Privacy Policy

Last updated: April 27, 2026

1. Introduction

Welcome to KeyResults.io ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our goal tracking and productivity platform.

By using KeyResults.io, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this privacy policy, please do not access or use our services.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Full name (optional)
  • Authentication credentials (securely hashed)
  • Profile information you choose to provide

2.2 User Content

When you use our services, you may provide content including:

  • Tasks, subtasks, goals, and project information
  • Journal entries, personal notes, and mood tracking data
  • Comments and descriptions
  • Inspirations and highlights
  • Team collaboration data (if using shared features)

2.3 Payment Information

When you subscribe to a paid plan, our payment processor (LemonSqueezy) collects:

  • Payment card or payment method details
  • Billing address
  • Transaction history

We do not store your complete payment card information on our servers. LemonSqueezy acts as our Merchant of Record and handles all payment processing in compliance with PCI-DSS standards.

2.4 Usage Data

We automatically collect certain information when you use our services:

  • Device information (browser type, operating system)
  • IP address and approximate location
  • Pages visited and features used
  • Date and time of access
  • Referring website or source

2.5 Optional Integration Data

If you enable optional integrations, we may collect additional data:

  • Slack Integration: Channel name for sending weekly summaries
  • Google Calendar:OAuth tokens (encrypted at rest), the email of the connected Google account, the IDs of the calendars you choose to display, your sync preferences, and the events on those calendars (fetched on demand and not persisted on our servers). See Section 6 for the full disclosure required under Google's API Services User Data Policy.
  • Google OAuth (sign-in): Basic profile information (name, email, profile picture) when signing in with Google. This is a separate authorization from the Google Calendar integration.

2.6 API Access

If you use our API or MCP (Model Context Protocol) integration with tools like Claude Desktop:

  • API key identifiers and usage statistics
  • Requests made through the API
  • IP addresses of API clients

2.7 Cookies and Tracking Technologies

We use the following types of cookies and tracking:

  • Essential cookies: Required for authentication and core functionality
  • Analytics cookies: Help us understand how you use our service (via Google Analytics and Vercel Analytics)

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Process your requests, transactions, and subscription payments
  • Send you service-related communications (welcome emails, weekly summaries, trial reminders)
  • Calculate productivity analytics (Health Score, velocity metrics, momentum tracking)
  • Respond to your inquiries and support requests
  • Analyze usage patterns to improve user experience
  • Detect, prevent, and address technical issues or abuse
  • Comply with legal obligations

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data based on the following legal grounds:

  • Contract: Processing necessary to provide our services to you
  • Legitimate interests: Processing for our legitimate business interests, such as improving our services and preventing fraud
  • Consent: Where you have given explicit consent for specific processing activities
  • Legal obligation: Processing necessary to comply with applicable laws

5. Data Sharing and Third Parties

We share your information only with trusted service providers who assist us in operating our platform:

Service ProviderPurposeData Shared
SupabaseDatabase and authenticationAccount data, user content
LemonSqueezyPayment processing (Merchant of Record)Payment info, billing address, email
VercelHosting and analyticsUsage data, IP address
Google AnalyticsWebsite analyticsUsage data, device info
Google OAuthAuthentication (Sign in with Google)Profile info, email address
ResendEmail deliveryEmail address
CloudflareSecurity and bot protectionIP address, device info
UpstashRate limiting and cachingUser identifiers

5.1 Optional Integrations

The following services only receive your data if you explicitly enable the integration:

Service ProviderPurposeData Shared
SlackWeekly progress notificationsGoal/project summaries, progress metrics
Google CalendarDisplay events alongside tasks; create/edit events when you drag tasks onto your scheduleRead-only access to your calendar list; read/write access to events on calendars you select. See Section 6.

We do not sell, trade, or rent your personal information to third parties for marketing purposes.

5.2 Shared Spaces

If you use Shared Spaces to collaborate with others, tasks, projects, and goals within a space are visible to all space members. Personal data — including journals, moods, focus priorities, highlights, and personal analytics — is never shared and remains private by architecture. You control which content you move into a Shared Space.

6. Google API Services User Data Policy

KeyResults.io's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

6.1 OAuth Scopes We Request

When you connect your Google Calendar to KeyResults.io, we request the following OAuth scopes — and only these:

ScopeWhat it authorizesWhy we need it
.../auth/calendar.readonlyRead-only access to the list of your calendars and their metadata.To populate the calendar picker so you can choose which calendars to display in your weekly view.
.../auth/calendar.eventsRead and write access to events on the calendars you select.To display your events alongside tasks, and to create, move, or update events when you drag tasks onto your schedule.

We do not request, and the app does not exercise, any scope that would let us create, share, rename, or delete calendars themselves, access Gmail, Drive, Contacts, or any other Google product.

6.2 What We Access

  • Calendar metadata: calendar IDs, display names, colors, and primary-calendar status — used only to populate the calendar picker.
  • Events on calendars you choose to display: titles, start/end times, descriptions, locations, and attendees, fetched only for the time range you are currently viewing.

6.3 What We Store

  • OAuth tokens (access token + refresh token), stored in our database and encrypted at rest. They are used solely to authenticate API calls back to Google on your behalf.
  • The email of your connected Google account, stored at connection time so we can identify the linked account.
  • Your selected-calendar IDs and sync preferences (e.g. whether to display tasks as events).

We do not persist your calendar event content on our servers. Events are fetched from Google on demand when you view a week, briefly cached in-memory or in our short-lived cache to reduce API calls (typically a few minutes), and then discarded.

6.4 Limited Use Commitments

In line with Google's Limited Use policy, KeyResults.io commits that:

  • We use Google user data only to provide and improve the user-facing calendar features described above.
  • We do not use Google user data to serve advertisements.
  • We do not use Google user data to train, develop, or improve generalized AI/ML models.
  • We do not sell, rent, or transfer Google user data to data brokers, advertisers, or any other third party for unrelated purposes.
  • No human at KeyResults.io reads your Google user data, except (a) with your explicit consent, (b) for security investigations or to address abuse, (c) to comply with applicable law, or (d) when the data has been aggregated and anonymized for internal operations such as service-quality monitoring.

6.5 Disconnecting and Deleting Your Google Data

You can disconnect Google Calendar at any time, and you have two ways to do so:

  • Inside KeyResults.io: Settings → Integrations → Google Calendar → Disconnect.
  • From your Google account, by visiting myaccount.google.com/permissions and revoking access to KeyResults.io.

When you disconnect, we immediately delete your stored OAuth tokens, your selected-calendar IDs, your sync preferences, and the cached email of the linked Google account. Any cached event data is purged as soon as the cache expires (within minutes). If you delete your KeyResults.io account, all Google integration data is deleted along with the rest of your account.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you services. We will retain and use your information as necessary to:

  • Comply with legal obligations
  • Resolve disputes
  • Enforce our agreements

If you request deletion of your account, we will delete your personal data within 30 days, except where retention is required by law.

8. Your Privacy Rights

8.1 Rights for EU Residents (GDPR)

If you are located in the European Economic Area, you have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restrict Processing: Request limitation of processing
  • Right to Data Portability: Receive your data in a portable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time

8.2 Rights for California Residents (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to Know: Request information about the categories and specific pieces of personal information we collect
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the sale of personal information (note: we do not sell personal information)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

8.3 Exercising Your Rights

To exercise any of these rights, please contact us at support@keyresults.io. You can also export your data at any time through the Settings page in your account.

9. Data Security

We implement layered technical and organizational measures to protect your personal information:

  • Encryption in transit: All traffic between your browser, our servers, and our subprocessors is encrypted using TLS/HTTPS.
  • Encryption at rest: Sensitive user-generated content — including the titles and descriptions of goals, projects, tasks, subtasks, milestones, comments, and journal entries — is encrypted at the application layer using a vault-managed secret before being written to the database. The underlying database storage is also encrypted at rest by our hosting providers (Supabase for Postgres, Upstash for Redis).
  • Encrypted secrets: Third-party access tokens (such as the Google Calendar OAuth tokens) are stored encrypted at rest and decrypted only in-memory at the moment of an authenticated API call.
  • Bot protection: Sign-up, login, and other public endpoints are protected by Cloudflare Turnstile (a privacy-respecting CAPTCHA replacement) to prevent automated abuse and credential stuffing.
  • Rate limiting: All write operations and sensitive endpoints enforce per-user rate limits to mitigate abuse.
  • Access control: Database access is governed by row-level security policies so that users — and members of a Shared Space — see only the data they are authorized to see.
  • Secure authentication: Auth credentials are handled by Supabase Auth with industry-standard hashing; OAuth flows use signed, short-lived state parameters to prevent CSRF.
  • Ongoing review: We continuously monitor our dependencies for known vulnerabilities and patch promptly.

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. When we transfer your data internationally, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the European Commission, to protect your information.

11. Children's Privacy

Our services are not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@keyresults.io, and we will take steps to delete such information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically for any changes. Your continued use of our services after any modifications indicates your acceptance of the updated Privacy Policy.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

KeyResults.io

Email: support@keyresults.io

For GDPR-related inquiries, EU residents may also lodge a complaint with their local data protection authority.