Privacy policy
Last updated: 12 July 2026
This policy covers the Digital Retinue website at retinue.digital and the Digital Retinue app at app.retinue.digital. It is written to be read, not skimmed past: it says what we collect, why, what we could technically see, and what we deliberately cannot.
Who we are
Digital Retinue is built and run by one person, based in the United Kingdom, not a company with a support department. That cuts both ways: there is no anonymous employee pool with database access, but the operator might be someone you know. This policy explains exactly what that person could and could not see, so you do not have to take anyone's word for it.
For anything in this policy, contact hello@retinue.digital.
What we collect on this website
- Waitlist signups. If you join the waitlist we store your email address, where on the site you signed up, and when. We use it to send you launch news about Digital Retinue and nothing else. We do not add you to any other list, and we remove you on request: email us or use the removal link in anything we send.
- No analytics, no marketing cookies. This website sets no advertising or analytics cookies. Our hosting provider (Vercel) keeps standard, short-lived server logs (such as IP addresses) to run and protect the service.
What the app collects
- Account details. Your email address and name, held through Google Firebase Authentication, which handles sign-in.
- Your content. The things you put into the app: tasks, notes, plans, lists, meals, inventory and similar. This is your data; we process it only to provide the service.
- Financial data, only if you enable the Accountant. Accounts, transactions and bills you add or import. The Accountant's matching engine works by reading transaction descriptions and amounts, so that data must be readable by the server for the feature to work at all. We do not pretend otherwise.
- Calendar data, only if you connect a calendar. If you connect a Google or Microsoft calendar we read event titles and times so the planner can show them and count them against your day. We only ever read your calendar, we never write to it, you choose exactly which calendars sync, and the keys that let us reach your calendar are stored encrypted, not in plain text. You can disconnect at any time, which stops the sync and invalidates our access.
Google user data
Digital Retinue's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In plain terms: calendar data we read from your Google account is used only to show your events in the app and to plan around them. It is not used for advertising, it is not sold, it is not used to train AI models, and no human reads it except with your explicit permission, or where strictly necessary for security or to comply with law.
AI features
When you talk to a retinue member, the words of that exchange are sent to our AI provider (currently OpenAI) to generate the reply, together with the relevant context the app already holds. This happens only when you initiate it. The server does not store your messages: our usage records hold counts and codes (tokens used, which feature, which model), never message content. Conversation history lives on your device, not on our servers. We do not use your content to train AI models, and our provider agreements do not permit them to either.
What the operator could technically see
The app has no admin screens, no impersonation feature and no support backdoor. The API physically has no endpoint that returns one account's data to another account, and that is enforced by an automated test that runs on every code change, so it cannot quietly regress.
The application's own database credentials can only read this app's data, and the day-to-day credentials cannot alter tables. Direct database access would show your data as the app stores it. We are honest about that rather than hiding behind vague words like "encrypted": encryption at rest protects against stolen disks, not against an operator with credentials. What protects you from the operator is the next section.
What happens if anyone ever looks
Every connection and table read on the database server is logged, and those logs are shipped to write-once storage that nobody can edit or delete, not even the operator. That retention is a locked policy enforced by the storage provider, not by promises. Unusual access would leave a permanent mark.
Coming next: a lock we cannot open
A "Private" lock for individual notes and tasks is planned: items you lock will be encrypted on your device with a key that never leaves it. Those items, nobody but you will be able to read, mathematically, even with full database access. We will update this policy when it ships; until then we do not claim it.
Who we share data with
Nobody, for money or marketing. We do not sell data, we do not run advertising, and we do not pass your data to third parties except the processors that make the service work:
- Microsoft Azure: hosts the app's API and database.
- Vercel: hosts this website.
- Google Firebase: sign-in and authentication.
- OpenAI: generates AI replies, transiently, as described above.
- Google and Microsoft: calendar access, only if you connect a calendar.
- TrueLayer: open banking connections for the Accountant, only where that feature is enabled for your account.
Where a processor handles data outside the UK, we rely on recognised safeguards such as UK adequacy decisions and standard contractual clauses.
How long we keep it, and your way out
- Export. One action gives you everything the app holds about you as a single file: every task, note, account, transaction, bill and setting.
- Delete. One action permanently erases your account and all its data, including anything of yours referenced from other people's accounts, and your sign-in identity. There is no soft-delete limbo and no retention period. It cannot be undone.
- Waitlist emails are kept until launch and then retired, or removed sooner on request.
Legal bases
Under UK data protection law we process data on these bases: consent (the waitlist, connecting a calendar or bank), performance of a contract (providing the app you signed up for), and legitimate interests (security logging and abuse prevention, applied narrowly).
Your rights
You have the rights UK GDPR gives you: access, rectification, erasure, restriction, portability and objection. The export and delete actions above answer most of these instantly and without asking anyone. For the rest, email hello@retinue.digital. If you are unhappy with how we handle your data you can complain to the Information Commissioner's Office (ico.org.uk).
Children
Digital Retinue is not directed at children under 13 and we do not knowingly collect their data.
Changes to this policy
When the architecture changes, this page changes, and the date at the top moves. Material changes will be flagged in the app and, for waitlist members, by email. This page describes what is true today, not what is aspirational.