Who RobinFocus is
RobinFocus is the controller for the personal data described in this notice when it decides why and how product data is processed. If you need privacy help, you can use the support page or contact RobinFocus at hello@robinfocus.app.
This notice is written for how RobinFocus works in practice: some parts of the product can run locally before sign-in, while other parts are deliberately backend-backed, public, collaborative, or paid.
Data RobinFocus handles
RobinFocus does not handle every category of data on every visit. What RobinFocus stores depends on which surfaces you use.
Account and profile data
If you sign in, RobinFocus can store your email address, user id, display name, handle, profile avatar choices, and account-facing settings.
Local workspace data
Timer state, task lists, planning notes, review notes, onboarding choices, and other workspace preferences can stay only on your device until you choose sign-in or sync-backed features.
Synced productivity and room data
When sync, rooms, or shared social features are used, RobinFocus can store focus history, room events, room membership state, follows, public profile snapshot data, and related audit or moderation records.
Billing and entitlement data
RobinFocus stores the minimum subscription and entitlement state needed to keep paid access accurate, including billing events, entitlement status, checkout attempts, and provider subscription identifiers.
Support and diagnostics data
Support requests can include reply email, message content, contextual notes, account linkage, browser or device note, referer URL, and user-agent details when those are needed to diagnose a problem.
Public and social surfaces
RobinFocus includes social and public-facing surfaces such as leaderboards, public profile snapshots, room presence, follows, and room activity. If you use those surfaces, other RobinFocus users can see the public parts of your profile, visible equipment or loadout, leaderboard-facing progress signals, room participation state, and similar social context needed for the feature to work.
RobinFocus does not intend those public surfaces to expose private planning notes, billing details, support records, or hidden account controls. Private planning and support surfaces stay with the account owner and authorized admin paths.
Why RobinFocus uses data
RobinFocus uses personal data for concrete product reasons rather than for vague "business purposes."
Contract
RobinFocus relies on contract necessity to provide the core product you ask it to run, including sign-in, timer functionality, sync-backed workspace behavior, rooms, paid access handling, and support requested through the service.
Legitimate interests
RobinFocus may rely on legitimate interests for service reliability, fraud prevention, moderation, abuse handling, security monitoring, admin audit trails, and troubleshooting that keeps the product stable and safe.
Consent
RobinFocus uses consent for optional attribution cookies and similar non-essential referral tracking. Optional connected surfaces that require you to click through and connect a third-party service are also started at your request.
Legal obligations
Billing, accounting, dispute handling, tax, security, and lawful response obligations can require RobinFocus to retain or disclose limited records where the law requires it.
Processors and connected services
RobinFocus uses a named set of processors and connected services rather than an open-ended vendor list. Some are core infrastructure for the hosted app, while others only receive data if you choose a paid, AI, referral, or connected-service feature.
This inventory names the services RobinFocus is configured to use today. Separate account-level paperwork such as vendor DPAs, subprocessor notices, or transfer annexes still has to be accepted and maintained by the RobinFocus operator where the vendor requires it.
Supabase
Role: Authentication, database, realtime, storage, edge functions, and synced product records
Data involved: Account identity, synced workspace state, room and social records, billing events, support intake records, observability logs, and server-side Ask Robin execution data.
When used: Whenever RobinFocus uses sign-in, backend-backed sync, rooms, public social surfaces, support intake, billing, admin tools, or the Ask Robin execution path.
Relationship: Supabase acts as RobinFocus's backend processor for product data stored through the hosted platform.
Transfer route: RobinFocus data may be processed through Supabase-hosted infrastructure and its subprocessors where the project, auth, database, realtime, or edge-function surfaces run.
Safeguards and limits: RobinFocus expects Supabase processing to sit under the provider's DPA and platform security controls. Product safety still depends on RobinFocus keeping row-level security, private schemas, and service-role access scoped correctly.
Vercel
Role: Application hosting, server rendering, API routes, deployment infrastructure, and optional analytics/performance observers
Data involved: Request metadata, deployment and runtime logs, and optional aggregated analytics or speed-insight data when those product flags are turned on.
When used: Whenever RobinFocus pages or API routes are served from the hosted app. Vercel Web Analytics and Speed Insights only run when their environment flags are explicitly enabled.
Relationship: Vercel acts as RobinFocus's hosting processor for the deployed web application.
Transfer route: Hosting and operational data may pass through Vercel infrastructure and its cloud subprocessors as part of the deployed application runtime.
Safeguards and limits: RobinFocus expects Vercel hosting to rely on the provider's DPA and listed subprocessors. Optional analytics remain configuration-dependent and are not treated as always-on product behavior.
PayPal
Role: Subscription checkout, payment processing, billing events, and subscription lifecycle management
Data involved: Checkout identifiers, subscription identifiers, payer email when provided, transaction amounts, and billing event metadata needed to honor entitlements.
When used: Only when a RobinFocus user starts or manages a paid subscription through the PayPal billing flow.
Relationship: PayPal receives payment-side data under its own payment terms and generally acts as an independent controller for the payment service it provides.
Transfer route: Payment and fraud data may move through PayPal's global payment infrastructure and service providers as part of the subscription transaction.
Safeguards and limits: RobinFocus keeps only the billing and entitlement records needed to reconcile paid access, while PayPal's own payment-side privacy notice governs the broader payment processing it performs.
Mistral AI
Role: Model provider for Ask Robin planning and coaching through RobinFocus's server-side edge-function path
Data involved: Scoped task titles, short notes excerpts, goal values, planning context, and request metadata sent only when a user asks RobinFocus for AI help.
When used: Only when Ask Robin is enabled, the user requests AI assistance, and the server-side provider secret is configured. RobinFocus keeps a deterministic local fallback when AI is unavailable.
Relationship: Mistral AI acts as the downstream AI processor behind RobinFocus's owned server-side Ask Robin execution surface.
Transfer route: Ask Robin prompt data leaves RobinFocus's Supabase edge function and is sent server-side to the configured Mistral API endpoint.
Safeguards and limits: RobinFocus keeps provider keys server-side and treats the provider contract, DPA, and transfer terms as account-level operational paperwork that must stay current outside the shipped frontend code.
RevShare
Role: Affiliate attribution reconciliation and referred sale reporting
Data involved: Referral codes, referrer origin when available, and server-side sale reports including transaction id, amount, currency, and customer id when available.
When used: Only after a visitor accepts attribution cookies and RobinFocus later reports a confirmed referred sale from the server-side billing webhook path.
Relationship: RobinFocus is the controller for first-party attribution storage and RevShare acts as a processor for referral reconciliation and sale reporting.
Transfer route: Referral and conversion data is processed through RevShare when RobinFocus sends a confirmed referred sale from the server-side billing webhook path.
Safeguards and limits: RobinFocus keeps referral capture same-origin, gates attribution behind an explicit attribution-cookie choice, and avoids loading RevShare's browser tracking script on product pages.
Slack
Role: Connected workspace install, channel browsing, test sends, and live room-update delivery
Data involved: Connected workspace identity, selected channel metadata, and the room-update or test-send content the user explicitly chooses to send.
When used: Only when a signed-in RobinFocus user connects Slack and chooses to use the connected delivery path.
Relationship: Slack receives the connected-workspace and message data needed to perform the requested delivery and then processes that data under Slack's own terms.
Transfer route: Connected message delivery can transfer user-selected content into Slack's systems and any regions Slack uses to provide the service.
Safeguards and limits: RobinFocus does not treat Slack as a required processor for the core timer product. The service only receives data after an explicit user connection and send action.
Google Tasks
Role: Optional task import, export, and list mapping for connected task workflows
Data involved: Selected task titles, notes, list mapping, completion state, and related account connection metadata needed for the chosen sync or export action.
When used: Only when a user connects Google Tasks and asks RobinFocus to read or send task data there.
Relationship: Google receives connected task data under its own service terms once the user authorizes the connection.
Transfer route: Connected task data can move through Google's infrastructure and any regions Google uses to provide the Tasks-connected experience.
Safeguards and limits: RobinFocus treats Google Tasks as an optional connected service, not as always-on infrastructure. No Google Tasks data is sent until the user authorizes that connection.
Todoist
Role: Optional task import, export, relinking, and reconciliation for connected task workflows
Data involved: Selected task titles, notes, priorities, project mapping, completion state, and the identifiers needed to keep linked tasks aligned.
When used: Only when a user connects Todoist and asks RobinFocus to import, export, or resync linked tasks.
Relationship: Todoist receives connected task data under its own service terms once the user authorizes the integration.
Transfer route: Connected task data can move through Todoist's systems and any regions Todoist uses to provide the requested sync or export path.
Safeguards and limits: RobinFocus treats Todoist as an optional connected service. The core timer and local planning features do not require Todoist to run.
When RobinFocus connects you to an external service at your request, that service may also act as its own controller for data it receives under its own terms and privacy practices.
International transfers
RobinFocus and its processors may process data outside your country. Because RobinFocus uses hosted infrastructure, payments, affiliate attribution, AI, and optional connected services, some processing can involve cross-border transfers.
Core product infrastructure
RobinFocus runs on hosted web and backend infrastructure, so account, sync, room, billing, support, and admin records may be processed outside a visitor's home country through Vercel and Supabase infrastructure.
Payments
Paid subscriptions use PayPal, which runs its own payment and fraud systems. Payment-side data may therefore move through PayPal's global payment infrastructure independently from RobinFocus's product database.
AI requests
Ask Robin requests go through RobinFocus's owned server-side execution path and, when enabled, onward to the configured Mistral API. RobinFocus keeps a local fallback precisely so AI is optional rather than required for the product to function.
Affiliate attribution
Referral attribution stays in RobinFocus first-party storage unless and until RobinFocus later reports a confirmed referred sale to RevShare from the billing webhook path.
Connected services
Slack, Google Tasks, and Todoist only receive data after a user explicitly connects the service and performs a connected action. Those services then process the data under their own terms and infrastructure footprint.
RobinFocus aims to rely on each provider's published privacy terms, DPA, and transfer mechanisms such as standard contractual clauses or equivalent contractual safeguards where those are offered. Separate account-level paperwork and vendor review still need to be maintained by the RobinFocus operator outside the shipped app code.
Retention
RobinFocus now uses named retention targets for the main product data categories rather than leaving retention as a generic promise to keep data "only as long as necessary."
Browser-only local workspace state
Target window: Until the visitor clears browser storage or resets the local workspace
Why: Local timer state, local task notes, onboarding state, and similar browser-only preferences can remain on the device until the visitor clears storage, resets the workspace, or signs in to use backend-backed sync instead.
Current cleanup mode: User-controlled browser storage
Account, profile, and synced productivity records
Target window: Account lifetime and target removal within 30 days after a verified deletion request
Why: Signed-in account identity, profile state, synced focus history, saved settings, and ordinary synced workspace records are kept while the account is active, then targeted for removal after a verified deletion request unless a narrower subset must be held for security, abuse prevention, or legal defense.
Current cleanup mode: Manual baseline with future automation target
Public profile, follows, room activity, and collaboration records
Target window: Account or room lifetime, then target review within 90 days after closure or deletion
Why: Room events, room membership state, social follow records, public profile snapshots, and moderation-linked room context can remain while the related room or account is active. After closure or deletion, RobinFocus targets review and cleanup within 90 days unless the record is needed for an abuse, moderation, or security investigation.
Current cleanup mode: Manual review baseline
Billing events, checkout attempts, and entitlement records
Target window: 7 years from the relevant transaction or longer if law, dispute, or fraud handling requires it
Why: Billing events, subscription identifiers, entitlement history, checkout attempts, and related financial audit fields are kept longer than ordinary workspace data because finance, tax, dispute handling, and fraud review need a longer audit trail.
Current cleanup mode: Long-form compliance retention
Support notes and privacy-rights requests
Target window: 24 months after closure, unless linked to an open legal, security, or abuse matter
Why: Support messages, device notes, reply-email context, and privacy-rights request records are kept long enough to manage follow-up, spot repeat issues, and show what RobinFocus did in response to the request.
Current cleanup mode: Manual review baseline
AI runs and operational observability logs
Target window: 30 days rolling unless a live reliability or security investigation requires a longer hold
Why: Ask Robin run records and operational observability events are intended to stay short-lived. Their main job is to help diagnose current failures, investigate abuse, and verify integrations rather than create a long-term profile of the user.
Current cleanup mode: Targeted rolling retention baseline
Affiliate attribution and referred sale records
Target window: 13 months from the attribution event or sale report, unless a commission dispute requires a longer hold
Why: Referral attribution should stay long enough to validate commissions, resolve payout or fraud disputes, and reconcile referred sales without keeping marketing attribution data indefinitely.
Current cleanup mode: Manual review baseline with future automation target
Connected service tokens, install handoffs, and pending integration records
Target window: Until disconnect, token expiry, or handoff expiry, with a 30-day cleanup target for stale records
Why: Connected integration state should expire or be removed when the user disconnects the service, the token expires, or the handoff record times out. RobinFocus targets stale integration records for cleanup within 30 days unless a shorter expiry already applies.
Current cleanup mode: Expiry-backed plus stale-record review
Admin approvals, step-up sessions, access grants, and security audit trails
Target window: 12 months from creation unless an incident or legal hold requires a longer audit trail
Why: Admin step-up records, security approvals, support grants, and related audit notes need a retained audit trail even after the live grant itself expires, so RobinFocus keeps those records longer than the temporary session they authorize.
Current cleanup mode: Audit retention baseline
These windows are RobinFocus's current retention targets, not a promise that every purge is already fully automated. Where cleanup is still manual or tied to expiry-backed product behavior, RobinFocus uses these windows as the operational review baseline until scheduled cleanup work is in place.
Your rights
Depending on where you live and the law that applies, you may have rights such as the following:
- Ask for access to the personal data RobinFocus holds about you.
- Ask for correction of inaccurate or incomplete personal data.
- Ask for deletion where RobinFocus no longer needs the data or must stop processing it.
- Ask for restriction or object to certain processing where applicable law gives you that right.
- Ask for portability of data you provided where portability applies.
- Withdraw consent for optional attribution cookies without affecting prior lawful processing.
RobinFocus does not yet provide a self-serve export or deletion control. For now, use the guided request links above, the support page, or email hello@robinfocus.app. RobinFocus may need to verify identity before completing a request and aims to respond within applicable legal timelines.
Security, breach response, and admin access
RobinFocus uses role-based admin and audit surfaces to limit who can inspect sensitive account, billing, room, support, or moderation data. Admin inspection is meant to be purposeful, temporary, and auditable rather than casual browsing.
Retention schedule with review dates
RobinFocus now has named retention targets for the main product data categories and should review those targets whenever a new data-heavy feature ships.
Processor and transfer inventory
Named processors, connected services, transfer routes, and safeguard notes should be kept in sync with the app's actual integrations, not left as generic legal placeholders.
Role-based admin access and step-up
Admin access should stay scoped, time-bounded where appropriate, and backed by step-up or grant flows so sensitive inspection is purposeful and auditable.
Privacy-rights intake workflow
Access, correction, export, and deletion requests should enter through a guided intake path so RobinFocus can verify identity, log the request, and prove what follow-up happened.
Incident and breach logging
RobinFocus should record personal-data incidents even when they are not reportable, document the risk assessment, and keep the follow-up steps visible for later review.
Vendor paperwork and review
DPAs, subprocessor notices, and transfer safeguards still need account-level maintenance outside the frontend repo. The product notice can describe them, but the operator still has to keep the paperwork current.
Personal-data incident baseline
Contain and preserve evidence
Stabilize the affected surface first: stop the leak, revoke or expire access where needed, preserve logs, and avoid destroying evidence that will be needed for later review.
Assess scope and risk quickly
Identify what personal data was involved, how many people may be affected, what systems or processors were involved, and whether the incident creates a risk to people's rights and freedoms.
Record the incident even if it is not reportable
Create an internal incident log entry with the timeline, systems touched, categories of personal data involved, and the immediate containment measures taken.
Decide on escalation and notification
If the breach may be reportable, escalate immediately so RobinFocus can assess supervisory-authority notification and any required affected-user notice within the GDPR's 72-hour window.
Coordinate with processors
Where a processor or connected service was involved, pull the provider's logs, support channels, and contractual notice path into the response without waiting until the end of the investigation.
Close the loop
Document the root cause, the fix, the data-protection impact, and the lessons learned so the same issue does not stay as a silent repeat risk.
No product can promise perfect security. RobinFocus tries to reduce risk through authenticated server-side flows, auditable admin actions, and limited data sharing with optional processors, but you should still avoid storing secrets in general planning or AI prompt surfaces.
If RobinFocus discovers a personal-data breach that may create a risk to people, the goal is to assess, log, and escalate it immediately so any required supervisory-authority notification can still be considered within the GDPR's 72-hour window.
RobinFocus does not intentionally use solely automated decisions that produce legal or similarly significant effects about you in the ordinary course of the service.