What we keep, and why.

Pair Cafe is a small, two-person app (often just called “Pair” in this doc). We only collect what we need to make your shared list work, and we never sell or rent it. You can delete your account, your couple, or your data any time from Settings.

We don’t use trackers across the web, we don’t profile you for ads, and there’s no third party reading your todos or your photos. The full detail is below.

Pair Cafe (the “Service”) lives at pair.cafe. The fastest way to reach us about anything in this policy is through the form at /contact.

Pair stores only the data you give us. We don’t buy data, and there’s no analytics SDK trying to fingerprint your device.

From you, when you sign up

• Your email address — used as your sign-in handle. We send a one-time magic link to confirm it; no passwords.
• Your display name — shown next to todos so your partner knows who added or completed what.
• Optionally, an avatar image you choose, and your relationship start date (used to celebrate your anniversary).

From you, while using Pair

• The contents of your shared list: todo titles, notes, target dates, who added each item, and who completed it.
• Completion details — your free-text "How did it go?" note and up to four photos or short video clips per completion (max 19MB each; photos are compressed by your browser before upload, clips are uploaded as-is).
• Reactions you and your partner add to completed items.
• Categories — auto-assigned for new todos by an AI categorizer (see below) so the app can show you a meaningful filter row.
• In-app notifications about activity on your shared list.

From your device, only if you opt in

• Web push subscription details (an endpoint URL plus two cryptographic keys) so we can deliver notifications when Pair isn't open. You enable this from Settings; we delete the subscription the moment your browser tells us it's gone.
• Your "Add to Home Screen" choice is remembered locally in your browser so we don't nag you again.

Automatically, when your browser talks to our server

• A short-lived auth cookie set by Supabase so you stay signed in.
• Standard request metadata (IP, timestamp, user agent) that our hosting and database providers process to serve traffic and protect against abuse. We don't use this for analytics, ad targeting, or profiling.

We use what you give us to do the obvious things and nothing else:

• Show your shared list, calendar, completion gallery, and notifications.
• Send the magic link that signs you in, and the small set of transactional emails described in our email policy (sign-in, email change, etc.).
• Deliver web push notifications you've opted into.
• Categorize new todos so the filter row stays useful.
• Triage messages you send through the contact form.

We do not use your data to train any AI model, sell to brokers, build advertising profiles, or share with anyone outside the subprocessors listed below.

Pair runs on a small, deliberately boring stack. Each provider sees only what they need to do their job:

• Supabase — hosts our database, authentication, and the storage bucket where completion photos live. They process your account record, your couple's todos and reactions, your push subscriptions, and your photos.
• Vercel — hosts the website itself and serves traffic from their edge network. Standard request logs apply.
• OpenAI — receives the title and notes (only) of new todos so it can return one or two category labels. We don't send your name, email, photos, or completion notes. You can disable AI categorization by leaving the API key unset on your self-hosted copy.
• Apple, Google, and Mozilla push services — receive encrypted notification payloads addressed to your specific browser endpoint, so notifications can land on your lock screen. They cannot read the contents.

We don’t use Google Analytics, Meta Pixel, Mixpanel, PostHog, or any equivalent tool. There is no third-party JavaScript loaded into your session that you didn’t already see in this list.

• Account data (email, profile, couple, todos, completion notes, photos, reactions) — kept as long as your account exists.
• Push subscriptions — automatically deleted as soon as your browser tells us they're no longer valid (the standard "410 Gone" response).
• Notifications — kept in your in-app inbox until you or your partner clear them.
• Contact form messages — kept until we've actioned them, then archived. We may keep them for up to 24 months for support continuity.
• Server request logs (held by Supabase and Vercel) — typically retained for 30–90 days per their respective policies.

When you delete your account from Settings → Danger zone, we delete your profile andthe couple you’re part of — which means every todo, completion note, comment, recap, and photo you and your partner created together is removed at the same time. Your partner loses access to those shared memories as a result; their own profile and any solo data stays untouched. This is a hard delete: we don’t archive a shadow copy, and we can’t undo it.

You have the right to:

• Access the data we hold about you — most of it is visible directly in the app; the rest is one request away.
• Export it in a portable format.
• Correct anything that's wrong (you can edit your name, email, anniversary, todos, and notes directly in the app).
• Delete your account and your shared content at any time from Settings → Danger zone.
• Withdraw consent for push notifications by toggling them off in Settings — we'll stop sending and remove your subscription.
• Lodge a complaint with your local data protection authority if you believe we've mishandled your data.

To exercise any of these rights beyond what the app exposes directly, send a message via /contact. We aim to respond within 30 days.

Pair isn’t designed for or directed at children under 13 (or the equivalent minimum age in your jurisdiction). Don’t use the Service if you are under that age. If we learn we’ve collected data from someone underage, we’ll delete it.

Pair’s database, storage bucket, and hosting are operated in the United States. By using the Service you understand that your data may be processed there.

Connections to Pair are encrypted with TLS. Your magic-link tokens are single-use and short-lived. Photos and todos are protected by row-level security policies that scope access to the two members of your couple. No system is invincible — if you spot something that looks off, please tell us at /contact.

If we make a substantive change, we’ll update the Last updated date at the top and, when the change materially affects your rights, give you reasonable notice through the app or via email before it takes effect.