Legal
Privacy Policy
Effective June 13, 2026
What we collect, why, who we share it with, and the choices you have. We've tried to keep it plain.
Gumhop ("Gumhop," "we," "us") is a task-capture and rewards app operated by an independent maker.
Who we are
Gumhop is operated by an independent maker. For the information described here, we are the data controller.
What we collect
We only collect what we need to run the app.
You give us
- Account email — to sign you in (one-time code, magic link, or email + password) and to send service email.
- Password (if you use email + password sign-in) — we never see or store your password in readable form. It is handled and hashed by our authentication provider. See Security.
- Your content — the tasks, notes, lists, folders, subtasks, and reward packs you create, including any text, links, dates, contacts, locations, or images you add.
- Profile and settings — optional display name, theme preference, your timezone, and your notification preferences.
Created automatically when you use Gumhop
- Timezone — so reminders, due dates, and the morning brief land at the right local time.
- Push subscription details — if you enable push, your browser provides a push endpoint and the cryptographic keys needed to deliver notifications, plus a short user-agent string.
- AI usage metadata — when AI parsing runs, we log the model, token counts, latency, and success/failure for monitoring and cost. We do not store your task text in these logs.
- API key metadata — if you create an API key, we store its name, a one-way hash, and a short display prefix. We never store the full key after it is shown to you once.
- Limited technical/usage data — standard server and network information such as IP address, browser type, and request logs, processed to operate, secure, and debug the service.
We do not
- Sell your data.
- Run third-party advertising or ad-tracking on you.
- Use cross-site tracking cookies or fingerprinting for advertising.
How AI processing works
Gumhop uses AI to read a task you type in plain language and pull out structured details (title, due date/time, priority, links, emails, locations, subtasks).
- When AI parsing is enabled, the text of the task you capture is sent to our third-party AI provider to be parsed. We send your task text (truncated to roughly 2,000 characters) along with the current date and your timezone. We do not send your email address, account ID, or other profile data with it.
- The AI returns structured fields, which we save to your task.
- You can turn AI parsing off any time in Settings. With it off, your task text is not sent to the AI provider.
- Treat AI output as a helpful guess, not a guarantee — always check important dates and details.
Why we use your data
| Purpose | Data used |
|---|---|
| Provide the core app (store and sync your tasks/lists/rewards) | Content, profile, settings |
| Sign you in and keep you signed in | Email, password (hashed), session cookies |
| Parse natural-language tasks into structured fields | Task text (when AI parsing is on), timezone |
| Send the daily brief and reward emails | Email, content, settings |
| Send push notifications | Push subscription, settings |
| Deliver reminders at the right local time | Timezone, due dates |
| Operate, secure, debug, and prevent abuse | Technical/usage data, AI usage metadata |
Where applicable (e.g. GDPR/UK GDPR), our legal bases are performance of a contract, legitimate interests (security, abuse prevention, reliability), and consent (e.g. push notifications).
Who we share it with (sub-processors)
We use a small set of trusted providers and share only what each needs:
- Authentication, database & storage provider — stores your account, content, profile, push subscription records, and reward media.
- AI provider — parses your task text into structured fields (only when AI parsing is enabled).
- Email provider — delivers account and notification email.
- Hosting provider — runs and serves the app (processes requests and standard server data, including IP address).
- Browser push services — when you enable push, notifications are delivered through your browser's own push service.
We don't sell your data or share it with advertisers. We may disclose information if required by law, to protect our rights, or to investigate fraud, abuse, or security issues.
Cookies and local storage
Gumhop uses cookies and browser storage only to keep you signed in and remember basic preferences. We set authentication/session cookies via our authentication provider. We do not use advertising or cross-site tracking cookies. See the Cookie Policy for details.
Data retention
- Your content and account are kept for as long as your account is active.
- AI usage logs (metadata only) and standard server logs are kept for a limited period, then deleted or aggregated.
- Push subscriptions are removed when you disable notifications or the push service reports them gone.
- When you delete your account, your profile, tasks, lists, folders, subtasks, rewards, push subscriptions, daily summaries, API keys, and uploaded reward media are deleted, generally within 30 days, except where we must retain limited records to comply with law.
Your rights and choices
Depending on where you live, you may have the right to access, correct, export, or delete your data, and to object to or restrict certain processing. In Gumhop you can already:
- Access and edit your tasks, lists, profile, and settings directly in the app.
- Turn AI parsing on/off, and turn each notification channel on/off, in Settings.
- Export your data — contact us to request a copy of your account data.
- Delete your account — contact us and we'll delete your account and associated data.
We may need to verify your identity (for example, that you control the account email). If you're in the EU/UK and unsatisfied, you may complain to your local data protection authority.
Children
Gumhop is not directed to children. You must be at least 13 (or the minimum age of digital consent in your country) to use Gumhop. If you believe a child has provided us data, contact us and we'll delete it.
International data transfers
Our providers may process data in countries outside where you live, including the United States. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses. In particular, our AI provider may process task text outside your country when AI parsing is enabled; if you prefer otherwise, turn AI parsing off.
Security
We protect your data with encryption in transit, database access controls (row-level security so you can only reach your own data), and password hashing handled by our authentication provider. No system is perfectly secure. See the Security page for details and how to report a vulnerability.
Changes to this policy
We may update this policy as Gumhop evolves. We'll change the effective date above and, for material changes, make a reasonable effort to notify you.
Contact
For questions, requests, or concerns about this policy, contact us.