Privacy policy
Last updated: 2026-04-26
Singletick is built around a simple promise: your content never leaves your phone in a form anyone but you can read. This page is the long version of that promise. It also enumerates every third party Singletick speaks to, what they see, and what your rights are under privacy law (GDPR, CCPA, LGPD, India's DPDP Act).
1. Who we are
"Singletick", "we", and "our" refer to the Singletick mobile application (iOS + Android, package app.singletick.mobile) and the Singletick website (singletick.app). Both are operated by the Singletick project, headquartered in India. For privacy enquiries contact hello@singletick.app.
2. What we do not collect
The following is true by design. The app's source enforces it; tests pin it.
- The contents of any habit, todo, note, mood entry, pledge, or secret.
- Your account, name, email address, phone number, or any identifier you would recognise as "yours". Singletick has no sign-up.
- Your master passphrase, any key derived from it, or any data encrypted under it.
- Your contacts, photos, calendar events, location (unless you opt in to specific HealthKit / Health Connect categories), or any device sensor not directly powering a feature you tapped.
- Any free-form text you typed anywhere in the app.
3. What we do collect
3a. On your device — encrypted with your passphrase
Habits, ToDos, Notes (including images and rich-text), Pledges, Mood entries, Secrets, Focus sessions, Settings preferences, and any other user-generated content. Encrypted with AES-256-GCM under a key derived from your passphrase via Argon2id (memory: 64 MB, iterations: 3, parallelism: 2). The salt lives in your device's secure enclave (Keychain on iOS, Keystore on Android). Even if your phone is taken apart and the storage chip read directly, the data is opaque without your passphrase.
3b. Anonymous analytics (Firebase)
A short list of named events with no content payload — for example habit_completed, paywall_viewed, purchase_completed, feature_used. Habit names, streak counts, identifiers, and free-form text are explicitly forbidden by the codebase's analytics rules. You can disable analytics entirely in Settings → Privacy → Local-only mode (Pro).
3c. Crash reports (Firebase Crashlytics)
Stack traces, device model, OS version, and app version. No personal data, no entry contents. Used solely to diagnose crashes.
3d. Push notifications (Firebase Cloud Messaging)
A device-scoped FCM push token (rotates per install, not tied to your identity). We use it only to wake the app for local reminders and Live Activities; we never send notification payload content via FCM — the app composes notification text on-device.
3e. Remote feature flags (Firebase Remote Config)
The app fetches a small key/value blob to read feature flags (e.g. "is the new theme picker live yet?"). Sent: nothing about you. Received: a JSON object of strings and booleans.
3f. Subscription state (RevenueCat)
For Pro subscribers only: an anonymous appUserID (a UUID generated on your device, not tied to your name or email) and the receipt forwarded by Apple / Google for entitlement checks. RevenueCat is the subscription processor; Singletick is not the merchant of record. RevenueCat's privacy policy is at revenuecat.com/privacy.
3g. HealthKit / Health Connect (opt-in)
Step count, sleep duration, and heart-rate variability — only when you explicitly opt in via the in-app permission flow. The data stays on your device and powers the on-device Energy Score feature. We never upload it.
3h. Encrypted backup (your own cloud)
For Pro subscribers who enable backup: a single ciphertext blob is uploaded to your own Google Drive (in the hidden appDataFolder for app.singletick.mobile) or your own iCloud private container. The encryption happens on your device; what reaches Google or Apple is opaque bytes. Singletick does not have access to your cloud account; your cloud provider does not have access to a key that can decrypt the blob.
3i. Companion signalling (Phase 8B, Cloudflare Workers)
When you pair a browser companion: a 6-digit pairing code, the WebRTC SDP offer/answer, and ICE candidates flow through a Cloudflare Worker we operate at signalling.singletick.app. State lives at most 60 seconds in a Durable Object before being deleted. Nothing about your habit / todo / note content ever passes through.
3j. TURN fallback (Phase 8B, Metered.ca)
If the companion can't connect peer-to-peer (~10–20% of users behind symmetric NAT), the data channel falls back through a TURN relay run by Metered.ca. The relay sees only the DTLS-encrypted bytes; we layer Noise_KK on top so even a Metered.ca compromise reveals nothing readable.
3k. Hosting (this website)
Singletick.app is served by GitHub Pages. GitHub may log access IPs and User-Agents per its standard infrastructure policy. We do not run any analytics on the website itself — no Google Analytics, no Plausible, nothing.
4. Where data goes
The third parties that touch any data, however small:
- Google — Firebase Analytics, Crashlytics, FCM, Remote Config, your own Drive backup, public STUN servers (companion). Subject to Google's privacy policy.
- Apple — App Store, your own iCloud backup, HealthKit (opt-in), push notifications. Subject to Apple's privacy policy.
- RevenueCat — anonymous subscription state. revenuecat.com/privacy.
- Cloudflare (Phase 8B) — companion signalling endpoint. Sees ephemeral pairing metadata only.
- Metered.ca (Phase 8B fallback) — companion TURN relay. Sees encrypted bytes only.
- GitHub — hosts singletick.app via GitHub Pages.
5. Your rights
Under GDPR, CCPA, LGPD, and India's DPDP Act:
- Right to access — your content is on your device. Open the app, look at it.
- Right to deletion — Settings → Backup → Delete cloud backups, then Settings → Reset all local data, then uninstall the app. See the Delete account page for the step-by-step.
- Right to data portability — Settings → Backup → Export to JSON or CSV.
- Right to object — disable Firebase Analytics in Settings → Privacy → Local-only mode.
- Right to restriction — same as above plus disable HealthKit / Health Connect permissions in your OS settings.
- Right to lodge a complaint — with your local data-protection authority (e.g. ICO in the UK, CNIL in France).
6. Children's privacy
Singletick is not directed at children under 13 (16 in the EU under GDPR, 18 in some jurisdictions). We do not knowingly collect data from children. If you believe a child has used Singletick, contact hello@singletick.app and we will assist.
7. International transfers
Firebase data flows to Google's US servers under their Standard Contractual Clauses for international transfers. Cloudflare's signalling endpoint runs at the global Cloudflare edge (anycast) so requests resolve to the nearest data centre. We rely on each sub-processor's own legal-basis posture for any transfers that happen.
8. Data retention
Your encrypted content lives on your device until you delete it. Backup blobs in your own cloud live until you delete them. Anonymous analytics events are retained per Firebase's default policy (currently 14 months for events, 26 months for user-bound data — neither of which contains anything personally identifiable to you in our case). Companion signalling state is deleted within 60 seconds of pairing.
9. Changes to this policy
We will post material changes to this policy on this page with a refreshed "Last updated" date and announce them on the changelog. Continued use of Singletick after a change indicates acceptance of the revised policy.
10. Contact
Privacy enquiries: hello@singletick.app.
Security disclosure: see the security page.