This inventory maps Paradaq product features and data flows to data categories, purposes, roles, legal bases, processors, transfer safeguards, retention rules, and user controls. It is a public summary of how Paradaq handles data across the website, backend, mobile app, and external service providers.
Related materials: Privacy Policy, Terms, and DPA and Subprocessors.
Processing inventory
| Feature / data flow | Data categories | Purpose | Controller / processor role | Legal basis | Processor / recipient | Transfer country / safeguard | Retention | User controls |
|---|---|---|---|---|---|---|---|---|
| Account and authentication | Email, Supabase user id, auth/session tokens, login metadata, profile data, plan tier. | Create and secure accounts, authenticate requests, and authorize app features. | Paradaq controller for account administration; Supabase processor. | GDPR: contract for account/service delivery; legitimate interest for security. Belarus: contract, consent, and security bases as applicable. | Supabase Auth and database; Apple/Google if platform sign-in is enabled. | Supabase EU project region where configured; provider operations/support may involve US or other approved locations; DPA/SCCs or adequacy as applicable. | Active account lifetime; deleted through account deletion flow; provider security logs and backups age out by provider policy. | Log out, account deletion, access/rectification/deletion requests. |
| Screenshot, file, and share-sheet intake | Screenshots, images, shared text, documents/files, filenames, MIME type, client names, messages, visible source context, source platform hints. | Capture incoming work and prepare it for extraction into structured tasks/meetings. | User or professional customer controller for client/work content; Paradaq processor for uploaded work content; Paradaq controller for account/security records. | GDPR: contract or user/customer instruction for requested processing; users should avoid special-category or sensitive third-party data unless they have a lawful basis. Belarus: consent/contract and cross-border transfer disclosures as applicable. | Supabase Storage/database, Vercel API routes, OpenAI API for AI analysis. | Supabase/Vercel/OpenAI regions; DPA/SCCs/adequacy or vendor safeguards; Belarus cross-border transfer disclosures where applicable. | Images stored in extraction-images while account/content remains; intake jobs and accepted extraction history retained while account is active; deleted with account deletion; backups age out. | Delete item/account, edit extracted fields, avoid uploading sensitive data, review before accepting. |
| AI screenshot/file extraction | Submitted text/images/files, OCR-like prompt content, candidate client/project context, extracted fields, confidence, source platform, image object paths. | Extract tasks, meetings, client/project signals, dates, summaries, and next steps. | User/professional customer controller and Paradaq processor for submitted work content; Paradaq controller for abuse/security telemetry. | GDPR: contract or processing under user/customer instruction; legitimate interest for abuse prevention and reliability. Belarus: consent/contract and cross-border transfer disclosures as applicable. | OpenAI API, Vercel serverless/API routes, Supabase database/storage, PostHog for limited extraction metrics when configured. | OpenAI US/other processing locations; Vercel/Supabase regions; DPA/SCCs/adequacy; OpenAI API no-training default, to be re-verified periodically. | OpenAI used for request processing; Paradaq stores extracted result, job state, and image object paths while account is active; no intentional raw server storage outside listed app tables/storage; provider transient/log retention follows DPA. | User review before saving, edit/delete extracted results, account deletion, avoid AI submission of sensitive data. |
| Voice transcription | Audio file, MIME type, filename, locale/language hint, transcript text, transcript-derived inbox/task/meeting fields. | Convert voice input into inbox drafts and structured work items. | User/professional customer controller and Paradaq processor for voice/work content; Paradaq controller for eligibility and security checks. | GDPR: contract or user/customer instruction; platform microphone/speech permissions are separate from legal basis. Belarus: consent/contract and cross-border transfer disclosures as applicable. | OpenAI API cloud transcription, Vercel API route, Supabase for auth/profile plan checks; native/local speech engines if used in mobile app. | OpenAI US/other processing locations; DPA/SCCs/adequacy; local device speech processing follows OS/provider terms. | Backend returns transcript and does not intentionally store raw audio in the web route; transcript-derived content may persist in local inbox, Supabase extraction history, calendar items, and intake jobs while account is active; raw audio/local drafts deleted with item/account where stored. | Microphone/speech permissions, choose local/cloud mode where available, delete voice item/transcript, edit transcript, account deletion. |
| Local Whisper/model download | Generic model files, download state, app version/device metadata, optional cloud transcription preference. | Enable local/offline transcription and reduce cloud processing where supported. | Paradaq controller for app design and download telemetry; model host/CDN processor where logs exist. | GDPR: contract for requested local feature; legitimate interest for operational logs. Belarus: consent/contract and cross-border log disclosures as applicable. | Model host/CDN where used; device file system. | Model files stay on device; CDN/provider logs may process in provider regions under DPA/SCCs/adequacy if applicable. | Model remains until user deletes model, clears app data, or uninstalls; generic model files may remain after account deletion unless app data/model cache is cleared. | Delete model/cache if exposed, clear app data/uninstall, choose cloud/local transcription preference where available. |
| Manual todos, meetings, clients, and projects | Todo/meeting title, notes, dates/times, reminders, descriptions, locations, meeting URLs, participants/client references, project topics/status. | Let users create and manage structured work records. | Paradaq controller for user account data; for professional users' client/work content, user/customer controller and Paradaq processor. | GDPR: contract or user/customer instruction. Belarus: contract or consent basis as applicable. | Supabase database, local app cache/outbox, Vercel API routes where used. | Supabase EU region where configured plus provider operations/support; DPA/SCCs/adequacy; Belarus cross-border transfer disclosures where applicable. | Active account lifetime or until user deletes/changes content; local cache until sign-out/account deletion/app data clear; deleted by account deletion. | Create/edit/delete items, account deletion, local data clear, support privacy requests. |
| Local calendar sync | Todo/meeting title, time, notes, location, meeting URL, reminder metadata, native calendar id/event id, sync state. | Add accepted Paradaq items to the phone calendar and reconcile updates/deletions. | Paradaq controller for sync design and app records; user controls native calendar; Apple/Google/local calendar provider may be independent controller. | GDPR: contract for requested sync; platform calendar permission required. Belarus: consent/contract basis and third-party calendar disclosures as applicable. | Device OS calendar via expo-calendar; Apple iCloud/Google Calendar or other user-configured calendar providers if the user's calendar account syncs externally. | Local device unless user's calendar account syncs to Apple/Google/other provider; platform/provider safeguards under their terms. | Native event remains until user deletes it, disables/removes sync, account deletion cleanup removes tracked events, or calendar provider retention applies. | OS calendar permission, confirmation-first sync, edit/delete events, revoke calendar permission, account deletion cleanup of tracked events. |
| Notifications and reminders | Notification permission status, local notification ids, reminder times/content, device scheduling metadata; push token if remote push is later enabled. | Send local reminders for tasks/meetings and app updates where enabled. | Paradaq controller for reminder configuration; OS/platform provider acts as independent controller or processor depending on the channel. | GDPR: contract for requested reminders; consent for marketing notifications. Belarus: consent/contract and marketing consent rules as applicable. | Expo Notifications/local OS notification scheduler; Apple Push Notification service/Firebase/Expo push if remote push is enabled. | Local notifications stay on device; remote push uses Apple/Google/Expo global infrastructure with provider safeguards. | Reminder registry retained locally while notifications enabled/account active; cleared on deletion/sign-out cleanup; remote push tokens retained only while enabled/account active if implemented. | OS notification permission, disable notifications, delete reminders/items, account deletion. |
| Analytics | Page/app events, route/page names, CTA/nav/waitlist events, app/device metadata, consent state, PostHog distinct id, optional email/user id after waitlist identification. | Measure usage, conversion, onboarding, and product reliability without raw intake content. | Paradaq controller; PostHog processor. | GDPR: consent for optional analytics on website/mobile. Belarus: consent basis where analytics is enabled. | PostHog EU cloud, client-side PostHog, server-side PostHog for configured API events. | EU PostHog region; DPA/SCCs/Data Privacy Framework safeguards where applicable. | Disabled by default until opt-in; retained according to PostHog project retention settings; identified profiles should be deleted/suppressed on deletion request where feasible. | Cookie/banner analytics opt-in/out, privacy settings where available, PostHog reset on logout/deletion, account deletion request. |
| Session replay | Screen/touch interaction metadata, replay frames, masked UI state, potential accidental capture of personal/work content if masking fails. | Debug UX issues and reproduce product problems. | Paradaq controller; PostHog/Sentry processor if enabled. | GDPR: explicit consent for replay where enabled; safer default is disabled. Belarus: explicit consent and sensitive-screen masking where enabled. | PostHog replay or Sentry replay if enabled. | Vendor region/safeguards depend on provider; DPA/SCCs/adequacy. | Current web PostHog config disables session recording; mobile map treats replay as disabled unless analytics consent is granted. If enabled, use short retention such as 14-30 days and mask sensitive screens. | Keep disabled by default, opt in/out, masking, do-not-capture rules for intake/content screens, deletion/suppression requests. |
| Error telemetry and observability | Crash/error events, stack traces, logs, traces, device/app metadata, breadcrumbs, possible user id/email if ever attached, accidental content in errors. | Diagnose crashes, reliability, abuse, and security issues. | Paradaq controller; Sentry or hosting/log providers as processors. | GDPR: legitimate interest for service reliability/security; consent-gated where configured for mobile Sentry. Belarus: legitimate/security basis or consent as applicable. | Sentry, Vercel logs, Supabase logs; PostHog exception capture where analytics consent applies. | EU/US/global provider infrastructure; DPA/SCCs/Data Privacy Framework or adequacy. | Retained according to provider/project retention settings, preferably 30-90 days for identifiable telemetry; provider security logs may persist. | Analytics/telemetry opt-out where offered, account deletion/suppression for linked user identifiers, avoid submitting sensitive content in support logs. |
| Subscriptions and payments | RevenueCat customer id, Supabase user id mapping, entitlement state, product ids, transaction/store references, subscription status, country/currency, refund/billing metadata. | Manage paid access, restore purchases, subscription support, billing/fraud/legal records. | Paradaq controller for entitlement state and account mapping; RevenueCat processor; Apple/Google independent platform providers for checkout/store records. | GDPR: contract; legal obligation for tax/accounting where applicable; legitimate interest for fraud/security. Belarus: contract/legal obligation and cross-border disclosures as applicable. | RevenueCat, Apple App Store, Google Play, Supabase profile/plan tier. | RevenueCat US/global; Apple/Google global; DPA/SCCs/adequacy where applicable; platform terms. | Retained while subscription/customer active plus legal/provider retention; account deletion calls RevenueCat deletion when configured; Apple/Google ledgers retained under platform/legal periods. | Manage/cancel in app store, restore purchases, contact support, account deletion where Paradaq can delete, platform refund/cancellation controls. |
| Waitlist and marketing | Email, optional first name, locale/newsletter language, source page, UTM metadata, use case/roadmap interest, platform interest, alpha tester flag, consent version/timestamp/status, unsubscribe path. | Process early-access request, send transactional waitlist updates, send optional marketing newsletter only with separate consent. | Paradaq controller; Brevo processor; PostHog processor when analytics consent identifies/captures waitlist events. | GDPR: contract or request for transactional waitlist updates; consent for marketing newsletter and analytics. Belarus: consent and email marketing requirements as applicable. | Brevo, Supabase consent events, PostHog when analytics consent is granted. | Brevo EU/other provider locations; DPA/SCCs/adequacy; PostHog EU safeguards. | Waitlist contacts until launch cycle completion, unsubscribe, or deletion request; consent logs retained 3 years for governance evidence; suppression/unsubscribe records retained as needed. | Unsubscribe, withdraw marketing consent, request deletion/erasure, analytics opt-out. |
| Website contact, support, and legal requests | Email address, message content, attachments/screenshots voluntarily sent, request metadata, privacy/legal/billing/support history. | Respond to support, privacy, billing, legal, and deletion requests. | Paradaq controller; mailbox/support provider processor. | GDPR: contract/legitimate interest/legal obligation depending on the request. Belarus: consent/contract/legal basis as applicable. | Support mailbox provider, hosting/provider logs if forms are added. | Provider-supported regions; DPA/SCCs/adequacy safeguards where applicable. | Retained while request is handled plus limited history needed for legal claims, accounting, security, or statutory obligations; deletion/anonymization when no longer needed. | Contact deletion/erasure request, avoid sending sensitive screenshots unless necessary, legal rights requests. |
| Website operation and consent storage | IP-derived request metadata, browser/device metadata, cookies/localStorage values, locale/theme preference, consent receipt id, consent categories/version/timestamp. | Operate website, remember preferences, record consent evidence, maintain security. | Paradaq controller; Vercel/Supabase/PostHog as processors depending on the data. | GDPR: legitimate interest for essential logs/security; consent for analytics storage; legal obligation/legitimate interest for consent evidence. Belarus: consent for non-essential cookies/analytics. | Vercel hosting, Supabase consent event store, PostHog for opted-in analytics. | Vercel US/EU/global; Supabase region; PostHog EU; DPA/SCCs/adequacy. | paradaq-consent, paradaq-consent-id, locale/theme storage persist until cleared; consent logs retained 3 years; server logs kept for short operational windows to be defined with the provider. | Cookie settings button, accept/reject/save preferences, clear browser storage, privacy request. |
| Local app storage and cache | Supabase session tokens, inbox items, media copies, calendar cache/outbox, extraction history outbox/stats, client tags, native calendar sync state, reminders registry, speech capability cache, voice cloud preference, theme/language/onboarding state, downloaded model files. | Provide offline access and faster app use, preserve unsent captures, and support the account session and local preferences. | Paradaq controller for app design; user device stores data locally; OS/cloud backup provider may be independent controller if user enables backup. | GDPR: contract and security legitimate interest. Belarus: consent/contract and device-backup disclosures as applicable. | User device storage, SecureStore/Keychain/Keystore, AsyncStorage, FileSystem, OS backup providers if enabled. | Local device; no Paradaq transfer unless synced; user-controlled OS backup may transfer to Apple/Google or device backup provider. | Account-scoped data retained until sign-out/account deletion/app data clear/uninstall; non-account preferences until changed/cleared; model files until deleted/cache clear/uninstall. | Delete items, sign out, account deletion cleanup, clear app data/uninstall, OS backup controls, revoke permissions. |
| Abuse prevention and rate limiting | Request metadata, anti-spam fingerprints/timestamps, rate-limit state, request id, IP-derived request signals, user agent, and operational security records. | Prevent abusive extraction requests and protect service availability. | Paradaq controller; hosting and logging providers act as processors where logs are processed. | GDPR: legitimate interest for security/abuse prevention. Belarus: security basis or consent/notice as applicable. | Vercel API route, in-memory anti-spam store, Supabase logs, PostHog limited extraction metrics if configured. | Vercel/Supabase/PostHog regions; DPA/SCCs/adequacy or vendor safeguards where applicable. | In-memory anti-spam data is short-lived; provider logs follow configured project or vendor retention. | Sign in where required, avoid abusive requests, privacy request. |
This overview is kept aligned with the Privacy Policy, Terms, and DPA materials. Operational deletion verification and internal system-owner checklists are maintained separately.