Who we are
Sweet Goals is a project of GENLY, Inc. It is a to-do list app that strives to offer simplicity, encouragement, and useful integrations with third-party APIs. Our website address is: https://sweetgoals.com
What personal data we collect and why we collect it
When visitors fill out contact forms, we collect the data shown in the form, and also the visitor's IP address to help with spam detection.
When you log in, we will set up a cookie to save your login information, and occasionally additional cookies to save your screen display choices. Login cookies last for 2 hours. If you select "Remember Me," your login will persist for up to three months, or until your cookies are cleared in some other manner. If you log out of your account, the login cookies will be removed.
When users access the site, we record their IP address to assist in spam and fraud prevention. These IP addresses are kept for a period of 3 months and then discarded.
The date and time a user last accessed the site is kept as part of that user's information. Only one such timestamp is recorded; accessing the site removes any previous "last usage" timestamp.
At this time, Sweet Goals users do not have any public profile. However, this may change in the future -- you will be able to choose whether to opt in to sharing features or not.
To-do list tasks
When you enter a to-do list task on Sweet Goals, that information is stored indefinitely in association with your account. Your to-do list tasks are only visible to you, and occasionally to site admins when assisting in technical support requests.
When you connect a third-party calendar application (such as Google Calendar) to Sweet Goals, the names and IDs of your third-party calendars will be cached on our server, along with the events on those calendars. Your synced calendar events are only visible to you, and occasionally to site admins when assisting in technical support requests. If you disconnect your third-party calendar from your Sweet Goals account, all cached information about that calendar will be erased in at most 24 hours.
Sweet Goals' use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
If you choose to register your account via Google OAuth, or to connect a Google account to your Sweet Goals account at a later time, an OAuth access token and refresh token will be stored in association with your account to allow us to access the information that you request, as well as an account ID number to help us identify you when you log in using these third-party services. OAuth refresh tokens last an average of 200 days before they need to be renewed by a fresh OAuth login. After setting an on-site password, you may choose to disconnect your OAuth accounts at any time.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
We use Google Analytics for aggregated, anonymized website traffic analysis. In order to track your session usage, Google drops a cookie (_ga) with a randomly-generated ClientID in your browser. This ID is anonymized and contains no identifiable information like email, phone number, name, etc. We also send Google your IP Address. We use GA to track aggregated website behavior, such as what pages you looked at, for how long, and so on. This information is important to us for improving the user experience and determining site effectiveness. If you would like to access what browsing information we have - or ask us to delete any GA data - please delete your _ga cookies, reach out to us via our contact form, and/or install the Google Analytics Opt-Out Browser Add-On.
How long we retain your data
IP addresses that have been stored as part of site usage (rather than as part of the metadata of a comment) are kept for a period of 3 months and then discarded. This is to help us with spam, harassment and fraud prevention.
To-do list tasks and calendar events may be kept indefinitely, to provide you with a full record of your usage.
If you choose to delete your user account, all to-do list tasks, password information, personal information, calendar events, and third-party OAuth connections will be deleted.
Notes made by staff in a user's moderation/customer service log may be kept indefinitely.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
We do not view messages you have left for other users, such as comments, as personal information; however, your name may be removed from comments if you have also closed the user account with which you made those comments (if any).
Who we share your data with
Sweet Goals staff members, such as administrators and moderators, can view data you provide to us or post on the site. Private information is held in confidence and not discussed outside of the staff.
We never sell or trade your information to third parties.
In the few and rare cases where information is shared with third parties, it is with the understanding that that information be used solely to assist us in providing you with the services associated with Sweet Goals. See "where we send your data" below for more on this topic.
Where we send your data
We make use of the email service Mailgun to send our newsletters, transactional emails and other announcements. If you have opted-in to our newsletter, we may sync some basic information about you to Mailgun to help us address our emails to you. Mailgun may not use or distribute this information for any reason other than delivering the emails from us to you. You may unsubscribe from our newsletter at any time to stop receiving these emails.
What third parties we receive data from
We receive anonymized data from Google Analytics regarding where people are accessing the site from, what browsers and devices are used when accessing the site, what portions of the site see the most traffic, and durations of sessions. This information is not personally identifiable to you and instead gives us an "in general" data view about how the site is used over time.
If you have connected a third-party application such as Google Calendar or Basecamp, we may also receive some information from the third party that you have connected in order to provide you with a more useful experience. For example, connecting a Google Calendar allows us to show you your calendar events in your Sweet Goals planner.
Your contact information
On rare occasions, we may use your provided contact information (email) to contact you off-site. This includes "transactional" messages (such as receipts) and questions or notices regarding your account.
How we protect your data
Securing a website requires minimizing and preparing for many different types of threats. This includes securing the website code, the server that the website is hosted on, and the transfer of data between the user's access device and our service. It also includes having appropriate data-handling policies in place and a culture of security for staff that must handle user data. We've made efforts to address all of these areas, and continue to educate ourselves on evolving best practices and update our procedures or code accordingly.
All connections to the site are made via https:// with a valid third-party SSL certificate to prevent attackers from "listening in" or changing data as it is sent between your computer and our server, and vice versa.
All passwords are stored using one-way encryption; not even the staff here at Sweet Goals can see your password. In addition, access to even the encrypted passwords is restricted to a very small number of staff members whose jobs absolutely require interacting with the database.
Our customer service procedures are written to require that when someone contacts us about an account, we may only discuss account information or provide password resets or other assistance with the email address associated with the account. If for some reason this is not possible, then other methods of identification must be provided. Simply telling us you no longer have access to your email account is insufficient, as anyone could tell us this. If a member is requesting assistance changing the email associated with their account, we will email the old email address first, in addition to asking for other methods of identification.
We keep our underlying software updated with all necessary security patches.
We have worked with the hosting company that owns the server that Sweet Goals is hosted on to ensure that our hosting server has been properly hardened against attackers, and have received assurances that if a security breach occurs on their end we will be immediately notified.
In addition to our continued efforts to keep the site safe and secure, we urge our users to make use of good password hygiene practices, including not re-using passwords between different sites or accounts. This is one of the most important steps an individual can take to avoid losing control of more sensitive accounts, such as email and banking.
What data breach procedures we have in place
If we discover or suspect that a data breach has taken place, we will notify all potentially affected users as soon as possible, and no later than 24 hours after becoming aware of the data breach. This will allow potentially affected users to take immediate action to protect themselves such as by changing their passwords on any other site where they re-used their Sweet Goals password.
We will thoroughly investigate the breach or potential breach, and provide further updates to affected members should any new information of relevance come to light. We will also take corrective action to prevent a similar breach from re-occurring. However, these remedies will not delay our initial alert to members.
If we have a reason to suspect that an individual account has been compromised on the user's end (e.g., having your laptop that was logged into our service stolen, or having your password known or guessed by a jealous ex), we may initiate a password reset and contact the account owner.
You may also wish to review our Terms of Service.
This policy last updated 9/15/2020