Privacy Policy

Last updated: 10 June 2026

This Privacy Policy explains how Planner ("we," "us") handles your personal information when you use this service. Planner is operated by Shohanur Rahman, a sole trader based in London, United Kingdom.

We aim to collect as little personal information as possible, encrypt what we do store, and never sell your data. This document is written in plain English because we want you to actually read it.

Who runs this service

Planner is operated by Shohanur Rahman, sole trader, located in London, United Kingdom. Contact: charliedude2008@gmail.com.

What we collect

To run Planner, we collect:

• Account information: your email address, name (if you provide one to Clerk, our authentication provider), and a unique account identifier.
• Plans, weeks, and tasks:the goals, weekly objectives, and tasks you create within Planner. These are encrypted in our database (see "How we protect your data" below).
• Briefing preferences: your time zone and the three times of day when you want briefings (morning briefing, accountability check, end-of-day review).
• Telegram identifier: if you choose to connect Telegram for briefing delivery, we store your Telegram chat ID (encrypted) so we can send you messages.
• Usage logs:standard server logs (IP address, browser type, timestamps) and aggregated counts of AI calls (no message content; see "AI processing" below).

We do not collect:

• Payment information (Planner is free during the v1 invite period).
• Precise location data (we only know your time zone, which you set).
• Browsing history, advertising identifiers, or any data from outside Planner.

Why we collect it (lawful basis under UK GDPR)

We process your data under the following lawful bases:

• Contract: account data, plans, and tasks are processed to provide the service you signed up for.
• Legitimate interests: server logs and aggregated AI usage counts are processed to operate, debug, and improve the service. We do not use these for advertising or profiling.
• Consent: connecting Telegram is optional and based on your active consent (you choose to generate the connect code and link your account).

How we protect your data

Field-level encryption: your plans, weekly objectives, task descriptions, and consequence statements are encrypted in our database using authenticated symmetric encryption (Fernet / AES-128-CBC + HMAC-SHA256). Encryption keys are stored separately from the database and rotated as needed. Even if our database were leaked, the encrypted fields would be unreadable without the keys.

Transport security: all traffic between you, our servers, and our processors is encrypted via TLS.

Access: only Shohanur Rahman (operator) has administrative access to production systems. The operator can see aggregated, non-identifying usage statistics (e.g., total active users, total tasks created per day) for the purpose of running the service, but does not read the contents of your plans, tasks, or messages.

AI processing

Planner uses AI models from Moonshot AI (Kimi K2.6) and DeepSeek to parse your natural-language inputs and generate accountability briefings.

Before any text is sent to an AI provider, we apply anonymization:

• Semantic masking: identifying details (project names, personal names, specific consequences) are replaced with generic placeholders before transmission.
• Template injection: AI responses use placeholder tokens (e.g., {{TASK_NAME}}) that we substitute locally on our servers. The AI sees the structure but not your real content.

We log only metadata about AI calls (provider, model, token counts, latency, success/error) — never the input or output content.

AI providers receive only anonymized content. Their respective privacy policies govern whatever they receive. Anonymization meaningfully reduces the risk that an AI provider could profile or identify you, but we cannot guarantee zero risk: sophisticated correlation across many requests could theoretically reveal patterns. If this concern applies to you, please consider whether to use the service.

Planner's AI is not a substitute for professional advice. Briefings, suggestions, and accountability messages are generated by language models and may be inappropriate for your specific circumstances. Do not rely on AI output for medical, legal, financial, mental health, or any other professional matter. Consult a qualified professional for those decisions.

Who we share data with

We share data only with the service providers necessary to run Planner:

• Clerk (authentication): email, name, account identifier.
• Moonshot AI, DeepSeek (AI processing): anonymized text only.
• Telegram(message delivery, if you connect it): briefing messages and your chat ID. Telegram's privacy policy applies to anything they receive.
• Neon, Railway, Vercel (infrastructure hosting): encrypted data passes through their systems.
• Sentry, Logfire (error tracking and observability): no personal content; only error metadata, stack traces with PII redacted, and aggregated performance data.

We do not sell, rent, or trade your data. We do not share with advertisers or data brokers.

How long we keep it

We keep your plans, tasks, and account data as long as your account is active. If you delete your account, we delete your account data within 30 days, except where legally required to retain certain records (e.g., aggregated financial logs if applicable). Server logs are retained for up to 90 days for security and debugging.

Your rights

Under UK GDPR you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Delete your account and the data we hold (subject to the retention rules above).
• Export your data in a portable format.
• Object to processing or restrict it.
• Withdraw consent (e.g., disconnect Telegram). Withdrawal does not affect processing already carried out.
• Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email charliedude2008@gmail.com. We will respond within 30 days.

International transfers

Some of our processors (Clerk, Moonshot AI, DeepSeek, Sentry) are based outside the UK and EEA. Where data is transferred outside the UK, we rely on appropriate safeguards under UK GDPR, such as Standard Contractual Clauses, or the recipient's adequacy decision.

Children

Planner is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has signed up, contact us and we will delete the account.

Changes to this policy

If we materially change how we handle your data, we will notify you by email and update the "Last updated" date above. Continued use after notification means you accept the updated policy.

Contact

Questions, requests, or complaints: charliedude2008@gmail.com