what am I doing

Privacy Policy

Last updated: 10 May 2026

This policy explains what personal information what am I doingcollects, why, and what your rights are. We follow the Protection of Personal Information Act (POPIA) — South Africa’s data protection law — and apply the same principles to users elsewhere.

1. What we collect

  • Account information — your name, email address, and (optionally) avatar and timezone
  • Workspace content — workspaces, clients, projects, tasks, pages, comments, and uploaded files you create
  • Usage data — basic technical logs (IP, browser, pages visited, error traces) to operate and secure the service
  • Authentication data — session tokens, sign-in provider, and (for password sign-in) a securely hashed password we never see in plaintext

2. How we use it

  • To provide the service and the features you use
  • To authenticate you, keep your account secure, and prevent abuse
  • To debug issues, improve performance, and ship product updates
  • To contact you about account, security, or service changes — never marketing without your opt-in

3. Third-party services

We use a small number of trusted vendors to run the platform. They’re bound by data-processing agreements:

  • Supabase — database, authentication, storage, and realtime. Hosted on EU servers (eu-west-1).
  • Vercel — web hosting and edge networking
  • Anthropic / Claude— only if and when you explicitly invoke an AI feature; your content is sent on request and isn’t used to train models

4. Data storage and transfers

Your workspace content is stored in the EU (Supabase eu-west-1). Operational logs may be processed in other regions by our infrastructure providers under standard contractual clauses. We don’t sell your data.

5. Your rights under POPIA

You can ask us to:

  • Access the personal information we hold about you
  • Correctanything that’s inaccurate or out of date
  • Delete your account and the personal information tied to it
  • Export a copy of your workspace content in a portable format
  • Object to processing or withdraw consent where we rely on consent

Email info@whatamidoing.co.za and we’ll respond within 30 days. You can also lodge a complaint with the South African Information Regulator if you’re not satisfied with how we handle your request.

6. Cookies

We use first-party session cookies to keep you signed in. We don’t use advertising or cross-site tracking cookies. That’s why you don’t see a cookie banner — there isn’t anything to consent to beyond the cookies that make the service work.

7. Data retention

Active accounts: we keep your workspace content as long as your account is open. Closed accounts: content is removed from production within 30 days; backups are purged on their normal rotation (currently 30 days). Operational logs roll over after 90 days.

8. Security

We use TLS in transit, encryption at rest, hashed passwords (Argon2 via Supabase Auth), row-level security in the database, and per-user access control on every API. No system is bullet-proof — if we ever discover a breach affecting your data, we’ll notify you and the Information Regulator promptly as required by POPIA.

9. Children

The service isn’t intended for children under 18. If you believe a child has signed up, contact us and we’ll remove the account.

10. Changes

We’ll update this policy as the service evolves. Material changes will be announced in-app or by email at least 14 days before they take effect.

11. Contact

Privacy questions, DSR requests, or breach reports: info@whatamidoing.co.za.

Back to sign in