Robertson Software LLC

Πολιτική Απορρήτου

Last updated: July 10, 2026

1. Introduction and scope

This policy applies to the applications and related services operated by Robertson Software LLC ("Robertson Software," "we," "us," "our"), including Goalito (web, iOS, and Android). Goalito helps you set goals, plan tasks, build habits, and reflect on your progress. Some of what you record is personal: health intentions, relationships, private reflections. We built our apps to collect as little as we can while still making them work.

Robertson Software operates one platform and one user identity across its apps, so your account may be usable across more than one of our apps over time; this policy governs all of them unless a specific app says otherwise. Robertson Software LLC is the controller (the "business" under California law).

2. What data we collect and why

  • Account data you give us: email, name or display name, timezone, language, country (asked at sign-up), and preferences. We use these to authenticate you, run the app correctly (your timezone drives "what day is it" for streaks and reflections), understand where our users are, communicate with you, and support you.
  • Your content: goals, tasks, habits and streaks, reflections and journal entries, and people you choose to track. Stored to provide the app to you, and otherwise used only as described in section 4: in de-identified form, never including your writing, to learn what helps users succeed. It is yours.
  • First-party product analytics: lifecycle signals such as signed up, onboarded, activated, and feature usage. These events are deliberately minimal: account identifiers and event types from a fixed list we chose, never the titles or contents of your goals, tasks, habits, reflections, or people. If you arrive through one of our marketing links, we also record the campaign parameters carried by that link (utm_source, utm_medium, utm_campaign) and which client platform your signup came from (web, iOS, or Android; a fixed three-value label, nothing more) so we know which of our marketing channels work. These are normalized short channel tokens we chose, never free text you typed, and are collected first-party only. We do not use third-party ad trackers or cross-site identifiers. Before you sign in, we also count aggregate, non-identifying visits to our public login and signup pages: no account, no cookies, and no identifier that we link to you if you later create an account.
  • Technical data needed to deliver and secure the service: IP address, device and app version, and timestamps in server and security logs.

3. How we use your data

To provide and operate our apps; authenticate and secure your account; provide support; send service and account messages (and, only if you opt in or where permitted, occasional product updates); understand and improve the product via first-party analytics, including learning in aggregate which approaches and features actually help users reach their goals; and comply with law and protect rights and safety. We do not use your private content for advertising profiles or to train AI models.

4. First-party analytics, personalization, and your opt-out

Our product-analytics events (section 2) are first-party and deliberately minimal: account identifiers and event types from a fixed list, never your content. The modeling described next is a separate, broader use of de-identified data. One opt-out in your account settings covers both, and using it does not reduce any core functionality. Where law requires consent rather than legitimate interest, we ask for consent and honor your choice.

To make the product genuinely better at its job, we may fit statistical models (for example regressions or cohort groupings) on de-identified data derived from how you use and structure the product: things like goal categories, target cadences, whether you lean on habits or on tasks, which optional fields you use, streaks, completion patterns, and, if you provided it, your country. Two hard rules apply. First, the free text you write - goal names and descriptions, reflections, notes about people - is never included in this analysis (structural facts about it, such as whether an optional field is filled in, may be). Second, the analysis runs on de-identified data, never in a form linked to you. We may use the learned patterns to improve the product and to tailor in-app suggestions to you (for example, suggesting an approach that has worked well for users whose usage looks like yours). These suggestions are only suggestions: you can ignore them, and they never have legal or similarly significant effects. We also apply a small-group rule: when analysis groups users by an attribute such as country, any group of fewer than five users is suppressed - we neither report on it nor base suggestions on it - so no pattern can point back to an individual. The same opt-out excludes your data from these models and turns off personalized suggestions.

5. What we do not do

We do not sell or "share" personal information for cross-context behavioral advertising. We do not run third-party ad networks or behavioral trackers. We do not use Apple ATT cross-app tracking. We do not embed third-party analytics SDKs that profile you. We never use the free text you write - goal names and descriptions, reflections, notes about people - to train AI or ML models of any kind; the statistical models described in section 4 learn only from de-identified structural and usage signals, never from your writing.

6. Sharing and sub-processors

We don't sell your data. We share it only with service providers under contracts requiring them to protect it and use it only for us: our cloud hosting and database providers (account data and content); Paddle (merchant of record and payments for web purchases; billing and transaction data - Paddle handles card data and we receive no raw card numbers); the Apple App Store and Google Play (merchant of record and payments for purchases made through them); and our email provider (account and support email). A current sub-processor list is available on request at the contact below. We may also disclose data to comply with law, enforce our Terms, protect rights or safety, or in a business transfer (with notice; this policy continues to protect your data).

7. Staff access

Authorized Robertson Software staff can access account data to operate the service, provide support, debug, and keep it secure. Access through our internal admin console is restricted, logged, and audited. As a small company, our engineers can also access the underlying database directly when troubleshooting or restoring service; that access is limited to authorized staff and to what the task requires. Staff do not use your personal content beyond operating and supporting the service. We do not claim "no one can ever see your data"; we claim access is limited, controlled, and accountable.

8. International transfers

We serve users worldwide, including in the EU, UK, and California. Data is processed and stored in the United States. For transfers from the EEA and UK we rely on appropriate safeguards, including standard contractual clauses where applicable. You can request details via the contact below.

9. Data retention

Your content is retained while your account is active and deleted when you delete your account. Deletion is immediate in the app; for safety we keep database backups and an internal change history, and deleted data remains in those copies until they age out on a roughly 30-day cycle. Items you delete within the app first go to a recoverable recycle area and are permanently removed after a 30-day recycle window; copies may remain in our secure backups for up to 30 days after that permanent deletion. Analytics events are anonymized on account deletion (the link to you is severed; only aggregate, non-identifying signals are kept). Account data is retained while active, then deleted or anonymized, except records we must keep by law. Financial and tax records are retained as long as legally required, then deleted. Operational and security logs are retained for a limited window, then deleted.

10. Your rights

We honor these globally as a baseline. GDPR (EEA and UK): access; data portability (email us to request an export of your content in a portable format); correction; deletion (available in-app); objection and restriction (including the analytics opt-out); withdrawal of consent; and the right to lodge a complaint with your data protection authority (in the UK, the ICO). Our legal bases are contract (to provide the app), legitimate interest (first-party analytics, security, improvement), consent (where required), and legal obligation (financial records).

California (CCPA/CPRA): know and access, delete, and correct; opt out of sale or sharing (we do neither, so there is nothing to opt out of, but the analytics opt-out is available regardless); limit use of sensitive personal information (already limited); and non-discrimination.

Exercise these via in-app controls (account settings, account deletion) or by emailing [email protected]. We verify and respond within legally required timeframes; authorized agents are allowed where law permits.

11. Security

Encryption in transit (TLS); hashed passwords (never plaintext); access controls and least privilege; and audit logging of administrative actions taken through our admin tools. No system is perfectly secure; we notify affected users and regulators of a qualifying breach as required, including the GDPR 72-hour authority-notification timeline where applicable.

12. A note on data about other people

Goalito lets you keep notes about the people in your life, so you can be a better friend, partner, parent, or colleague. Notes like these are personal data about people who are not users. You decide what's recorded; we store it only on your behalf; nothing you record about another person is ever shown to any other user; and deleting it removes it as described in section 9. Please be thoughtful: we ask you not to record other people's health or medical information, religious or political beliefs, or sexuality. These are "special category" data under privacy law and carry real risk for the people they describe.

13. Children

Our apps are intended for users 13 and older (or a higher local minimum). They are not directed to children under 13 and we do not knowingly collect their data. Contact us to report an underage account and we will delete it.

14. Data category summary

CategoryIncludesWhyRetention
Account data Email, name, timezone, language, country, preferences Run and authenticate your account, support, understand where our users are While active; deleted or anonymized after, except as legally required
Your content Goals, tasks, habits, reflections, people Provide the app to you; de-identified structural signals (never your writing) feed the section 4 models While active; deleted on account deletion
Product analytics Lifecycle and usage events (ids and enumerated types; no content or titles), signup campaign parameters, signup client platform, aggregate pre-signin page-view counts Understand and improve the product; measure our marketing channels Anonymized on account deletion
Payment and billing Transaction and subscription records (no raw card data) Process purchases; tax and finance law As legally required
Technical and security logs IP, device and app version, timestamps, admin audit logs Security, debugging, abuse prevention Limited window, then deleted

15. Changes

We may update this policy. For material changes we notify you (in-app and/or by email) and update the "Last updated" date. Continued use after changes take effect means acceptance.

16. Contact

Robertson Software LLC · [email protected]