Privacy Policy

Last updated: March 30, 2026

What we collect

When you sign in (via Google, Apple, email code, or passkey), we receive and store your name, email address, and profile photo (where provided). We use these so your friends can recognise you in their groups.

If you enable phone notifications, we store your phone number (verified via SMS) to send you event updates. If you text our notification number before signing in, we create an unlinked phone record that is linked to your account when you visit the link we send back.

If you enable push notifications in your browser, we store the browser push token provided by your device. If you provide a custom notification email address, we store and verify it separately.

We store the content you create: groups, events, votes, comments, and availability patterns. This is the data that makes the app work.

If you vote as a guest on a shared event link, we store only the name you provide and your vote. No account or email is collected for guest votes.

How we use your data

Your data is used to run doings — showing your events, votes, and groups to the people you share them with. That's it.

  • We do not sell your data.
  • We do not show ads.
  • We do not build profiles for advertising or analytics.
  • We do not track you across other sites.

Who sees what

Group members see your name, photo, votes, and comments within their group.

Shared event links show event details and a summary of group votes (first names only) to anyone with the link. This is by design — when you or someone in your group shares an event link, the recipient can see who's in.

Link previews in messaging apps (iMessage, WhatsApp, Slack, etc.) show the event title, date, location, and price. No member names or votes are included in link previews.

Third-party services

doings uses the following services to operate:

  • Cloudflare — hosts the application, database, and runs the AI models used for parsing event details from text, links, and uploaded poster images (vision model for scanning event posters). Your data is processed on Cloudflare's infrastructure.
  • Google — for sign-in (OAuth 2.0) and Firebase Cloud Messaging (push notifications). Google receives your authentication request and device tokens; we receive your profile and the ability to send notifications to your browser.
  • Apple — for Sign in with Apple (OAuth 2.0). Apple receives your authentication request; we receive your profile in return.
  • Resend — delivers email notifications (event updates, sign-in codes, email verification codes) on our behalf. Resend receives your email address and the notification content.
  • Twilio — sends SMS messages for phone verification codes and inbound SMS handling. Twilio receives your phone number and message content.
  • Jina AI — when you paste a link while creating an event, we may send the URL to Jina's reader service to extract page content. The URL and page content are processed but not stored by Jina.

We do not use any analytics, advertising, or tracking services.

Cookies

doings sets one cookie: a session cookie that keeps you signed in. It is signed (HMAC-SHA256), cannot be read by JavaScript (httpOnly), and expires after 30 days. A temporary nonce cookie is also used during the OAuth sign-in process and is deleted immediately after.

We do not use tracking cookies, third-party cookies, or fingerprinting.

Data retention

Your data is kept as long as your account exists. If you leave a group, your votes and comments in that group remain (attributed to your name) unless the group is deleted.

Deleted events are removed from the database. Deleted groups are soft-deleted — the group name is obscured and the invite link is invalidated, but event data is retained for members' calendar history.

Email and SMS verification codes (OTPs) are stored temporarily (10-15 minutes) and deleted after use or expiry. Sign-in sessions are created with a 30-day expiry.

Push notification tokens and phone records are retained until you disable notifications or delete your account. Invalid push tokens are automatically removed when a notification fails.

Your choices

  • You can change your display name in your profile at any time.
  • You can leave any group you've joined.
  • You can disable push notifications through your browser settings, and remove your phone number or custom notification email from your profile.
  • You can sign out at any time, which deletes your session.
  • You can delete your account and all associated data from your profile page. This is immediate and permanent.

Contact

doings is built and operated by slepp. For privacy questions or account deletion requests, email hello@doings.ca.