Privacy Policy
Effective 15 June 2026
This Privacy Policy explains how DeggahTask collects, uses, and protects your information when you use our web app, iOS app, and related services. DeggahTask is operated by Majed Almugairin, an individual sole operator based in Riyadh, Saudi Arabia. If you have any questions, contact us at contact@deggahtask.com.
DeggahTask is a voice command layer for task tools you already use. We do not store your tasks, projects, calendars, or emails — those live in the third-party services you choose to connect (such as Todoist, Google Tasks, Google Calendar, or Gmail). We only store what is needed to route your voice and text commands to those services on your behalf.
1. Information we collect
Account information. When you sign up, we collect your email address, the password hash if you create one, and any display name your sign-in provider returns. If you use Sign in with Apple or Continue with Google, we receive the identifier and email those providers share with us — including the private relay address when you choose 'Hide My Email'.
Connected service credentials. When you connect Todoist, Google Tasks, Google Calendar, or Gmail, we store the OAuth refresh and access tokens those services issue to us. Tokens are encrypted at rest and are never exposed to other users.
Voice and text commands. When you tap to speak or type a command, we send the audio to Deepgram for transcription, then send the transcription to Anthropic for intent parsing. We store the transcription, the parsed intent, the service we routed it to, whether the action succeeded, latency, and an estimated cost. We do not store the raw audio recording itself.
Survey responses. If you complete the onboarding questionnaire, we store the tools you selected, your stated use case, your input preference (voice or typing), how you heard about us, and your 'must-have' free-text answer. You can skip the survey and the only thing we store is the skip timestamp.
Technical data. Our hosting provider (Vercel) logs basic request information such as IP address, user agent, and timestamps for security and abuse prevention. We also store a session cookie issued by Supabase Auth to keep you signed in.
2. How we use your information
To provide the service: authenticate you, route commands to your connected services, return results, and keep a 30-day history of your commands so you can review them.
To operate and improve the product: aggregate analytics on which intents and services are used most, error rates, and latency. We use this to prioritize fixes and new integrations.
To communicate with you: send transactional emails such as waitlist confirmations, approval notifications, password resets, and important service announcements.
To comply with legal obligations and protect against fraud, abuse, and security incidents.
We do not use your information to train AI models, and we do not sell or rent your personal information to anyone.
3. Third parties we share data with
Supabase (database, authentication, file storage) — hosts your account, profile, encrypted OAuth tokens, command history, survey, and event analytics. Servers located in the EU (Frankfurt).
Vercel (hosting + edge functions) — runs our web app and API routes. Stores short-lived request logs.
Anthropic (LLM) — receives your command transcription and conversation context to parse intent. Anthropic does not retain inputs for model training by default for API customers.
Deepgram (speech-to-text) — receives your audio to transcribe it. The audio is processed and discarded; Deepgram does not retain it for training by default for API customers.
Resend (email) — sends transactional emails on our behalf.
Apple Sign in — verifies your identity when you choose this option.
Google APIs (Tasks, Calendar, Gmail) — only when you explicitly connect them. We exchange OAuth tokens with Google to execute the actions you request.
Todoist API — only when you explicitly connect it. We exchange OAuth tokens with Todoist to execute the actions you request.
We do not share your personal information with advertising networks, data brokers, or analytics platforms beyond the operational providers listed above.
4. Where your data is stored
Account data and command history are hosted in Supabase's EU (Frankfurt) region. Web requests are served via Vercel's global edge network and may be processed in the nearest edge region to you. Voice transcription and intent parsing happen at Deepgram and Anthropic, which may process data outside your region.
5. How long we keep your data
We keep your account, profile, tokens, and command history for as long as your account exists. Voice command history is automatically capped at the most recent 30 days. When you delete your account from Settings, we delete your auth record, profile, encrypted tokens, OAuth state, voice command history, and analytics events from our database. Backups are retained by Supabase under their retention schedule and rolled off within 30 days.
6. Security
We use HTTPS for all client–server traffic. OAuth tokens are stored encrypted at rest. Database access is gated by Supabase Row Level Security policies so users can only read their own data. We never log secrets such as access tokens. Apple and Google identity verification is delegated to those providers. Despite these measures, no system is perfectly secure, and we encourage you to use a strong unique password and enable any available device-level protections.
7. Your rights
Access — you can view your profile and connected services from inside the app at any time.
Correction — update your display name, integrations, and preferences from Settings.
Deletion — Settings → Danger zone → Delete Account permanently removes your account, profile, tokens, command history, and survey answers. This action is irreversible.
Withdrawal of consent — disconnecting an integration from Settings revokes our access to that third-party service.
Data portability and additional requests — email contact@deggahtask.com and we will respond within 30 days.
8. Rights for users in the European Economic Area (GDPR)
If you are in the EEA, you have additional rights under the General Data Protection Regulation, including the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and the right to lodge a complaint with your local supervisory authority. The legal basis for our processing is your consent (when you sign up and connect services), our contract with you to provide the service, and our legitimate interest in operating and securing the product.
9. Rights for users in Saudi Arabia (PDPL)
If you are in Saudi Arabia, your personal data is protected under the Personal Data Protection Law (PDPL). You have the right to know about, access, request correction or deletion of, and withdraw consent for processing of your personal data. Contact us at contact@deggahtask.com to exercise any of these rights.
10. Children
DeggahTask is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us information, email contact@deggahtask.com and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top and, for material changes, notify signed-in users by email or in-app. Continued use after a change means you accept the updated policy.
12. Contact
Questions, requests, or complaints about this Privacy Policy: contact@deggahtask.com. Operated by Majed Almugairin, Riyadh, Saudi Arabia.