Privacy Policy
Sidekick ("we", "our", "the app") is built privacy-first. This policy explains what we collect, why, and how we keep it safe. If anything here is unclear, email hello@yoursidekick.ca.
What we collect
- Account data — your email, first name, last name (only what you give us at sign-up). Required for authentication.
- App data — your goals, tasks, calendar events, time blocks, life areas, energy logs, rewards. Stored in your private user space in our database. Used only to power the app's coaching, scheduling, and recap features.
- Calendar permissions — if you connect Google Calendar or your device calendar, Sidekick reads your events to schedule around them and (with your permission) writes new events you create. We don't read events you haven't authorized.
- OAuth tokens — for Google services you connect. Stored encrypted on-device.
- Push notification token — to deliver your morning brief and reminders.
- Subscription state — whether you're on the free or Pro plan. Managed via the App Store / Google Play (we don't see your card).
What we don't collect
- We don't sell your data to anyone. Ever.
- We don't use your data to train AI models.
- We don't show ads.
- We don't track you across other apps or websites.
How we use AI
Sidekick's coaching, natural-language input, and recap features are powered by OpenAI's API. When you use these features, the relevant context (goals, schedule, energy state) is sent to OpenAI through our backend so the model can generate a response. OpenAI does not retain this data for training under our API agreement. Free-tier users get template-based coaching that runs entirely on-device — no AI requests are made.
Google user data
If you connect Google Calendar or Google Tasks, Sidekick uses Google's OAuth to request access to those services. Here is exactly what we do with the data we receive from Google APIs.
What we access
- Calendar — events, their times, titles, descriptions, and locations on calendars you choose to sync.
- Tasks — your task lists and the items in them.
- Basic profile — your email address and display name, used to identify your account.
How we use it
- Calendar events are displayed alongside your Sidekick schedule so the AI scheduler can route around your existing commitments and find free time for goals you've defined. With your permission, Sidekick can write new events you create in the app back to the Google Calendar you choose. Events created elsewhere are read-only.
- Tasks sync two-way: items you have on Google Tasks appear in Sidekick's to-do list, and tasks you create or complete in Sidekick are mirrored back to the same Google list.
- Profile identifies your account during sign-in.
Who we share it with
Google user data is only shared with the service providers we need to operate Sidekick's features:
- Google Cloud — your data is stored in a private, per-user space with security rules that prevent any other user from reading it.
- OpenAI — when you use AI-powered coaching, scheduling, or recap features, the relevant context (which may include calendar event titles, times, and your tasks) is sent to OpenAI through our backend so the model can generate a response. OpenAI does not retain this data for training under our API agreement.
We do not sell, rent, or trade Google user data. We do not transfer it to any other party except as listed above or where required by law.
What we never do with Google user data
- Use it for advertising, retargeting, or personalized marketing.
- Use it to train, develop, or fine-tune any generalized AI/ML model.
- Allow humans (including Sidekick staff) to read it, except where you have given explicit consent (e.g., debugging a specific issue you reported), where necessary for security, or to comply with applicable law.
Revoking access — you can disconnect Google at any time from Sidekick's Settings, or revoke access via your Google Account permissions page. Tokens stored on your device are deleted when you disconnect.
Limited Use disclosure
Sidekick's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.
Where your data lives
- Authentication: Google Cloud (US/Canada regions)
- App data: Google Cloud, scoped per-user with security rules that prevent any user from reading another user's data
- AI processing: OpenAI API, called server-side through our backend (no data persisted there)
- Subscription: RevenueCat (handles App Store / Play Store receipts)
Your rights
- Access — you can view all your data inside the app at any time.
- Export — email us at hello@yoursidekick.ca and we'll send your full data within 30 days.
- Deletion — you can delete your account from Settings. Your data is permanently removed within 30 days. No backups retained beyond that window.
- Portability — your data export is JSON, openable in any text editor.
Security
All data is transmitted over TLS. Database security rules enforce per-user isolation — even our own staff cannot read your data without explicit access. OAuth tokens are stored on-device in the platform's secure keystore (iOS Keychain / Android Keystore). Email/password accounts require email verification before login.
Children
Sidekick is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has signed up, contact us and we'll delete the account.
Changes to this policy
We'll update this page if anything changes and notify you in-app for material changes. Your continued use means you accept the updated policy.
Contact
Questions, concerns, data requests: hello@yoursidekick.ca