Privacy Policy
Last updated: April 20, 2026
WhatFits is a task management app built for people with fluctuating energy — chronic illness, disability, and neurodivergence. This policy explains clearly what data we collect, how we use it, and what rights you have.
Who is responsible for your data
WhatFits is the data controller for personal data you provide when using this service. You can reach us at hello@whatfits.today.
What data we collect
- Account data: Your email address and a hashed password. We never store your password in plain text.
- Profile data: Display name, timezone, and your capacity unit preference.
- App data: Tasks, capacity settings, journal entries, daily check-ins, and reflections you create.
- Billing data: Stripe processes payments on our behalf. We only see your billing status — not your full card details.
We don't use analytics services, tracking pixels, or behavioral profiling.
Why we're allowed to process your data (legal basis)
Under GDPR, we need a lawful basis for processing personal data. Ours are:
- Contract performance — we process account and app data to provide the service you signed up for.
- Legitimate interests — we process security-relevant data (e.g. authentication logs) to protect the service and our users.
How we use your data
- To operate the app — your data lives in our database so things work.
- To send transactional emails: password reset, billing receipts.
That's it. We don't use your data for advertising, profiling, or any purpose beyond operating the service.
What we don't do
- We don't sell your data. Ever.
- We don't share your data with third parties, except Stripe for payment processing.
- We don't run analytics on your content.
- We don't track you across other sites.
Where your data is stored
Your data is stored on servers located in Finland. It does not leave the EU except when Stripe processes payment information on our behalf (Stripe is certified under the EU–US Data Privacy Framework).
How long we keep your data
Your data is retained while your account is active.
After you cancel your subscription, we keep your data for 90 days before deleting it. This gives you time to come back or export first. After 90 days, it's gone.
If you delete your account through Settings → Data & Privacy, deletion happens right away.
Your rights
If you're in the EU or UK, you have the following rights under GDPR:
- Access: You can request a copy of the personal data we hold about you.
- Rectification: You can correct inaccurate data about you.
- Erasure: You can request deletion of your data. You can do this yourself via Settings, or email us.
- Portability: You can export your data at any time from Settings → Data & Privacy.
- Restriction: You can ask us to limit how we use your data in certain circumstances.
- Objection: You can object to processing based on legitimate interests.
- Supervisory authority: You have the right to lodge a complaint with a data protection authority. Our lead supervisory authority is the Finnish Office of the Data Protection Ombudsman (tietosuoja.fi). You may also contact the data protection authority in your own country.
To exercise any of these rights, email hello@whatfits.today. We'll respond within 30 days.
How to delete your data
Two ways:
- Settings → Data & Privacy → Delete account. Deletion is immediate.
- Email us at hello@whatfits.today and we'll handle it manually, usually within a few days.
You can export all your data before deleting — the export option is in the same place.
Cookies and local storage
- A session cookie to keep you logged in.
- Local storage for preferences like theme and UI state.
No third-party cookies. No tracking cookies.
Security
- Passwords are hashed using bcrypt.
- All data is transmitted over HTTPS.
- We take reasonable precautions to secure your data.
If you find a security issue, please email hello@whatfits.today.
Changes to this policy
If we make material changes, we'll let you know by email before the change takes effect.
Questions
Email us at hello@whatfits.today.