Privacy policy

Smitty ("Smitty," "we," "us") provides a privacy-first SMS assistant for family logistics. This policy explains what data we collect, why we collect it, how long we keep it, and how you can delete it. The plain-language version of our commitments lives on the security page; this is the legal version.

Account data: your email address, optional phone number, household name, and authentication identifiers from the magic-link sign-in flow.

Forwarded content: emails (and their attachments) you forward to your private Smitty address, plus content you share with us through the web app or by SMS.

Operational metadata: timestamps, delivery receipts, error logs, and usage telemetry needed to operate and debug the service. Logs use strict allowlists and never include message bodies, chat content, or family-profile fields.

We process forwarded content to extract events, action items, and context, and we use that to send you the morning digest, just-in-time pings, and Q&A responses you've signed up for.

We use account and operational data to authenticate you, deliver the service, and meet legal obligations.

We do not sell your data. We do not allow vendor LLMs to retain or train on your messages.

Forwarded emails and attachments are retained for 90 days by default. You can shorten or extend this in settings.

Text DELETE to Smitty (or use the delete control in the web app) to permanently remove your household, including messages, calendar feed, attachments, derived items, and account.

Operational logs are retained for 90 days and then purged.

Depending on where you live, you may have the right to access, correct, export, or delete your personal data, and to object to certain processing. Email privacy@smittyhq.com to exercise any of these rights and we'll respond within statutory timeframes.

California residents (CCPA) and EU/UK residents (GDPR) have specific rights described above. We do not knowingly serve users under 13.

We rely on a small number of vetted vendors to operate Smitty (cloud hosting, database, email/SMS delivery, LLM processing, error monitoring). All vendors operate under signed data-processing agreements. A current list is available on request.

We commit to notifying affected users within 72 hours of confirming a security incident that materially affects their data, regardless of whether the law requires it.

If we make material changes, we'll notify you by email and via the web app at least 30 days before they take effect.

Privacy questions: privacy@smittyhq.com. Security questions: security@smittyhq.com. General hello: hello@smittyhq.com.