Privacy Policy

Last updated: February 2026 · Version 2.0

We collect only what we need to help you function better. Your data is personal—we keep it that way.

1. Data Controller

The data controller is:

For data protection inquiries, contact our Data Protection Officer at dpo@execufunction.com.

2. Information We Collect

2.1 Account Information

When you sign up using Google OAuth, we collect:

  • Email address — for account identification and communication
  • Name and profile photo — for personalization within the app

2.2 Google Calendar Data

When you connect your Google Calendar, we access:

  • Calendar events — titles, times, locations, and recurrence patterns
  • Free/busy information — to find available time slots

We request read and write access to create focus blocks and scheduled tasks on your calendar.

2.3 Information You Provide

  • Tasks — titles, descriptions, due dates, and status
  • Notes — content you create in the knowledge base
  • People — contacts and relationships you add to the CRM
  • Projects — project details, milestones, and linked code repositories
  • Vault secrets — API keys and credentials you store (encrypted at rest with AES-256-GCM)

2.4 Chat and Voice Session Data

  • Text conversations — messages exchanged with the AI assistant
  • Voice transcripts — text transcriptions of voice check-ins (we do not store raw audio)
  • Actions taken — a log of tasks created, updated, or scheduled during sessions

2.5 Daemon (Autonomous Operator) Data

  • Configuration — operator instructions, capabilities, and approval policies
  • Execution logs — tool calls, reasoning chains, and outcomes
  • Approval records — your decisions on daemon-requested actions

2.6 Usage Data

We collect anonymous usage metrics to improve the service, including feature usage patterns and error reports.

3. Purposes and Legal Basis for Processing

| Processing Activity | Purpose | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Account management | Create/maintain your account | Contract (Art. 6(1)(b)) |
| Core features (tasks, calendar, notes, projects) | Provide the service you signed up for | Contract (Art. 6(1)(b)) |
| AI assistant processing | Provide intelligent assistance via LLM providers | Consent (Art. 6(1)(a)) |
| Daemon execution | Run autonomous operators on your behalf | Consent (Art. 6(1)(a)) |
| Analytics | Improve service quality and performance | Legitimate interest (Art. 6(1)(f)) |
| Security monitoring | Detect and prevent unauthorized access | Legitimate interest (Art. 6(1)(f)) |
| Billing | Process payments and manage subscriptions | Contract (Art. 6(1)(b)) |
| Marketing communications | Product updates and announcements | Consent (Art. 6(1)(a)) |

4. Data Sharing and Recipients

4.1 Service Providers (Sub-Processors)

We share data with the following categories of service providers only as necessary to operate the service:

  • AI/LLM providers (Anthropic, OpenAI, Google AI) — process your queries to provide intelligent assistance. Data is processed in real-time and not retained for model training per our data processing agreements.
  • Cloud infrastructure (Google Cloud Platform) — hosting, database, and storage.
  • Payment processing (Stripe) — billing data only.
  • Email delivery (SendGrid) — email addresses for transactional emails.
  • Error monitoring (Sentry) — scrubbed error data for debugging.
  • Sandbox execution (E2B) — daemon code execution in isolated environments.
  • Job scheduling (Inngest) — job metadata for background processing.

4.2 No Sale of Data

We do not sell, rent, or trade your personal information to third parties.

4.3 Legal Requirements

We may disclose your information if required by law, court order, or government request.

5. International Data Transfers

Your data is hosted on Google Cloud Platform in the United States (us-central1). When your data is processed by our AI providers (Anthropic, OpenAI, Google AI), it is transferred to and processed in the United States.

For transfers of personal data from the European Economic Area (EEA) or the United Kingdom, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our data processing agreements with each provider.
  • Supplementary measures including encryption in transit and at rest, access controls, and contractual commitments against government access requests.

6. Google User Data

6.1 What Google Data We Access

When you connect your Google account, we request access to:

  • Basic profile information (openid, email, profile) — your name, email, and profile picture
  • Google Calendar (calendar scope) — read and write access to your calendar events

6.2 How We Use Google Calendar Data

We use your Google Calendar data to:

  • Display your schedule within ExecuFunction
  • Find available time slots for task scheduling
  • Create calendar events for focus blocks and scheduled tasks
  • Avoid scheduling conflicts with existing commitments

Calendar event titles and times may be processed by AI services to provide personalized scheduling suggestions.

6.3 How We Store Google Data

  • OAuth tokens — encrypted at rest using AES-256-GCM
  • Calendar events — cached locally and re-synced from Google Calendar periodically
  • Deletion — all Google data is deleted when you disconnect your calendar or delete your account

6.4 Limited Use Disclosure

ExecuFunction's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we commit to the following:

  • We only use Google user data to provide and improve user-facing features within ExecuFunction.
  • We do not transfer Google user data to third parties except as necessary to provide the service, for security purposes, or to comply with applicable law.
  • We do not use Google user data for advertising, including retargeting, personalized advertising, or interest-based advertising.
  • We do not allow humans to read Google user data unless you have given affirmative consent, it is necessary for security purposes (e.g., investigating abuse), or it is required by law.

7. Data Retention

| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion |
| Calendar cache | Refreshed periodically; deleted on disconnect |
| Tasks, notes, projects, people | Until deleted by you or account deletion |
| Chat messages | Until account deletion |
| Vault secrets | Until deleted by you or account deletion |
| Daemon execution logs | 90 days, then automatically deleted |
| Audit logs | 12 months (anonymized on account deletion) |
| Consent records | Duration of account + 3 years after deletion (legal obligation) |
| Error monitoring data | 90 days (Sentry default retention) |

8. Automated Decision-Making and Daemons

ExecuFunction includes autonomous operators ("daemons") that can take actions on your behalf, such as creating tasks, scheduling calendar events, and managing projects. Under GDPR Article 22, you have the right to:

  • Opt out of fully autonomous actions — You can require human approval for all daemon actions in your daemon settings. When enabled, every action a daemon wants to take requires your explicit approval before execution.
  • Receive an explanation — Every daemon action includes a reasoning chain explaining why the action was taken or proposed.
  • Contest decisions — You can reject any proposed daemon action and provide alternative instructions.

By default, daemons require approval for dangerous or irreversible actions (e.g., deleting data, sending emails). You can increase this to require approval for all actions at any time.

9. Your Rights

Under the General Data Protection Regulation (GDPR) and applicable data protection laws, you have the following rights:

  • Right of access (Art. 15) — Request a copy of all personal data we hold about you. Use the data export feature in Settings, or contact us.
  • Right to rectification (Art. 16) — Correct any inaccurate personal data. You can edit your data directly in the app.
  • Right to erasure (Art. 17) — Request permanent deletion of your account and all associated data. Available in Settings > Data Rights, or by contacting us.
  • Right to restriction (Art. 18) — Restrict AI processing of your data. Your data is stored but not processed by AI features. Available in Settings > Data Rights.
  • Right to data portability (Art. 20) — Export your data in a structured, machine-readable JSON format.
  • Right to object (Art. 21) — Object to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)) — Withdraw consent for AI processing, analytics, or marketing at any time via Settings > Data Rights. Withdrawal is as easy as granting consent.

To exercise any of these rights, use the self-service options in Settings > Data Rights, or contact us at privacy@execufunction.com. We will respond within 30 days.

9.1 Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In the EU, you can contact the supervisory authority in your country of residence. A list of EU supervisory authorities is available at edpb.europa.eu.

9.2 Disconnect Google Calendar

You can disconnect your Google Calendar at any time from the Settings page. This revokes our access and deletes cached calendar data. You can also revoke access directly from your Google Account permissions.

10. Security

We implement industry-standard security measures:

  • All data encrypted in transit (TLS 1.3) and at rest
  • OAuth tokens and vault secrets encrypted with AES-256-GCM
  • Row-level security on all user-owned database tables
  • Regular security reviews, vulnerability scanning, and monitoring
  • Comprehensive audit logging with immutable audit trails
  • Personal access tokens hashed with SHA-256 (plaintext never stored)

11. Consent Management

When you create an ExecuFunction account, we ask for your consent for the following processing activities:

  • Core service — Required for the service to function (account management, task/calendar features).
  • AI processing — Sending your data to AI providers for intelligent assistance. You can withdraw this consent and still use core features.
  • Analytics — Anonymous usage analytics to improve the service.
  • Marketing — Product updates and announcements via email.

You can manage your consent preferences at any time in Settings > Data Rights. Withdrawing consent does not affect the lawfulness of processing performed before withdrawal.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our website or sending you an email. The consent version is tracked, and you may be asked to re-consent when material changes are made.

13. Contact Us

Questions about this Privacy Policy? Contact us at: