Privacy Policy
A Secret Company, LLC ("we," "us," or "our") respects your privacy and is committed to protecting it. NowThis is designed from the ground up as a privacy-first application. This Privacy Policy describes how data is handled when you use NowThis.
By using NowThis, you agree to the terms outlined in this policy.
1. Core Privacy Principle: Zero Knowledge
NowThis is a native iOS task management app that connects to your own self-hosted Nextcloud or CalDAV server. We do not operate any cloud service, sync server, or intermediary infrastructure.
- We have zero access to your tasks, journals, settings, or any personal data.
- We do not collect personal information, track usage, or use third-party analytics SDKs or advertising networks.
- We do not include any third-party tracking, analytics, or advertising frameworks in the app.
- No data is transmitted to A Secret Company, LLC's servers at any time.
2. Data Storage & Handling
2.1 Local Data (On Your Device)
All app data is stored exclusively on your device using Apple's SwiftData framework within a shared App Group container.
- What is stored locally: Tasks, subtasks, journals, tags, task lists, playback settings, queue order, completion history, and app preferences.
- Encryption: Data is encrypted by the iOS/macOS operating system using standard device passcode protection (Data Protection).
- Spotlight Index: Task titles and metadata are indexed locally via CoreSpotlight for on-device search. This index is stored on your device and is not transmitted anywhere.
2.2 Synced Data (Your Nextcloud/CalDAV Server)
If you connect NowThis to a Nextcloud or CalDAV server, your data is synchronized between your device and your designated server using the standard CalDAV protocol (RFC-4791) and iCalendar format (RFC-5545).
- User-Controlled Infrastructure: Synchronization occurs exclusively between your device and your server. You control where your data is stored.
- Data Transmitted to Your Server: Task data (VTODO components), journal entries (VJOURNAL components), task list metadata, and iCalendar properties including titles, descriptions, due dates, priorities, completion status, recurrence rules, tags, and subtask relationships.
- No Intermediary: Sync traffic does not pass through A Secret Company, LLC's servers. We are technically unable to intercept or view this data.
- Protocol: All sync communication uses HTTPS (when your server is configured with TLS), ensuring data is encrypted in transit.
3. Account Credentials
When you connect to a Nextcloud or CalDAV server:
- Your server URL, username, and authentication token are stored in the iOS/macOS Keychain (service:
com.asecretcompany.nowthis.caldav). - The Keychain is encrypted by the operating system and protected by your device passcode and Secure Enclave.
- Credentials are transmitted only to your specified server for authentication. We never see, store, or have access to your credentials.
- NowThis supports Nextcloud Login Flow v2 for secure, token-based authentication. Your Nextcloud password is never stored — only the app-specific token issued by your server.
4. App Permissions
NowThis may request access to certain iOS/macOS system features. All permissions are optional and can be revoked at any time in iOS/macOS Settings, though this may limit functionality.
| Permission | Purpose | Data Handling |
|---|---|---|
| Network Access | Required to sync tasks with your CalDAV server | Data transmitted only to your server |
| Background App Refresh | Sync tasks while the app is in the background | Same as network access — your server only |
| Notifications | Task reminders and due date alerts | Scheduled locally on-device; no server communication |
| Location (When In Use / Always) | Location-based task reminders (geofencing) | Geofence coordinates are stored on-device only. Location data is processed locally by iOS and is never transmitted to us or any third party. |
| Siri & Shortcuts | Voice-based task creation and automation | Processed by Apple on-device; task data stays local |
| Calendars (EventKit) | Add tasks to your Apple Calendar as time-blocked events | Accessed locally via Apple's EventKit framework |
5. Purchase & Payment Data
NowThis is available as a one-time purchase on the Apple App Store. Your purchase is processed entirely by Apple. We do not collect, process, or store any payment information whatsoever — no credit card numbers, billing addresses, or Apple ID credentials.
We receive only aggregate, anonymized sales data from Apple (total units sold, territory breakdowns). We cannot identify individual purchasers from this data.
6. Third-Party Services
NowThis does not integrate any third-party analytics, crash reporting, advertising, or tracking services. The app contains no third-party SDKs that collect or transmit user data.
The only third-party interaction is with your self-hosted Nextcloud or CalDAV server, which you choose, configure, and control.
6.1 Self-Hosted Servers
You are solely responsible for:
- The security, maintenance, and configuration of your Nextcloud or CalDAV server.
- Ensuring your server complies with applicable data protection laws.
- The reliability of the CalDAV implementation on your server.
To the maximum extent permitted by applicable law, A Secret Company, LLC disclaims all liability for data loss, corruption, or synchronization errors resulting from your server; security breaches or unauthorized access to your server; and service interruptions caused by third-party software.
7. Open Source Transparency
The source code for NowThis is publicly available on GitHub under an open-source license. You can audit exactly what data the app accesses, stores, and transmits by reviewing the source code at opensource.nowthis.app.
8. Apple Standard Data
Apple Inc. may collect limited, anonymized technical data (such as crash reports or installation metrics) depending on your device's privacy settings (Settings > Privacy > Analytics & Improvements). This data is aggregated and does not identify you personally to us.
9. Your Data Rights (GDPR / CCPA / WA State)
Because NowThis operates as a fully local app with no company-operated cloud service:
| Right | How It Applies |
|---|---|
| Access | All your data is on your device and/or your server. We hold none of it. |
| Export | Your data is stored as standard iCalendar (.ics) files on your CalDAV server. You can export it at any time using any CalDAV-compatible tool. |
| Deletion | Delete the app from your device to remove all local data. Data on your server is managed by you. |
| Correction | Edit your data directly in the app or on your server. |
| Portability | iCalendar (VTODO/VJOURNAL) is an open, interoperable standard. Your data works with any compliant app. |
We do not maintain any user accounts, databases, or records that would require a data subject access request (DSAR) to us. If you have questions, we are happy to confirm this in writing — contact us at the address below.
10. Children's Privacy
NowThis is not intended for children under the age of 13. Because the app does not collect any personal information, there is no data collection from children. If you believe a child has connected to a server improperly, the server administrator (you or your organization) is responsible for managing access.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in the app or legal requirements. If we make material changes, we will notify you through the App Store update notes or our website. Your continued use of the app after such changes constitutes acceptance of the new policy.
12. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
A Secret Company, LLCVancouver, Washington, USA
Email: support@asc.is
Website: https://asc.is/