Privacy Policy

Who this applies to

3life Hub (hub.3life.in) is a single-user personal productivity application operated by Jitender Bishnoi for private use. It is not offered to the public, has no sign-up flow, and no third party other than the sole operator has data stored in the system. The application's authentication is gated to one allowlisted email address.

This policy describes what data the application handles, why, and how it is protected — primarily to satisfy Google’s OAuth consent-screen verification requirements.

Data we collect

When the sole user authenticates with Google, the application receives and stores the following from Google’s OAuth flow:

• Google account email address, name, and profile picture URL.
• OAuth access and refresh tokens, used solely to call the Google APIs the user has consented to (Gmail, Calendar, Contacts, Drive, Sheets).
• Messages, events, contacts, and files retrieved from the user’s own Google account in response to the user’s explicit actions inside the application (e.g. viewing the inbox, scheduling an event, scanning a recipe attachment).

The application also stores content the user creates directly inside it: notes, tasks, journal entries, reminders, expenses, voice memos, recipes, and similar personal-organizer data.

How we use the data

Data is used only to provide the features the user interacts with inside the application:

• Display the user’s own emails and calendar events.
• Generate AI summaries and triage suggestions over the user’s own content.
• Schedule reminders, push notifications, and daily briefings.
• Power semantic search across the user’s own notes and memos.

We do not use Google user data for advertising. We do not sell, lease, or share Google user data with any third party. We do not use Google user data to train, fine-tune, or otherwise improve generalized AI models.

Limited Use disclosure (Google API Services)

3life Hub’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In particular:

• We only request the OAuth scopes minimally needed to perform the features the user has chosen to use.
• Google user data is used only to provide or improve user-facing features that are prominent in the application.
• We do not transfer Google user data to third parties except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
• Humans do not read Google user data unless the operator (also the sole user) is troubleshooting their own account.

Where the data lives

• Application database: Neon Postgres, US/EU region. Access is restricted via per-environment credentials and TLS-only connections.
• File attachments and voice memos: Vercel Blob storage, signed URLs with limited lifetime.
• Encrypted vault entries (passwords, ID copies): encrypted client-side via WebCrypto AES-GCM before being stored. The server only ever sees ciphertext; the master passphrase never leaves the device.
• OAuth tokens and ephemeral session cookies: encrypted at rest in the database, transmitted over HTTPS only.

Third-party services

The application relies on the following processors to deliver features, each governed by their own privacy policies:

• Google LLC — Gmail, Calendar, Contacts, Drive, Sheets, OAuth authentication, Firebase Cloud Messaging push.
• Anthropic — Claude API for AI summaries, draft replies, and command-bar tool use. Per Anthropic’s API terms, content sent for inference is not used to train models.
• Vercel Inc. — Application hosting and Blob storage.
• Neon Inc. — Managed Postgres hosting.
• Inngest Inc. — Durable background job scheduler.

Retention & deletion

Daily-maintenance jobs automatically clean up transient records on a schedule (expired sessions, OTPs in the inbox, fired reminders older than 60 days, mail metadata older than 180 days, etc.). The user can revoke Google access at any time from Google Account → Security → Third-party access, which immediately invalidates the stored refresh token.

To request deletion of all stored personal data and OAuth tokens, contact the operator at the address below; data will be erased from the database, Blob storage, and all caches within seven days.

Children’s privacy

The application is restricted to a single allowlisted adult user. It is not intended for and does not knowingly process information from children under 13.

Changes to this policy

Material changes will be reflected on this page with an updated effective date. Because the application has a single user, the operator personally communicates changes via in-app notification.

Contact

Questions or data-deletion requests: jitender@getcomplai.com.