Privacy Policy — WinnerPlan

Effective date: [05 September 2025]

Last updated: [05 September 2025]

WinnerPlan ("WinnerPlan", "we", "us", "our") provides a personal AI assistant and planning app that connects to services such as Gmail and Google Calendar, helps you automate workflows, summarize content (e.g., YouTube videos, long text, news), and turn information into actionable tasks.

This Privacy Policy explains how we collect, use, disclose, and protect your information when you use WinnerPlan’s websites, mobile apps, and services (together, the "Services").

If you do not agree with this Privacy Policy, please do not use the Services.


1. Who we are and how to contact us

  • Controller: For most data (account, billing, marketing), Ubani LTD, 2001 Acer Point, Cortland Cassiobury, Ascot Road, Watford, UK is the data controller.
  • Processor: For certain features where you connect mail, calendar and related content, we generally act as a processor on your behalf.
  • Contact: admin@ubani.co (privacy inquiries)
  • EU/UK representative / DPO: If applicable, list details here. Otherwise, “Not appointed.”

2. Personal data we collect

A. Information you provide

  • Account & profile: name, email address, password or auth token, profile preferences, time zone.
  • Waitlist & marketing: email address, referral information, form responses.
  • Support & feedback: messages, attachments, bug reports.

B. Connections you authorize

When you connect third-party services (e.g., Gmail, Google Calendar, Drive, YouTube), we access data only as needed to provide the features you enable. Examples:

  • Email data (Gmail): message metadata, sender/recipient, subject, timestamps, message bodies/attachments if required for rules, summaries, auto-drafts, or classification.
  • Calendar data: events, titles, descriptions, times, attendees.
  • Files/links: documents or YouTube links you explicitly provide for transcription/summarization.
  • Agentic workflows: prompts, rules, and output artifacts (e.g., compiled spreadsheets).
WinnerPlan's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google user data to provide or improve user-facing features, we do not sell Google user data, and we do not use it for ads or unrelated purposes.

C. Automatically collected information

  • Device & app diagnostics: app version, device type, OS, crash logs, performance metrics.
  • Usage data: feature use, clicks, in-app events, referral codes.
  • Web data: cookies or similar technologies for authentication, analytics, A/B tests, and waitlist flows.

3. How we use personal data

Core service delivery

  • Provide and maintain the Services, including AI features that summarize content, create tasks, monitor for specified emails, send user-approved replies, and run agentic workflows you configure.
  • Personalize your experience (e.g., topics of interest for news briefings).
  • Sync across devices and provide widgets/notifications.

Communications

  • Service and transactional emails (e.g., confirmations, security alerts).
  • Marketing emails (only with your consent or as permitted by law; you can unsubscribe any time).

Safety, security, and compliance

  • Detect, prevent, and respond to security incidents.
  • Enforce terms, prevent fraud/abuse, and comply with legal obligations.

Legal bases (EEA/UK) Where applicable, we rely on: Contract (to provide the Services you request); Consent (e.g., marketing, connecting accounts); Legitimate Interests (security, product improvement); and Legal Obligations.


4. Google, Gmail & restricted scopes

If you authorize Gmail or other Google Workspace scopes, you may grant sensitive or restricted access. We request the minimum necessary scopes and adhere to Google's Restricted Scope Verification requirements when applicable.

OAuth Scopes We Request

  • Gmail API: Read, compose, send, and modify emails (for smart replies, email monitoring, and automation)
  • Google Calendar API: View and manage calendar events (for task scheduling and calendar integration)

Limited Use: We use Google user data only to provide or improve user-facing features; we do not sell it; we do not use it for ad targeting; we only transfer it to others if needed to provide/improve the user-facing features, comply with law, or as part of a merger/acquisition.

For more information about Google's privacy practices, see the Google Privacy Policy.


5. YouTube links and API Services (if enabled)

If you connect YouTube via YouTube API Services (optional), your use is also subject to the YouTube API Services Terms of Service and Developer Policies. We do not circumvent YouTube players/ads or extract audio/video in ways prohibited by policy.


6. AI processing and vendors

We may use reputable AI infrastructure and service providers (e.g., model hosting or API inference) to process content you submit (emails you select, text, links, transcripts) to generate summaries, extractions, classifications, or task suggestions. Where we use providers like OpenAI via API, they do not use API data to train models by default; we do not opt in to such training without your explicit permission.


7. Data retention

  • Account data: retained while your account is active; deleted or anonymized within a reasonable period after deletion requests or inactivity, unless retention is required by law.
  • Connected data (e.g., email content, calendar items): retained only as needed to provide the features you’ve enabled. We avoid long-term storage of full mailbox contents when not necessary.
  • Logs & diagnostics: retained for a limited time for security and troubleshooting.

You may delete rules, tasks, and generated artifacts at any time. If you disconnect an integration, we cease new collection from that source and begin deletion of related cached data not required for legal or security reasons.


8. How we share information

We do not sell your personal information. We share data only with:

  • Service providers / processors: cloud hosting, databases, analytics, error monitoring, email delivery, AI inference, and payments (if applicable).
  • Integrations you authorize: when you connect Google or other services, we exchange data as needed to deliver the requested features.
  • Legal/disclosure: to comply with law, enforce terms, protect rights, safety, and security, or in a business transfer (merger, acquisition).

9. International data transfers

We may transfer, store, and process information outside your country (including the UK, EEA, and US). When transferring personal data from the UK/EEA to countries without an adequacy decision, we use Standard Contractual Clauses (SCCs) and additional safeguards as appropriate.


10. Your rights

UK/EEA (UK GDPR / GDPR)

Depending on your location, you may have rights to access, rectify, erase, restrict, object, portability, and to not be subject to decisions based solely on automated processing. You also have the right to lodge a complaint with your local supervisory authority (e.g., the UK ICO).

California (CCPA/CPRA)

California residents have rights to know/access, correct, delete, and to opt-out of the sale or sharing of personal information. We do not sell or share personal information as defined by CPRA; if this changes, we will provide a “Do Not Sell or Share” mechanism. We honor recognized global privacy controls for opt-out where required.

Other regions

Residents of certain US states (e.g., CO, CT, VA) and other jurisdictions may have similar rights. We will honor these rights in accordance with applicable law.

To exercise rights: email admin@ubani.co with your request. We may verify your identity before acting on the request.


11. Security

We implement appropriate technical and organizational measures to protect personal data, including encryption in transit and at rest, access controls, and least-privilege practices. If we are required to undergo third-party security assessments for certain OAuth scopes (e.g., Gmail restricted scopes), we will comply. When required by Google for verification, we undergo annual security assessments and obtain a Letter of Assessment from a Google-designated third party.


12. Cookies & similar technologies

We use cookies, SDKs, and similar tech to:

  • Keep you signed in and secure the session.
  • Measure usage (analytics), perform A/B testing, and operate waitlist/referrals.
  • Remember preferences (e.g., theme, time zone).

Where required, we will present a consent banner and provide controls to manage preferences.


13. Children’s privacy

The Services are not directed to children under 13 (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children. If we learn we have done so, we will take appropriate steps to delete it.


14. Your responsibilities when connecting accounts

When you connect accounts (e.g., Gmail), you represent that you have the authority to do so and that your use complies with the applicable terms of those services. Do not connect third-party accounts you are not authorized to use. If you enable auto-reply or agentic workflows, review settings carefully before activation.


15. Third-party links

Our Services may contain links to third-party sites. We are not responsible for their privacy practices. Review their policies before providing personal data.


16. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version and revise the “Last updated” date. If changes are material, we will notify you via email or in-app notice where appropriate.


17. How to contact us

For questions, requests, or complaints about this Privacy Policy or our data practices, contact:

Ubani LTD

2001 Acer Point, Cortland Cassiobury, Ascot Road, Watford, UK

Email: admin@ubani.co

If you reside in the UK/EEA, you also have the right to contact your local supervisory authority (e.g., the UK Information Commissioner’s Office).