Last Updated: January 13, 2026
Effective Date: January 13, 2026
Do What ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application ("App"). Please read this policy carefully.
1. Information We Collect
1.1 Information You Provide
When you use Do What, you may provide us with:
- Account Information: Email address and password when you create an account
- Profile Information: Display name you choose for your family
- Content: To-do items, shopping lists, notes, and chat messages you create
- Location Data: Addresses and coordinates for location-based reminders (only when you explicitly add them)
- Calendar Data: Calendar event information when you enable calendar sync (read-only access)
1.2 Information Collected Automatically
When you use the App, we may automatically collect:
- Device Information: Device type, operating system version, and unique device identifiers for app functionality
- Usage Data: App feature usage for improving the user experience
- Crash Reports: Technical information when the app crashes, to help us fix bugs
1.3 Permissions We Request
| Permission |
Purpose |
When Requested |
| Camera |
Scan barcodes for shopping list items |
Only when you tap the scan button |
| Location |
Location-based reminders (geofencing) |
Only when you create a location reminder |
| Background Location |
Trigger reminders when you arrive/leave locations |
Only after you enable location reminders |
| Calendar (Read Only) |
Display device calendar events alongside family activities |
Only when you enable calendar sync |
| Notifications |
Send reminders, chat messages, and family updates |
During app setup |
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the App
- Sync your data across your devices
- Enable family collaboration features
- Send you notifications and reminders you've requested
- Provide location-based reminder functionality
- Respond to your inquiries and support requests
- Detect, prevent, and address technical issues
- Protect against unauthorized access and abuse
What We DO NOT Do
- We do NOT sell your personal information to third parties
- We do NOT track your location continuously
- We do NOT share your data with advertisers
- We do NOT use your data for targeted advertising
- We do NOT store images from your camera (barcode scanning only)
3. Location Information
3.1 Background Location Usage
Do What uses background location access exclusively for location-based reminders (geofencing). This feature allows you to receive notifications when you arrive at or leave specific locations you've chosen.
Examples:
- "Buy milk" reminder triggers when you arrive at the grocery store
- "Pick up package" reminder triggers when you leave work
3.2 What Location Data We Collect
- Location coordinates only when you explicitly add them to a reminder
- Favorite location names and addresses you save
- Geofence trigger events (arrival/departure)
3.3 What We DO NOT Do With Location
- We do NOT track your location continuously
- We do NOT log your location history
- We do NOT sell or share your location data with third parties
- We do NOT use your location for advertising purposes
3.4 Your Location Rights
- Decline location permissions - location features are completely optional
- View all stored location data in Settings
- Export your location data
- Delete all location data with one tap
- Revoke location permissions anytime in your device settings
4. Data Storage and Security
4.1 Where Your Data is Stored
| Data Type |
Storage Location |
| App preferences and settings |
Your device (encrypted) |
| Cached data for offline access |
Your device (encrypted) |
| Account and authentication data |
Firebase (Google Cloud) |
| Family data (todos, shopping, notes, chat) |
Firebase (Google Cloud) |
| File attachments |
Firebase Cloud Storage (Google Cloud) |
4.2 Security Measures
We implement industry-standard security measures to protect your data:
- Encryption at Rest: Local database is encrypted using SQLCipher with device-backed keys
- Encryption in Transit: All data transmitted over HTTPS/TLS
- Authentication: Firebase Authentication with optional two-factor authentication (2FA)
- Access Controls: Family data is only accessible to verified family members
- App Verification: Firebase App Check with Play Integrity API prevents unauthorized access
- No Backups: Encrypted database files are excluded from cloud backups to prevent offline attacks
5. Data Sharing
5.1 Within Your Family
When you join a family in Do What:
- Family members can see shared to-dos, shopping lists, notes, and chat messages
- Your display name and email are visible to family members
- Your activity status may be visible to family admins
5.2 Third-Party Services
We use the following third-party services to operate the App:
- Firebase (Google): Authentication, database, storage, and cloud functions
- Google Play Services: Location services for geofencing
- Firebase Cloud Messaging: Push notifications
These services are governed by their own privacy policies. We do not share your personal data with any other third parties.
5.3 Legal Requirements
We may disclose your information if required by law, such as in response to a subpoena, court order, or government request.
6. Your Rights and Choices
6.1 Access and Export
- View all your data within the App settings
- Export your data in standard formats (JSON)
6.2 Correction
- Update your profile information anytime in Settings
- Edit or delete any content you've created
6.3 Deletion
- Delete individual items (todos, notes, shopping items)
- Delete all location data
- Delete your entire account (Settings > Account > Delete Account)
6.4 Opt-Out
- Disable location features by revoking location permissions
- Disable notifications in your device settings
- Use the App in local-only mode without an account
7. Data Retention
- Active Data: Retained while your account is active
- Deleted Items: Moved to trash for 30 days, then permanently deleted
- Account Deletion: All personal data is deleted within 30 days of account deletion
- Expired Tokens: Authentication and invite tokens are automatically deleted when expired
8. Children's Privacy
Do What is designed for family use and may be used by children under parental supervision. We do not knowingly collect personal information from children under 13 without parental consent. If you believe we have collected information from a child under 13, please contact us immediately.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States where our service providers (Google/Firebase) maintain servers. We ensure appropriate safeguards are in place for such transfers.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy in the App and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes.
11. California Privacy Rights
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale of personal information (we do not sell your data)
- Right to non-discrimination for exercising your rights
12. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Request deletion of your personal data
- Right to Portability: Receive your data in a portable format
- Right to Object: Object to processing of your personal data
- Right to Withdraw Consent: Withdraw consent at any time