This policy explains what data Desk FT ("we", "us") collects when you use the Desk FT mobile or web application, why we collect it, and what choices you have. Plain English first — if anything here is unclear, write to [email protected] and we'll explain.
Who runs Desk FT
Desk FT is operated as a sole-trader product. The data controller for the purposes of GDPR is the operator, reachable at [email protected].
What we collect
- Account info. Email address (used to sign in) and, if you sign in with Apple or Google, the identifier and name those providers return.
- Workspace content. Anything you or your clients put into your desks — workspace name, brand colour, module data (timeline posts, checklist items, form submissions, file uploads, link entries, welcome messages).
- Files. Documents uploaded to the Vault module are stored in Supabase Storage and served via signed URLs to members of the same workspace.
- Device info. A Firebase Cloud Messaging push token, generated per device, used only to deliver in-app notifications. Removed when you sign out.
- Usage events. Workspace activity events (new file, new timeline post, checklist item completed) — kept in your workspace's database so other members can see the activity feed. No third-party analytics.
- Logs. Supabase records request metadata (timestamp, IP, path) for security and rate-limiting. Retention follows the Supabase default of 7 days on the free plan.
What we don't collect
- No third-party analytics or advertising SDKs. No Google Analytics, no Meta pixel, no tracking cookies.
- No location data.
- No microphone, camera, or contacts access.
- We don't sell or rent your data to anyone. Ever.
Why we collect it
- To run the product — sign you in, store your desk data, deliver push notifications, let workspace members see each other's activity.
- To keep things secure — detect abuse, enforce row-level security so each workspace's data stays isolated.
- To answer support questions — if you write in, we may look at your workspace to help debug.
Who processes the data
- Supabase (Supabase Inc., USA) — auth, database, file storage, realtime. Data is stored on Supabase's infrastructure under their privacy policy.
- Google / Firebase (Google LLC, USA) — push notification delivery via Firebase Cloud Messaging. When you subscribe through Google Play, Google also processes your purchase as the payment processor. Subject to Google's privacy policy.
- Apple (Apple Inc., USA) — when you choose Sign in with Apple, Apple receives the authentication request and returns an identity token. When you subscribe through the App Store, Apple processes the purchase as the payment processor. Subject to Apple's privacy policy.
- RevenueCat (RevenueCat, Inc., USA) — receives a per-user identifier (your Desk FT user ID) and subscription events from the App Store / Google Play so we can keep your entitlement status in sync across devices. RevenueCat does not receive your name, email, or workspace contents. Subject to RevenueCat's privacy policy.
We use the standard production tiers of these services. None of them are used for marketing or profiling.
Where the data lives
Supabase hosts the database and file storage in the us-west-2 (Oregon, USA) region. Push-notification routing flows through Google's global infrastructure; in-app purchase events flow through Apple or Google's servers (depending on the store) before reaching RevenueCat in the United States. Data is stored encrypted at rest and transmitted over HTTPS / TLS.
International transfers. If you're in the EU, the UK, Canada, or another jurisdiction with cross-border data-transfer rules, accessing Desk FT means your data is transferred to and stored in the United States. We rely on the Standard Contractual Clauses (and the UK Addendum where applicable) that Supabase, Google, Apple, and RevenueCat maintain with their customers as the legal basis for these transfers. We do not move your data between regions on our end.
How long we keep it
- While your account is active — your workspace and its contents are kept indefinitely so they're there when you log in.
- After you delete your account — workspace data is removed within 30 days. Backup snapshots may persist for up to 90 days.
- Server logs — Supabase default retention (~7 days on the free plan; longer on paid tiers).
Your rights
If GDPR, UK GDPR, CCPA, PIPEDA or a similar regime applies to you, you have the right to:
- See what data we hold about you.
- Correct it if it's wrong.
- Delete your account and have the associated data removed.
- Export your workspace data in a portable format.
- Object to processing, or withdraw consent — for example, you can revoke notification permission in your OS settings at any time.
To exercise any of these, email [email protected] from the address attached to your account. We'll respond within 30 days.
Children
Desk FT is intended for adults running a business. We don't knowingly collect data from anyone under 16. If you believe a child has signed up, write to us and we'll delete the account.
Cookies
The mobile apps don't use cookies. The web admin at app.deskft.com uses Supabase's session cookie to keep you signed in. The marketing site at deskft.com sets no cookies of its own.
Changes to this policy
If we change anything material we'll update the "Last updated" date at the top and, where reasonable, notify active accounts in-app or by email.