Privacy Policy

Last updated: March 29, 2026

This policy explains what data Wardesk collects, why we collect it, and how we protect it. We wrote it in plain language because you deserve to understand what happens with your information.

Wardesk is operated by Wardesk OÜ, a company registered in the Republic of Estonia (EU). Because we are based in the European Union, the General Data Protection Regulation (GDPR) applies to all data we process, regardless of where you are located.

Under GDPR Article 6, we process your data on the following legal bases: performance of contract (providing the service you signed up for), legitimate interest (improving the product, preventing abuse), and consent (for optional features like AI-powered briefings, which you can choose not to use).

What we collect

When you create an account, we collect your email address and display name. These are required to identify your account and personalize your experience.

When you use Wardesk, we store the data you create: projects, tasks, milestones, weekly reviews, goals, and context notes. This is your content and it lives in your account.

We also collect basic usage data to keep the product working and improve it over time. This includes things like which features you use, how often you log in, and your device type. We do not track you across other websites.

We do not collect: your real name (unless you choose it as your display name), your location, your contacts, your calendar data, or any biometric information.

AI features and your data

Wardesk includes an AI advisor called The General, powered by Google Gemini. When you use The General, we send a snapshot of your project data (tasks, deadlines, progress, goals) to Google's API to generate personalized advice.

This data is sent only when you actively use AI features. It is not stored by Google beyond the time needed to generate a response. We do not use your data to train AI models, and we require the same commitment from our AI providers.

How we use your data

We use your data for three purposes: to run the product (storing your projects, generating briefings, calculating XP), to improve the product (understanding which features are used and where things break), and to communicate with you (account-related emails like password resets). That's it.

We do not sell your data to anyone. We do not share it with advertisers. We do not use it for profiling or behavioral targeting.

Where your data lives

Your data is stored in Supabase (built on PostgreSQL), hosted on infrastructure within the European Union. Supabase maintains SOC 2 compliance and encrypts data at rest and in transit.

Sub-processors

We use the following third-party services to operate Wardesk:

Supabase — Database hosting, storage, and authentication (EU region)

Google Gemini API — AI features (The General)

Each sub-processor is bound by a Data Processing Agreement. We will update this list if we add new sub-processors and notify users of significant changes.

International data transfers

Your primary data is stored in the EU via Supabase. When you use The General's AI features, project data is sent to Google's Gemini API, which may process it on servers outside the European Economic Area.

These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, and by the EU-US Data Privacy Framework where applicable. We maintain Data Processing Agreements with all sub-processors.

Your rights under GDPR

As an EU-based service, we respect all rights granted by GDPR. You can:

Access your data at any time through the app or by contacting us.

Export your data in a portable format.

Correct any inaccurate information in your account.

Delete your account and all associated data permanently.

Restrict or object to certain types of processing.

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated. In Estonia, the supervisory authority is the Data Protection Inspectorate (Andmekaitse Inspektsioon).

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

Cookies

Wardesk uses only essential cookies required to keep you logged in and remember your preferences (like your selected theme). We do not use advertising cookies, tracking cookies, or third-party analytics cookies.

Data retention

We keep your data for as long as your account is active. If you delete your account, we permanently remove all your data within 30 days. Backup copies are purged within 90 days.

If your account is inactive for more than 12 months, we may send you a reminder email. We will not delete inactive accounts without notice.

Data breach notification

In the event of a personal data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay.

Children

Wardesk is not intended for anyone under the age of 16. We do not knowingly collect data from children. If you believe a child has created an account, please contact us and we will remove it promptly.

Changes to this policy

If we make meaningful changes to this policy, we will notify you by email or through the app at least 14 days before the changes take effect. Minor clarifications or formatting changes may be made without notice.

Contact

If you have questions about this policy or how your data is handled, reach out to us at [email protected].

Wardesk OÜ

Tallinn, Republic of Estonia

Registry code: [To be assigned upon incorporation]