Privacy Policy · Effective May 2, 2026

This Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have over it.

1. Who we are

This Privacy Policy (“Policy”) governs the processing of personal data through the doot website at dootit.com and the doot application at app.dootit.com (together, the “Service”). The Service is operated by Hum and Spark, a sole proprietorship registered in Bengaluru, Karnataka, India (“doot,” “we,” “us”).

For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, and India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”), doot is the controller / data fiduciary in respect of personal data processed through the Service.

2. Scope

This Policy applies to personal data we collect from or about (i) visitors to dootit.com, (ii) registered users of the doot application, and (iii) individuals who contact us by email or other means. It does not apply to third-party services that you may access through links or integrations from the Service; those services are governed by their own privacy policies.

3. Categories of personal data we collect

3.1 Account data

When you create an account, we collect your email address and an authentication credential. If you authenticate via Google, we receive the email address, display name, and avatar associated with the Google account; we do not receive your Google password.

3.2 Profile data

You may optionally provide a display name and avatar selection within the Service. These are stored in your user metadata.

3.3 Content you create

This includes (i) tasks, lists, recurrence rules, reminders, and notes that you create within the Service, and (ii) free-form text or audio you submit through the Brain Dump feature for processing into structured tasks.

3.4 Voice input

If you use voice Brain Dump, your audio is streamed to a third-party transcription provider (see Section 7). The audio is processed in real time for transcription and is not retained by us; the resulting transcript is processed by an AI provider to extract structured tasks (see Section 7) and is then discarded.

3.5 Subscription and billing data

If you subscribe to a paid plan through dootit.com or app.dootit.com, our payment processor Paddle (see Section 7) collects and processes your name, billing address, country, payment instrument, and tax identifiers as required for tax determination. We receive only the subset of this data necessary to manage your subscription: subscription identifier, plan, status, country, and event timestamps.

If you subscribe through the Apple App Store on an iOS device, Apple Inc. processes the transaction directly under its own privacy policy. We do not receive your payment instrument, billing address, or other financial details. Apple shares only the subscription identifier, status, and renewal events with our subscription-management provider (RevenueCat, see Section 7), which forwards the same data to us via webhook for the limited purpose of unlocking Pro features in your account.

3.6 Technical data

When you use the Service, our infrastructure providers automatically log technical information including IP address, user agent, request URLs, response codes, and timestamps. Our error-monitoring tooling (Sentry) captures uncaught exceptions, stack traces, and the URL, route, and user identifier associated with the error. By default, we suppress automatic capture of cookies, IP address, and authorization headers in error events.

3.7 Communications

If you email us, we retain the email and our reply for support, audit, and dispute-resolution purposes.

4. What we do not collect

5. Purposes and legal bases for processing

We process personal data for the following purposes and on the following legal bases (Article 6 GDPR):

We do not engage in profiling or solely-automated decisions that produce legal or similarly significant effects for you. The AI-assisted task extraction in Brain Dump is intended to assist your decisions, not replace them; you review and accept extracted tasks before they are saved.

6. Use of AI providers in the Brain Dump feature

When you use Brain Dump, doot relies on two third-party AI services that act as our sub-processors (see Section 7). Both are bound by contract to process content only on doot’s behalf, and not to retain it, use it to train or improve models, or share it with any further third party.

Before any data flows to either provider, you are shown an in-app consent screen during your initial onboarding of the doot mobile app — immediately before the Brain Dump feature becomes available — that names both providers explicitly and describes this data flow. You must accept that consent before any Brain Dump call can be made.

7. Sub-processors

We rely on the following sub-processors to provide the Service. Each is bound by a contract that imposes data-protection obligations consistent with GDPR Article 28 and equivalent provisions of the DPDP Act and other applicable laws.

This list is current as of the effective date above. We may add or replace sub-processors from time to time; material changes will be communicated by email to active users at least thirty (30) days in advance, save where a change is required for security or legal reasons.

8. International transfers

Some of the sub-processors listed above are established outside India and outside the European Economic Area (“EEA”). Where personal data is transferred from the EEA or the United Kingdom to a country that is not the subject of an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses (Implementing Decision (EU) 2021/914) or equivalent UK International Data Transfer Agreement, supplemented where appropriate by additional technical and organisational measures.

Where personal data is transferred from India to a country outside India, the transfer is made in accordance with the requirements of the DPDP Act and any rules issued thereunder. By using the Service, you acknowledge and consent to such transfers.

9. Retention

We retain personal data only for as long as necessary for the purposes described in this Policy:

10. Security

We implement technical and organisational measures designed to protect personal data against unauthorised access, accidental loss, alteration, or destruction, including: encryption in transit (TLS) and at rest (AES-256 on the underlying infrastructure), one-way hashing of authentication credentials, role-based access controls limiting administrative access to a need-to-know basis, server-side row-level security on the database, secure secrets management, and regular review of access and audit logs.

No system can be guaranteed to be secure. In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the competent supervisory authority within the timeframes required by applicable law.

11. Your rights

Subject to applicable law, you have the following rights in respect of your personal data:

To exercise any of these rights, email aditya@humandspark.com. We will respond within thirty (30) days. We may need to verify your identity before fulfilling certain requests.

You may also delete your account directly in the application at Settings → Delete account. Account deletion immediately removes your tasks, lists, profile, and other application data; data may persist in encrypted backups for up to seven (7) days as set out in Section 9.

12. Cookies and similar technologies

We use a small number of strictly-necessary cookies to maintain your authenticated session and remember your preferences. These cookies do not require consent under Regulation 6 of the UK Privacy and Electronic Communications Regulations or the equivalent provisions of the EU ePrivacy Directive (2002/58/EC). We do not use advertising, analytics, or cross-site tracking cookies. Should this change, we will update this Policy and obtain your consent in accordance with applicable law.

13. Children

The Service is not directed to, and we do not knowingly collect personal data from, children under the age of thirteen (13). In the European Economic Area, we do not knowingly collect personal data from children below the age of digital consent established by the relevant Member State (between 13 and 16). If we learn that we have inadvertently collected personal data from a child without verifiable parental or guardian consent, we will delete that data without undue delay.

14. Grievance Officer (India)

In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the DPDP Act, we have appointed a Grievance Officer to address concerns related to the Service:

The Grievance Officer will acknowledge complaints within twenty-four (24) hours and resolve them within fifteen (15) days. If you are not satisfied with the resolution, you may escalate to the Data Protection Board of India.

15. Changes to this Policy

We may amend this Policy from time to time. The version in force is identified by the effective date at the top of the page. Where amendments are material, we will notify active users by email at least thirty (30) days before the new version takes effect, save where a change is required by law to take immediate effect.

16. Contact

For questions about this Policy or the processing of your personal data, contact us at aditya@humandspark.com. For general support, contact aditya@humandspark.com.