Privacy Policy

1. Introduction

This Privacy Policy describes how Granola Tasks, operated by Floofy Labs LLC (“Floofy Labs,” “we,” “us,” or “our”), at granolatasks.com, collects, uses, and protects your information when you use our Service. We are committed to protecting your privacy and handling your data transparently.

2. Information We Collect

Account Information: When you sign in with Granola, we receive and store your Granola user identifier. We do not receive or store your Granola password. We may receive a display name or identifier associated with your Granola account.

OAuth Tokens: We store OAuth access tokens and refresh tokens for Granola and your connected task management provider (Todoist, Linear, or Microsoft To Do). All tokens are encrypted at rest using AES-256-GCM encryption.

User Settings: We store your configuration preferences, including your name, name aliases, internal email domain, preferred task management provider, and selected task list.

Meeting Data: We access your Granola meeting data (titles, participants, dates, and transcripts) to extract action items. Meeting transcripts are processed in real time and are not permanently stored. We store only a record of which meeting IDs have been processed to avoid duplication, with a 30-day expiration.

Payment Information: If you subscribe to a paid plan, payment information is collected and processed by Stripe. We do not store credit card numbers or payment details directly. We store your Stripe customer ID and subscription status.

Usage Analytics: We use Vercel Analytics to collect anonymized usage data such as page views and performance metrics. This data does not include personally identifiable information.

3. How We Use Your Information

We use your information to:

• Authenticate you and maintain your session.
• Access your Granola meetings and extract action items using AI (Claude by Anthropic).
• Create tasks in your connected task management provider.
• Display your task history and activity within the Service.
• Process subscription payments and manage billing.
• Improve the Service and diagnose technical issues.

4. AI Processing

Meeting transcripts are sent to Anthropic's Claude API for task extraction. This processing occurs in real time and we do not retain transcripts after processing is complete. Anthropic's data handling is governed by their privacy policy. Anthropic does not use data sent through their API to train models.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal information. We share data with third parties only as necessary to provide the Service:

• Granola: To access your meeting data via their MCP API.
• Anthropic (Claude AI): To process meeting transcripts and extract tasks.
• Task Providers (Todoist, Linear, Microsoft): To create tasks in your chosen app.
• Stripe: To process subscription payments.
• Upstash: To store encrypted user data and application state (Redis).
• Vercel: To host the Service and collect anonymized analytics.

6. Data Security

We take security seriously and implement the following measures:

• All OAuth tokens and credentials are encrypted at rest using AES-256-GCM with a 256-bit encryption key.
• OAuth flows use PKCE (Proof Key for Code Exchange) to prevent authorization code interception.
• Session cookies are encrypted and HTTP-only.
• OAuth state parameters are stored with a 10-minute expiration to prevent replay attacks.
• All communication occurs over HTTPS/TLS.

7. Data Retention

We retain your data as follows:

• Account data and settings: Retained while your account is active. Deleted upon account termination.
• OAuth tokens: Retained while your account is active, encrypted at rest. Deleted upon account termination.
• Processed meeting IDs: Retained for 30 days, then automatically expired.
• Meeting transcripts: Not retained. Processed in real time and discarded immediately after task extraction.
• Activity logs: Retained while your account is active for display in the dashboard.

8. Your Rights

You have the right to:

• Access: Request a copy of the data we hold about you.
• Correction: Update your account settings at any time through the Settings page.
• Deletion: Request deletion of your account and all associated data by contacting us or disconnecting through Settings.
• Portability: Request your data in a machine-readable format.
• Revoke Access: Disconnect your Granola or task provider accounts at any time through Settings, which revokes our access to those services.

9. Cookies

We use a single encrypted session cookie to maintain your authentication state. We do not use tracking cookies or advertising cookies. Vercel Analytics uses privacy-friendly, cookieless analytics.

10. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.

11. International Data Transfers

Your data may be processed in the United States and other jurisdictions where our service providers operate. By using the Service, you consent to the transfer of your information to these jurisdictions, which may have different data protection laws than your country of residence.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised effective date. We encourage you to review this policy periodically.