Privacy Policy

Overview

HelloYaYa ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our neurodivergent-friendly task management application.

Our core principle: We collect only what's necessary to provide a great experience, and we're transparent about what stays on your device vs. what's stored in our systems.

Information We Collect

Account Information

• Sign in with Google: Email address, name, and profile photo
• Sign in with Apple: Email address (may be a private relay address), name

Task & Productivity Data

• Tasks: Titles, descriptions, due dates, contexts, difficulty, and completion status
• Win Wall: Your accomplishments and victories you choose to record
• Progress: XP earned, streaks, and completion history
• Focus Sessions: Timer durations and break patterns

Personalization Data

• Neurodivergent profile: Details you choose to share (such as ADHD, autism, anxiety, or other support needs) — used to personalize your experience
• Preferences: Theme, notification settings, focus timer durations, accessibility options

Calendar Integrations (Optional)

Connecting a calendar lets HelloYaYa display your events alongside your tasks and create, update, or delete events from inside HelloYaYa (for example, when you turn a task into a calendar event). Calendar integrations are optional and can be disconnected at any time from Settings.

Google Calendar

• Scopes requested: calendar.events (read & write events on selected calendars), calendar.calendarlist.readonly (list your calendars to populate the picker), and userinfo.email + userinfo.profile (record which Google account is connected).
• What we do: read your calendar list, read events in the visible date range, and — only on your explicit action — create, update, or delete events.
• What we store on our servers: the connected account's email and display name, the list of calendars you have access to (calendar IDs, display names, colors, and your enabled-for-display selection), and your OAuth access + refresh tokens (encrypted with AES-256-GCM and decrypted only inside server-side proxy code that you cannot read directly).
• What we DON'T store: calendar event content. Events are fetched in real time when you view them and are never persisted to our database.

Microsoft Outlook

• Scopes requested: Calendars.ReadWrite, User.Read, offline_access.
• Behavior is the same as Google Calendar above: read calendar list and events; create, update, or delete events only on your explicit action.
• Your calendar list is stored on our servers; event content is not. OAuth tokens are encrypted server-side.

Apple Calendar (iCloud)

• Connects via CalDAV using an app-specific password you generate at appleid.apple.com. We never see your iCloud account password.
• Same read & write behavior as Google and Microsoft above.
• Your app-specific password is encrypted server-side; calendar list metadata is stored; events are fetched live and never persisted.

Information We DON'T Collect

Your privacy matters. Here's what stays on your device:

• Energy Levels: Your daily energy check-ins are session-only and never stored or transmitted
• Gentle Mode: Whether you're in Gentle Mode stays on your device
• Breathing/Grounding Exercises: We don't track when or how often you use wellness features
• Keystroke Data: We don't log what you type in Brain Dump before you save

How We Use Your Information

• Provide, maintain, and improve HelloYaYa
• Sync your tasks across devices
• Personalize the app based on your optional neurodivergent profile
• Send notifications and reminders you've opted into
• Generate your Win Wall and progress statistics
• Parse natural language task input using AI

AI & Task Parsing

When you use Brain Dump or natural language task entry, your input is processedby Google's Gemini AI to extract task details (title, due date, difficulty, etc.).

• AI processing happens in real-time and is not stored by Google for training
• We use Gemini's API with data privacy protections enabled
• Your neurodivergent profile is NOT sent to AI services

Data Storage & Security

Your data is stored securely using Google Firebase infrastructure with:

• Encryption in transit (TLS 1.3)
• Encryption at rest (AES-256)
• Firebase Security Rules limiting access to your own data
• Regular security audits and monitoring

Third-Party Services

HelloYaYa uses the following third-party services:

• Google Firebase: Authentication, database, and hosting
• Google AI (Gemini): Natural language task parsing
• Resend: Email notifications (welcome emails, reminders)
• Stripe: Payment processing and subscription management
• Sentry: Error tracking to improve app stability (user ID and email for error correlation)
• Google/Microsoft OAuth: Calendar integrations

Each service operates under their own privacy policy. We've selected partners with strong privacy practices.

Google API Services User Data Policy

HelloYaYa's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use information from Google APIs only to provide the user-facing calendar features described above (display events alongside tasks; create / update / delete events on your explicit action).
• We do not transfer this information to third parties except as needed to provide or improve those user-facing features, comply with applicable law, or as part of a merger or acquisition with notice to you.
• We do not use this information for advertising and we do not allow it to be used for advertising by third parties.
• We do not allow humans to read this information unless we have your affirmative consent for specific items, do so for security purposes (such as investigating abuse), to comply with applicable law, or for internal operations where the information has been aggregated and anonymized.

Data Sharing

We do not sell your data. Ever.

We may share your information only in these circumstances:

• With your explicit consent
• To comply with legal obligations
• To protect our rights and prevent fraud
• With service providers under strict confidentiality agreements

Your Rights

You have the right to:

• Access: View all data we have about you
• Export: Download a portable JSON copy of your account data, or export your tasks as CSV
• Correct: Update inaccurate information
• Delete: Remove your account and all associated data
• Disconnect: Revoke calendar or account connections anytime
• Opt out: Disable any notifications or data collection

You can exercise most of these rights directly in Settings. For additional requests, contact us at privacy@helloyaya.app.

Data Retention

• Active accounts: Data retained while your account is active
• Deleted accounts: All data permanently deleted within 30 days
• Session data: Energy levels and Gentle Mode cleared when you close the app

Children's Privacy

HelloYaYa is designed for users 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us immediately at privacy@helloyaya.app.

Parents and guardians may create accounts to help manage tasks for younger family members under their supervision.

International Users

HelloYaYa is operated from the United States. If you're accessing the app from the European Union, UK, or other regions with data protection laws, please note that your information will be transferred to and processed in the United States.

We comply with applicable data protection laws including GDPR for EU users.

Changes to This Policy

We may update this Privacy Policy as we add features or as laws change. We'll notify you of significant changes through the app or via email. The "Last updated" date at the top shows when this policy was last revised.

Contact Us

Questions about this Privacy Policy or your data? Reach out:

privacy@helloyaya.app

Mabry Ventures LLC
Nolensville, TN 37135
United States