Legal

Privacy Policy

Effective date: June 20, 2026  ·  Last updated: June 20, 2026

Defrag ("we," "us," or "our") operates the Defrag application and website at defrag.day (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data.

By using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

Account Information

When you create an account, we collect your email address and, optionally, your name, display name, and profile photo. If you sign in with Apple or Google, we receive basic profile information from those providers according to the permissions you grant.

If you enable phone-based authentication or SMS two-factor authentication, we collect your phone number.

Content You Create

The Service stores the content you actively enter, including:

  • Fragments (tasks, thoughts, and to-dos) and their priority, status, and timestamps
  • Focus session records (duration, associated task)
  • Mood check-ins
  • ADHD trigger logs and notes
  • Journal entries

This content is stored on your behalf to provide the Service and is not used for advertising.

Usage and Device Data

We automatically collect limited technical information when you use the Service, including your device type, operating system version, app version, and general error or crash information. This is used solely to maintain reliability and diagnose issues.

Payment Information

If you subscribe to a paid plan, payment is processed by Stripe. We do not store your full credit card number or payment card details — Stripe handles all payment data under their own privacy policy and PCI-DSS compliance program. We retain only non-sensitive billing information such as your subscription tier and renewal dates.

2. How We Use Your Information

  • Provide the Service — store and sync your fragments, sessions, moods, and journal entries across your devices.
  • Authentication — verify your identity when you sign in, including sending one-time passcodes via email or SMS.
  • Transactional communications — send account-related emails such as password resets, subscription confirmations, and important service notices. We do not send marketing emails without your opt-in consent.
  • Error tracking and reliability — diagnose crashes and technical issues using anonymized error reports.
  • Billing and subscriptions — manage your paid plan, renewals, and cancellations.
  • Legal obligations — comply with applicable laws and respond to lawful requests from authorities.

We do not sell your personal data. We do not use your content to train AI models. We do not display advertising.

3. Third-Party Service Providers

We share data with the following sub-processors only to the extent necessary to operate the Service:

  • Supabase — database, authentication, file storage, and real-time sync. Data is stored on servers in the United States.
  • Sentry — application error monitoring. Crash reports may include device metadata and anonymized stack traces.
  • Twilio — SMS delivery for one-time passcodes and MFA verification codes.
  • Resend — transactional email delivery (account confirmations, password resets).
  • Stripe — payment processing for Pro and Family subscriptions.
  • Apple / Google — optional third-party sign-in. Subject to Apple's and Google's respective privacy policies.

We do not share your data with any other third parties for marketing or analytics purposes.

4. Data Retention

We retain your account data and content for as long as your account is active. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or financial compliance reasons (e.g., billing records for up to 7 years).

You can export or delete your content at any time from within the app.

5. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — update inaccurate or incomplete information.
  • Deletion — request deletion of your account and associated data.
  • Portability — receive your data in a machine-readable format.
  • Objection / Restriction — object to or restrict certain processing activities.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at privacy@defrag.day. We will respond within 30 days. You will not be discriminated against for exercising your privacy rights.

California Residents (CCPA)

California residents have the right to know what personal information we collect, to delete it, and to opt out of its sale (we do not sell personal information). To make a request, contact privacy@defrag.day.

EEA / UK Residents (GDPR)

If you are located in the European Economic Area or United Kingdom, our legal basis for processing your data is performance of a contract (to provide the Service), compliance with legal obligations, and, where applicable, your consent. You have the right to lodge a complaint with your local data protection authority.

6. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it promptly.

7. Security

We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, row-level security on our database, and access controls limited to authorized personnel. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

8. International Data Transfers

Our infrastructure is primarily based in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. We rely on standard contractual clauses and other appropriate safeguards for international transfers where required by law.

9. Not Medical Advice

Defrag is a productivity and organization tool. It is not a medical device, clinical service, or substitute for professional ADHD treatment, therapy, or medical advice. Nothing in the Service constitutes medical advice. Always consult a qualified healthcare provider for medical guidance.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or via an in-app notice before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related questions or requests:

Email: privacy@defrag.day
Website: defrag.day/contact