Privacy Policy
Last updated: 23 April 2026
Reckon is operated by Carrotly Pte. Ltd., a company incorporated in the Republic of Singapore ("Reckon", "we", "us", "our"). This policy explains how we collect, use, share, and protect personal data. It is written to satisfy our obligations under Singapore's Personal Data Protection Act 2012 ("PDPA"), the EU General Data Protection Regulation 2016/679 and the UK GDPR (collectively "GDPR"), and the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA").
1. Summary
- We never sell your personal data. We do not run advertising.
- Task content (titles, notes, dates) stays in Notion. Our servers proxy API calls; they do not persist your task data.
- Notion OAuth tokens are AES-256-GCM encrypted at rest.
- You can disconnect your workspace and delete your account at any time. We honour deletion within 60 seconds for tokens and 30 days for residual logs.
- Contact us at hello@usereckon.com for any privacy request.
2. Data controller and contact
The data controller for the purposes of GDPR, and the organisation responsible under the PDPA, is Carrotly Pte. Ltd. (UEN: TODO: insert UEN), registered office TODO: insert registered office address, Singapore. You can reach our privacy contact (also our Data Protection Officer for PDPA purposes) at hello@usereckon.com.
We do not currently meet the thresholds that require an EU or UK representative under Article 27 GDPR. If that changes we will update this section.
3. Categories of data we collect
| Data | Purpose | Lawful basis (GDPR) |
|---|---|---|
| Notion account email address | Identify the linked Notion workspace and communicate service notices | Contract (Art. 6(1)(b)) |
| Notion OAuth access & refresh tokens (AES-256-GCM encrypted at rest) | Make Notion API calls on your behalf to read and write tasks | Contract (Art. 6(1)(b)) |
| Apple Push Notification Service (APNS) device tokens | Deliver real-time sync notifications to your devices | Contract (Art. 6(1)(b)) |
| Operational API logs (timestamps, HTTP status codes) | Service reliability, debugging, security monitoring | Legitimate interests (Art. 6(1)(f)) |
| Crash reports and diagnostic traces (Sentry) | Detect and fix crashes or unhandled errors. Personal identifiers and task content are scrubbed before submission. | Legitimate interests (Art. 6(1)(f)) |
| Pseudonymous product-usage events (PostHog): app opens, feature activations, performance timings | Understand which features are used so we can improve the product. Events are keyed to a random device ID, never your Notion account or email, and never include task content. | Legitimate interests (Art. 6(1)(f)) |
| Session cookie (httpOnly, first-party) | Maintain your authenticated web session | Strictly necessary — no consent required |
We do not sell or share your data for targeted advertising, run profiling with legal or similarly significant effects, or use your task content to train AI models.
4. How we use your data
We use personal data only for the purposes listed in the table above. Specifically:
- To deliver the Reckon service you signed up for
- To communicate with you about service notices, security updates, and account changes
- To diagnose, prevent, and fix technical issues
- To detect, investigate, and prevent fraud, abuse, or violations of our terms
- To meet legal obligations under applicable law
We do not use your data for automated decision-making that produces legal or similarly significant effects on you (GDPR Art. 22). We do not engage in profiling.
5. International transfers
Reckon is operated from Singapore. Personal data may be processed in Singapore, the United States (for hosting and crash diagnostics), and the European Union (for some PostHog infrastructure). Where we transfer personal data of EU or UK residents outside the EEA/UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supplemented by technical measures including TLS in transit and encryption at rest. For PDPA transfers we ensure each recipient is bound to a standard of protection comparable to the PDPA.
6. Third-party service providers (sub-processors)
The following providers process personal data on our behalf:
- Notion Labs, Inc. (USA) — your tasks and workspace data are accessed via the Notion API at your request
- Vercel Inc. (USA) — web hosting and edge delivery
- Microsoft Azure (Singapore region) — PostgreSQL database and Redis cache for encrypted tokens and rate-limit state
- Apple Inc. (USA) — APNS endpoint receives device tokens to deliver push notifications
- Functional Software, Inc. d/b/a Sentry (USA) — receives scrubbed crash reports and diagnostic traces
- PostHog Inc. (USA, EU) — receives pseudonymous product-usage events keyed to a random device ID
The canonical list (with regions and processing purposes) is published at /sub-processors. Each provider is contractually bound to protect personal data to a standard no less stringent than the PDPA and (where relevant) the GDPR.
7. Data retention
- OAuth tokens — deleted within 60 seconds of disconnecting your workspace or deleting your account
- APNS device tokens — removed when you sign out or uninstall the app
- API logs — retained for 90 days, then automatically purged
- Sentry crash reports — retained for 90 days
- PostHog usage events — retained for 12 months
- Email address — deleted when you delete your account
- Backups — encrypted backups are retained for 30 days after the underlying record is deleted, then expire automatically
8. Your rights — PDPA (Singapore)
Under the PDPA, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Withdraw consent by disconnecting your workspace or deleting your account
- Data portability — request a machine-readable copy of your personal data for transfer to another service
If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission of Singapore at www.pdpc.gov.sg.
9. Your rights — GDPR (EU/EEA & UK)
If you are in the EU, EEA, or UK, you have the right to:
- Access your personal data (Article 15)
- Rectification of inaccurate data (Article 16)
- Erasure ("right to be forgotten") (Article 17)
- Restriction of processing (Article 18)
- Data portability (Article 20)
- Object to processing based on legitimate interests (Article 21)
- Withdraw consent at any time where processing is based on consent — this does not affect the lawfulness of processing before the withdrawal
- Lodge a complaint with your local supervisory authority. For UK residents this is the Information Commissioner's Office (ICO) at ico.org.uk.
10. Your rights — CCPA/CPRA (California)
If you are a California resident, you have the right to:
- Know what personal information we collect, the sources, the purposes, and the categories of third parties we share it with (the disclosures in sections 3, 4, and 6 above satisfy this notice obligation)
- Delete your personal information, subject to certain exceptions
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information — we do not sell or share personal information as defined by the CCPA, so there is nothing to opt out of
- Limit the use of sensitive personal information — we do not collect sensitive personal information for purposes that would require this right
- Non-discrimination — we will not deny service, charge different prices, or provide a different level of service for exercising any of these rights
We have not sold or shared personal information, and we have not disclosed personal information for a business purpose other than to the sub-processors listed in section 6 and at /sub-processors, during the 12 months preceding the date of this policy.
To exercise any CCPA/CPRA right, email hello@usereckon.com. We may need to verify your identity using the email address or device associated with your Reckon account. Authorised agents may submit requests on your behalf with written authorisation.
11. Children's data
Reckon is not directed to children under 13 (under 16 in the EEA/UK). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
12. Cookies
We use a single first-party, httpOnly session cookie that is strictly necessary to maintain your authenticated session. We do not use analytics, advertising, or third-party tracking cookies on this website. The full breakdown is at /cookies.
13. Security
We protect personal data with technical and organisational measures, including encryption in transit (TLS 1.2+) and at rest (AES-256-GCM for OAuth tokens), least-privilege access, secret management, dependency scanning, and audit logging. Our security overview is at /security. To report a vulnerability, email hello@usereckon.com.
14. Data breach notification
In the event of a personal data breach that is likely to result in significant harm, we will (a) notify the PDPC within 3 calendar days of our assessment and notify affected individuals as soon as practicable, in accordance with the PDPA; and (b) notify the competent supervisory authority within 72 hours and affected individuals without undue delay where required by GDPR Articles 33 and 34.
15. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via an in-app notice or email at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.
16. Contact
For any privacy request — access, correction, deletion, portability, objection, or a complaint — email hello@usereckon.com. We will respond within 30 days.