Who we are (data controller)
Mustafa Baykal (Individual Developer), jurisdiction: Republic of Türkiye.
For all privacy-related questions: mustafabaykal91@gmail.com
What we collect
- Email address — only when you sign in.
- Name — only when you sign in.
- Anonymous usage analytics — page views, button taps, anonymized session data. No personal identifiers.
Third-party services we use
- RevenueCat (subscription receipt validation)
- Supabase (anonymous auth + room state + session history — EU/Frankfurt)
- PostHog (anonymous product-usage analytics — EU/Frankfurt)
- Sentry (crash + performance reports — PII scrubbed)
- hCaptcha (bot defense on optional sign-up)
- Apple StoreKit + APNs
Data processors and international transfers
We use the following processors. All have signed Data Processing Agreements (DPAs); transfers to the United States are additionally protected by Standard Contractual Clauses (SCCs) per GDPR Articles 44–49 (post-Schrems II).
| Processor | Purpose | Location | DPA | SCC |
|---|---|---|---|---|
| Supabase, Inc. | Primary backend — anonymous account auth, focus room state, session history, Live Activity push delivery | EU (Frankfurt region) | ✓ | ✓ |
| RevenueCat, Inc. | Subscription receipt validation and entitlement management | USA | ✓ | ✓ |
| PostHog, Inc. | Anonymous product-usage analytics keyed to a per-install random identifier (never your name or email). User can opt out in Settings → Privacy | EU (Frankfurt region) | ✓ | ✓ |
| Functional Software Inc. (Sentry) | Crash and performance reporting. PII scrubbed before upload. Crash reports older than 90 days are automatically pruned | USA | ✓ | ✓ |
| Intuition Machines, Inc. (hCaptcha) | Bot defense token issued during optional account sign-up. Cannot identify the user | USA | ✓ | ✓ |
| Apple, Inc. | App Store distribution, in-app purchase processing, push notification delivery (APNs), Live Activity push | Global | ✓ | N/A |
Data retention
We keep data only as long as necessary for the purpose collected, or as required by law (GDPR Art. 5(1)(e); KVKK Art. 7).
| Data type | Retention period | Reason |
|---|---|---|
| Anonymous user ID + optional display name + avatar seed | until-deletion | Required to load your streak, achievements, and room membership across devices |
| Email address + Apple display name (only if you upgrade from anonymous to Sign in with Apple) | until-deletion | Account recovery and subscription receipt linking |
| Focus session history | until-deletion | Drives weekly reports, streaks, and coach insights |
| Room content (display name, welcome message, member display name) | until-deletion-of-room | Required for other room members to see the room identity. Server-side CHECK constraints enforce length and reject profanity / URL spam |
| Reports and blocks (reporter id, reported id, category, snapshot of offending content) | until-resolved-or-deletion | Required for moderation review under App Store Guideline 1.2. Content snapshotted at report time so review survives the reported user editing or deleting their content |
| Sentry crash reports | 90-days | Auto-pruned by Sentry per their default retention |
| PostHog usage events | 365-days | Auto-pruned by PostHog per their default retention |
| Subscription receipts (via Apple + RevenueCat) | 7-years | Tax/accounting record retention required by Turkish tax law |
Anonymous-by-default
Only Focus generates an anonymous user ID on first launch. You don't need to provide an email, name, or any personal information to use the timer, save streaks, or join focus rooms. Email and Apple-supplied display name are only collected if you choose to upgrade your account with Sign in with Apple for cross-device sync.
What focus rooms share with other people
When you join a focus room, other members in that room can see: your display name (you choose this — it can be a nickname, capped at 40 characters), your avatar (procedurally generated from a seed you control), your current focus phase (working/break/paused), and emoji reactions from a fixed 5-emoji allowlist (thumbs-up, fire, water-drop, check, star). There is NO free-form chat — reactions only. Members CANNOT see your email, your real name, your subscription tier, or any session history outside that room.
What we do NOT collect
We do not collect or use: precise location, contacts, photos, microphone, camera, health/fitness data, calendar, browsing history, IDFA (advertising identifier), or any biometric data. Only Focus contains zero advertising SDKs. We do not sell, rent, or share your data with advertisers; our privacy manifest declares NSPrivacyTracking: false.
Children
Only Focus is rated 12+ because focus rooms contain user-typed content (room name, welcome message, member display name). We do not knowingly collect any personal information from children under 12. Room content is moderated server-side (length caps + profanity / URL filter) and any user can long-press another member to report or block them. If you discover a child has shared identifying information in a room, contact us at mustafabaykal91@gmail.com and we will remove it within 24 hours.
International data transfer
Your anonymous user data, room state, session history, and product-usage analytics are stored in EU servers (Supabase + PostHog, Frankfurt region). Subscription validation requests pass through RevenueCat's USA infrastructure under Standard Contractual Clauses (post-Schrems II); crash reports go to Sentry's USA infrastructure under SCCs. Apple's StoreKit + APNs pipeline is global. We have signed Data Processing Agreements with all processors.
Your choices
You can opt out of anonymous product-usage analytics at any time in Settings → About → Share anonymous usage data. You can delete your account and all server-side data at any time in Settings → Account → Delete Account — the in-app flow runs a server-side function that hard-deletes your auth row and cascades to remove your sessions, display name, room memberships, reports, and blocks. RevenueCat subscription history is also anonymized.
Your rights
- Access — request a copy of any data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion (see Delete account).
- Portability — receive your data in a machine-readable format.
- Restriction — restrict processing in certain circumstances.
- Objection — object to processing based on legitimate interests.
- Object to automated decisions — the app does not make consequential automated decisions; you may still email us per GDPR Art. 22.
- Withdraw consent — for any processing based on consent.
- Lodge a complaint — with your local supervisory authority (in Türkiye: KVKK; in EU: your national DPA).
Legal bases for processing (GDPR Art. 6)
- Performance of a contract — processing payment receipts via Apple/RevenueCat to provide your subscription.
- Legitimate interests — anonymized analytics + crash reporting to improve the app.
- Consent — health permissions, push notifications, ATT tracking (you can withdraw at any time in iOS Settings).
- Legal obligation — retaining payment records per applicable tax law.
Children
Only Focus is not directed at children under 12. We do not knowingly collect data from children under that age. If you believe a child has provided us data, contact mustafabaykal91@gmail.com and we will delete it within 30 days.
Security
We implement industry-standard security measures: TLS 1.3 for all network traffic, encrypted at rest where stored on third-party services, no plaintext credentials, principle of least privilege for data access. No system is 100% secure; if a breach impacts you, we will notify per GDPR Art. 33–34 (within 72 hours of discovery).
California / CCPA
California residents have the right to: (i) know what personal info we collect; (ii) delete personal info; (iii) opt out of sale (we do not sell); (iv) non-discrimination. To exercise: email mustafabaykal91@gmail.com with subject "CCPA request".
Changes
If this policy changes materially, the "Last updated" date will be revised. Significant changes will be flagged in-app and we will provide a 30-day notice period for objection where required by law.
Contact
Privacy questions: mustafabaykal91@gmail.com · Data subject requests: same email, subject "Data subject request".