
Privacy Policy

Effective: <EFFECTIVE_DATE>
Last updated: <EFFECTIVE_DATE>

Plain English up top. We built this app to help you spend less time on your phone, not more. The smallest amount of data that lets that work is also the least amount we want to hold onto. Below is exactly what we collect, why, where it goes, and how to delete it. If you'd rather just delete everything, open the app, go to Settings → Delete Account. It works.

This Privacy Policy describes how <COMPANY_NAME> collects, uses, shares, and protects information in connection with the Dillydally mobile application (the "App") and the website at <MARKETING_URL> (the "Site," and together with the App, the "Service"). By using the Service you agree to this policy.

1. Who can use the Service

The Service is intended for users 13 years of age or older. We do not knowingly collect information from children under 13. If you believe a child under 13 has provided us with personal information, contact us at <PRIVACY_CONTACT> and we will delete the account.

If you are between 13 and the age of digital consent in your country (e.g., 16 in some EU member states), you may need a parent or guardian's consent to use the Service.

2. What we collect, where it lives, and why

We try to be specific. Each row below names the actual database column or service where the data lives.

2.1 Account info (when you sign in)

  • Email address. Provided by Apple or Google during sign-in. Stored as users.email in our database. Apple users can use Apple's Hide-My-Email relay; we never see your real email if you choose that.
  • Internal user ID. A random UUID that identifies your account across our systems. Stored as users.id.
  • Handle. A short username you can edit. Stored as users.handle. Visible to other users next to your videos.
  • Avatar URL. Optional. Stored at our database host (Supabase Storage).

We collect these so you can sign in, so other users can attribute videos to you in the feed, and so we can email you about important account changes.

2.2 Interests and tiers (after onboarding)

The interests you pick at signup, plus your Core / Regular / Occasional tier assignments. Stored in user_interests. Used by our ranker to scope your feed to topics you care about.

2.3 Activity history (everything you do in the app)

The product wouldn't function without this. Specifically:

  • Feed activity: which prompt cards you saw, which videos played within them, how many seconds you watched, whether you skipped or committed. Stored in feed_card_events and feed_video_views. Used to enforce the daily cap, compute your watch-vs-do ratio, and decide what your weekly digest says.
  • Commitments: when you tapped "Do this too" or "Do later," and what you scheduled. Stored in commitments.
  • Completions: when and for how long you actually did the activity, plus any optional notes you typed. Stored in completions.
  • Habit check-ins: your daily one-tap habit row. Stored in habit_checks.
  • Block list: prompts you long-pressed-skip ("don't show me this again"). Stored in prompt_blocks. The single biggest signal we use to stop showing you stuff you don't want.
  • Reactions: "support" reactions you left on other users' videos. Stored in reactions. We do not show counts publicly until past a threshold to keep this from turning into a popularity metric.

2.4 Videos you upload

  • The video file itself (and its audio track) is stored at Mux, our video host and processor. We hold the Mux IDs for it (videos.mux_asset_id, videos.mux_playback_id, videos.thumbnail_url).
  • Captions you write are stored alongside (videos.caption) and are visible to anyone who sees your video in the feed.

We do not collect photos. The app does not have a photo-upload path.

2.5 Reports you submit

If you report another user's video, we store your reporter ID, the video, the reason text you typed, and the timestamp (reports). Used to triage the moderation queue.

2.6 Approximate location (only with your permission)

If — and only if — you grant location permission, we send your approximate latitude and longitude to OpenWeather to look up your local weather. The ranker uses this to demote outdoor activities when the weather is bad. We cache the lookup against your account for about an hour (weather_cache) and never write your raw coordinates to long-term storage. We do not request precise location; the OS gives us a coarse value.

2.7 Diagnostics and crash data

When the app errors out, we collect a stack trace, app version, OS version, and your user ID and send it to Sentry. We use this to fix bugs.

2.8 Product analytics

We send pseudonymous product events (e.g., "feed card viewed", "prompt committed") to PostHog, keyed to your internal user UUID rather than your email or handle. We use this in aggregate to understand which prompts work, where the funnel drops, and what to fix. Because the events are tied to your user ID they are not anonymous, which is why section 7 describes how we delete them when you delete your account. PostHog is product analytics, not advertising; we do not use it to target you with ads, and PostHog does not share data with ad networks.

2.9 What we don't collect

For clarity, we do not collect:

  • Your real name (unless you put it in your handle, which is your choice).
  • Your phone number.
  • Your address.
  • Your contacts list, calendar, photo library, or any other on-device list.
  • Your IDFA, Android Advertising ID, or any cross-app identifier.
  • Health data from HealthKit / Health Connect.
  • Browsing history outside the app.
  • Search history.
  • Anything from any other app you have installed.

3. Why we collect it

We collect the data above to:

  • Run the Service. Sign you in, show you the feed, enforce the daily cap, fire pre-commit notifications, build your weekly digest.
  • Personalize your experience. Rank prompt cards based on your interests, block list, time of day, and (with permission) local weather.
  • Keep the platform safe. Detect and remove videos that violate our Moderation Policy.
  • Understand and improve the product. Aggregate analytics to identify bugs, broken funnels, and underperforming prompts.

We do not use your data for cross-app advertising, and we do not sell it. See section 5 below.

4. Who we share it with

We share data only with the third-party processors that make the Service work, listed exhaustively below. We do not sell or rent your personal information.

Supabase — United States

Stores the database rows above and your auth tokens. Provides database, authentication, and file storage.

Mux — United States

Stores your uploaded videos, captions, and the user UUID associated with each. Handles video upload, transcoding, content moderation, and delivery.

PostHog — United States (we use the US instance)

Receives your user UUID plus product events. Provides product analytics. PostHog is configurable in EU or US; we use the US instance.

Sentry — United States

Receives your user UUID and stack traces / app diagnostics. Provides crash and error monitoring.

OpenWeather — United Kingdom

Receives approximate latitude/longitude only when you have granted location permission. Provides weather lookup for our ranker.

Apple — United States

Receives the OAuth payload at sign-in only. Provides Sign in with Apple.

Google — United States

Receives the OAuth payload at sign-in only. Provides Sign in with Google.

Each of these processors is contractually bound to use the data only for the service they provide to us. We do not share your data with advertisers, ad-tech partners, data brokers, or anyone else.

5. We do not "sell" or "share" your data for advertising

For the purposes of the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and equivalent state laws (e.g., Virginia, Colorado, Connecticut, Utah): we do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising. We have no opt-out to offer because there is nothing to opt out of.

For the purposes of the EU/UK GDPR: our legal bases for processing are (a) performance of a contract (running the Service you signed up for), (b) legitimate interests in product analytics and safety moderation that do not override your rights, and (c) consent for location data, which you grant or withhold via the OS permission prompt.

6. How long we keep things

  • Account data (your row in users, your interests, your handle): until you delete your account.
  • Activity history (feed_card_events, feed_video_views, commitments, completions, habit_checks, prompt_blocks, reactions): until you delete your account.
  • Videos at Mux: until you delete the video, until you delete your account, or until they are removed by moderation.
  • Reports you filed: kept after account deletion in anonymized form (your reporter ID is set to null) so we don't lose moderation history. The video you reported is kept or deleted on its own schedule.
  • Reports filed against your videos: the report itself is kept after account deletion in anonymized form; the video is hard-deleted as part of the cascade.
  • Crash/diagnostic data at Sentry: ~90 days.
  • Product events at PostHog: ~12 months (rolling window).
  • Weather cache: ~1 hour TTL.

7. How to delete your account

In the App: Settings → Delete Account. That's the supported path; it takes effect immediately.

When you delete your account, all of the following happen:

  • Your users row is marked deleted and our access policies (RLS) lock you out of your own data immediately, even if a session token persists.
  • Every video you uploaded is deleted at Mux via the Mux delete API, removing the asset, playback URLs, and thumbnails.
  • Your rows in videos, completions, habit_checks, commitments, feed_card_events, feed_video_views, prompt_blocks, reactions, user_interests, and notification_preferences are hard-deleted.
  • Your PostHog identity is deleted via PostHog's /v1/api/persons/{id}/delete/ endpoint, removing past product events tied to your user ID.
  • Your Sentry user identifier is scrubbed from past error events.
  • Reports you filed and reports filed against you are kept but anonymized (your user ID is set to null on the relevant side).
  • The deletion is logged to deletion_audit_log for our internal compliance confirmation.

If any of the steps above fails for transient reasons, we retry. If a step permanently fails, we record it in the audit log, notify you at the email on file listing the residual records, and clean them up manually. You can also ask us at <PRIVACY_CONTACT> to confirm the deletion completed.

8. Data export

You can request a JSON export of your account data at any time. In the App: Settings → Export My Data. The export includes everything in section 2 above except video binaries (those are at Mux; we include the Mux playback IDs so you can download them yourself before deleting).

If you'd rather email us, write to <PRIVACY_CONTACT> and we'll send you the export within 30 days.

9. Your rights (GDPR / CCPA / CPRA)

Depending on where you live, you have some or all of the rights below. We honor them regardless of your jurisdiction; the App's Settings exposes the self-serve path. For anything you can't do in-app, write to <PRIVACY_CONTACT>.

  • Access — get a copy of what we hold about you (Settings → Export My Data).
  • Correction — fix inaccurate info (Settings → Edit Profile / Interests).
  • Deletion — delete your account and the data tied to it (Settings → Delete Account).
  • Objection / restriction of processing — disable analytics; opt out of notifications; revoke location permission via the OS.
  • Portability — same as Access; the export is machine-readable JSON.
  • Non-discrimination — we will not penalize you for exercising any of these.

If you live in the EU/UK, you also have the right to lodge a complaint with your local Data Protection Authority. We hope you'll come to us first.

10. Children

We do not knowingly collect information from children under 13. The App is not intended for children under 13. If you are a parent or guardian and believe your child has signed up for the Service, contact us at <PRIVACY_CONTACT> and we will delete the account immediately.

We comply with COPPA and similar children's-privacy laws by setting a 13+ age floor at signup (the OAuth providers do not always communicate age, so this is enforced contractually via this policy and via the App Store / Play age rating). We do not include any features designed for children under 13.

11. Security

  • All data in transit is encrypted (TLS / HTTPS) to every processor listed in section 4.
  • Database rows are protected by row-level security: every table that contains user data has policies that allow access only to that user's own rows.
  • Soft-deleted users are immediately locked out of their own data, even if a session token survives, by an additional RLS gate.
  • We do not store passwords; sign-in goes through Apple or Google.
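As an added illustration (not Dillydally's actual schema or policy definitions), here is how the two row-level-security guarantees above can be expressed in Postgres on Supabase. The table names users and completions and the columns users.id, users.email and users.handle come from section 2; the soft-delete column users.deleted_at and the completions.user_id column are assumed. auth.uid() is Supabase's built-in helper that returns the sub claim of the caller's JWT.

```sql
-- Added example, not the project's own code. Assumed: users.deleted_at marks a
-- soft-deleted account; completions.user_id references users.id.

create table if not exists users (
  id         uuid primary key,
  email      text,
  handle     text,
  deleted_at timestamptz          -- assumed column for "marked deleted"
);

create table if not exists completions (
  id         bigint generated always as identity primary key,
  user_id    uuid not null references users(id),
  notes      text,
  created_at timestamptz not null default now()
);

alter table users       enable row level security;
alter table completions enable row level security;

-- Gate: true only while the caller's account is live. SECURITY DEFINER lets it
-- read users without being subject to the caller's own policies; STABLE lets
-- the planner evaluate it once per statement instead of once per row.
create or replace function is_active_user()
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1 from users
    where id = auth.uid()
      and deleted_at is null
  );
$$;

-- Own-row access, combined with the live-account gate. A JWT that outlives a
-- soft delete still satisfies user_id = auth.uid() but fails is_active_user(),
-- so every statement is denied from the moment deleted_at is set.
create policy completions_select_own on completions
  for select using (user_id = auth.uid() and is_active_user());

create policy completions_insert_own on completions
  for insert with check (user_id = auth.uid() and is_active_user());

create policy completions_update_own on completions
  for update using (user_id = auth.uid() and is_active_user())
         with check (user_id = auth.uid() and is_active_user());

create policy completions_delete_own on completions
  for delete using (user_id = auth.uid() and is_active_user());

-- The users row itself: visible and editable only to its owner, only while live.
create policy users_select_self on users
  for select using (id = auth.uid() and deleted_at is null);

create policy users_update_self on users
  for update using (id = auth.uid() and deleted_at is null)
         with check (id = auth.uid());

-- Check from psql (assumed UUID): impersonate a soft-deleted user the way
-- Supabase's API layer does, and confirm the gate hides their own rows.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
select count(*) from completions;   -- 0 once users.deleted_at is set for that uuid
rollback;
```

The check at the end is the test worth keeping in CI: set deleted_at on a fixture user, impersonate them with a still-valid token, and assert that every user-data table returns zero rows. Without the is_active_user() term, a policy of just user_id = auth.uid() would keep serving a soft-deleted user's data until their JWT expired.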

No system is perfectly secure. If we discover a breach affecting your data, we will notify you within the timeframe required by applicable law and at the email on file.

12. International transfers

<COMPANY_NAME> is based in <COMPANY_ADDRESS>. The processors listed in section 4 may store and process data in the United States and elsewhere. If you live in the European Economic Area, the United Kingdom, or Switzerland, your data is transferred under the Standard Contractual Clauses (SCCs) where required, and we rely on the EU–US Data Privacy Framework where the processor is certified.

13. Changes to this policy

If we change this policy materially, we will:

  • Update the Effective and Last updated dates at the top.
  • Surface a notice in-app on next sign-in.
  • For changes that meaningfully expand what we collect, share, or use, we will require fresh consent before you can continue using the App.

14. Contact

Privacy questions, complaints, or requests: <PRIVACY_CONTACT> · <COMPANY_NAME>, <COMPANY_ADDRESS>.