal OS uses Anthropic's Claude AI to provide coaching features. When you use AI coaching, your goals, habits, and relevant context are sent to Anthropic's API for processing. Anthropic does not use your data to train their models. See Anthropic's Privacy Policy.
4. Data Sharing
We do not sell your personal information. We share data only with:
Anthropic: For AI coaching (as described above)
Stripe: For payment processing
Google: When you connect Google Calendar or sign in with Google
Todoist: When you connect your Todoist account
5. Data Security
We protect your data with:
HTTPS encryption for all data in transit
Scrypt password hashing (passwords are never stored in plain text)
HttpOnly, SameSite cookies with CSRF protection
Rate limiting and security headers
Regular database backups
6. Your Rights
You have the right to:
Export your data: Settings > Data > Export JSON
Delete your account: Settings > Profile > Delete Account (permanently removes all your data)
Access your data: All your data is visible within the app
Correct your data: Edit any information in your profile or goals
7. Data Retention
We retain your data for as long as your account is active. When you delete your account, all data is permanently removed within 30 days. Audit logs are retained for 90 days. Backups containing deleted data are overwritten within 30 days.
8. Cookies
We use only essential cookies:
Session cookie: Keeps you logged in (HttpOnly, 30-day expiry)
CSRF token: Prevents cross-site request forgery
Theme preference: Stored in localStorage (not a cookie)
We do not use tracking cookies or third-party analytics cookies.
9. Children's Privacy
Goal OS is not intended for children under 16. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of significant changes via email or in-app notification.