Privacy Policy

Your privacy is important to us. This policy explains how we collect, use, and protect your information when you use asktodo.ai and its AI productivity tools, resume builder, and email outreach platform.

Last updated: May 18, 2026 | Effective Date: May 18, 2026

1. Company Information

Service Provider: asktodo.ai

Operating jurisdiction: Karnataka, India

Website: https://asktodo.ai

Contact / Data Protection inquiries: hi@asktodo.ai

asktodo.ai provides AI-powered productivity tools, a resume builder, and a self-service email outreach platform. We are based in India and do not actively target the European Economic Area, but EU/EEA residents who choose to use the service retain the data-protection rights described in this policy.

2. Information We Collect

2.1 Account Data

Authentication is provided by Supabase Auth. When you register, we collect:

  • Sign-in identifier: Email address (and, if you sign in with Google or GitHub OAuth, your provider profile email and display name)
  • Credentials: Password is never stored in plaintext — Supabase hashes it server-side
  • Profile: Optional name, avatar, preferences, language and theme settings
  • Onboarding answers: The reason you signed up and your primary tool category, stored in user_data_storage to personalize the dashboard

2.2 Billing Information

Subscriptions and credit purchases are processed by Razorpay (which exposes multiple payment methods including cards, UPI, net-banking, and PayPal). We log:

  • Transaction IDs, plan, amount, currency, status, and timestamps
  • Subscription events (created, charged, paused, cancelled)
  • Razorpay customer ID and subscription ID

We do not store raw card numbers, CVV, or full bank account details — those remain with Razorpay.

2.3 First-Party Telemetry (Dashboard)

The authenticated dashboard runs only first-party server-side telemetry — no Google Analytics, no third-party trackers. We record:

  • Sessions: Login start/end, device hash, IP-region (country level), browser family
  • Activities & navigation: Pages visited, tools opened, buttons clicked (coarse stream)
  • Tool usage: Every AI tool invocation is logged to a centralized history table with tool name, credits used, input length, output length, success/failure
  • Performance & errors: Response times, error messages, and stack traces for debugging

This telemetry is operational — it is what powers your usage history, credit accounting, security monitoring, and platform reliability. It is not shared with any third party.

2.4 Tool Inputs & Outputs

When you use any of our AI tools (we operate over thirty), the prompts you submit and the responses you receive are stored in a centralized history table so you can review past generations and so we can accurately bill credits. Inputs and outputs are tied to your user ID and stored encrypted at rest.

2.5 Files You Upload

  • Resume builder: Resume content (JSON), profile photos, exported PDFs/DOCX/LaTeX — stored in Supabase Storage buckets resume-exports and resume-images
  • Background removal: Original and processed images — stored in the background-removal bucket
  • General AI tools: PDF / DOCX / TXT uploads (when you choose to save them) — stored in the tool-files bucket
  • Email outreach: Campaign attachments and CSV contact imports — stored in the email-outreach bucket
  • Avatars: Your profile picture — stored in the avatars bucket
  • Feedback: Screenshots attached to feedback submissions

Buckets are private by default with row-level security restricting access to the owning user; only avatars, blog images, and resume templates are publicly readable.

2.6 Connected Email Accounts (Outreach)

If you use the email outreach platform, you may connect a Gmail account (via OAuth) or any custom SMTP server. We store:

  • Your OAuth refresh + access tokens, encrypted at rest, scoped to send-only
  • Custom SMTP credentials (host, port, username, password), encrypted at rest
  • The account email and display name returned by the provider

What we do not do: We do not read your inbox. We do not access mail you have already received. The OAuth scope we request is the minimum needed to send messages on your behalf. (We do not currently support Microsoft Outlook integration.)

2.7 Technical Data

  • Device: Browser family, operating system, viewport size
  • Network: IP address (truncated to country/region for analytics; raw IP retained 24 h for abuse detection)
  • Security logs: Authentication events, rate-limit hits, suspicious-input flags, brute-force attempts

3. Third-Party Contact Data Processing (Outreach Tool)

When you use the email outreach platform you may upload CSV files or paste contact lists containing third-party personal data (names, email addresses, company, role, custom fields).

Our role: asktodo.ai acts strictly as a Data Processor in respect of your uploaded contact lists. You are the Data Controller.

What this means:

  • We do not sell, rent, share, or transfer your uploaded contacts to any third party.
  • We do not use your uploaded contacts for our own marketing, prospecting, or product development.
  • We do not expose your contacts to other users of the platform.
  • Your contacts are tagged with your user ID and isolated by row-level security.
  • You retain full ownership and can export or delete them at any time.

Sending: All campaign emails are dispatched directly through the Gmail OAuth account or custom SMTP server you connect. We do not relay messages through any third-party Email Service Provider (ESP) on your behalf.

You warrant that you have a lawful basis to process every contact you upload (consent, contract, or legitimate interest) and that you will honor unsubscribe requests promptly. The legal responsibility for the contact data itself rests with you as the controller — see our Terms of Service.

4. Legal Basis for Processing

We process your personal data on the following legal grounds (GDPR Article 6, DPDP Section 7, equivalents in other jurisdictions):

  • Contract performance: To provide the AI tools, process payments, manage your account, and deliver outreach campaigns
  • Legitimate interest: To improve our service, prevent fraud and abuse, and ensure platform security
  • Consent: For non-essential cookies, optional marketing communications, and any feature explicitly gated behind an opt-in
  • Legal obligation: To comply with applicable laws, regulations, tax requirements, and binding legal process

5. AI Processing — What Happens to Your Inputs

When you submit a prompt to any AI tool, the request is sent to Groq, a high-speed inference provider that runs open-source language models on our behalf. Groq processes the input, returns a response, and we relay it back to you.

Our absolute commitment:

  • We do not use your inputs or outputs to train any AI model — ours or any third-party's.
  • We do not share your prompts with any party other than the inference provider strictly needed to compute the response.
  • We do not read, monetize, or analyze your generated content beyond the operational logs needed to bill credits and prevent abuse.
  • Aggregated, fully anonymized usage statistics (e.g. total prompts processed per month) may be published for marketing — never the underlying content.

Inputs and outputs are stored in your private history (Section 2.4) so you can revisit past generations. You can delete any history item at any time.

6. How We Use Your Information

6.1 Service Provision

  • Provide AI tool responses, content generation, and resume drafting
  • Process and respond to your requests
  • Manage your account, subscription, and credits
  • Process payments and issue receipts via Razorpay
  • Provide customer support

6.2 Service Improvement

  • Analyze aggregated, anonymized usage patterns to identify popular tools and broken flows
  • Develop new features and tools
  • Optimize platform performance and credit cost calibration
  • Process contact imports and run automated field mapping
  • Generate AI-powered email content suggestions inside the outreach builder
  • Maintain unsubscribe and suppression lists per user

6.3 Communication

  • Send service-related notifications (account changes, billing receipts, security alerts)
  • Respond to support requests
  • Send marketing communications (only with your consent — you can opt out anytime)
  • Notify you of material policy changes

6.4 Security & Abuse Prevention

  • Detect and block brute-force, credential-stuffing, scraping, and suspicious-user-agent traffic
  • Rate-limit per IP / per user to protect the platform
  • Automatically scan outgoing email-campaign content for known spam, scam, phishing, and malware patterns — campaigns matching those patterns may be paused for review
  • Comply with legal obligations and protect our rights

7. Data Retention

We retain your data only as long as needed for the purposes above:

  • Account data: Until account deletion + 30 days for backup recovery
  • Generated content (tool history): Until you delete it, or until account deletion
  • Usage analytics: 24 months for service improvement, then aggregated/anonymized
  • Payment records: 7 years for tax, accounting, and statutory compliance (India retention norms)
  • Support communications: 3 years
  • Security logs: 12 months
  • Email campaign analytics (open/click counts): 365 days
  • Email queue jobs: 30 days after completion
  • Suppression lists (per-user): Retained indefinitely so unsubscribed contacts are never re-contacted
  • Temporary processing files: 24 hours

8. Account Deletion — Full Data Erasure

You can delete your account from Dashboard → Settings → Delete Account. You will be asked to type DELETE MY ACCOUNT to confirm.

On deletion, the platform performs the following automatically:

  • Cascading delete across 30+ database tables — activities, sessions, navigation, errors, performance, chat, history, credits, transactions, payment orders, subscriptions, resumes, preferences, audit logs, security events, and outreach data
  • Active Razorpay subscriptions are cancelled immediately (no further charges)
  • All your files in every Supabase Storage bucket (resume exports, resume images, background-removal images, tool uploads, outreach attachments, CSV imports, avatars, feedback screenshots) are permanently purged within 30 days
  • The authentication record in Supabase Auth is removed

Irreversibility: Account deletion is permanent. After 30 days the residual backup window also expires and the data is non-recoverable. We cannot restore a deleted account.

9. Account Inactivity

To minimize the personal data we retain, we reserve the right to delete accounts that remain inactive for 24 or more consecutive months. Before any deletion we will:

  • Email the registered address at least 30 days in advance
  • Provide a one-click reactivation link in that email
  • Only delete if the account is still inactive after the warning period

10. Your Rights Under GDPR (EU/EEA & UK)

If you reside in the EU/EEA or UK, you have these rights regardless of where we operate:

10.1 Right of Access

Request a copy of the personal data we hold about you.

10.2 Right to Rectification

Correct inaccurate or incomplete personal data.

10.3 Right to Erasure (“Right to be Forgotten”)

Delete your personal data — available directly via Dashboard → Settings → Delete Account, or by emailing us.

10.4 Right to Restrict Processing

Limit how we process your data in specific situations.

10.5 Right to Data Portability

Receive your data in a machine-readable format (JSON export of history, resumes, contacts).

10.6 Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

10.7 Right to Withdraw Consent

Withdraw consent for any processing that relies on consent, including cookie tracking (via the cookie banner) and marketing emails.

To exercise any of the above:

Email hi@asktodo.ai

Response time: within 30 days. Free of charge for the first request per calendar year.

11. Your Rights Under CCPA / CPRA (California)

California residents have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to know what personal information we collect and how we use it
  • Right to delete the personal information we hold about you
  • Right to correct inaccurate personal information
  • Right to limit use and disclosure of sensitive personal information
  • Right to opt out of the sale or sharing of personal information
  • Right to non-discrimination for exercising any of these rights

Do Not Sell or Share My Personal Information:

asktodo.ai does not sell personal information for monetary value. We also do not “share” personal information for cross-context behavioral advertising in the CPRA sense. To submit a verifiable opt-out request anyway, email hi@asktodo.ai with the subject line “Do Not Sell or Share — CCPA Request”.

12. Your Rights Under India's DPDP Act

If you are a Data Principal under the Digital Personal Data Protection Act, 2023 (India), you have the right to:

  • Obtain a summary of the personal data we are processing about you and the processing activities undertaken (Section 11)
  • Request correction, completion, updating, and erasure of your personal data (Section 12)
  • Nominate another individual to exercise your rights in the event of death or incapacity (Section 14)
  • Withdraw consent at any time (Section 6)
  • Grievance redressal — we will respond to grievances within 30 days. After exhausting our process you may also approach the Data Protection Board of India

To exercise these rights or raise a grievance, email hi@asktodo.ai.

13. Email Outreach Tracking

13.1 What we track in your sent campaigns

  • Open tracking: An optional invisible 1×1 pixel inserted in the email HTML to detect opens
  • Click tracking: Optional link rewriting that records when a recipient clicks a link
  • IP hashing: Recipient IPs are SHA-256 hashed before storage — never stored in raw form
  • User agent: Browser/email-client family for engagement insight
  • Bounce + reply detection: The system reads bounce-notification headers (DSN/NDR) so it can suppress invalid addresses. Reply content is not pulled into our database; replies stay in your own Gmail/SMTP mailbox.

Open and click tracking can be disabled per campaign in the campaign builder. As the sender you are responsible for disclosing tracking to recipients where the law requires it (e.g. some EU jurisdictions).

13.2 Integrations

  • Gmail (Google) OAuth: Used only to send campaigns through your account. We request the minimum scope needed.
  • Custom SMTP: Direct connection from our server to the SMTP host you configure.

14. Cookies and Tracking Technologies

14.1 Dashboard (authenticated app)

The dashboard sets only essential cookies (Supabase session tokens, CSRF). It does not load Google Analytics, AdSense, or any third-party tracking script. Internal usage telemetry is server-side (see Section 2.3) and not based on cookies.

14.2 Public marketing site

The marketing site (asktodo.ai) loads Google Analytics 4 and Google AdSense under Google Consent Mode v2. By default, before you make a choice on the cookie banner:

  • Analytics, advertising, personalization, and functional storage are all set to denied
  • GA still sends a cookieless ping so we get aggregate page counts — no identifiers are stored
  • AdSense loads but serves only non-personalized ads (NPA)
  • Ad-data redaction and URL passthrough are both enabled

If you click Accept All, all categories switch to granted. If you click Reject All (or dismiss the banner via the X button), the deny state is persisted, and any pre-existing Google cookies (_ga, _gid, _gat, _gcl_au, NID, IDE, __gads, __gpi) are proactively scrubbed.

14.3 Ads always show

To be explicit: ads are visible to all visitors regardless of consent choice. AdSense is loaded unconditionally because it is a core revenue stream. The cookie choice controls only whether ads are personalized (granted) or non-personalized (denied). Showing ads without consent is permitted worldwide; only tracking-based personalization requires consent.

14.4 Categories

  • Essential: Authentication tokens, CSRF token, your stored consent choice. Always on — the site cannot function without them.
  • Functional: Language and theme preference. Toggle in settings.
  • Analytics: Google Analytics 4 with anonymize_ip, no Google signals, no ad personalization. Toggle.
  • Personalized ads: Whether AdSense is allowed to use ad-related cookies to personalize ads. Toggle. When denied, ads still show, just non-personalized.

For the full mechanism see our Cookie Policy.

15. Subprocessors

asktodo.ai relies on the following processors to provide the service. Each is bound by its own data-processing agreement and security commitments:

| Subprocessor | Purpose | Data accessed |
|---|---|---|
| Supabase | Database, authentication, file storage, edge functions | All account data, all uploaded files, all telemetry |
| Razorpay | Payment processing & subscription billing (includes PayPal, cards, UPI, net-banking as payment methods) | Name, email, billing address, payment details |
| Groq | AI inference for all generation tools and chat | Prompts you submit + the responses generated. Not used for training. |
| Google (Gmail API) | OAuth send-only access when you connect a Gmail account | Send-scope token. We do not read your inbox. |
| Google (Analytics + AdSense) | Marketing-site analytics and advertising | Cookie-gated. Dashboard pages are excluded. |
| Your own SMTP server (optional) | Direct campaign delivery via your SMTP credentials | You configure and control this directly |

Material changes to the subprocessor list will be reflected on this page with at least 14 days' advance notice for paying customers.

16. Google API Services User Data — Limited Use Disclosure

asktodo.ai's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

In practice this means we use Gmail OAuth data only to:

  • Send the email campaigns you create through your connected account
  • Read bounce-notification headers so we can suppress invalid addresses

We do not transfer Gmail data to third parties, we do not use it for advertising, we do not allow humans to read it (except with your explicit consent for support or as required by law), and we do not use it for any purpose unrelated to providing the outreach feature.

17. Data Security

We protect your information with the following measures:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 in Supabase)
  • OAuth tokens and custom SMTP credentials encrypted before insert
  • Row-level security on every user-scoped table and storage object
  • Per-IP and per-user rate limiting on all sensitive endpoints
  • Automated detection of brute-force, credential-stuffing, and suspicious-user-agent traffic
  • Content-Security-Policy and security headers on every response
  • Server-side audit logs for authentication, payment, and admin actions
  • Regular dependency updates and vulnerability scanning

Data breach notification

In the event of a breach affecting your personal data we will notify you and the relevant supervisory authorities without undue delay and, where required by GDPR, within 72 hours of becoming aware of it.

18. International Data Transfers

asktodo.ai operates from India. Our cloud infrastructure (Supabase) hosts data in multiple regions including the United States and the European Union, depending on the project region and edge-function execution location.

For data transferred from the EU/EEA or UK to a third country, we rely on the European Commission's Standard Contractual Clauses (SCCs) as our transfer mechanism, plus any supplementary technical measures (encryption in transit and at rest) needed to maintain an equivalent level of protection.

For data transferred under India's DPDP Act, transfers are made to jurisdictions not restricted by the Central Government.

19. Aggregated & Anonymized Data

We may publish or share aggregated, anonymous statistics about how the platform is used overall — for example, “asktodo.ai users generated 2 million pieces of content last month” or “the average resume takes 14 minutes to draft.” This data is irreversibly stripped of anything that could identify an individual user.

We will never publish individual prompts, outputs, contact lists, resume content, or any other personally identifiable data without explicit written consent from the user.

20. Case Studies & Marketing Features

We will only feature your logo, name, quote, screenshots, or any other identifying information in our marketing material (website, social media, sales decks, advertising) with your explicit prior written consent. You can withdraw that consent at any time by emailing hi@asktodo.ai, and we will remove the material from active channels within a reasonable period.

21. Children's Privacy

asktodo.ai is intended for users 18 years of age or older. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected data from someone under 18, we will delete it promptly. Parents and guardians who believe their child has provided us data should contact hi@asktodo.ai.

22. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will:

  • Post the updated policy on this page
  • Update the “Last updated” date at the top
  • Notify registered users by email for material changes
  • Where the change requires it, obtain fresh consent

23. Contact Us

For any privacy question, data-request, grievance, or to exercise any right above, please contact us:

Contact email: hi@asktodo.ai

Response time: within 30 days.

Operating jurisdiction: Karnataka, India.

Supervisory authority (EU/EEA): You may also lodge a complaint with your local data-protection authority.

Supervisory authority (India): Data Protection Board of India once constituted under the DPDP Act, 2023.