Data Controller: Hably Software Ltd, a company registered in England and Wales under company number 17050988
Product: Productivities — comprising the desktop application, the iOS mobile companion app, the bundled command-line interface, and any optional self-hosted server you operate (together, "the App")
Effective Date: 1 June 2026
Last Updated: 8 June 2026
Productivities ("the App", "we", "us") is a personal productivity application produced by Hably Software Ltd, a company registered in England and Wales (company number 17050988). This Privacy Policy describes what personal data the App processes, where it is stored, who it is shared with, and the rights you have over that data under the UK GDPR, the EU GDPR, and equivalent applicable laws.
The defining characteristic of Productivities is that it is a local-first application. Hably Software Ltd does not operate any cloud service that stores, processes, or backs up the content you create, and the App does not transmit your content to any Hably Software Ltd-controlled server. Your data lives on your own devices and on any infrastructure you choose to host it on. We do not run analytics, telemetry, crash reporting, or any "phone-home" services. We do not have access to your data.
If you use the Productivities mobile companion app, your phone communicates directly with the Productivities server running on your desktop (or on a self-hosted server you operate). No data passes through Hably Software Ltd in the process. By default the desktop server listens only on the loopback interface (127.0.0.1) and is not reachable from any other device. To allow your phone to connect, an administrator on the installation must explicitly enable network (LAN) access in the App's settings on a Pro-tier installation; until that happens, no device other than the desktop itself can reach the server. While LAN access is on, other devices on the same network can also reach the sign-in endpoint (authentication, rate-limiting, and tier and per-user permission checks all continue to apply), and the App reverts to loopback-only as soon as that setting is turned off and the App is restarted. If you wish to use the mobile app from outside your local network, that is handled by infrastructure you operate — for example, a reverse proxy, VPN, or secure tunnel — and the security of that transport (TLS termination, who can reach the tunnel, and so on) is your responsibility. The mobile app signs in to your server using your username and password, in the same way the desktop interface does, and the server then issues a session cookie that authenticates subsequent requests from that device. Mobile access additionally requires that mobile is enabled on a Pro-tier installation and that mobile access is permitted for your user account.
Aside from the mobile sync just described, no data you enter into the App leaves your device unless you deliberately enable an integration with a third-party service (see Section 5). This policy describes the data the App handles on your device, the mobile-companion data flow, and the third-party services you may choose to connect to. Where you choose to connect such services, those third parties become independent data controllers for the data you direct the App to send them, and their own privacy policies will additionally apply.
| Topic | Position |
|---|---|
| Cloud storage of your content by Hably Software Ltd | None |
| Analytics, telemetry, or uploaded crash/error reports | None — the App writes a local log file on your device that records crashes and errors, but it is not uploaded anywhere (see 3.4) |
| Tracking cookies | None |
| Third-party advertising | None |
| Selling of personal data | Never |
| Data stored locally on your device | Yes — all content by default |
| Data sent to third parties | Only when you explicitly enable an optional integration (AI providers, Google, Jira, etc.) |
| Encryption of sensitive credentials at rest | AES-256-GCM |
| Password storage | bcrypt (cost factor 10) |
| Two-factor authentication | Not currently supported |
| Children under 13 | Service is not directed at children |
When you create a user account in the App, the following is stored in the App's local SQLite database (or, in self-hosted multi-user deployments, in your PostgreSQL database):
The App is designed to store the productivity content you author. Depending on the features you use, this may include:
Where you configure the App to use file-based features, content is written as plain files in folders you choose:
.md) files with optional YAML frontmatter, stored in the folder you specify in Settings → NotesDD-Mon-YYYY.md (e.g. 01-Jan-2026.md), stored in the folder you specify (these are referred to as "journal" in some internal storage paths and setting names)These files are ordinary files under your control. The App does not back them up or transmit them anywhere of its own accord. However, if you nominate a folder that is a Git repository, you can additionally enable the App's optional Git integration. When enabled, the App can:
The remote URL is configured by you, in the App, via Settings → Notes → Git. Authentication to the remote is handled by your system's standard Git mechanisms (credential helpers, SSH keys, personal access tokens, etc.); the App itself does not store Git credentials. If you enable a remote and push to it, the contents of your Notes (and any Daily Notes or other Markdown files in the same repository) are transmitted to that remote host, and that host's terms and privacy policy apply. You can remove the remote, or disable Git integration entirely, at any time.
config.json in your application-data directorysafeStorage (macOS Keychain, Windows DPAPI, or Linux libsecret); the sealed form is stored as a small file in your application-data directory with owner-only file permissions (mode 0600). On systems where a keystore is not available, the key is stored directly in that same file with the same file permissionsconnect.sid cookie, set as HttpOnly and SameSite=Lax, with a default lifetime of 30 days; expires when you sign outproductivities.log) in the application-data directory. This file records operational messages, warnings, crashes, and error stack traces — in other words, it serves the role that a crash-reporting service would serve in other apps, except that it stays on your device. Nothing in this file is uploaded to Hably Software Ltd or to any third party; there is no background process that transmits errors anywhere. You can open, inspect, or delete the file at any timepr command-line tool and external scripting): if you generate one or more API keys in Settings → API Keys, each key is shown to you once at the moment of creation and is stored in the database only as a one-way bcrypt hash, alongside a short non-secret prefix, an optional label you assign, and the times of creation, last use, and (if applicable) revocation. These keys are used by the bundled pr command-line interface and by any script you write to talk to your own Productivities server; the mobile companion app does not use this mechanism. You can revoke any API key at any time, after which it is rejected for all further requestsIf you choose to connect the App to a third-party service, you provide credentials to that service. The following credentials are stored encrypted at rest using AES-256-GCM:
The encryption key is a 256-bit random value generated when the App first runs. On macOS and Windows, and on Linux systems that provide a keyring daemon, the key is sealed with your operating system's secure keystore — the macOS Keychain, Windows DPAPI, or Linux libsecret (gnome-keyring / wallet) — via Electron's safeStorage API; only the sealed (wrapped) form is written to disk, in a file in your application-data directory with owner-only file permissions (mode 0600). The unwrapped key never touches the filesystem. This means an attacker who obtains a copy of the database and the wrapped key file (for example via a copied user-data folder, an unencrypted disk image, or a filesystem snapshot taken without the keystore) still cannot read the encrypted credentials, because unwrapping the key requires the original macOS user session, the original Windows user/machine pair, or the original Linux libsecret-protected secret. If you copy your application-data folder to a different machine or restore from a backup on a new operating-system install, the wrapped key will not unseal there: the App detects this on next launch, leaves the encrypted credentials in place (untouched), and surfaces a prompt asking you to reconnect Google, Atlassian, and your AI provider keys. Your tasks, notes, and other non-credential data are unaffected.
On systems where a keystore is not available (most commonly: Linux without a running keyring daemon, or running the server in a headless multi-user / self-hosted PostgreSQL configuration under a service account), the key is stored directly in the same file with owner-only file permissions. In that configuration the at-rest protection is equivalent to "the database file alone is not enough to read your credentials"; we still recommend enabling full-disk encryption (such as macOS FileVault, BitLocker, or LUKS) on the device running the App.
The notes lock-password (an optional feature that password-protects access to your notes) is stored only as a bcrypt hash.
The iOS app is a thin companion to your Productivities server. Everything below describes data the iOS app handles on your phone, in addition to the data flows already described above. The iOS app does not talk to Hably Software Ltd; it talks only to the Productivities server you point it at (your desktop App on the same network, or a self-hosted server you operate).
Operating-system permissions requested. The iOS app requests only one OS-level permission: access to your device's Calendars (full access), used to display calendar events alongside your tasks. The app does not request access to your microphone, camera, photo library, contacts, location, Health data, HomeKit, biometrics, push notifications, or any other sensitive data class. You may revoke calendar access at any time from iOS Settings.
How the iOS app reaches your server. You enter the URL of your Productivities server manually on the sign-in screen (for example http://192.168.1.20:3456 for a local-network desktop, or https://your.tunnel.example for a reverse-proxied / tunnelled server). The app does not use Bonjour / mDNS discovery, QR-code pairing, or any other automatic mechanism, and it does not maintain a directory of servers. Plain HTTP is permitted only for local-network destinations (iOS App Transport Security is configured with NSAllowsLocalNetworking, with all other URLs required to use HTTPS); for any non-local-network destination, you must front your server with TLS. The mobile app signs in to your server using your username and password, in the same way the desktop interface does, and the server then issues a session cookie that authenticates subsequent requests from that device. Mobile access additionally requires that mobile is enabled on a Pro-tier installation and that mobile access is permitted for your user account.
Authentication and credential storage on the phone. You sign in with your Productivities username and password. The server returns a session cookie which is held in iOS's standard HTTPCookieStorage. So that the iOS Share Extension (described below) can authenticate as you, the cookie and your server URL are also persisted into a shared App Group UserDefaults container. App Group UserDefaults is sandboxed to the Productivities app and its Share Extension and is not readable by other apps, but it is included in iCloud and iTunes/Finder device backups unless those backups are encrypted; we therefore recommend enabling the Encrypt iPhone Backup option in Finder and using an iCloud backup if you back up your device. The iOS app does not store your password; if your session expires, you sign in again.
Local cache of your content on the phone. To support offline use and quick launches, the iOS app maintains a local cache in the app's sandbox containing snapshots of your tasks, notes, pinned items, spaces, app settings, and similar content fetched from your server, together with a queue of pending offline changes that the app will replay to your server when next connected. This cache is stored as plain JSON in the app's sandbox; image previews are cached separately. The cache is not encrypted by the App. iOS itself protects the sandbox while your phone is locked (via the standard Data Protection class), and the contents are inaccessible to other apps. You can clear the cache by signing out of the app, or remove it entirely by deleting the app from your device.
Share Extension. The iOS app installs a Share Extension that lets you send a URL, snippet of text, or image from another app into Productivities. When you use it, the selected content is uploaded over the same authenticated connection to your Productivities server; large images are downscaled and recompressed locally before upload. The Share Extension does not transmit anything anywhere other than to your server.
Background refresh. The app uses iOS Background App Refresh (BGAppRefreshTask) to flush pending offline changes when iOS judges it a good moment to do so. This is a local, OS-scheduled mechanism — it does not involve push notifications and nothing about the schedule is sent off-device.
What the iOS app does not do. The iOS app does not include any third-party analytics, crash-reporting, advertising, or attribution SDK; it does not request or use the iOS advertising identifier (IDFA), does not present an App Tracking Transparency prompt, and does not register for Apple Push Notification service (APNS) or any other push provider.
By default, all data described in section 3 is stored on your own device, in the following locations on macOS:
~/Library/Application Support/Productivities/productivities.db~/Library/Application Support/Productivities/.encryption-key~/Library/Application Support/Productivities/.session-secret~/Library/Application Support/Productivities/productivities.log~/Library/Application Support/Productivities/memory/~/Library/Application Support/Productivities/focus-music/On the iOS mobile companion app, data is held inside the app's standard iOS sandbox: the offline cache of your tasks/notes/pins/spaces/settings and the pending-mutation queue are written as JSON files inside the app's Application Support directory; cached images are written inside Caches; the session cookie and your server URL are written into the shared App Group UserDefaults container (group.app.hably.flow.ios) so that the Share Extension can authenticate. Removing the app from your device removes all of the above.
If you deploy the App as a self-hosted multi-user server (an advanced configuration), the database may be PostgreSQL on the server you operate. In that case Hably Software Ltd has no involvement: you are the data controller for the deployment, and you are responsible for its security, backups, and lawful operation.
The App is functional and feature-rich without enabling any integration. The integrations described below are entirely optional, are disabled by default, and require you to enter credentials. When you enable an integration, you are directing the App to transmit data to that third party, and that third party becomes an independent data controller for the data you send it. Their privacy policies apply in addition to this one.
If you enable the AI assistant, your chat messages, conversation history, system instructions, and any files you attach (images, PDFs, text) are sent to the AI provider you select. Supported providers are:
| Provider | Endpoint | What is sent |
|---|---|---|
| Ollama (local) | http://localhost:11434 by default (configurable) |
Stays on your device; no external transmission |
| xAI (Grok) | https://api.x.ai/v1 |
Conversation history, chosen model, attachments, tool-use signals (e.g. web search) |
| OpenAI | https://api.openai.com/v1 |
Conversation history, chosen model, attachments |
| Google Gemini | https://generativelanguage.googleapis.com/v1beta/openai |
Conversation history, chosen model, attachments |
Attachments may be up to 20 MB per file. Supported types are JPEG, PNG, WebP, PDF, plain text, Markdown, and CSV. Attachments are held only in memory by the App and are not retained on disk after the request completes.
If you grant the AI assistant tool access (a Pro-tier feature), the assistant can additionally read and write content within the App on your behalf — for example, creating tasks, reading notes, updating settings, or logging measurements. When this happens, the contents of those operations are sent to the AI provider as part of the conversation context.
If you connect a Google account, the App initiates a standard OAuth 2.0 flow with PKCE. The scopes requested are:
https://www.googleapis.com/auth/calendar — read and write access to your Google Calendarshttps://www.googleapis.com/auth/drive.readonly — read-only access to file metadata in your Google Driveopenid, email — to identify the connected accountThe resulting access and refresh tokens are stored encrypted on your device and are used only to make API calls to Google in response to your actions in the App. You can disconnect at any time via Settings → Integrations, which revokes the tokens with Google and removes them from local storage.
If you supply your Atlassian email and API token, the App can fetch the live status of Jira issues you reference. The token is stored encrypted. Requests are made directly from your device to your Atlassian instance using HTTP Basic Authentication, and may retrieve summaries, statuses, assignees, priorities, descriptions, labels, and comments for issues you reference.
On macOS, the App can read from and write to the system Calendar and Reminders databases via Apple's EventKit framework, mediated by a bundled native command-line helper. This requires you to grant Calendar and Reminders permission to the App through macOS's standard consent prompts. This data exchange is between the App and your own Mac; no data is transmitted off the device by this feature.
If you add an iCal feed URL to the calendar, the App will fetch that URL directly from your device in order to display its events. The URL itself is stored in your local settings.
When you save a pin (a bookmarked URL), the App fetches the URL from your device to extract a preview (title, description, image, and parsed article text). The remote site will see this request as originating from your device. If you enable the optional vision feature for pins, an associated image may additionally be sent to the AI provider you have configured for analysis.
Tier upgrades (Group, Pro) are sold exclusively through Apple's App Store using StoreKit. Hably Software Ltd does not operate its own payment system and does not receive your payment-method details. Transaction receipts signed by Apple are verified by the App and a record of the resulting entitlement (tier, product ID, transaction ID, purchase timestamp, and environment) is stored locally so that the App knows which features to enable.
If you use voice dictation in the AI chat, the App requests microphone permission. Speech recognition is performed on-device using Apple's local speech recognition framework; audio is not sent to any cloud speech service. The resulting transcript is then sent to the AI provider you have configured, in the same way as any other message you type.
We want to be specific about what we have deliberately chosen not to do:
We implement the following technical measures:
safeStorage, so the wrapped key file alone cannot be opened without the original OS user session. On other systems the key is stored with owner-only file permissions (mode 0600)Secure when served over HTTPS127.0.0.1) and is not reachable from any other device. The server only begins listening on the local network when an administrator explicitly enables network (LAN) access in the App's settings on a Pro-tier installation, and reverts to loopback-only when that setting is turned off. Self-hosted operators who run the App in a server context (for example, in Docker or behind their own reverse proxy) can override the bind address via the HABLY_BIND_HOST environment variable to suit their deployment topologyYou should be aware of the following limitations:
No security measure is perfect. You are responsible for securing the device on which the App runs.
The App can be operated as a multi-user installation (an advanced "Group" or "Pro" deployment). In this mode:
In a multi-user deployment, the person or organisation operating the installation is the data controller. Hably Software Ltd is not involved in that deployment and does not have access to it.
The App supports configurable automated backups to a folder you nominate. Backups are full copies of the SQLite database, written with timestamped filenames, retained according to a configurable retention policy (default: 7 most recent copies). Backups are not transmitted anywhere. You are responsible for the security and storage of your backup folder.
Productivities is a general-purpose productivity tool intended for adults. It is not directed at children under the age of 13 (or under 16 in jurisdictions where that is the applicable threshold), and we do not knowingly process personal data of children. If you believe a child has used the App in a way that requires your attention as a parent or guardian, you have full control over the data on the device; please use the deletion options described below.
Because the App stores your data locally on a device you control, you exercise most data-protection rights directly through the App, without needing to ask us:
| Right | How to exercise it |
|---|---|
| Access | All your data is in the App's interface, the SQLite database file, and the file folders you nominated. You can open or copy them at any time |
| Rectification | Edit any record directly in the App |
| Erasure | Use Settings → Erase All Data to delete tasks, sub-tasks, routines, routine logs, spaces, kanban columns, time entries, and the systems framework. Notes and other filesystem-stored content are not deleted by this action — you must delete those files yourself. An administrator can delete an entire user account, which cascades to substantially all of that user's content in the database |
| Restriction / Objection | Disable any feature in Settings. Disconnect any integration in Settings → Integrations |
| Portability | Notes and Daily Notes are already in a portable format (Markdown). Database content can be exported by copying the SQLite database file or by an administrator generating a backup |
| Withdraw consent | Disable the relevant integration; revoke the relevant credential at the provider (e.g. revoke an OpenAI API key in your OpenAI account) |
We note the following honest limitations of the current implementation:
To the extent that Hably Software Ltd is a data controller in respect of any processing (which, in the default local-only configuration, is limited), we rely on the following legal bases:
Because data is stored on your device, retention is under your control. We do not impose any retention period on data we cannot see. Specific defaults within the App:
The App itself does not transfer your data internationally. Where you enable a third-party integration, that integration may involve transfers — for example, AI providers and Google operate globally. Those transfers are governed by the respective provider's safeguards (Standard Contractual Clauses, Data Privacy Framework adherence, etc.) and by their own privacy policies.
We may update this Privacy Policy from time to time, for example to reflect new features or legal requirements. The "Last Updated" date at the top of this document will indicate when the most recent change was made. Material changes will be highlighted in release notes for the version of the App that introduces them.
For questions about this Privacy Policy or to make a data-protection request: