Willow Privacy Policy
Last updated: 25 June 2026
This Privacy Policy explains what personal data Willow collects, why we collect it, how we look after it, and the choices and rights you have. We have tried to write it in plain language. If anything is unclear, please email us at support@willow-day.com.
Willow ("Willow", "we", "us", "our") is a habit and day-planning app available at willow-day.com.
Quick summary
- We collect the information you give us (your account details and the habits, tasks and notes you create), plus a small amount of technical data needed to run the service.
- Your data is stored in the European Union.
- We do not sell your personal data, and we do not use it for advertising.
- We never see your card details; payments are handled by Stripe.
- Calendar access (if you choose to connect one) is read-only, and the access tokens are encrypted.
- Our website analytics are cookieless and do not track you across other sites.
- You can ask us to access, correct, export or delete your data at any time by emailing support@willow-day.com.
This summary is for convenience only. Please read the full policy below for the complete picture.
1. Who is responsible for your data
The data controller responsible for your personal data is:
Barbara Konopka, conducting business as Barbara Konopka Usługi Informatyczne, a sole proprietorship (jednoosobowa działalność gospodarcza) registered in Poland.
NIP:
[NIP]Registered address:[business address]Contact: support@willow-day.com
If you are in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) applies to the processing of your personal data, and Polish law governs this policy. If you are a California resident, please also see Section 13.
2. The information we collect
2.1 Account and profile information
When you create an account and use Willow, we collect and store:
- Email address (used to sign in and to send you essential account emails).
- Password, stored only as a salted cryptographic hash (PBKDF2). We never store your password in readable form and cannot recover it for you.
- Optional profile details you choose to add: a display name, your first and last name, your time zone, your typical waking hours, and a home address.
- Account timestamps: when you joined and when you last signed in.
Your home address, if you provide one, is used only to estimate travel time to a planned activity. When such an estimate is generated, your starting location and destination are sent to the Google Maps Directions API for that calculation.
2.2 The habits, tasks and content you create
This is the core of what Willow stores on your behalf so it can plan your day and track your progress:
- Habits and tasks: names, descriptions, categories, colours, expected durations, preferred time windows, locations, recurrence rules and deadlines.
- Completions and tracking: when you complete or skip something, how long it took, and any notes you write.
- Categories and time targets, reserved time blocks, and timer activity.
- Generated schedule data: the time slots Willow computes to place your habits and tasks during the day.
This content is created by you, for your own use. Please see Section 2.6 about sensitive information.
2.3 Calendar information (only if you connect a calendar)
Willow can show your external calendar events alongside your plan, so it can schedule around them. Connecting a calendar is optional. If you do:
- Google Calendar (OAuth): we request read-only access (scopes
openid,email, andhttps://www.googleapis.com/auth/calendar.readonly). We store your Google account email and your OAuth access and refresh tokens. The tokens are encrypted at rest. We read your calendar list and the events in the date ranges Willow needs, and cache the resulting event details (such as title, start and end time) to display them. We do not write to, change or delete anything in your Google Calendar. - iCal / ICS feeds: if you subscribe Willow to a calendar feed URL, we store that URL and cache the events it contains so we can show them.
We do not publish your Willow data outward as a calendar feed. The flow is one-way: Willow reads your calendars, it does not export to them.
2.4 Payment and billing information
Payments and subscriptions are handled by Stripe. Stripe collects and processes your card details directly. We never receive or store your full card number or security code.
What we do store is limited subscription information: your Stripe customer ID, your subscription status (for example trialing, active or canceled), your plan tier, and your current billing period end date. We use this only to know what features your account can access.
2.5 Technical and usage information
- Authentication tokens: to keep you signed in, Willow stores access and refresh tokens in your browser's local storage. For the admin area we use standard session and CSRF cookies.
- Website analytics: we use Cloudflare Web Analytics, which is cookieless and does not fingerprint you or track you across other websites. It records aggregate page views and referrers. See Section 6.
- Error and security logs: when something goes wrong, our servers log technical error information so we can diagnose and fix problems. By default these logs do not include your IP address or the contents of your requests.
2.6 Sensitive information
Willow lets you write whatever you like into habit names, task descriptions and notes. Some people record things that could be considered sensitive, for example anything relating to health, medication, therapy or wellbeing. Under GDPR this can be "special category" data.
You provide any such information voluntarily, and by entering it you ask us to store and process it solely to provide the service to you. We do not analyse it, profile you, or use it for any other purpose. If you would rather not have sensitive details stored, please avoid entering them.
3. How and why we use your information
We only process your personal data where we have a legal basis to do so under GDPR. The table below sets out what we do and why.
| What we do | Why | Legal basis (GDPR Art. 6) |
|---|---|---|
| Create and run your account; store and display your habits, tasks, notes and schedule | To provide the service you signed up for | Performance of a contract (Art. 6(1)(b)) |
| Read and display your connected calendars | To provide the calendar feature you chose to enable | Performance of a contract; your consent for the Google connection |
| Process subscriptions and payments via Stripe | To provide paid features and manage billing | Performance of a contract; legal obligation for invoicing and tax records |
| Send essential account emails (verification, password reset) | To secure and operate your account | Performance of a contract; legitimate interests |
| Keep the service secure, diagnose errors, prevent abuse | To keep Willow working and protect users | Legitimate interests (Art. 6(1)(f)) |
| Measure aggregate, cookieless website usage | To understand and improve the service | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal and accounting obligations | Because the law requires it | Legal obligation (Art. 6(1)(c)) |
Where our basis is legitimate interests, we have considered your rights and interests and you can object at any time (see Section 12).
4. Cookies and local storage
Willow uses as little browser storage as possible:
- Authentication tokens in local storage, so you stay signed in. These are essential to the service.
- A dashboard cache in local storage, so the app loads quickly. It holds your habits, tasks and categories, not detailed records, and never leaves your device.
- Admin session and CSRF cookies, used only for the administrative back end.
- An analytics opt-out flag in local storage, set only if you choose to opt out (see Section 6).
We do not use advertising cookies or cross-site tracking cookies. Because our analytics are cookieless and the storage above is strictly necessary, Willow does not show a cookie consent banner.
5. Analytics
We use Cloudflare Web Analytics to understand how many people visit and which pages they use. It is privacy-first: it does not use cookies, does not fingerprint your device, and does not build a profile of you. It collects aggregate information such as page views and referring sites.
If you prefer not to be counted, you can disable the analytics beacon on a given device by setting willow_no_analytics to 1 in your browser's local storage.
6. Google Calendar data and Limited Use disclosure
Willow's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We request read-only access to your Google Calendar and use it only to display your events inside Willow so we can plan around them.
- We do not transfer Google user data to others except as necessary to provide or improve this feature, to comply with the law, or as part of a merger that you are notified of.
- We do not use Google user data for advertising.
- We do not allow humans to read your Google data, except with your explicit consent for support, where required by law, or in aggregated and anonymised form for operations and troubleshooting.
You can disconnect Google Calendar at any time from within Willow, or revoke access in your Google account permissions. When you disconnect, we delete the stored tokens.
7. How we share your information
We do not sell your personal data and we do not share it for advertising. We share data only with the service providers (sub-processors) that help us run Willow, and only as needed to provide the service. Each provider is bound to protect your data and use it only on our instructions.
| Provider | Purpose | Data involved | Location and safeguard |
|---|---|---|---|
| Neon | Database hosting | All your account and app data | European Union |
| Google Cloud (Cloud Run, Cloud Tasks, Secret Manager) | Application hosting and background jobs | All data in transit; encrypted secrets | EU region; EU-US Data Privacy Framework / SCCs for any transfer |
| Stripe | Payment processing | Card details (held by Stripe), customer ID, subscription status | USA; EU-US Data Privacy Framework / SCCs |
| Google Calendar API | Read-only calendar sync | OAuth tokens, calendar events | EU-US Data Privacy Framework / SCCs |
| Google Maps Platform | Travel-time estimates | Start and destination location for a planned activity | EU-US Data Privacy Framework / SCCs |
| Resend | Sending account emails | Your email address and the email content | USA; Standard Contractual Clauses |
| Cloudflare | Cookieless website analytics | Aggregate page-view data | Global; EU-US Data Privacy Framework / SCCs |
| Sentry (only if enabled) | Error monitoring | Technical error data, without personal identifiers by default | USA; Standard Contractual Clauses |
We may also disclose personal data if required by law, to protect our rights or the safety of users, or in connection with a business transfer (such as a merger or acquisition), in which case we will notify you.
8. International data transfers
Your data is stored in the European Union. Some of the providers listed above are based in, or may process limited data from, countries outside the EEA, primarily the United States. Where that happens, the transfer is protected by an appropriate safeguard under GDPR, namely the provider's certification under the EU-US Data Privacy Framework and/or the European Commission's Standard Contractual Clauses. You can ask us for more detail using the contact in Section 17.
9. How long we keep your data
- Account and app data: we keep it for as long as your account exists. If you ask us to delete your account, we remove your personal data within 30 days, except where we must keep some of it to meet a legal obligation.
- Billing and invoice records: retained for the period required by Polish accounting and tax law (currently five years from the end of the relevant tax year). Stripe also retains payment records under its own policy.
- Calendar tokens and cached events: kept while the connection is active, and deleted when you disconnect that calendar or delete your account.
- Error and security logs: kept for a short period (around 30 days) and then discarded.
- Backups: data you delete may persist in encrypted backups for a limited time before those backups are overwritten.
10. How we protect your data
We take security seriously and use measures appropriate to the data we hold, including:
- Encryption of all data in transit (HTTPS).
- Passwords stored only as salted PBKDF2 hashes.
- Calendar OAuth tokens encrypted at rest.
- Secrets stored in a dedicated secret manager, not in code.
- Data residency in the European Union, with access limited to what is necessary to operate the service.
No method of storage or transmission is completely secure, but we work to protect your data and to address any issues promptly.
11. Account deletion, access and export
Willow does not yet offer a self-service "delete my account" or "export my data" button. Until it does, you can exercise these rights simply by emailing support@willow-day.com, and we will action your request manually and without charge. When we delete your account, all associated data (habits, tasks, completions, categories, calendar connections, settings and billing profile) is removed from our database.
12. Your privacy rights (EEA and UK)
If you are in the EEA or the UK, you have the right to:
- Access the personal data we hold about you.
- Rectify data that is inaccurate or incomplete.
- Erase your data ("right to be forgotten").
- Restrict or object to certain processing, including processing based on legitimate interests.
- Data portability: receive your data in a structured, commonly used, machine-readable format.
- Withdraw consent at any time, where we rely on consent (for example, your Google Calendar connection). This does not affect processing carried out before withdrawal.
To exercise any of these rights, email support@willow-day.com. We will respond within one month. There is no charge for a reasonable request.
You also have the right to lodge a complaint with a supervisory authority. In Poland this is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO), uodo.gov.pl. You may also contact the authority in your country of residence.
13. Your California privacy rights (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, to access and delete it, to correct it, and to not be discriminated against for exercising these rights.
We do not sell your personal information, and we do not share it for cross-context behavioural advertising.
In the past 12 months we have collected the following categories of personal information, as defined by the CCPA: identifiers (such as your email address), customer records (such as your name and billing status), commercial information (your subscription), internet or network activity (aggregate analytics), and the content you create in the app. We collect these for the business purposes described in Section 3 and share them only with the service providers in Section 7.
To exercise your California rights, email support@willow-day.com. We will not discriminate against you for doing so.
14. Automated scheduling
Willow automatically arranges your habits and tasks into time slots during your day. This is a convenience feature to help you plan. It does not make any decision that produces a legal or similarly significant effect on you, and you remain free to change, pin or ignore any suggested time.
15. Children's privacy
Willow is not directed at children. You must be at least 16 years old to use Willow. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.
16. Changes to this policy
We may update this policy from time to time, for example if we add a feature or change a provider. When we make a material change, we will update the "Last updated" date above and, where appropriate, notify you by email or within the app. Please review it periodically.
17. How to contact us
For any privacy question or request, or to exercise any of your rights, contact:
Barbara Konopka Usługi Informatyczne Email: support@willow-day.com