
Privacy Policy

Effective date: 18 March 2026 · Last updated: 13 May 2026

1. Introduction

RePattern (Arabic: تبصره) ("RePattern", "we", "us", or "our") is a privacy-first, CBT-based mental health self-help companion application for iOS, developed and operated by an individual developer based in the United Kingdom. Our bundle identifier is help.repattern.app and our website is repattern.help.

RePattern (Arabic: تبصره) ("RePattern", "we", "us", or "our") is a privacy-first, CBT-based mental health self-help companion application for Android, developed and operated by an individual developer based in the United Kingdom. Our website is repattern.help.

This Privacy Policy explains what information the RePattern application ("the App") collects, how it is used, where it is processed, and your rights in relation to it. We are committed to transparency and to protecting your privacy by design.

By downloading, installing, or using the App, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use the App.

2. Data Controller

For the purposes of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and all applicable data protection legislation, the data controller is:

  • Entity: RePattern (sole developer)
  • Location: United Kingdom
  • Contact email: contact@repattern.help
  • Website: repattern.help

For all privacy-related inquiries, data subject requests, or complaints, please contact us at contact@repattern.help. We aim to respond to all legitimate requests within 30 days.

3. Information We Do NOT Collect

RePattern is designed around data minimisation. We want to be explicit about what we do not collect, transmit, or store on any server:

  • Personal identification information (name, email address, phone number, postal address)
  • User account credentials (the App requires no registration or sign-in)
  • Behavioural analytics, in-app event tracking, or telemetry tied to your identity, device, or session. (We do maintain anonymous, non-linkable usage logs for each backend request — country + platform + timestamp only — see Section 6.6.)
  • Behavioural analytics or in-app event tracking. The App contains no analytics SDK (no Firebase Analytics, Google Analytics, Mixpanel, Amplitude, etc.). Crash telemetry is collected only if you explicitly opt in to crash reporting in Settings (see the entry below). We do maintain anonymous, non-linkable usage logs for each backend request — country + platform + timestamp only — see Section 6.6.
  • Tracking data, cookies, browser fingerprints, or advertising identifiers
  • Crash reports, diagnostics, or performance metrics
  • Crash reports. On Android, Firebase Crashlytics is enabled by default in the App as you install it from Google Play, so we can diagnose crashes that affect real users. You may turn it off at any time in Settings > Privacy > Crash reports; the change takes effect immediately. When enabled, anonymous crash data is sent to Google: technical information about the crash, the app version, your device model, your operating system version, and a randomly generated install identifier. No journal content, mood entries, or thought-record text is included — our log filter strips out any sensitive fields before crash reports are sent.
  • Precise location data (GPS, street-level geolocation, or cell tower data). When the App communicates with our backend, Cloudflare (our network provider) provides us a two-letter country code based on your IP address, and we store only that two-letter code for anonymous usage logging — see Section 6.6. Your raw IP address is visible to Cloudflare and briefly to our backend while the request is being processed, but is not stored anywhere. If crash reporting is enabled, Crashlytics may also infer an approximate region from your IP when uploading a crash report.
  • Device identifiers beyond what Apple provides for subscription verification
  • Persistent device identifiers, except for a random install identifier generated by Crashlytics when crash reporting is enabled. This identifier is unique to your specific app installation, is not your Google Account ID, is not your Android advertising identifier, and resets if you uninstall the App or clear its data.
  • Health data from HealthKit or any other health framework
  • Health data from Health Connect, Google Fit, or any other health framework
  • Contacts, calendar, photos, microphone input, or camera access

There are no third-party analytics SDKs (e.g., Firebase Analytics, Mixpanel, Amplitude), no advertising networks (e.g., AdMob, Meta Audience Network), no crash reporting services (e.g., Crashlytics, Sentry), and no telemetry of any kind embedded in the App.

There are no third-party analytics tools (e.g., Mixpanel, Amplitude) and no advertising networks (e.g., AdMob, Meta Audience Network) embedded in the App. The Firebase Analytics library ships as part of Crashlytics' installation package but is explicitly disabled by us and does not collect any data. The only Google service that actively transmits data from the App is Firebase Crashlytics, which is enabled by default and can be turned off in Settings (see Section 17 for full details).

4. On-Device Data Storage

4.1 Local Data Store

All user-created content — thought records, mood entries, and exercise logs — is stored locally on your device using Apple's standard local storage. The data lives in a shared storage area that the home-screen widget can read to display your latest mood. This data never leaves your device unless you have iCloud enabled (see Section 5).

Apple's built-in file protection encrypts the data using your device passcode. When your device is locked, the data is encrypted and inaccessible.

4.2 Lightweight Preferences

The App stores lightweight, non-sensitive preferences using Apple's standard preferences storage, including:

  • Language preference (English or Arabic)
  • Appearance mode (light or dark)
  • Daily reminder schedule and settings
  • AI consent status (whether you have opted into AI features)
  • Onboarding completion status

These preferences are stored locally on your device only and are never transmitted to any server.

4.3 Keychain

The App uses the iOS Keychain (Apple's secure credential storage) to hold session tokens and shared secrets used to authenticate with our backend. The Keychain is protected by Apple's secure hardware chip and is not accessible to other applications. Keychain items are not included in device backups unless you use encrypted backups. We do not store personal information, passwords, or biometric data in the Keychain.

4.4 Shared Storage for the Widget

The local data store lives in a shared storage area so that both the main App and the iOS home-screen widget can read your latest mood. The widget has read-only access and makes no network calls. The shared area is protected by the same Apple file protection as the rest of the App's data.

4.1 Encrypted Local Database (Primary Data Store)

All user-created content — thought records, mood entries, and exercise logs — is stored locally on your device in an encrypted database. The entire database file is encrypted at rest using strong, industry-standard encryption (AES). On top of that, sensitive text fields (situation, automatic thought, evidence for / against, reframed thought) are encrypted a second time with their own key before being written, so the plaintext never touches disk even within the already-encrypted database.

The encryption keys are generated once per install on first launch and stored in your device's secure key storage (see 4.3). The database file lives in the App's private storage area and is not accessible to other apps. Android also encrypts the file at the operating-system level using your device's screen lock, providing an additional layer of protection when the device is locked.

Automatic Android backups for the App are turned off, so the database is never copied to Google Drive's Android Auto Backup or to local backup archives on a connected computer.

4.2 Lightweight Preferences

The App stores lightweight, non-sensitive preferences using Android's standard preferences storage, including:

  • Language preference (English, Arabic, or system)
  • Appearance mode (light, dark, or system)
  • Daily reminder enabled flag and time
  • Crash reporting enabled flag (see Section 17)
  • Onboarding completion status

These preferences are stored locally on your device only and are never transmitted to any server.

4.3 Secure Key Storage

For secrets, the App uses Android's encrypted preferences storage, which protects values with strong (AES-256) encryption and is itself locked by a master key kept in your device's hardware-isolated key store (the Android Keystore). On most modern Android devices this key store runs on a separate secure chip and is not accessible to other applications. We use it to hold the database encryption keys and a pair of modern public-key encryption keys generated for future end-to-end encrypted features. We do not store personal information, passwords, or biometric data here.

5. iCloud Sync

If you have iCloud enabled on your device, your journal content (thought records, mood entries, and exercise logs) automatically syncs across your Apple devices through Apple's iCloud service.

  • Encryption: Data is encrypted while travelling over the internet and while stored on Apple's servers, using Apple's own encryption.
  • Control: iCloud sync is controlled by your device's iCloud settings, not by RePattern. You can disable sync at any time via Settings > [Your Name] > iCloud.
  • Access: Apple stores and manages your iCloud data. Under Apple's Standard Data Protection (the default), Apple could technically access it; under Advanced Data Protection (opt-in in iCloud settings), the data is end-to-end encrypted and even Apple cannot. RePattern is not on this path: we have no iCloud credentials and cannot read, query, export, or process your synced content. The data is associated with your Apple ID, which is managed entirely by Apple.
  • Deletion: You can manage or delete iCloud data via Settings > [Your Name] > iCloud > Manage Account Storage.

For details on how Apple handles iCloud data, please refer to Apple's Privacy Policy.

5. Cross-Device Sync

The Android version of the App does not sync your journal data across devices. Your thought records, mood entries, and exercise logs live only on the device where they were created. There is no Google Drive Auto Backup (we set android:allowBackup="false"), no Firebase database sync, and no RePattern-operated cross-device sync in the launch build.

If you uninstall the App, switch devices, or factory-reset your device, your data will be lost. We recommend exporting any data you wish to keep before doing so.

6. AI Features (Premium Subscribers Only)

6. AI Features

6.1 Consent and Opt-In

AI-powered features (distortion detection, smart reframes, evidence helper, daily tips, and exercise recommendations) are available exclusively to RePattern Premium subscribers and require your explicit, informed, and affirmative consent before activation. You will be presented with a clear consent prompt explaining exactly what data is sent and how it is processed. You must actively opt in; AI features are never enabled by default.

AI-powered features (distortion detection, smart reframes, evidence helper, daily tips, and exercise recommendations) are available in the Android version of the App at no cost and require your explicit, informed, and affirmative consent before activation. You will be presented with a clear consent prompt explaining exactly what data is sent and how it is processed. You must actively opt in; AI features are never enabled by default. In the current launch configuration, AI requests are not tied to an account — there is no login, no email, and no persistent identifier sent with your request. To limit abuse, our backend uses a short-lived counter based on your request's IP address and a random per-install identifier the App generates; this counter lives only in temporary memory and is discarded automatically.

You may revoke your AI consent at any time by navigating to Settings > AI Data Consent within the App. Revoking consent immediately and permanently stops all AI data transmission. Revoking consent does not delete any data already stored on your device.

6.2 Data Sent to the AI Service

When AI features are active and you interact with them, the following data is transmitted to our backend API:

  • Current thought text — the automatic thought you have entered (maximum 500 characters)
  • Situation text — the situation description you have entered (maximum 500 characters)
  • Selected distortion IDs — numerical identifiers (integers 1–18) of cognitive distortions you have selected
  • Emotion value — your selected emotion (one of: joy, trust, fear, surprise, sadness, disgust, anger, anticipation) with intensity level (1–3)
  • Language preference — your App language setting (English or Arabic)

This is the complete and exhaustive list of content submitted in AI requests. No other content — historical entries, personal identifiers, device information, account information, or session tokens — is included in the request payload. Because the request is sent over the internet, your IP address is necessarily visible to Cloudflare (which derives the two-letter country code we log) and to our backend code that handles the request (a Cloudflare Worker on iOS; our server hosted on Railway on Android), which uses it transiently for rate-limiting and to forward your request to the AI provider. The raw IP address is not stored in any RePattern database in any form, hashed or otherwise.

6.3 How AI Data Is Processed

AI features are powered by Claude, a large language model from Anthropic. Your request reaches Cloudflare, where a small serverless function (a Cloudflare Worker) handles the secure connection, adds a country code, and forwards your input directly to Anthropic's API for processing. There is no separate backend server in the iOS path; the Worker is the entire backend. A small operational audit row (no content) is written to a database hosted by Neon (see Section 6.6). Anthropic's commercial terms prohibit training on customer content. See Anthropic's Privacy Policy for details.

AI features are powered by a large language model accessed through the API of the AI provider active for your platform. On Android, this is by default Claude from Anthropic; we may also use Gemini from Google as an alternate provider for Android. The request first reaches Cloudflare (our network provider, which handles the secure connection and adds a country code), then goes to our backend server hosted on Railway with a database hosted by Neon. The backend forwards your input to whichever AI provider is active for processing. Both providers' commercial API terms prohibit training on customer content. See Anthropic's Privacy Policy and Google's Privacy Policy for how each handles API requests.

  • Anonymous processing by the AI provider: Only the text of your thought and situation is forwarded to Anthropic for AI analysis. The forwarded request contains no name, no email, no device identifier, no IP address, no account, and no session token — our backend strips all such metadata before calling Anthropic, so the AI provider receives only anonymous text with no technical means to link it to you or your device. (Your IP address is necessarily visible to our backend during processing — see Section 6.2 — but is not forwarded to the AI provider and is not stored.)
  • How your AI content is handled at our backend — and how this differs from iCloud: The text of your AI request necessarily passes through our backend on its way to the AI provider. On iOS, the backend is a Cloudflare Worker that handles the request in temporary memory and forwards it to Anthropic. On Android, the backend is our server hosted on Railway that handles the request in temporary memory and forwards it to the AI provider. Your content stays in memory only long enough to be forwarded, and is then discarded. We do not log it, save it, copy it, hash it, or otherwise keep anything derived from it. Be aware that this is a different trust posture from iCloud:
    • With iCloud, your data is stored on Apple's servers. Under Apple's Standard Data Protection (the default), Apple could technically access your iCloud data; under Advanced Data Protection, even Apple cannot. Either way, RePattern is not on the path — we have no iCloud credentials and cannot read your iCloud data. You're trusting Apple here, not RePattern.
    • With AI requests, the AI provider (Anthropic, and on Android possibly Google) receives and processes the plaintext of your request — that is by design, because the AI has to read the input to respond. They retain it briefly for safety monitoring and then delete it. RePattern is on the path too: our backend handles the text in temporary memory. We could technically read it during processing, but we commit not to (no logging, no storage, no derivation). This is an operational commitment, not a structural impossibility.
    If the architectural distinction matters to you, you can leave AI features off — nothing in the App will send your journal content to our backend or to the AI provider.
  • No content-derived data is kept: The only persistent record we write per AI request is the non-content operational information described in Section 6.6 — which AI feature was used, whether it succeeded, token count, processing time, country, platform, language, and timestamp. No request body, no copy of the body, no fingerprint of any kind derived from your content.
  • AI provider retention: Our AI provider (Anthropic) retains anonymous API inputs and outputs for up to 30 days for safety and abuse monitoring, after which they are automatically deleted. If content is flagged for a potential usage policy violation, it may be retained for up to 2 years for enforcement purposes. Because no identifying information is included in the request, this retained data cannot be linked to you or your device.
  • No training: Your data is never used to train, fine-tune, or improve any machine learning model, AI system, or algorithm. Anthropic's commercial terms explicitly prohibit training on API customer content.
  • No profiling: We do not build user profiles, track patterns across sessions, or aggregate data across users.
  • No human review by RePattern: Your submitted text is not read or accessed by any person at RePattern. Anthropic's trust and safety team may review flagged content to enforce their usage policy or to comply with applicable law.

6.4 Crisis Detection

The AI service includes automated crisis detection. If content suggesting self-harm, suicidal ideation, or acute distress is detected, the App will automatically surface crisis helpline resources and support information. This is an automated safety measure and does not constitute professional intervention, diagnosis, or emergency response. Crisis detection does not result in any data being stored, reported, or transmitted to any third party.

6.5 Rate Limiting

AI requests are rate-limited to 60 requests per day per device to prevent abuse. Rate limiting is enforced using anonymous, non-identifying technical mechanisms.

6.6 Operational Audit Log

When the App communicates with our backend (which happens when you use AI features, and on iOS when the App verifies your Premium subscription), our backend writes one row to an audit log for each request. The row contains only operational information — no content of your request, no copy of your content, and no fingerprint derived from your content:

  • Which AI feature was used (for example, distortion detection, reframe, or daily tip).
  • Whether the request succeeded (success, rate-limit hit, or error).
  • Token count — how much capacity the AI model used for the request, for billing and quotas.
  • Processing time — how long the AI call took, for performance monitoring.
  • Approximate country — a two-letter country code (e.g. GB, US) that Cloudflare provides to us based on your request's IP address. We store only the two-letter code — no city, region, or precise location.
  • Platform — whether the request came from the iOS or Android version of the App.
  • Language — the App's interface language (English or Arabic).
  • Timestamp — the time the request was processed.
  • User ID — left empty for all unauthenticated requests, which covers Android guest mode and all AI calls in the current launch configuration. For requests from logged-in accounts in future versions of the App, this would be the user's internal account identifier.

In the current launch configuration, all AI requests are unauthenticated, so the user ID is always empty. The rows are not linked to any device identifier, session token, transaction, or subscription identifier — we have no technical means to tie a row back to a specific person, device, or install. Your raw IP address is visible to Cloudflare at the edge (so it can derive the country code) and to our backend at the moment of processing (so it can apply rate limits), but the raw IP is not stored in any form. Rate-limit counters live in a short-lived in-memory cache and are not persisted.

Audit log rows are kept for up to 90 days on a rolling basis, after which a daily automated job permanently deletes them.

7. API Communication and Security

  • Transport encryption: All communication between the App and our backend uses HTTPS with modern encryption (TLS 1.2 or higher), so data is encrypted while in transit over the internet.
  • Request authentication: Every backend request is signed with a cryptographic signature to verify it hasn't been tampered with and to prevent replay attacks.
  • Request authentication: In the current launch configuration, AI requests are anonymous — no login, no account, and no persistent identifier is sent. The App also pins our website's security certificate (so it will refuse to connect to a fake server pretending to be us) and refuses to follow redirects, preventing common interception attacks. To limit abuse, our backend uses a short-lived rate-limit counter derived from your request's IP address and a random per-install identifier the App generates; this counter lives only in a short-term memory cache and is discarded automatically.
  • Infrastructure: Our public web address is fronted by Cloudflare, which handles the secure connection and adds a country code based on your IP. On iOS, a small serverless function (a Cloudflare Worker) handles the AI forwarding directly — there is no separate backend server in the iOS path. A small audit row (no content) is written to a database hosted by Neon. Cloudflare's edge servers span the United States, the European Economic Area, the United Kingdom, and other regions depending on network routing (see Section 11).
  • Infrastructure: Our public web address is fronted by Cloudflare, which handles the secure connection, adds a country code based on your IP, and forwards the request to our backend server. The backend runs on Railway (a hosting provider), backed by a managed database hosted by Neon. Cloudflare's edge servers span the United States, the European Economic Area, the United Kingdom, and other regions depending on network routing; the backend server itself runs in Railway's hosting region (see Section 11).
  • On-device protection: Local data is protected by iOS's built-in data protection and encryption. Secrets are stored in iOS Keychain, which is secured by Apple's secure hardware chip.
  • On-device protection: Local journal data is stored in a database encrypted with strong, industry-standard encryption, with sensitive fields encrypted a second time on top (see Section 4.1). Secrets are kept in Android's encrypted preferences storage, locked by a master key held in the device's hardware-isolated key store. Automatic Android backups are turned off for the App.
  • No server-side logs of user content: We do not keep server-side logs containing your thought text, situation text, mood entries, or other journal data. The only persistent server-side record per AI request is the operational audit row described in Section 6.6 — which AI feature was used, success or failure, token count, processing time, country, platform, language, and timestamp. None of those fields are derived from your content.

8. Subscriptions and Payment Processing

RePattern Premium is offered as an auto-renewable subscription (weekly and yearly plans available, prices vary by region as determined by Apple) managed entirely through Apple's App Store and Apple's in-app purchase system.

  • We do not process, collect, or store any payment information (credit card numbers, billing addresses, etc.).
  • All payment processing is handled by Apple in accordance with Apple's App Store Terms.
  • We store your Apple transaction ID locally on your device to verify premium access with our API. This transaction ID is a non-identifying alphanumeric string generated by Apple and is not linked to your personal identity, Apple ID, or payment method.

8. Payment Processing

The Android version of the App is currently provided free of charge and does not offer paid subscriptions or in-app purchases at launch. We do not process, collect, or store any payment information.

The Google Play Billing library is included in the App for future paid features, but it is not active in the launch build. If we introduce paid features later, payments will be processed entirely by Google Play in accordance with the Google Play Terms of Service, and we will update this Privacy Policy and notify you within the App before any such features are enabled.

9. Notifications

The App offers optional daily reminders to encourage regular self-reflection practice. These notifications are:

  • Scheduled entirely locally on your device using Apple's standard notifications system
  • Scheduled entirely locally on your device using Android's built-in scheduling and notification system. The App asks for notification permission at first launch on Android 13 and above, as required by Google Play.
  • There is no push notification server — notifications are not sent from our infrastructure. No Firebase Cloud Messaging service is registered in the App and no FCM token is generated or transmitted.
  • We never receive, collect, or store your notification settings, schedule, or device token.
  • You can enable, disable, or customise reminder times within the App's Settings.

10. Home Screen Widget

RePattern includes a mood check-in widget you can place on your iOS home screen. The widget:

  • Has read-only access to the App's local data store on your device
  • Makes no network calls of any kind
  • Does not collect, transmit, or process any data
  • Accesses only the local copy of your data, even when iCloud sync is enabled

10. Home Screen Widget

The Android version of the App does not include a home-screen widget.

11. International Data Transfers

If you use AI features, your request crosses several systems and may be processed in different jurisdictions:

  • Cloudflare (US-headquartered, global edge network) terminates the TLS connection at the edge location closest to you — in the United States, the European Economic Area, the United Kingdom, or another region depending on network routing — before forwarding the request to our origin (on Android) or handling it in a Cloudflare Worker (on iOS). Cloudflare maintains GDPR compliance commitments and a Data Processing Addendum.
  • Railway (US-headquartered) hosts our backend server (Android only). Our service currently runs in Railway's default US region.
  • Neon (US-hosted) holds our operational audit log (Section 6.6) for both platforms. This means the audit information (country, which feature, success/failure, etc.) is stored on US infrastructure.
  • Anthropic (US-based) is our default AI provider. When in use, Anthropic processes the actual AI request content and retains anonymous API inputs/outputs for up to 30 days for safety monitoring (or longer if flagged for a potential usage policy violation).
  • Google (US-based) is our alternate AI provider via the Gemini API, available on Android only. When in use, Google processes the request content; retention follows the Gemini API terms then in effect (Google's published default for paid Gemini API tiers is short-term retention for abuse-monitoring purposes; check the Gemini API Terms and Google Privacy Policy for current details).

Because no name, email, account, device identifier, or session token is included in the AI request body, and because the operational audit row contains no content-derived data, the transfer safeguard requirements under UK GDPR Article 46 and EU GDPR Chapter V are minimised. Cloudflare, Neon, and Anthropic each maintain their own GDPR safeguards including Standard Contractual Clauses where applicable.

Because no name, email, account, device identifier, or session token is included in the AI request body, and because the operational audit row contains no content-derived data, the transfer safeguard requirements under UK GDPR Article 46 and EU GDPR Chapter V are minimised. Cloudflare, Railway, Neon, Anthropic, and Google each maintain their own GDPR safeguards including Standard Contractual Clauses where applicable.

iCloud sync data is transferred and stored by Apple in accordance with Apple's data processing practices and applicable data transfer mechanisms. Please refer to Apple's Privacy Policy for details.

If Crashlytics is enabled on your device (see Section 17), crash reports are transmitted to Google's Firebase infrastructure, which may process them in the United States or other Google regions. Google maintains GDPR safeguards including Standard Contractual Clauses where applicable; see the Google Privacy Policy.

12. Legal Basis for Processing (UK GDPR / EU GDPR)

Under the UK General Data Protection Regulation (retained from EU GDPR post-Brexit) and the EU GDPR, we process data on the following lawful bases:

  • Consent (Article 6(1)(a)): AI data processing is performed only with your explicit, freely given, specific, informed, and unambiguous consent. You may withdraw consent at any time via Settings > AI Data Consent, and withdrawal takes immediate effect. Crash reporting via Crashlytics also relies on consent — you may withdraw it at any time in Settings > Privacy > Crash reports.
  • Contract performance (Article 6(1)(b)): Processing necessary to provide the Premium subscription service you have purchased (e.g., verifying subscription status via Apple transaction IDs).
  • Legitimate interests (Article 6(1)(f)): Basic operational functions such as cryptographic request signatures for API security, and anonymous regional usage logging (Section 6.6) to understand service demand. We have assessed that these do not override your rights and freedoms, as no personal data is involved.
  • Legitimate interests (Article 6(1)(f)): Basic operational functions such as API authentication, certificate pinning, and anonymous regional usage logging (Section 6.6) to understand service demand. We have assessed that these do not override your rights and freedoms, as no personal data is involved.

12.1 Special Category Data

Mental health data may constitute special category data under Article 9 of the GDPR. We process this data only on the basis of your explicit consent (Article 9(2)(a)). Importantly, RePattern stores mental health content exclusively on your device. When AI features are used with consent, thought text is sent anonymously (with no identifying information) to the AI provider, which retains it for up to 30 days for safety compliance before automatic deletion (or longer if flagged for a potential usage policy violation).

13. Your Rights Under Applicable Law

13.1 UK GDPR / EU GDPR Rights

If you are located in the United Kingdom or the European Economic Area, you have the following rights under the UK GDPR / EU GDPR:

  • Right of access (Article 15): You may request confirmation of whether we process your personal data and access to that data. Because we do not store personal data on our servers, there is no server-side data to provide.
  • Right to rectification (Article 16): You may correct inaccurate data. Your on-device data can be edited directly within the App.
  • Right to erasure (Article 17): You may request deletion of your data. See Section 14 for deletion instructions.
  • Right to restriction of processing (Article 18): You may restrict processing by revoking AI consent or disabling iCloud sync.
  • Right to restriction of processing (Article 18): You may restrict processing by revoking AI consent or by turning off Crashlytics in Settings > Privacy > Crash reports.
  • Right to data portability (Article 20): Because data is stored locally on your device, you have full physical possession of it at all times.
  • Right to object (Article 21): You may object to processing by disabling AI features or uninstalling the App.
  • Right to withdraw consent (Article 7(3)): You may withdraw AI consent at any time via Settings > AI Data Consent. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. In the United Kingdom, this is the Information Commissioner's Office (ICO).

13.2 California Consumer Privacy Act (CCPA / CPRA) Rights

If you are a California resident, you have rights under the California Consumer Privacy Act (as amended by the CPRA):

  • Right to know: You may request disclosure of what personal information we collect about you. We do not collect personal information as defined under the CCPA.
  • Right to delete: You may request deletion of personal information. See Section 14 for on-device deletion instructions.
  • Right to opt out of sale/sharing: We do not sell or share any personal information, as defined under the CCPA/CPRA. There is no "Do Not Sell or Share My Personal Information" mechanism because no sale or sharing occurs.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

CCPA categories disclosure: In the preceding 12 months, RePattern has not collected, sold, shared, or disclosed for a business purpose any categories of personal information as defined under the CCPA.

13.3 Exercising Your Rights

To exercise any of the above rights, or if you have questions about our data practices, please contact us at contact@repattern.help. We will respond to verifiable requests within 30 days (or within the shorter timeframe required by applicable law).

14. Data Retention and Deletion

Because we do not store your journal content on any server, there is no server-side retention period for that content. Data exists only in the following locations:

  • On your device: Retained until you delete it within the App or uninstall the App.
  • In iCloud (if enabled): Retained until you remove it via Apple ID > iCloud > Manage Account Storage, or until you delete data within the App (which syncs the deletion to iCloud).
  • On our servers (during AI processing): Your thought and situation content is held in our server's temporary memory only while the request is being processed (typically milliseconds to seconds), then immediately discarded. The only persistent server-side record per request is the operational audit row described in Section 6.6 (which feature, success/failure, token count, processing time, country, platform, language, timestamp — no content-derived data), kept for up to 90 days.
  • At the AI provider (Anthropic): Anonymous API inputs and outputs are retained for up to 30 days for safety and abuse monitoring, then automatically deleted. If content is flagged for a potential usage policy violation, it may be retained for up to 2 years for enforcement purposes. No identifying information is included, so this data cannot be linked to you.
  • At Google (if Crashlytics is enabled): Anonymous crash reports are retained by Google for up to 90 days. See Section 17.

How to delete your data:

  • Delete all App data: Navigate to Settings > Delete All Data within the App. On Android, this wipes the encrypted journal database, all encryption keys we hold, your preferences, and any cached data.
  • Remove all local data: Uninstall the App from your device. Because Android Auto Backup is disabled for the App, uninstalling completely removes all locally stored data.
  • Manage iCloud data: Go to iOS Settings > [Your Name] > iCloud > Manage Account Storage.
  • Revoke AI consent: Navigate to Settings > AI Data Consent within the App.
  • Cancel subscription: Go to App Store > [Your Profile] > Subscriptions.
  • Disable crash reporting: Navigate to Settings > Privacy > Crash reports and turn it off (takes effect immediately).

15. Children's Privacy (COPPA Compliance)

RePattern is not directed at, marketed to, or intended for use by children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 13.

Because RePattern collects no personal information from any user, regardless of age, there is no mechanism by which children's data could be inadvertently collected, stored, or processed on our servers.

If you believe a child under 13 has provided personal information to us, please contact us at contact@repattern.help and we will investigate promptly.

16. Apple App Store Privacy Disclosures

In compliance with Apple's App Store requirements, we provide privacy "nutrition labels" on the RePattern App Store listing. These labels accurately reflect the following:

  • Data Not Linked to You:
    • Other User Content — thought and situation text submitted to AI features. Sent anonymously to our backend, forwarded anonymously to Anthropic, and never linked to your identity, Apple ID, or device.
    • Coarse Location — the country derived from your IP address when the App communicates with our backend (for anonymous regional usage logging only, see Section 6.6). Not linked to any user, device, or session identifier.
    • Product Interaction / Other Diagnostic Data — non-content operational information per request (which feature was used, success/failure, token count, processing time, country, platform, language, timestamp). Kept anonymously for up to 90 days. Not linked to any user, device, or session identifier.
  • Data Not Collected: We do not collect contact information, account credentials, precise location, browsing history, search history, financial information, health and fitness data (beyond what you voluntarily enter into thought records), or sensitive information. We do not collect any identifiers that would let us link backend data to a specific user, device, or install.
  • Tracking: The App does not engage in cross-app tracking as defined by Apple's App Tracking Transparency rules. We do not show the "Ask App Not to Track" prompt because we have no tracking to ask permission for.

16. Google Play Data Safety Disclosures

In compliance with Google Play's Data Safety section, we declare the following data practices on the RePattern Google Play listing:

  • Data collected and not shared (anonymous, not linked to your identity):
    • Other User Content (when you opt in to AI features) — thought and situation text sent anonymously to our backend and forwarded to Anthropic. Not linked to your account or device. Processing only; not used to identify you.
    • App Activity / Diagnostics — when you opt in to AI: non-content operational information per request (which feature was used, success/failure, token count, processing time, country derived from your IP at Cloudflare, platform, language, timestamp), kept for up to 90 days. When Crashlytics is enabled (default): crash reports and the diagnostic information described in Section 17, kept by Google for up to 90 days.
  • Data not collected: name, email address, phone number, postal address, precise location, browsing or search history, financial information, health and fitness data, contacts, calendar, photos, microphone input, or camera. No Advertising ID (GAID) is collected.
  • Data not sold or shared with third parties for advertising: we do not sell any data, and we do not share data with third parties for advertising or behavioural analytics.
  • Encryption in transit: all data sent to our backend or to Google is encrypted via HTTPS with TLS 1.2 or higher. Our backend connection additionally uses TLS certificate pinning.
  • Data deletion: You can delete all on-device data via Settings > Delete All Data, or by uninstalling the App (which permanently removes all locally stored data because Android Auto Backup is disabled). See Section 14.

17. Third-Party Services

The App integrates with the following third-party services:

  • Apple iCloud (CloudKit): For optional cross-device data synchronisation. Governed by Apple's Privacy Policy and iCloud Terms of Service.
  • Apple App Store: For subscription management and payment processing. Governed by Apple Media Services Terms and Conditions.
  • Google Play: For App distribution and updates. Governed by the Google Privacy Policy and the Google Play Terms of Service.
  • Firebase Crashlytics (Google): Crash reporting. Enabled by default in the App as you install it from Google Play; can be turned off in Settings > Privacy > Crash reports at any time (the change takes effect immediately). When enabled, Crashlytics collects anonymous crash data: technical information about the crash, the time it happened, the app version, your device model, your operating system version, and a randomly generated install identifier unique to your specific app installation (not your Google Account and not your advertising identifier). Google keeps crash data for up to 90 days. No journal content, mood entries, or thought-record text is included — our log filter strips any sensitive fields before reports are sent. Governed by the Firebase Privacy and Security Information and the Google Privacy Policy.
  • Cloudflare: Our network provider. On iOS, Cloudflare handles the secure (HTTPS) connection, adds a two-letter country code based on your IP (which we then store in our operational audit log), and runs a small serverless function (a Cloudflare Worker) that forwards your AI request directly to Anthropic. There is no separate backend server in the iOS path. Cloudflare does not store your request body or response body as part of our setup. Cloudflare does keep its own operational logs (the connection's IP, timestamp, requested URL, response code, and timing) as part of normal service operation; those logs are subject to Cloudflare's own retention policies and are not accessible to RePattern. Governed by Cloudflare's Privacy Policy.
  • Cloudflare: Our network provider, sitting in front of our backend server. On Android, Cloudflare handles the secure (HTTPS) connection, adds a two-letter country code based on your IP (which we then store in our operational audit log), and forwards your request to our backend server hosted on Railway. Cloudflare does not store your request body or response body as part of our setup. Cloudflare does keep its own operational logs (the connection's IP, timestamp, requested URL, response code, and timing) as part of normal service operation; those logs are subject to Cloudflare's own retention policies and are not accessible to RePattern. Governed by Cloudflare's Privacy Policy.
  • Railway: Hosts our backend server for the Android AI path. When you use AI features on Android, Railway runs the code that forwards your request to the AI provider and writes the operational audit row to the database. Not used on iOS. Governed by Railway's Privacy Policy.
  • Neon: The managed database service we use to store our operational audit log described in Section 6.6 (no content-derived data) for both platforms. In future versions of the App that enable accounts, this would also hold user, login, and synced-data information. Governed by Neon's Privacy Policy.
  • Anthropic (Claude): Our default AI model provider. When active, your thought and situation text is sent to the Anthropic API via our backend for real-time processing. Anthropic does not train on API customer content. Governed by Anthropic's Privacy Policy.
  • Google (Gemini API): Alternate AI model provider we may use in place of Anthropic on Android, configurable at the environment level on our backend. When active, your thought and situation text is sent to the Gemini API via our backend. Google's published terms for the paid Gemini API state that customer content is not used to train Google's models. Governed by the Gemini API Terms and Google's Privacy Policy.
  • Sentry: Error tracking for our Android backend server. When an unexpected error happens while processing your AI request, technical information about the error (when it happened, which feature was being used, the error code, and which environment it was in) may be sent to Sentry to help us diagnose the problem. We do not send the request body, your AI input, journal content, IP address, email, or user identifiers to Sentry. Only 10% of error events are sampled. Sentry keeps events for up to 90 days, after which they are automatically deleted. Not used on iOS. Governed by Sentry's Privacy Policy.

We do not integrate with any advertising networks, third-party analytics providers, social media SDKs, or data brokers. Our backend does maintain anonymous, first-party usage logs (country + platform + timestamp per request, not linked to any user) — see Section 6.6.

We do not integrate with any advertising networks, third-party behavioural analytics providers, social media SDKs, or data brokers. The only Google service that actively transmits data from the App is Firebase Crashlytics (enabled by default and can be turned off in Settings). Our backend also maintains anonymous, first-party usage logs (country + platform + timestamp per AI request, not linked to any user) — see Section 6.6.

18. Do Not Track Signals

RePattern does not track users in any way. The App honours Do Not Track (DNT) signals by default, as no tracking occurs regardless of signal status. There is no behavioural tracking to disable.

19. Security Measures

We implement reasonable and appropriate technical and organisational measures to protect the limited data we process:

  • HTTPS with modern encryption (TLS 1.2 or higher) for all network communication
  • Cryptographic signatures on every request to prevent tampering or replay attacks
  • Certificate pinning on the production backend, so the App refuses to connect to anyone pretending to be us; redirects disabled on outgoing requests
  • Apple's built-in file encryption for data stored on your device
  • Strong (AES) encryption for the local journal database, with sensitive fields encrypted a second time on top using their own keys
  • Apple's secure hardware chip protects Keychain items
  • Android's hardware-isolated key store protects the master key that unlocks our encrypted preferences storage
  • Automatic Android backups are turned off for the App, so secrets and journal data are never copied to Google Drive Auto Backup or to local backup archives
  • No server-side logging of journal content, AI input/output, or any fingerprint derived from your content
  • On iOS, the AI request is handled by a Cloudflare Worker that forwards to Anthropic in temporary memory; the only persistent server-side record per AI request is the non-content operational audit row (Section 6.6) stored in Neon
  • On Android, the backend server (on Railway) is reached only through Cloudflare, which handles the secure connection; the only persistent server-side record per AI request is the non-content operational audit row (Section 6.6) stored in Neon
  • Rate limiting (60 AI requests per day per device) enforced through short-lived in-memory counters; counters are discarded automatically

While no system is 100% secure, our architecture is designed to minimise risk by not retaining data on servers. In the unlikely event of a data breach affecting any personal data, we will notify affected individuals and the relevant supervisory authority in accordance with UK GDPR Article 33 requirements (within 72 hours of becoming aware).

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do:

  • We will revise the "Last updated" date at the top of this page.
  • Material changes will be noted in the App's release notes on the App Store.
  • Material changes will be noted in the App's release notes on Google Play.
  • If a change materially affects how we process data you have already provided consent for (e.g., changes to AI data processing), we will seek renewed consent within the App before such changes take effect.

Because we do not collect email addresses or maintain user accounts, we cannot provide direct notification of policy changes. We encourage you to review this page periodically. Your continued use of the App after changes are posted constitutes acceptance of the revised Privacy Policy.

21. Supervisory Authorities

If you are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection authority:

  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
  • European Union: Your local Data Protection Authority — EDPB member list

22. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy, your data, or RePattern's privacy practices, please contact us at:

Email: contact@repattern.help
Website: repattern.help

We take all privacy inquiries seriously and will endeavour to respond within 30 days of receipt.
