Privacy Policy

Last Updated: April 2, 2026

1. Introduction

SubTasks ("we", "our", or "us") is operated by Tony Howell, a sole proprietor based in Texas, United States. This Privacy Policy explains how we collect, use, and protect your personal information when you use SubTasks (the "Service"), a relationship management platform designed for couples practicing power-exchange dynamics (sometimes called Dominant/submissive or D/s).

We understand that the data you entrust to us is sensitive. Information about your relationship dynamics, roles, tasks, and personal content could cause real harm if exposed. We built our privacy and security practices with that risk in mind.

2. Information We Collect

Account Information

  • Email address - used for account creation, authentication via magic links, and service communications
  • Username - your chosen identifier within the Service
  • Timezone - used to display dates and times correctly
  • Notification preferences - your choices about which notifications to receive
  • Display settings - theme preferences and UI configuration

Relationship Data

  • Partner link - the connection between you and your partner, including which role each person holds (Dominant/submissive)
  • Relationship preferences - dynamic configuration such as pet names, point values, and demerit thresholds

User Content

  • Tasks - names, descriptions, completion notes, and validation notes
  • Rewards and punishments - names, descriptions, and acknowledgment notes
  • Points, demerits, and point adjustments - including descriptions and reasons
  • Notes - freetext notes, lists, and checklists shared between partners
  • Messages - chat messages exchanged between partners
  • Task Kits - template packages you create. If you publish a kit, its name, description, designer note, tags, and template content are visible to all SubTasks users alongside your username (or anonymous attribution, if you choose)

Photo Content

  • Photo proof - images you upload to prove task completion. Photos are stored encrypted in a dedicated storage bucket. Approved or rejected photos are deleted automatically. Orphaned uploads are removed within 7 days by an automated lifecycle policy

Device and Technical Data

  • Push notification tokens - web push (VAPID) and native (FCM) tokens, used solely to deliver notifications to your devices
  • Authentication tokens - session tokens stored in your browser's local storage

Subscription Data

  • Subscription tier and status - whether you are on the Free or Pro plan, and whether your subscription is active. We do not process or store payment card details; all payments are handled by Apple (App Store) or Google (Play Store) through RevenueCat

Usage Data

  • Product analytics - we use first-party analytics to understand how the Service is used. Analytics events may include your username, subscription tier, timezone, platform, attribution source, relationship identifier, and behavioral events (such as "task created" or "page viewed"). Analytics does not include task titles, reward names, note text, chat text, proof images or URLs, email addresses, partner identifiers, or other user-generated content

3. How We Use Your Information

  • Provide the Service - store and display your tasks, rewards, notes, messages, and other content to you and your linked partner
  • Authentication - send magic link emails to verify your identity
  • Notifications - deliver push notifications and in-app alerts about task activity, partner actions, and relationship events
  • Service communications - send transactional emails (account changes, security alerts) and product updates
  • Subscription management - process subscription events from Apple/Google to maintain your Pro status
  • Automated features - run scheduled processes including demerit calculation, recurring task creation, and task expiration checks
  • Analytics and improvement - understand usage patterns to improve the Service using first-party product analytics (see Section 2)
  • Error monitoring - detect and fix bugs (via Sentry, with personally identifiable information disabled)
  • Support - respond to your inquiries

4. Data Protection

Field-Level Encryption

All user-generated content is encrypted with AES-256-GCM before being written to our database. This includes task names and descriptions, completion and validation notes, reward and punishment details, demerit reasons, point adjustment descriptions, acknowledgment notes, messages, notes, and pet names.

Encryption keys are managed by AWS Key Management Service (KMS) with an explicit IAM Deny policy that prevents developer access to the decryption key by default. If someone obtained a raw copy of our database (through a backup theft, SQL injection, or other attack), they would see only ciphertext, not your content.

What this is not: This is server-side encryption at rest, not end-to-end encryption. Our application servers must decrypt your data to display it to you and your partner. The service operator retains administrative access to the AWS account and could, in an emergency or under legal compulsion, modify the key policy to grant decryption access. Any such change is logged by AWS CloudTrail.

Additional Measures

  • All data encrypted in transit via TLS
  • Database accessible only from application servers (no public access)
  • Least-privilege access controls on all infrastructure
  • Photo proof stored in a dedicated encrypted bucket with automatic lifecycle deletion
  • Error monitoring configured to exclude personally identifiable information
  • Regular security assessments

5. Data Sharing and Service Providers

We do not sell, trade, or share your personal information for advertising purposes.

Content you create within your relationship (tasks, notes, messages, etc.) is accessible only to you and your linked partner. If you publish a Task Kit, its content is visible to all SubTasks users (see Section 2).

We use the following service providers to operate the Service. Each processes data solely on our behalf:

  • Amazon Web Services (AWS) - hosting, database storage, authentication (Cognito), email delivery (SES), file storage (S3), encryption key management (KMS)
  • RevenueCat - subscription management. Receives your app user identifier to manage Pro subscription status via Apple/Google in-app purchases
  • Sentry - error monitoring. Configured with personally identifiable information disabled. Receives error context and stack traces to help us fix bugs
  • Firebase Cloud Messaging (Google) - push notification delivery for iOS and Android apps. Receives device tokens only
  • Apple/Google - process in-app purchases for Pro subscriptions. Governed by their respective privacy policies

6. Data Retention and Deletion

We retain your information only as long as your account is active or as needed to provide the Service.

You may delete your account at any time at subtasksapp.com/delete-account. When you delete your account:

  • All your data is removed from our active database (tasks, notes, messages, rewards, punishments, relationships, preferences, and all other user content)
  • Your authentication account is deleted
  • Your linked partner is notified
  • Photo proof files are deleted from storage

Backup retention: Encrypted database backups are retained for up to 30 days as part of our disaster recovery process, after which they are automatically deleted. Your data may persist in these backups during that window.

7. Your Rights

You have the right to:

  • Access your personal information
  • Correct inaccurate data through the Service
  • Delete your account and associated data
  • Export your data in a portable format
  • Object to processing of your data
  • Withdraw consent at any time

To exercise any of these rights, contact us at privacy@subtasksapp.com. We will respond within 30 days.

8. Sensitive Information

The Service processes data related to intimate relationship dynamics, including Dominant/submissive roles, tasks, punishments, and photo content. Under applicable privacy laws (including GDPR Article 9 and CCPA/CPRA), this may be classified as sensitive personal information or special category data relating to sex life or sexual orientation.

By creating an account and using the Service, you explicitly consent to the processing of this sensitive data as described in this policy. You may withdraw this consent at any time by deleting your account.

9. Cookies and Local Storage

We use your browser's local storage for authentication tokens and user preferences (such as theme settings and notification dismissals). These are essential for the Service to function.

SubTasks sets first-party local storage entries for analytics session tracking. You may opt out of analytics tracking by contacting us at privacy@subtasksapp.com.

No advertising or third-party tracking cookies are used.

10. Children's Privacy

SubTasks is not intended for anyone under the age of 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a person under 18, we will delete that information and terminate the associated account. If you believe a minor is using our service, please contact us at privacy@subtasksapp.com.

11. International Data Transfers

SubTasks is operated from the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We rely on AWS's data processing agreements and standard contractual clauses for transfers from the European Economic Area. As a supplementary technical measure, all user-generated content is encrypted with AES-256-GCM at the field level before storage, meaning ciphertext (not plaintext) is what persists in our database.

12. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach. We will provide details about what data was affected, what we are doing to address the breach, and steps you can take to protect yourself.

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • The right to know what personal information we collect, use, and disclose
  • The right to delete your personal information
  • The right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information for advertising purposes
  • The right to limit the use of your sensitive personal information. We use sensitive personal information only to provide the Service as described in this policy
  • The right to non-discrimination for exercising your privacy rights

To exercise these rights, contact us at privacy@subtasksapp.com.

14. European Privacy Rights (GDPR)

If you are in the European Economic Area or United Kingdom, we process your personal data on the following legal bases:

  • Consent - for processing sensitive personal data (relationship dynamics, roles, intimate content) and analytics
  • Contract - for processing necessary to provide the Service you requested
  • Legitimate interest - for error monitoring and security

You have the right to access, rectify, erase, restrict processing, data portability, and to object to processing. You also have the right to lodge a complaint with your local data protection authority.

15. Changes to Privacy Policy

If we make material changes to this Privacy Policy, we will provide at least 30 days' advance notice via email and in-app notification before the changes take effect. For changes to how we process sensitive personal information, we will request your explicit consent.

16. Contact Us

If you have questions about this Privacy Policy or your data, please contact us at privacy@subtasksapp.com. We will respond within 30 days.