
Privacy Policy

LAST UPDATED · May 12, 2026

weekkii is built around a zero-knowledge end-to-end encryption model. Your task titles, notes, tags, and recurrence rules are encrypted on your device using a key derived from your master passphrase before they are uploaded for sync. We can't read your content, even if compelled to.

1. Who we are

weekkii is operated by FestivLabs ("we", "us"). This policy explains what data we collect when you use weekkii.com and the weekkii web, iOS, and Android apps (the "Service").

2. Data you give us

  • Email address — required to create an account and receive 6-digit sign-in codes. We never sell or share it.
  • Subscription metadata — when you upgrade through Dodo Payments, we receive a customer ID, plan, billing cycle, and status. We do not see or store your full card number; that stays with Dodo Payments.

3. Data weekkii uploads on your behalf

  • Encrypted task content as opaque ciphertext: task titles, notes JSON, the tag array, recurrence rules, and your settings blob.
  • Plaintext metadata required for sync and ordering: which day a task is on, its LexoRank position string, the completion timestamp, and your Argon2id salt + parameters so the same passphrase derives the same key on every device.

We can't read the encrypted parts.

4. Data we collect automatically

Standard server logs (timestamp, IP, user-agent) generated by Vercel and Supabase, retained for up to 30 days for fraud and abuse prevention. We do not run analytics SDKs, ad pixels, chat widgets, or session replay anywhere in the Service.

5. How we use data

We use data to sync your encrypted tasks across devices, authenticate you (sending the 6-digit sign-in code to your email each time you sign in), process subscriptions and refunds via Dodo Payments, send transactional email, and prevent abuse. We do not sell or rent your data and we do not use it to train models.

6. Subprocessors

We rely on:

  • Supabase — auth, database, edge functions
  • Vercel — web hosting and serverless functions
  • Resend — transactional email (sign-in codes)
  • Dodo Payments — Merchant of Record for Pro and Lifetime billing

7. Data retention

Sign out wipes your local device data. Account deletion permanently removes your account row and your encrypted entries within 30 days, including from backups. Billing records retained by Dodo Payments and tax records we are legally required to keep may persist longer.

8. Your rights

You can export, correct, or delete your data at any time from Settings. Residents of the EEA, UK, and California have additional rights under GDPR / CCPA, including the right to lodge a complaint with your local supervisory authority. Email privacy@weekkii.com from the address on file; we respond within 30 days.

9. Security

Content is encrypted client-side with XSalsa20-Poly1305 (NaCl secretbox via tweetnacl), with a random 24-byte nonce per encryption. Keys are derived from your master passphrase with Argon2id (OWASP 2024 interactive parameters: m=19,456 KiB, t=2, p=1). Transport uses TLS 1.3 with HSTS preload. We cannot recover your content if you forget your master passphrase — there is no backdoor and no reset path.

10. Children

weekkii is not directed at children under 13 (or under 16 in the EEA). Do not create an account if you are below the applicable age.

11. Changes

We will update the "Last updated" date at the top of this page when we change this policy. Material changes will be announced via in-app notice or email.

12. Contact

Privacy questions: privacy@weekkii.com. Security questions: security@weekkii.com.

© 2026 weekkii. All rights reserved.