Privacy Policy

Wait. What? — operated by Vince Shewmaker / Wild & Western
Last updated: May 2026

Your privacy matters. This policy explains what information Wait. What? collects, how it is used, and your rights regarding your data.

What We Collect

When you use Wait. What?, we collect the following information:

• Account information — your email address and display name, provided when you sign in with Google or Apple.
• Task data — task names, categories, due times, cadences, notes, and completion dates that you create within the app.
• Streak and progress data — your completion history used to calculate streaks and weekly insights.
• Group data — group membership, shared tasks, private nudges, and chat messages when you use the Groups feature.
• App preferences — your chosen theme, ADHD settings, and other in-app preferences.
• Device token — a push notification token stored to deliver task reminders to your device.
• Google Calendar events (read-only, optional) — if you choose to connect your Google Calendar via Settings, we read your upcoming calendar events to display them alongside your tasks in the Plan view. We use the https://www.googleapis.com/auth/calendar.readonly scope only. We do not create, modify, or delete events. Calendar events are fetched on-demand and are not stored on our servers — only your refresh token is stored, encrypted at rest in Firestore, so we can fetch fresh events on each app open. You can disconnect at any time from Settings, which revokes the token at Google immediately.

How We Use Your Data

Your data is used solely to provide the app's features:

• To display your tasks, categories, and progress
• To calculate streaks and weekly insights
• To enable group features like shared tasks and nudges
• To send push notifications for task reminders you have set
• To save your preferences across devices
• To power AI-assisted task capture when you use the brain dump feature

We do not sell your data. We do not use your data for advertising.

Data Storage

Your data is stored securely using Google Firebase (Firestore), hosted on Google servers in the United States. You can review Google's privacy practices at policies.google.com/privacy.

Data Protection & Security

We take the following measures to protect your data, including sensitive data such as authentication credentials and third-party tokens:

• Encryption in transit — all data transmitted between the app and our servers uses HTTPS (TLS 1.2 or higher). No sensitive data is transmitted over unencrypted connections.
• Encryption at rest — all data is stored in Google Cloud Firestore, which encrypts data at rest by default using AES-256. This includes your task data, account information, and any OAuth tokens.
• OAuth token security — if you connect Google Calendar, your OAuth refresh token is stored encrypted in Firestore and is only accessible to your authenticated account. It is never logged, cached in the browser, or transmitted to any third party other than Google's OAuth servers. You can revoke access at any time from Settings, which immediately deletes the token from our database and calls Google's token revocation endpoint.
• Access controls — Firestore security rules enforce that each user can only read and write their own data. No user can access another user's tasks, tokens, or account information. Group data is restricted to authenticated group members only.
• Minimal data collection — we request only the permissions necessary for each feature. Google Calendar access requires explicit opt-in; we do not request it by default.
• No server-side storage of event data — Google Calendar events are fetched on-demand and displayed in the app. They are never written to our database or logs.

If you believe your account has been compromised, please contact us immediately at vince@wait-what.app.

Use of Google User Data (Limited Use Disclosure)

Wait. What?'s use of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only request the minimum scope necessary to display your calendar events alongside your tasks (calendar.readonly).
• We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features that are prominent in the app's user interface.
• We do not use Google user data for serving advertisements.
• We do not allow humans to read Google user data unless we have your affirmative consent for specific support requests, or as required by applicable law.

Third Parties

We work with the following third-party processors:

• Google Firebase — stores and syncs your task data, handles authentication, and delivers push notifications. Google Privacy Policy
• Anthropic — when you use the AI brain dump feature, your input text is sent to Anthropic's API to parse it into a structured task. Only the text you type into the brain dump field is sent — no account information, no task history. Anthropic does not use this data to train models. Anthropic Privacy Policy
• Google Calendar API (optional) — when you connect Google Calendar from Settings, we use the Google Calendar API to read your events and display them alongside your tasks. Read-only access. Events are not stored on our servers. Google Privacy Policy.

We do not share your personal information with any other third parties, display ads, or work with advertising networks.

Your Rights

You have the right to:

• Access your data — use the Export feature in Settings to download a copy of your tasks and completion history.
• Delete your data — you can delete your account and all associated data by contacting us at the email below. We will permanently delete your data within 30 days.
• Correct your data — you can edit or delete any task, category, or note directly within the app at any time.

California Residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request deletion of your personal information, and opt out of the sale of your personal information. We do not sell personal information. To exercise your rights, contact us at the email below.

Children's Privacy

Wait. What? is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it promptly.

Changes to This Policy

We may update this privacy policy from time to time. When we do, we will update the "last updated" date at the top of this page. Continued use of the app after changes constitutes acceptance of the updated policy.

Contact

Questions about this privacy policy or requests to delete your data:
vince@wait-what.app

© 2026 Wild & Western. All rights reserved.