Privacy Policy
DeskDash is a desktop application that displays calendar events, stock prices, weather, news headlines, and Slack DM counts on top of your desktop wallpaper. This page describes what data DeskDash touches, where it lives, and how to remove it.
The short version: your personal data stays on your device. The only data that crosses our infrastructure is the prompt you send when generating an AI background image, and even that is proxied to Google's Gemini API and not retained.
What DeskDash collects on your device
DeskDash stores the following locally on the device where you installed it. None of it is transmitted to any DeskDash-operated server.
- Your settings (refresh schedule, widget positions, ticker symbols, weather location, news feed URL) — saved in
electron-store's JSON config file. - OAuth refresh + access tokens for the integrations you connect (Google Calendar, Microsoft 365, Slack) — stored in your operating system's keychain (macOS Keychain / Windows Credential Manager) via the
keytarlibrary. - An anonymous device UUID (random v4 GUID) generated on first launch, also in the OS keychain. This identifier is only used to count the number of free AI background generations you've used.
- The most recent successful response from each integration, cached locally so the wallpaper still shows useful information when you're offline.
- The most recent AI-generated wallpaper PNG (last 5 generations are kept; older are pruned).
Third-party services DeskDash talks to
Google Calendar (optional)
If you connect Google Calendar, DeskDash uses OAuth 2.0 with the
https://www.googleapis.com/auth/calendar.readonly scope to
read today's events on your primary calendar. We also request
openid and email so the Settings UI can show
which Google account is connected. DeskDash never writes,
modifies, or deletes calendar data. Events are fetched on the
schedule you configure (default: hourly, weekdays, 7am–5pm) and used
only to display titles and times on your wallpaper. They are not
retained on any DeskDash-operated server.
Disconnect at any time from Settings → Integrations → Disconnect, or revoke DeskDash directly from your Google Account at myaccount.google.com/permissions.
Microsoft 365 / Outlook (optional)
If you connect Outlook, DeskDash uses OAuth 2.0 with the
Calendars.Read and User.Read scopes against
Microsoft Graph. The flow uses PKCE (no client secret on your machine)
and the common tenant so personal Microsoft accounts and
AAD work/school accounts both work. Same usage rules as Google
Calendar — read only, schedule-driven, never written to a server.
Slack (optional)
If you connect Slack, DeskDash uses OAuth 2.0 with the user-token
scope im:read to count unread direct messages in your
workspace. We don't read message content, mentions in channels, or
anything else. Disconnect from Settings → Integrations or revoke from
Slack → Apps → Manage your apps.
Twelve Data (stock prices)
Stock symbols you add to the Stocks widget are sent to
Twelve Data via our Cloudflare
Worker proxy at api.deskdash.app. The Worker forwards your
symbol list to Twelve Data using a shared API key we hold; your device
identifier is not sent. Responses are cached at the edge for 15
minutes so multiple users querying the same symbols share one upstream
call.
Open-Meteo (weather)
The location string you enter for the Weather widget is sent directly from your device to Open-Meteo's geocoder + forecast API (open-meteo.com). No API key is used; no DeskDash server is involved.
RSS / Atom feed (optional, news widget)
Your device fetches the URL you provide directly. No DeskDash server is involved.
Google Gemini (AI background generation)
When you click Generate background, your prompt text and your anonymous device UUID are sent to our Cloudflare Worker, which forwards the prompt to Google's Gemini Flash Image API using a shared API key. The Worker increments a counter in a Cloudflare Workers KV store keyed to your device UUID so we can enforce the free-tier limit (one generation per install). The generated image is returned to your device and saved locally; we don't retain it.
Google's privacy practices govern how Gemini handles the prompt content. See Google's Privacy Policy and Gemini API Terms.
What DeskDash's servers store
We operate a single Cloudflare Worker at api.deskdash.app.
It holds:
- API keys and OAuth client IDs/secrets, in Cloudflare's Secrets Store. These are never returned to your device.
- A counter per anonymous device UUID for AI generations used. Stored in Cloudflare Workers KV. Reset whenever you reinstall the app to a new OS user account.
- Edge-cached stock-quote responses for 15 minutes (no per-user data).
We do not run a database, do not log request bodies, and do not have any way to associate a device UUID with a person.
Subscription billing (when applicable)
Paid subscriptions for unlimited AI generations are processed by Apple (Mac App Store) or Stripe / Clerk (direct download). Their privacy policies apply to the data they collect during purchase: Apple, Stripe, Clerk.
Children's data
DeskDash is not directed to children under 13. We do not knowingly collect data from children.
Removing your data
- Disconnect an integration: Settings → Integrations → Disconnect. We clear the keychain entry immediately.
- Reset the AI generation counter: uninstall + reinstall, or contact us.
- Revoke DeskDash from Google / Microsoft / Slack: use the respective provider's account-permissions page.
Changes to this policy
We'll update this page when the data DeskDash touches changes. The "Last updated" date at the top reflects the most recent revision.
Contact
Questions or removal requests: privacy@deskdash.app.