Privacy policy.

Resett's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Concretely, in the order Google's policy enumerates the allowed-uses categories:

• Allowed Applications. We use Google user data only to provide and improve user-facing features visible in Resett — primarily, placing focus blocks and breaks on your calendar and producing the cognitive-calendar diagnostic. We do not use it for any other purpose.
• Allowed Transfers. We do not transfer Google user data to third parties except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with users notified.
• Allowed Human Access. We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for our internal operations and even then only when the data has been aggregated and anonymised.
• Allowed Advertising. We do not use Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising.
• Allowed Machine-Learning Use. We do not use Google user data, or data derived from it, to develop, improve, or train generalised machine-learning or large-language models. No Google API data ever leaves our infrastructure to train any third-party model.

When you click “Connect Google Calendar”, Resett requests the following OAuth scopes. You can review and revoke them at any time at myaccount.google.com/permissions.

• .../auth/calendar (restricted)
  Read your calendar events to compute meeting load, identify free space for deep-work blocks, and detect peak-window leaks. Write back only the focus blocks and breaks Resett places, each tagged with our resett_plan_id marker so you can undo a plan in one click. Resett never edits, deletes, or modifies events it did not create.
• .../auth/userinfo.email + openid
  Verify that the Google account you authorise matches the Resett account you signed up with — we reject mismatches. Required for sign-in via Google.
• .../auth/userinfo.profile
  Read display name only, used for the in-app user header.
• .../auth/gmail.metadata (restricted, opt-in only)
  Off by default. Only requested if you opt in explicitly in /app/settings. We read only message timestamps and label identifiers — never subject lines, never message bodies, never recipient addresses. Used to derive after-hours messaging volume for the personal recovery-debt indicator and the aggregate “telepressure” signal in Brain OS.

We never share the underlying calendar or Gmail data with anyone. Aggregate metrics derived from these scopes are gated behind a cohort threshold of N ≥ 5 before they appear in any leader-facing view.

Resett is operated by the Resett team. Contact for any privacy matter: privacy@resett.dev. For an EU-specific contact, write to the same address with “EU representative request” in the subject and we will route the request through our designated representative.

• Account data: your email and a salted hash of your password. We never store the password itself.
• Calendar event metadata: start time, end time, duration, organizer self-flag, and attendee count bucket (1, 2-3, 4+) for events on your connected Google Calendar. We do not ingest event titles, descriptions, attendee names, attendee emails, or attachments.
• Plan metadata: events Resett places (deep work, breaks, opt-in protected windows) and the canonicalplan_idhash that lets you undo a plan.
• (Opt-in) Slack signals: daily counts and timestamps of your messages — never the message content, never recipients, never channel names. Off until you connect.
• (Opt-in) Gmail metadata: message counts and send timestamps — never subject lines, never content, never recipients. Off by default.
• (Opt-in) GitHub PR metadata: PR titles, merge timestamps, repo names. Used only to correlate PRs with your deep-work blocks for the wow-moment + retro views.
• Product analytics: page views and a small set of named activation events (signed up, connected Google, viewed report, applied first plan), routed through PostHog with IP anonymization on. Used only to fix the product. Disabled in EU/UK/CH unless you accept the cookie banner.
• Operational logs: access logs (IP + user-agent) and audit-log rows for security-sensitive actions (registration, login, leader dashboard views, data export, account deletion).

• Event titles, descriptions, attendee names, or attendee emails.
• Email subject lines, content, or recipient addresses.
• Slack message content or channel names.
• We do not sell or share data with third parties for advertising. We do not track you across other sites.

• Performance of contract (GDPR Art 6(1)(b)) for everything required to provide the service you signed up for: account, calendar reads, plan placement.
• Consent (Art 6(1)(a)) for any optional integration: Slack, Gmail metadata, GitHub PR correlation, product analytics in EU/UK/CH, and the manager-visibility burnout flag in EU/UK/CH. Withdrawn at any time from /app/settings.
• Legitimate interest (Art 6(1)(f)) for security logs, fraud prevention, and the manager-visibility flag in non-EU jurisdictions where you can turn it off in one click. We have completed a balancing test for each of these uses; ask us for a copy.

Resett can show your direct manager only a single sharply_worsening flag derived from your calendar (and Slack, if connected). It never shows the underlying numbers, never your dashboard, never your name standing alone — flags are gated by a cohort threshold (N ≥ 5) before any aggregate leaves your team.

EU / UK / Switzerland: off by default, requires explicit opt-in. We treat employer-context consent as conservatively as Article 7(4) demands and never set it silently.

Outside EU / UK / CH: on by default with a plain-language disclosure at signup, off in one click from/app/settings. Turning it off is honored on the next read pass; we do not queue a final “goodbye” flag.

The Brain OS dashboard is aggregate-only. Individual identity never appears in the response — not as a name, not as an ID, not as an email. Aggregates are gated at a cohort size of five; below that threshold the dashboard greys out entirely. Every leader dashboard view is recorded in an audit log against the leader's account.

Application data is hosted in the European Union — Fly.io Frankfurt (fra) for the API, Postgres, and background workers; Vercel's EU edge for the web front-end. Encryption at rest uses AES-256; in transit uses TLS 1.3. OAuth tokens are encrypted with a per-deployment key separate from the database's storage encryption. Access to production is principle-of-least-privilege and time-limited; every access is logged.

For EU/UK/CH customers, data is processed in the EEA by default. Some of our subprocessors (Stripe for billing, Sentry for error reporting) are headquartered in the United States; those flows are covered by the European Commission's Standard Contractual Clauses (2021/914) and a Transfer Impact Assessment we will share on request.

• Google LLC — Google Calendar API (read + write of Resett-created events only), OpenID Connect for sign-in, and (opt-in) Gmail API metadata scope. Use bound by Google API Services User Data Policy Limited Use requirements (see top of this page). Located: US.
• Fly.io, Inc. — application hosting (API, Postgres, Redis, background workers). Region: Frankfurt (fra) for EU/UK/CH customers.
• Vercel Inc. — front-end hosting and edge CDN. EU edge functions are pinned to EU regions for EU/UK/CH customers.
• Stripe, Inc. — payment processing for paid subscriptions. We do not store card numbers; Stripe tokenizes everything and we keep only the customer ID. Located: US (under SCCs).
• Sentry (Functional Software, Inc.) — application error reporting. PII scrubbed in transit by an allow-list filter; payloads sampled. Located: US (under SCCs).
• PostHog Inc. — product analytics (page-views and named activation events). EU instance for EU customers, IP anonymization on. Disabled until consent in EU/UK/CH.
• Twilio SendGrid (or equivalent SMTP provider) — transactional email (password reset, daily morning brief summary headers). Email body content is generated by Resett; never customer business content. Located: US (under SCCs).

We notify customers of new subprocessors at least 14 days before they are added.

• Account & calendar event metadata: for the lifetime of your workspace; deleted within 30 days of workspace closure or deletion request.
• Audit logs: 12 months. Required for security incident review.
• Backups: 30 days, encrypted, deleted on rolling schedule.
• Billing records: 7 years (statutory accounting retention).

Under GDPR (and equivalent regimes — UK GDPR, Swiss FADP, CCPA/CPRA, LGPD), you have the right to:

• Access a copy of your data — one click in /app/settings produces a JSON export of every user-owned row.
• Rectify any incorrect personal data — most fields are user-editable; for anything you can't edit yourself, write to privacy@resett.dev.
• Erase your account and all user-owned rows — one click in /app/settings after typing your email to confirm. Backups age out within 30 days.
• Restrict or object to processing for a specific purpose — toggle off the relevant consent in /app/settings, or write to us.
• Portability — the same JSON export is machine-readable and structured.
• Withdraw consent at any time without affecting service for the things you signed a contract for.
• Lodge a complaint with your supervisory authority. EU residents: your national DPA (e.g. BfDI in Germany, CNIL in France). UK: ICO. Switzerland: FDPIC.

We set a small number of strictly-necessary cookies for authentication. We also load PostHog for product analytics (page views and named activation events). In the EU/UK/CH PostHog is disabled until you accept the cookie banner; outside, it loads with IP anonymization on by default and you can disable it via your browser's Do-Not-Track signal, which we honor.

In the event of a personal-data breach, we notify affected customers within 72 hours of becoming aware of it, consistent with GDPR Art 33 / 34. We maintain an incident response runbook and review it after every drill.

Resett is a workplace tool and not directed at children under 16. We do not knowingly process data from anyone under 16. If you believe we have, write to us and we will delete the data.

Material changes are notified to the workspace admin email at least 30 days before they take effect. The version number in the header changes when the document changes.