weekkii.

Privacy Policy

LAST UPDATED · May 29, 2026

weekkii is built around an end-to-end encryption model. Your task titles, notes, tags, and recurrence rules are encrypted on your device using a key derived from your master passphrase before they are uploaded for sync. We can't read your content, even if compelled to.

1. Who we are

weekkii is operated by FestivLabs ("we", "us"). This policy explains what data we collect when you use weekkii.com and the weekkii web, iOS, and Android apps (the "Service").

2. Data you give us

  • Email address — required to create an account and receive 6-digit sign-in codes. We never sell or share it.
  • Subscription metadata — when you upgrade through Dodo Payments, we receive a customer ID, plan, billing cycle, and status. We do not see or store your full card number; that stays with Dodo Payments.

3. Data weekkii uploads on your behalf

Encrypted task content as opaque ciphertext: task titles, notes JSON, the tag array, recurrence rules, the per-task metadata (day, position, completion and archive times, recurrence links, timestamps) for every new or edited task, and your settings blob. We necessarily see your random row ids, your user id, an opaque write counter, the padded ciphertext size, and your Argon2id salt + parameters so the same passphrase derives the same key on every device. For tasks created before this rollout that you have not edited since, the day/position/completion/recurrence metadata stays in plaintext until you next edit them (see our threat model). We can't read the encrypted parts.

4. Data we collect automatically

Standard server logs (timestamp, IP, user-agent) generated by Vercel and Supabase, retained for up to 30 days for fraud and abuse prevention. We do not run analytics SDKs, ad pixels, chat widgets, or session replay anywhere in the Service.

5. How we use data

Sync your encrypted tasks across devices, authenticate you (sending the 6-digit sign-in code to your email each time you sign in), process subscriptions and refunds via Dodo Payments, send transactional email, and prevent abuse. We do not sell or rent your data and we do not use it to train models.

6. Subprocessors

We rely on:

  • Supabase — auth, database, edge functions
  • Vercel — web hosting and serverless functions
  • Resend — transactional email (sign-in codes)
  • Dodo Payments — Merchant of Record for subscription and Lifetime billing

7. Data retention

Sign out wipes your local device data. Account deletion permanently removes your account row and your encrypted entries within 30 days, including from backups. Billing records retained by Dodo Payments and tax records we are legally required to keep may persist longer.

8. Your rights

You can export, correct, or delete your data at any time from Settings. Residents of the EEA, UK, and California have additional rights under GDPR / CCPA, including the right to lodge a complaint with your local supervisory authority. Email weekkii@festivlabs.com from the address on file; we respond within 30 days.

9. Security

Content is encrypted client-side with XSalsa20-Poly1305 (NaCl secretbox via tweetnacl), with a random 24-byte nonce per encryption. Keys are derived from your master passphrase with Argon2id (OWASP 2024 interactive parameters: m=19,456 KiB, t=2, p=1). Transport uses TLS 1.3 with HSTS preload. We cannot recover your content if you forget your master passphrase — there is no backdoor and no reset path.

10. Children

weekkii is not directed at children under 13 (or under 16 in the EEA). Do not create an account if you are below the applicable age.

11. Changes

We will update the "Last updated" date at the top of this page when we change this policy. Material changes will be announced via in-app notice or email.

12. Contact

Privacy and security questions: weekkii@festivlabs.com.

© 2026 weekkii. All rights reserved.
weekkii is built by FestivLabs.