Privacy Policy

1. Who This Service Is For

SuperDuper is designed for adults—parents, guardians, and caregivers—who manage family schedules. While the app processes information about children (names, activities, schedules), the app is not intended for use by children.

We do not knowingly allow children under 13 to create accounts or use our service. If you believe a child has created an account, please contact us immediately and we will delete it.

2. Information We Collect

Account Information

• Your name and email address
• Authentication credentials (we use industry-standard OAuth; we never see your email password)
• Payment information (processed by our payment provider; we don't store card numbers)

Family Information

To provide our service, we process information about your family members, which may include:

• Names of family members, including children
• Schedules, appointments, and activities
• Schools, sports teams, and extracurricular organizations
• Contact information for coaches, teachers, and other caregivers
• Relationships between people (e.g., "Coach Mike" is associated with "soccer practice")

Connected Account Data

When you connect your email or calendar, we access data from those services to extract relevant family logistics information. See Section 3 for detailed information about email handling.

Usage Information

• How you interact with the app (features used, corrections made)
• Device information (browser type, operating system)
• Mobile device identifiers, including a Firebase Cloud Messaging registration token and Firebase installation ID, generated automatically when you first open our iOS or Android app. We use these solely to deliver push notifications to your device. See Section 5 for details on the providers involved.
• Advertising identifiers (mobile apps only): on iOS, if you tap “Allow” on Apple’s App Tracking Transparency prompt, we and our attribution partners may receive your device’s IDFA. On Android, we may receive your Advertising ID unless you’ve opted out in device settings or turned off “Share discovery data” in SuperDuper’s Settings. We use these only to attribute app installs and sessions to our own ad campaigns—see Section 5 for details.
• Error logs and performance data

3. Email Access and Handling

Email access is core to how SuperDuper works—we extract family logistics information from school newsletters, activity schedules, and appointment confirmations. Given the sensitivity of email, we want to be explicit about our practices.

How We Filter Your Email

We don't process all your email. Most of your inbox never reaches our AI systems at all. We use a multi-stage filtering process:

• Automatically discarded: Shipping notifications, login codes, password resets, social media alerts, and payment receipts are filtered out immediately based on sender patterns—they never touch any AI system.
• Fast-tracked as relevant: Emails from .edu domains and known kid-logistics platforms (e.g., TeamSnap, ClassDojo, Konstella) proceed directly to processing.
• Evaluated for relevance: Remaining emails are assessed using sender and subject line. For uncertain cases, we may examine a preview of the email content to determine if it's family-related.

For most users, only a small fraction of their inbox is actually processed by our AI systems.

What We Store vs. What We Discard

For the small percentage of emails that are relevant, here's exactly what we keep and what we don't:

Think of it like a friend reading your email and telling you "soccer practice moved to Wednesday at 5pm." We remember the takeaway, not the entire message.

Human Access to Your Email

Our team does not have access to read your raw email content. If you report a bug or issue that requires us to examine your email data to diagnose the problem, we will require your explicit permission first. Any such access is logged, limited to the specific issue, and revoked once the problem is resolved.

Revoking Email Access

You can disconnect your email at any time through your account settings. When you do:

• We immediately stop accessing your email
• Previously extracted information remains in your account (you can delete this too)
• You can also revoke access directly through your email provider's security settings

Google Workspace API Limited Use

SuperDuper's use of information received from Google Workspace APIs (Gmail and Google Calendar) adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer Workspace API data to third parties for their own purposes, we do not use it for advertising, and we do not retain it to develop, improve, or train generalized or non-personalized AI/ML models. Before we request access to your Gmail or Google Calendar, our app shows a disclosure screen explaining that the data will be read by AI systems to extract family logistics; you must affirmatively accept before we request any OAuth scope.

4. Other Connected Accounts

Beyond email, SuperDuper may connect to other data sources you authorize to provide a more complete picture of your family's schedule. For all connected accounts, the following principles apply:

• We access only data relevant to family logistics
• We extract useful information and do not retain raw data long-term
• We never share data from your connected accounts (email, calendar) with advertisers, and we never use it to train AI models
• You can disconnect any account at any time through your settings

As we add support for new data sources, this policy will be updated to reflect any source-specific practices, but the core principles outlined above will always apply.

Calendar Access

When you connect a calendar account (such as Google Calendar), we access your event data to help manage your family's schedule. Here is what that involves:

We use this data to detect scheduling conflicts and surface relevant logistics information alongside data from your other connected sources.

Calendar Sync

If you choose to enable calendar sync, SuperDuper may also create or update events in your calendar on your behalf. Calendar sync is entirely opt-in—it is not enabled by default and requires your explicit consent. You can disable calendar sync at any time through your account settings without disconnecting calendar read access.

Calendar Data Storage

We store structured scheduling information extracted from your calendar events (dates, times, locations, attendees) to power conflict detection and logistics features. We do not retain raw calendar API responses long-term. If you disconnect your calendar, we stop accessing new data immediately. Previously extracted scheduling information remains in your account unless you delete it.

5. AI Processing and Model Training

SuperDuper uses artificial intelligence to understand your family's information and generate personalized applications. We want to be completely transparent about how this works.

How We Use AI

• Interpretation: We use AI to extract meaningful information from your emails and calendars (identifying people, events, and relationships)
• Generation: We use AI to create and customize your family's application interface
• Adaptation: We use AI to suggest improvements based on how you use the app

Third-Party AI Providers

We use third-party AI models to power our service. Today, those providers are Anthropic (Claude), OpenAI (GPT-family models), and Google (Gemini and Vertex AI). We may add or substitute providers over time and will update this list when we do. Here's what you need to know:

• Data Processing Agreements: We have contractual agreements with all AI providers that explicitly prohibit them from using your data to train their models
• API-Only Access: We use these services through their commercial APIs, which have stronger privacy protections than consumer products
• No Data Retention: Our agreements specify that AI providers do not retain your data beyond the immediate processing request
• Provider privacy policies: Anthropic · OpenAI · Google

What "No Training" Means Specifically

To be precise: when your data passes through an AI model, it is processed and a response is returned. Your data does not get added to any training dataset, influence model weights, or get used for reinforcement learning. It is not retained for any purpose beyond completing your request.

Operational Tools and Service Providers

Like virtually all modern software, SuperDuper relies on a small number of trusted third-party services to host the app, deliver notifications, and stay reliable. We name them all here so you can see exactly who they are and what each one does. Every provider on this list operates under a Data Processing Agreement that prohibits them from using your data for their own purposes, requires them to maintain appropriate security standards, and forbids them from training AI models on your data.

• Heroku (Salesforce, Inc.) — our cloud hosting provider. Stores and processes your account and family data on our behalf, in the United States. See the Salesforce Privacy Statement.
• Firebase Cloud Messaging (Google LLC) — delivers push notifications to your iOS and Android devices. Receives a registration token that identifies your specific app install (not you personally), plus device model, OS version, language, time zone, and app version. We never send the contents of notifications through any other party. See Firebase Privacy & Security.
• Sentry — error and crash reporting. Receives stack traces, device model, OS version, and app version when something goes wrong, so we can fix it. Does not receive your email content, calendar events, or family data. See the Sentry Privacy Policy.
• Better Stack — production logging and uptime monitoring. Receives application logs, which may include error context, request metadata, and account identifiers, so we can diagnose problems and keep the service reliable. Does not receive your email content, calendar events, or family data. See the Better Stack Privacy Policy.
• PostHog — product analytics. Receives anonymized interaction events (which features you used, when, on what device) so we can fix bugs and improve the product. Does not receive your email content, calendar events, or family data. See the PostHog Privacy Policy.
• Loops — transactional and product email delivery (the weekly preview email, account notifications, password resets). Receives your email address and the contents of messages we send you. See the Loops Privacy Policy.

That's the complete list of operational and infrastructure providers. Our AI providers are listed separately above, because the data we send them is different in kind and we want to be explicit about it. None of the services on this page use your data to train AI models, and none of them are permitted to use your data for any purpose beyond supporting SuperDuper.

Mobile Ad Attribution (iOS and Android Apps Only)

Our mobile apps include two SDKs used solely to measure the effectiveness of our own advertising—so we can tell whether a user who saw a SuperDuper ad on, say, Instagram went on to install the app. We do not serve ads inside SuperDuper, and we do not use these SDKs to target ads to you anywhere else.

• Meta SDK (FBSDKCoreKit) — used for Meta (Facebook and Instagram) ad attribution. Receives app-install events, app-open events, and your device's advertising identifier (IDFA on iOS with ATT consent; Android Advertising ID subject to your device's opt-out). See the Meta Privacy Policy.
• Firebase Analytics (Google LLC) — used for Google Ads attribution. Receives similar app-install and app-session events, advertising identifier, device model, and app version. See Firebase Privacy & Security and the Google Privacy Policy.

What these SDKs never receive: your email content, your calendar events, the names of your family members, or anything from your connected accounts.

Turning this off. You can disable both SDKs at any time in the SuperDuper app at Settings → Privacy → Share discovery data. Turning this off stops the SDKs from collecting or transmitting any data; changes take effect after you restart the app. On iOS, declining Apple's App Tracking Transparency prompt prevents either SDK from receiving your IDFA regardless of the Settings toggle; the SDKs then rely on Apple's privacy-preserving SKAdNetwork signals, which do not identify you.

6. How We Use Your Information

We use your information for these purposes:

• Providing the Service: Processing your data to create and maintain your family logistics application
• Improving Your Experience: Learning from your corrections and feedback to make the app more accurate for you. This may include re-processing information from your connected accounts to improve accuracy and surface more relevant insights for you.
• Communication: Sending you important updates about the service (you can opt out of non-essential communications)
• Security: Protecting your account and detecting fraudulent activity
• Legal Compliance: Meeting our legal obligations

7. When We Share Your Information

We share your information only in these limited circumstances:

• Service Providers: With companies that help us provide our service (cloud hosting, AI processing, payment processing), under strict contractual protections
• With Your Consent: When you explicitly ask us to share information
• Legal Requirements: When required by law, subpoena, or court order
• Safety: If we believe disclosure is necessary to prevent harm to you, us, or others
• Business Transfer: In connection with a merger, acquisition, or sale of assets, your data may be transferred. We will notify you of any such change and your options regarding your data.

8. How We Protect Your Information

We implement industry-standard security measures to protect your data:

• SOC 2 Compliance: We maintain SOC 2 Type II certification, demonstrating our commitment to security, availability, and confidentiality through independent audit
• Encryption in Transit: All data transmitted to and from our service uses TLS encryption
• Encryption at Rest: Your data is encrypted when stored in our databases
• Access Controls: Strict internal policies limit who can access user data, and all access is logged
• Regular Audits: We regularly review our security practices and update them as needed
• Vendor Security: We vet all service providers for appropriate security practices

No system is perfectly secure. If we discover a security breach affecting your personal information, we will notify you as required by applicable law.

9. Your Rights and Choices

You have the right to:

• Access: Request a copy of the personal information we hold about you
• Correction: Request that we correct inaccurate information
• Deletion: Request that we delete your personal information
• Portability: Request your data in a portable format
• Withdraw Consent: Disconnect data sources or close your account at any time
• Object: Object to certain processing of your information

To exercise these rights, contact us at privacy@superduperlabs.com. We will respond within 30 days.

Shared Family Accounts

SuperDuper allows multiple parents or guardians to be part of the same family account. Here's how data sharing works in shared accounts:

• Consent to Share: By participating in a shared family account and connecting your email, you consent to other family members seeing the extracted summaries from your email (e.g., event details, schedules, activities)
• Dashboard Visibility: All members of a family account can see all items on the shared dashboard, including information extracted from any connected email account
• Raw Email Remains Private: Other family members never have access to your raw email content—only the extracted logistics summaries appear on the dashboard
• Optional Connection: Each parent can choose whether to connect their own email for extraction. You can participate in a family account without connecting your email.

If you're uncomfortable with other family members seeing your extracted email summaries, you can disconnect your email at any time while remaining a member of the family account.

10. Information About Children

Our service processes information about children as part of family logistics management. We want to be clear about our approach:

• Parental Control: All information about children is provided and controlled by their parents or guardians
• Limited Collection: We collect information about children relevant to scheduling and activities (names, schedules, teams, activities)—not academic records, grades, or sensitive educational data
• No Marketing: We never use information about children for marketing or advertising purposes
• Parental Access: Parents can access, modify, or delete any information about their children at any time

Future Integrations

We may add integrations with youth sports platforms, activity management tools, and similar services to improve our ability to track your children's schedules. Any such integrations will require your explicit authorization and will be limited to scheduling and logistics information—not academic performance or grades.

If you have questions about our handling of children's information, please contact us at privacy@superduperlabs.com.

11. Data Retention

We retain your information for as long as you maintain an active account. After account deletion:

• Personal information is deleted from active systems within 30 days
• Legal and billing records are retained as required by law

12. California Privacy Rights

If you're a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: What personal information we collect, use, and share
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt out of the sale or sharing of personal information
• Right to Non-Discrimination: We won't discriminate against you for exercising your rights

We do not sell your personal information. Our mobile apps do share limited data—app-install and app-session events, and advertising identifiers when permitted—with Meta and Google to measure the performance of our own ads. Under California law, this is considered “sharing for cross-context behavioral advertising.” You can opt out at any time in the SuperDuper mobile app at Settings → Privacy → Share discovery data, or by emailing privacy@superduperlabs.com.

13. International Users

SuperDuper is designed for and operated in the United States. We do not specifically target or market to users outside the United States.

If you access our service from outside the United States, you do so at your own initiative and are responsible for compliance with local laws. By using SuperDuper, you consent to the transfer of your information to the United States, where data protection laws may differ from those in your country.

14. Changes to This Policy

We may update this privacy policy from time to time. When we make significant changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you by email or through the app
• For material changes, request your acknowledgment before continued use

15. Contact Us

If you have questions about this privacy policy or our data practices, please contact us:

We aim to respond to all privacy inquiries within 30 days.