Privacy policy

SmittyHQ, LLC ("Smitty," "we," "us") provides a privacy-first assistant for family and household logistics. You can interact with Smitty over SMS/text, WhatsApp, email, and our authenticated web app. Supported AI-powered conversational features, including Q&A, are available in messaging channels where enabled; the web app is used for setup, viewing your plans, and managing your account and settings.

The data controller responsible for your information is SmittyHQ, LLC, 1869 Catalina Ave, Berekely CA 94707.

This policy explains what data we collect, why, how long we keep it, who processes it, and how you can access or delete it.

Account data: your email address, optional phone number, household name, and authentication identifiers. We support passwordless sign-in (magic link / one-time code) and email-and-password sign-in; depending on the method you choose, we process the corresponding credentials and login identifiers.

Content you share with us: emails (and their attachments) you forward to your private Smitty address; messages you send over SMS, WhatsApp, or the web app; and questions you ask our assistant through supported channels. This content often includes information about other people in your household — see Section 3.

Sensitive information: because Smitty helps run a family's life, the content you share may include sensitive details such as health or medical appointments, information about children, and school or care arrangements. We treat all such information as confidential and use it only to provide the features you've asked for. We do not use it for advertising and we never sell it.

Derived data: events, action items, reminders, lists, and other structured information we generate from the content you share.

Operational metadata: timestamps, delivery receipts, error logs, and usage telemetry needed to operate and debug the service. Our logs use strict allowlists and never include message bodies, chat content, attachments, or family-profile fields.

Web app data: for authentication/session, we use Supabase session tokens to keep you signed in. For local browser storage, we store certain preferences and operational values in your browser's localStorage/sessionStorage, including your household identifier, onboarding progress flags, timezone reporting, view/display preferences, beta access code, and calendar debug flags. These stay on your device and are used to run the app.

Product analytics: we use Google Analytics only if you opt in, and it is off by default. You can change your choice at any time in the Privacy choices link in our website footer or in authenticated app settings. If you opt in, Google Analytics runs across our website and signed-in app and sets cookies that share certain device and usage identifiers with Google, to help us understand how Smitty is used so we can improve it. We do not intentionally send the contents of your household — your messages, forwarded emails, attachments, or family profiles — to Google Analytics.

Smitty is built to help you manage your family's life, so you will often share information about other people — children, partners, caregivers, and household contacts — and that information may include health, school, or other sensitive details.

Children: Smitty is intended for adults managing a household. We do not knowingly allow anyone under 13 (or the minimum age in your country) to create an account, and we do not knowingly collect data directly from children. We never use information about children for advertising or behavioral targeting.

• By sharing this information, you confirm you have the authority to do so on those individuals' behalf.
• We use it only to provide the service to you, for example reminders, updates, calendars, and packing lists.
• We do not build advertising or marketing profiles of anyone, we do not show ads, and we never sell or share this data.
• If someone whose information appears in your household wants it corrected or deleted, you can do this directly in the app, or they (or you) can contact privacy@smittyhq.com.

We process the content you share to extract events, action items, and context, and to deliver the morning update, just-in-time pings, and supported Q&A responses you've signed up for.

We use account and operational data to authenticate you, deliver and secure the service, debug problems, and meet legal obligations.

We do not sell or "share" your data, including as those terms are defined under California law.

We do not allow Anthropic, PBC, our AI provider, to retain or train on your messages (see Section 5).

Legal bases (for EU/UK users). Where GDPR or UK GDPR applies, we process your data to perform our contract with you (delivering the service), to comply with legal obligations, and on the basis of our legitimate interests in securing, debugging, and operating Smitty. Where we process sensitive information (such as health-related details), we rely on your explicit consent.

Withdrawing consent for sensitive information. You can withdraw your consent at any time. Because deleting an individual item in the app removes it from your plans and lists but does not necessarily purge the original email or attachment it came from, the way to fully remove your sensitive information is to delete your household (Section 9) or to let your content reach the end of its retention period, after which it is purged automatically.

To turn your messages and forwarded content into useful plans, we send the relevant content to Anthropic, PBC, our vetted large-language-model (LLM) provider, which processes it to generate updates, reminders, and supported answers.

• Anthropic, PBC acts under contract as our processor and is prohibited from retaining your content beyond the time needed to return a result, and from using it to train its models.
• We send only the information needed to perform the task and minimize personal details where we can.
• AI output can occasionally be incomplete or incorrect. Please don't rely on Smitty as a substitute for professional medical, legal, or financial advice, and double-check anything important.

We rely on a small number of vetted vendors to operate Smitty, including:

• Supabase — database and authentication
• Railway — backend hosting
• [Vercel — web hosting, to confirm]
• Twilio — SMS and WhatsApp message delivery
• Anthropic, PBC — AI processing
• Google Analytics — product analytics (only if you opt in)
• All vendors operate under signed data-processing agreements. WhatsApp messages are delivered via Twilio and Meta's WhatsApp platform, whose handling of message delivery is subject to their own terms. A current subprocessor list is available on request at privacy@smittyhq.com.

Some of our subprocessors may process data outside your home country, including outside the EEA or UK. Where we transfer personal data internationally, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum. You can request more detail at privacy@smittyhq.com.

When you sign up to receive messages from Smitty, you consent to receive service and transactional messages — such as updates, reminders, confirmations, command responses, and support replies — at the number you provide, over SMS and/or WhatsApp. Message and data rates may apply. We do not send marketing messages.

• Reply STOP at any time to opt out of all Smitty messaging, including both SMS and WhatsApp. Reply HELP for help.
• You can also manage or revoke messaging in the web app.

Deleting your household. To permanently delete everything, text DELETE to Smitty (or use the delete control in the web app). This starts a 24-hour confirmation window: to complete the deletion you must reply DELETE CONFIRM. Once confirmed, we permanently remove your household, including messages, calendar feed, attachments, derived items, and account.

• Forwarded emails and attachments (raw content) are retained for 30 days or less, then automatically purged. Retention is not user-configurable.
• Derived items (events, lists, reminders) are kept until you delete them or close your household. Deleting an individual item marks it as deleted and removes it from your plans and lists; the original inbound email or attachment it was created from is removed when it reaches the end of its retention period (above) or when you delete your entire household.
• Operational logs are retained for 90 days and then purged.

Depending on where you live, you may have the right to access, correct, export, delete, or restrict your personal data, to object to certain processing, and to withdraw consent. Email privacy@smittyhq.com to exercise any of these rights, and we'll respond within the timeframes required by law.

Because Smitty contains information about other household members, requests from a non-account holder will be handled directly and may require us to verify identity and authority.

• California residents (CCPA/CPRA): you have the right to know, delete, correct, and to limit the use of sensitive personal information. We do not sell or share your personal information, and we do not use sensitive information for purposes beyond providing the service.
• EU/UK residents (GDPR/UK GDPR): the rights above apply, and you may lodge a complaint with your local supervisory authority (in the UK, the ICO; in the EU, your national data protection authority).

We commit to notifying affected users within 72 hours of confirming a security incident that materially affects their data, regardless of whether the law requires it.

If we make material changes, we'll notify you by email and in the web app at least 30 days before they take effect.

Privacy questions: privacy@smittyhq.com. Security questions: security@smittyhq.com. General hello: hello@smittyhq.com.