Privacy Policy

2. Information We Collect

2.1 Information You Provide Directly

• WhatsApp Messages: All text, images, videos, audio files, and documents you send through WhatsApp to the app
• Personal Data: Any personal information you share in conversations (thoughts, tasks, links, events, reminders, notes)
• Contact Information: Your WhatsApp phone number (used as your unique user identifier)
• Authentication Data: Information required to verify and maintain your WhatsApp session

2.2 Information Collected Automatically

• Message Metadata: Timestamps, delivery status, read receipts, and message IDs
• Device Information: Device type, operating system, and WhatsApp client version
• Usage Data: Interaction patterns, feature usage, response times, and error logs
• Session Information: Session duration, connection details, and IP addresses (for security purposes only)
• AI Processing Logs: Intent classification results, data extraction patterns, and model inference details

2.3 Information from Third-Party Integrations

• Google Calendar: Event details, calendar access permissions, and scheduling data (when you authorize integration)
• Meta WhatsApp Business API: User authentication, message delivery confirmations, and WhatsApp account status

3. How We Use Your Information

3.1 Core Service Delivery

• Processing your messages to classify intent (CREATE_TODO, CREATE_REMINDER, CREATE_NOTE, SAVE_LINK, CREATE_EVENT, etc.)
• Extracting structured data from natural language conversations
• Organizing and storing your personal information in your memory database
• Retrieving relevant information when you query your memory
• Sending reminders and notifications at appropriate times
• Integrating with Google Calendar for event management

3.2 Service Improvement & Development

• Analyzing patterns in intent detection to improve AI accuracy
• Identifying common use cases and optimizing responses
• Debugging issues and improving error handling
• Conducting A/B testing on features (with your consent)
• Training and fine-tuning our models (see section 3.4)

3.3 Security & Fraud Prevention

• Detecting and preventing unauthorized access to accounts
• Monitoring for suspicious activity patterns
• Investigating security incidents
• Protecting against abuse and maintaining service integrity

3.4 AI Model Training & Learning

By default, the app does NOT use your personal conversation data to train or fine-tune AI models without explicit opt-in. However, we may use: anonymized and aggregated data patterns (with personal identifiers removed); intent classification patterns to improve model accuracy; non-personal metadata to optimize system performance. If you opt-in to our Learning Machine program, we may use your interactions to train specialized models for your personal use, learn your preferences and communication style for better responses, and improve the system's understanding of your specific domain knowledge. You can opt-out at any time by contacting support.

3.5 Communication & Support

• Responding to your support inquiries
• Sending service updates and important notices
• Notifying you about changes to this policy or our service

4. Information Sharing & Disclosure

4.1 What We Don't Share

4.2 Limited Sharing for Service Delivery

• Meta WhatsApp Business API: Your WhatsApp phone number and messages (necessary to deliver the service via WhatsApp)
• Google Calendar API: Calendar data and OAuth tokens (only if you authorize calendar integration)
• OpenAI/LLM Providers: Your messages are processed by our AI model providers (Claude, GPT-4, etc.) to generate intelligent responses. See section 4.3 for details.

4.3 AI Model Provider Disclosures

To provide intelligent responses, your messages are sent to third-party LLM providers. Anthropic (Claude): Messages may be processed by Anthropic's models. Review their privacy policy. OpenAI (GPT-4): If selected, messages may be processed by OpenAI. Review their privacy policy. We send only the minimum necessary information to these providers. Personal identifiers are not explicitly shared, but your message content is processed by their systems.

4.4 Legal Requirements & Law Enforcement

We may disclose your information when required by law or to protect our legal rights: compliance with court orders, subpoenas, or government requests; protection against illegal activity or violations of our Terms of Service; enforcement of our legal agreements; protection of user safety and public interest. We will notify you of legal requests where possible and permitted by law.

4.5 Business Transfers & 4.6 Service Providers

If the app is acquired, merged, or involved in a bankruptcy proceeding, your information may be transferred as part of that transaction. We may share limited information with service providers (cloud infrastructure, payment processors, analytics, customer support) who perform functions on our behalf. All service providers are bound by confidentiality agreements and data processing contracts.

5. Data Storage & Security

5.1 Storage Infrastructure

• Database: Your data is stored in PostgreSQL with PgVector extension for semantic search capabilities
• Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.2 or higher
• Encryption at Rest: Database encryption is enabled for sensitive data fields
• Backup & Redundancy: Regular automated backups with geographically distributed redundancy
• Access Controls: Role-based access control (RBAC) limits employee access to your data

5.2 Security Measures

• Regular security audits and penetration testing
• Automated intrusion detection systems
• Firewall and DDoS protection
• Session-based authentication with unique user IDs
• Rate limiting and abuse detection
• Logging and monitoring of all data access attempts

5.3 Message Processing Pipeline

Your messages flow through: (1) Message received via WhatsApp API (2) Validated and authenticated (3) Intent classification (local or via LLM) (4) Data extraction and structuring (5) Storage in PostgreSQL with encrypted connection (6) Response generation and delivery. Messages are not stored on Meta's servers beyond normal WhatsApp retention policies.

5.4 Data Isolation & 5.5 Security Incident Response

Each user's data is isolated in the database using user IDs. No cross-user data leakage is possible. In the event of a data breach, we commit to notifying affected users within 30 days of discovery, providing details of the incident and steps taken, and cooperating with regulatory authorities.

6. Data Retention

6.1 Personal Memory Data

• Todos, Reminders, Notes, Links, Events: Retained indefinitely until you explicitly delete them
• Completed Tasks: Moved to archive; retained for 1 year then automatically deleted
• Conversation History: Retained for context; summarized after 6 months for performance optimization

6.2 System & Operational Data

• Message Metadata: Retained for 90 days for troubleshooting
• Usage Analytics: Aggregated and anonymized after 6 months
• Error Logs: Retained for 30 days
• Access Logs: Retained for 90 days for security purposes

6.3 Account Termination & 6.4 Right to Deletion

Upon termination of your account: all personal memory data can be exported within 30 days; all data is deleted within 90 days of account termination (or immediately upon request); backups may retain data for up to 90 additional days before destruction. You can request deletion of your data at any time. We will process requests within 30 days. See section 7 (Your Rights & Choices) for details.

7. Your Rights & Choices

7.1 Access & Portability

• Right to Know: You can request what personal data we hold about you
• Data Export: You can request your data in a portable format (JSON, CSV) for use with other services
• Timeline: Requests processed within 30 days

7.2 Correction, 7.3 Deletion & 7.4 Objection

You can modify or correct information in your memory directly through WhatsApp commands. Selective Deletion: Delete individual items. Complete Account Deletion: Request complete erasure of your account and all associated data (complies with GDPR Article 17). You can opt-out of Learning Machine, analytics, and non-essential notifications.

7.5 Regulatory Rights & 7.6 How to Exercise

GDPR (EU): Right to access, rectify, erase, restrict processing, object, and lodge complaints. CCPA (California): Right to know, delete, opt-out of sale, non-discrimination. India (DPDPA): Right to access, correct, erase, and data portability. To exercise any of these rights, email privacy@tuesday.com with your WhatsApp phone number, description of your request, and proof of identity. We will respond within 30 days.

8. Third-Party Services

8.1 External Links & Services

Our WhatsApp service may contain links to external services. This Privacy Policy does not apply to: Google Calendar (for calendar integration), external websites referenced in your notes or links, or third-party apps you integrate with. We are not responsible for the privacy practices of external services.

8.2 OAuth & Third-Party Permissions

When you authorize the app to access Google Calendar or other services: you grant us permission to access specific data; tokens are stored securely and encrypted; you can revoke access at any time through your service account settings; we only request the minimum permissions necessary.

8.3 Meta WhatsApp Business API

Communication through WhatsApp is governed by WhatsApp Privacy Policy and Meta Privacy Policy. We do not control Meta's data practices. Your WhatsApp communications are also subject to their policies.

9. International Data Transfers

9.1 Data Location

Your data may be stored and processed in multiple geographic regions depending on your location and system architecture: Primary Processing in our primary data center; Backups geographically distributed for redundancy; AI Processing may be in different regions depending on LLM provider (Anthropic, OpenAI).

9.2 GDPR & International Transfers

For users in the EEA: Data transfers outside the EEA are protected by Standard Contractual Clauses (SCCs). We comply with the EU-U.S. Data Privacy Framework where applicable. Your rights are protected regardless of transfer location.

9.3 India & Other Jurisdictions

Data transfers comply with local regulations: India Digital Personal Data Protection Act (DPDPA) compliance; local data residency requirements where applicable.

10. Children's Privacy

We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information: we will delete such information immediately; we will notify the parent/guardian; we may terminate the account.

For users aged 13-18 (minors in some jurisdictions): parental consent may be required based on local law; enhanced privacy protections apply; right to deletion available upon request. If you believe a child has provided us with information, please contact us immediately at privacy@tuesday.com.

11. Updates to This Privacy Policy

11.1 Policy Changes

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make material changes: we will notify you via WhatsApp message (for significant changes); we will update the "Last Updated" date at the top of this policy; for major changes affecting your rights, we will request your explicit consent.

11.2 Your Continued Use & 11.3 Version History

Continued use of the app after policy updates constitutes acceptance of the updated terms. If you disagree with changes, you have the right to delete your account and all associated data. Previous versions of this policy are available upon request at privacy@tuesday.com.

12. Contact Us

12.1 Privacy Inquiries

12.2 Data Protection Officer (DPO)

For GDPR-related inquiries, contact our Data Protection Officer: dpo@tuesday.com. Response time: within 10 business days.

12.3 Regulatory Authorities & 12.4 Support

If you believe your rights have been violated, you may file a complaint with your local data protection authority (EU: local DPA; UK: ICO; California: CPPA; India: DPBI). For general questions, send a message to our Tuesday WhatsApp number with "PRIVACY" as the subject.

12.5 Response Guarantees

• General Inquiries: Response within 5 business days
• Rights Requests: Response within 30 days (legal requirement)
• Privacy Complaints: Escalated immediately; response within 10 business days

© 2025 Tuesday. All rights reserved. This Privacy Policy is available in English. For translations, contact privacy@tuesday.com.