whatcanido
Privacy Policy · Effective 2026-05-17

Privacy policy.

This page explains what whatcanido collects, who has access, how long we keep it, and how to delete it. Plain language; no dark patterns. If we change anything material, we update this page and add a row to /changelog.

Who runs whatcanido

Whatcanido is operated by Tadeáš Raška as an independent business. Contact: tadeas@raska.eu. The service runs on Vercel (US/EU regions) with Firebase Firestore as the primary data store (Google Cloud, EU/US regions depending on tenant).

What we collect from end users (your customers)

When an AI agent or a human user submits an action through whatcanido (a booking, a lead, a quote request, an invoice payment lookup, an activity log), we receive and store:

  • Contact data submitted by the user (name, email, phone, company, message body).
  • The action type and the structured inputs they submitted.
  • An optional agent_vendor tag if the submission came from an AI agent (e.g., claude.ai, chatgpt.com).
  • Server-side audit metadata: timestamp, latency, HTTP status, action id. Linked only to the synthetic tenant_slug (the provider id), never to a user IP or device.

We do not collect: IP addresses, user-agent strings, device fingerprints, location data beyond what the user typed, payment card details (Stripe handles those directly), or anything from page visits beyond standard Vercel access logs (which we don't retain).

What we collect from providers (whatcanido SaaS customers)

When a business signs up to one of our products (CRM, LeadKit, ProjectKit, Bookio), we collect:

  • Business name, owner email, owner uid (from Google sign-in), tenant slug.
  • Configuration: services, staff, pipeline stages, automations, branding settings.
  • Customer-side data submitted to that tenant (see section above).
  • Stripe Connect account id for tenants that connect Stripe.
  • Subscription billing data from Stripe (customer id, subscription id, plan).

Who we share data with

Subprocessors:

  • Vercel — hosting and edge network.
  • Google Cloud (Firestore) — primary database.
  • Stripe — payment processing (Connect onboarding + Checkout).
  • Resend — transactional email delivery.
  • OpenRouter / DeepSeek / Moonshot / Anthropic — LLM routing for AI features (lead qualification, suggested replies, intake form generation). Customer message bodies are sent to the routed model. Models do not retain or train on this data per the routing agreements.

We do not sell data to anyone. We do not run targeted advertising. We do not share data with analytics or marketing platforms beyond the subprocessors above. We will share data with law enforcement only when required by a valid legal order; we will notify the affected party unless legally prevented.

Data retention

Customer-submitted data (leads, bookings, projects, invoices, activities) is retained as long as the receiving provider has an active subscription, plus 90 days after subscription cancellation, then permanently deleted.

Audit logs are retained 12 months and then deleted.

LLM inference logs are retained 30 days for debugging and then deleted. Subprocessors' retention is governed by their own policies; per our routing agreements they do not train on customer data.

How to delete data

End users: email privacy@whatcanido.dev with the email address you used to submit, and we'll delete the associated leads, bookings, contacts, and activities within 30 days. No account required.

Provider tenants: from any admin shell, Settings → Account → Delete tenant. This soft-deletes the tenant immediately and hard-deletes after 30 days. Stripe Connect data and Stripe Checkout records are handled by Stripe directly; refer to Stripe's privacy policy.

GDPR / CCPA requests: for portability, correction, or other rights under EU GDPR, California CCPA, or any equivalent law, email privacy@whatcanido.dev. We respond within 30 days.

Cookies

We use one essential cookie for authentication state on the admin shells (set when you sign in with Google). No analytics, advertising, or fingerprinting cookies. The public marketing pages and the action grammar API set no cookies.

MCP server and the agent layer

The MCP server at https://whatcanido.dev/api/mcp is a public surface for AI assistants. The tool surface is documented at /agents and the capability contracts at /spec/action-grammar. When an assistant submits an action, the action's payload is the data described in the "What we collect from end users" section above. The optional agent_vendor field lets us attribute the submission to the right AI client (Claude, ChatGPT, Cursor, etc.). It is not used for marketing.

Children

Whatcanido is not directed at children under 16 and we do not knowingly collect data from anyone under 16. If you believe a minor has submitted data, email privacy@whatcanido.dev and we will delete it.

Changes to this policy

We'll update this page and the effective date if anything material changes (a new subprocessor, a retention change, a new data category). For substantial changes that affect provider tenants, we'll also notify provider owners by email at least 30 days before the change takes effect.

Last updated: 2026-05-17. Effective: 2026-05-17. Contact: privacy@whatcanido.dev.