Legal
Privacy Policy
Effective May 16, 2026
This Privacy Policy describes how Perennial (“Perennial,” “we,” “us,” or “our”) collects, uses, and protects information about people who use the Perennial application at app.perennial.design (the “Service”). It applies to your use of the Service through any interface — the web app, any future native client, and the Perennial API.
Perennial is built for independent designers, artists, and makers, and we treat your work and your relationships with the discretion they deserve. The short version: we collect only what the product needs to function, we do not sell or rent any of it, we do not use your content or any connected-service data to train AI models, and you can export or delete your data at any time.
1. Information we collect
a. Information you provide directly
When you create an account we collect your name, email address, and password (stored as a salted hash; we never have access to the cleartext). You may also choose to provide profile information such as your studio name, location, profession, bio, and a profile photo.
When you use the Service we store the content you create: projects, notes, tasks, contacts, leads, activity log entries, files, invoices, expenses, time logs, and the prompts and responses exchanged with our AI assistant (“Ash”).
b. Information from connected services
If you connect a third-party service — for example Google Workspace, Microsoft 365, Apple iCloud, a banking provider, a newsletter platform, or a social platform — we receive the data those services share with us under the OAuth scopes (or app-specific password) you authorize. The specific Google user data we access is described in detail in Section 4.
c. Automatically collected information
When you use the Service we receive standard server logs containing your IP address, browser user-agent, timestamps, request paths, and error traces. We use this information for security, debugging, and to maintain the Service. We do not use third-party advertising trackers or cross-site advertising identifiers.
d. Cookies and similar technologies
We use cookies that are strictly necessary to authenticate you and keep you signed in. We do not use cookies for cross-site tracking, advertising, or profiling.
2. How we use information
We use the information we collect to:
- Provide, maintain, secure, and improve the Service;
- Authenticate you and protect your account;
- Render your content and data from your connected services inside the app;
- Send transactional emails (account verification, password resets, billing receipts, and invoices you explicitly send to clients);
- Respond to your support requests;
- Detect, prevent, and respond to fraud, abuse, or security incidents;
- Comply with our legal obligations.
We do not:
- Sell your personal information, your content, or any data from your connected services;
- Use your content or any connected-service data (including Google user data) to train, fine-tune, or otherwise improve generalized or non-personalized machine-learning or AI models;
- Use your data for advertising, ad targeting, ad profiling, or data brokerage;
- Use your data for credit assessment, lending decisions, or financial profiling.
When Ash processes your content to answer a request you make, the processing is performed through a third-party model provider (currently Anthropic) under contractual terms that prohibit that provider from training models on your content.
3. Sharing and disclosure
We share information only as follows:
- Service providers (subprocessors) who help us run the Service under contractual data-protection terms — including our hosting and database provider (Supabase, on AWS infrastructure in the United States), our transactional-email provider (Resend), and our AI model provider (Anthropic). Each subprocessor receives the minimum data needed to perform its function.
- With your explicit direction, such as when you publish a public share link for a note, send an invoice to a client through the Service, or connect a third-party integration.
- For legal reasons, when we believe in good faith that disclosure is necessary to comply with valid legal process or protect the rights, property, or safety of Perennial, our users, or the public.
- In a business transfer, such as a merger, acquisition, or sale of assets. In that event we will provide advance notice and you will be given a meaningful opportunity to delete your data before the transfer takes effect.
We do not share your content or your Google user data with advertisers, data brokers, or any party for purposes unrelated to operating the Service for you.
4. Google user data & Limited Use disclosure
If you choose to connect a Google account, you authorize Perennial to access specific Google data through Google’s OAuth consent flow. The scopes we may request, the data they grant access to, and how we use that data, are:
| Scope | Data accessed | How we use it |
|---|---|---|
| gmail.readonly | Metadata of messages in your Gmail account (sender, recipients, subject, date) and a short snippet (~200 characters). If you opt in to Store linked email bodies in Settings → Integrations, we additionally store the full body of any email whose sender or recipient matches a contact in your Perennial Network module — never of emails that do not match a contact. Stored bodies are encrypted at rest, isolated to your account, and deleted within 24 hours if you disable the setting, disconnect Gmail, or remove the matching contact. | Automatically log a corresponding activity entry against any matched contact, with the subject and snippet visible inline. If full-body storage is enabled, the body is available offline inside the activity row and may be used by the Ash assistant to answer your questions about the relationship. If not, we fetch the body from Gmail in real time when you open the row and discard it after display. |
| calendar | Events on the calendars you authorize, including title, time, attendees, and description. | Surface events on the Perennial calendar, and create a “meeting” activity entry for any event whose attendees include a contact in your Network module. |
| contacts.readonly | Your Google contact entries (name, email, phone, organization, notes). | One-time and ongoing import into your Perennial Network module, for contacts you choose to import. |
| openid, email, profile | Your basic Google profile (name, email address, profile picture). | Identify which Google account is connected and display it in Settings. |
Limited Use
Perennial’s use and transfer to any other application of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide and improve user-facing features that are prominent in the Perennial application interface.
- We do not transfer Google user data to others, except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger or acquisition with appropriate user notice and choice.
- We do not use Google user data to serve advertisements, including retargeting, personalized, or interest-based advertising.
- We do not allow humans to read Google user data, except (a) with your affirmative agreement to view specific messages, files, or other data; (b) for security purposes such as investigating a bug or abuse; (c) to comply with applicable law; or (d) where the data has been aggregated and de-identified for internal operations.
- We do not use Google user data to develop, improve, train, or fine-tune generalized or non-personalized AI or machine-learning models.
You can revoke Perennial’s access to your Google data at any time from your Google account at myaccount.google.com/permissions, or from within Perennial under Settings → Integrations.
5. Other connected services
Data we receive from Microsoft 365 (via Microsoft Graph), Apple iCloud (via IMAP, CalDAV, and CardDAV using an app-specific password you create), banking providers (Teller), newsletter providers (Mailchimp, Beehiiv), analytics providers (Google Analytics, Plausible), and social platforms (Instagram) is governed by the same principles set out for Google user data above: we use it only to provide the features you have enabled, we do not sell it, we do not share it with advertisers or data brokers, and we do not use it to train AI models.
6. Storage, security, and location
Your data is stored on infrastructure operated by Supabase, hosted in AWS data centers in the United States. Connections between your browser and our servers are encrypted in transit using HTTPS. OAuth access and refresh tokens for connected services are encrypted at rest.
We follow industry-standard security practices, including least-privilege access controls for staff, row-level security policies that isolate each user’s data, audit logging, and prompt patching of known vulnerabilities. No system is perfectly secure; if we become aware of a breach affecting your account we will notify you without undue delay and as required by applicable law.
7. Retention and deletion
We retain your account data for as long as your account is active. You have the following controls:
- Disconnect an integration at any time from Settings → Integrations. When you disconnect, we delete the stored OAuth tokens immediately. Activity entries already logged from that integration remain in your account unless you also delete them.
- Export your data from Settings → Account → Export. Data is provided in standard, portable formats.
- Delete your account from Settings → Account → Delete account. We permanently delete your content from our active systems within 30 days. Encrypted backups are purged on their normal rotation within 90 days.
- Request deletion of specific data by emailing privacy@perennial.design. We will respond within 30 days.
De-identified, aggregate analytics that cannot reasonably be tied back to an individual may be retained for product-improvement purposes after account deletion.
8. Your rights
Depending on where you live, you may have rights under laws such as the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA, and similar regimes. These may include the right to access, correct, port, restrict, or delete your personal information, and the right not to be subject to solely automated decision-making. To exercise any of these rights, email privacy@perennial.design. We will not discriminate against you for exercising your rights.
If you are in the EU or UK and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data-protection authority.
9. Children
Perennial is intended for use by adults (16 years of age and older). We do not knowingly collect information from children under 16. If you believe a child has provided us with personal information, please contact us at privacy@perennial.design and we will delete it.
10. International transfers
Perennial is operated from the United States. If you use the Service from outside the United States, your information will be transferred to, stored in, and processed in the United States. Where required, we rely on legally recognized transfer mechanisms such as the European Commission’s Standard Contractual Clauses.
11. Changes to this policy
If we materially change this policy — including any change to how we handle Google user data — we will update the “Effective” date at the top, notify signed-in users in the Service, and (for material changes affecting connected-service data) send an email notification. Continued use of the Service after a change takes effect constitutes acceptance of the updated policy.
12. Contact
For privacy questions, requests, or complaints:
Email: privacy@perennial.design
Postal: Perennial, 991 St. John’s Place #3B, Brooklyn, NY 11213, USA