Privacy Policy — MyLifeFlow

1. Introduction

MyLifeFlow: Habit & Shifts ("App", "we", "our", "us") is developed and maintained by Anton Dimitrov ("Developer"). This Privacy Policy describes our practices regarding the collection, use, and protection of your information when you use our App.

By using MyLifeFlow, you agree to the terms of this Privacy Policy.

This Privacy Policy is provided in English only and governs your use of the App regardless of your device language setting.

2. Core Privacy Principle: Your Data Stays on Your Device

MyLifeFlow is a locally-operated application. All data you enter — habits, shifts, finances, wellness entries, notes, emotions, and energy levels — is stored exclusively on your device in an encrypted local database (SQLite).

We do not:

Operate servers that collect or store your personal data
Transmit your personal data to any third party
Have any ability to access, view, or retrieve your data
Use your data for analytics, advertising, or profiling

3. Information You Provide

You may voluntarily enter the following categories of data:

Habit Data: Habit names, descriptions, completion records, streaks, frequencies, and timestamps
Shift Schedule Data: Shift start/end times, shift types (day/night/rest), shift notes
Financial Data: Income records, expenses, loan details, budgets, financial goals, salary calculations
Wellness & Mood Data: Emotion states, energy levels, mood entries, wellness notes, quick tags
Task Data: Daily tasks, completion status, priorities
Notes: Free-text daily notes stored within the Today screen

All of the above is stored only on your device and is never transmitted to us.

4. Data We Do NOT Collect

We explicitly do not collect:

Your name, real address, phone number, or government identifiers
Location data (GPS or approximate)
Device identifiers for advertising (IDFA, GAID)
Behavioral analytics or usage telemetry
Crash reports sent to third parties
Contacts, calendar, photos, or any other on-device library
Health data from HealthKit or Google Fit
Any biometric raw data (Face ID / Touch ID templates stay on your device)
Financial account numbers or payment details beyond IAP transaction IDs from Apple/Google
Any data we could sell, rent, or share for behavioral advertising

Note on email and IP address: The App offers two places to add an email:

Settings → Email verification (Optional): you may add an email purely to receive notifications about your subscription. Saving an email is fully voluntary. You can leave the field empty and the App still works in every other respect.
Refer a Friend → Add your email (Required): if you want to participate in the Referral Program (share your code, earn rewards), an email is required so we can attribute referrals to you and notify you when rewards unlock. Without it, the program cannot credit you.

In both cases the address is processed identically: encrypted at rest with ECIES, decryptable only with the offline private key, never used for marketing, never sold or shared. Your IP address (encrypted) is recorded only when the Referral Program backend is contacted, for rate limiting and fraud detection. Outside these flows, neither is collected.

What we DO NOT do with your email

Never sell your email to anyone
Never use your email for marketing newsletters
Never share your email with third-party advertisers
Never use your email to profile you
Never enrich your email with data from other sources

5. Automatically Generated Data (Local Only)

The App may automatically generate the following locally only, never transmitted:

App usage timestamps (for habit streak calculations)
Notification schedules (for reminder timing)
Trial start date and status (stored in iOS Keychain)
Subscription and purchase status (stored in iOS Keychain)

None of this data leaves your device.

6. Biometric Authentication (Face ID / Touch ID)

The App optionally uses biometric authentication via Apple's Local Authentication framework.

We never store biometric data of any kind
Biometric processing happens exclusively in Apple's Secure Enclave hardware
We only receive a boolean result (success or failure) — no biometric templates, images, or raw data
Disabling biometrics in App settings stops all biometric prompts immediately

7. Referral Program (Optional Cloud-Backed Feature)

The App includes an optional Referral Program. When you open the "Refer a Friend" screen and use any of its features, a small amount of data is exchanged with our backend hosted on Cloudflare Pages Functions with a Cloudflare D1 database in the EU (Europe-East region). All other parts of the App remain fully local — using the Referral Program is your choice.

This section describes everything the Referral Program collects, how it is encrypted, who else processes it, and how long it is kept.

Email data flow — end to end

You enter email

HTTPS to Cloudflare Pages (TLS 1.3)

Cloudflare Turnstile (bot check)

KV rate limit (5/min per IP)

Cloudflare D1 (EU region) — encrypted at rest

Notification webhook (only when friend subscribes)

Email delivered → Done.

7.1 What the Referral Program collects

Data	Why	How it is stored
Pseudonymous device hash (SHA-256 of your iOS Identifier-for-Vendor)	Prevents one device from generating multiple referral codes; lets us reattach an existing code after reinstall	Cleartext (no PII). Cannot be reversed back to your Apple ID or device serial.
Your 12-character referral code	Identifier you share with friends	Cleartext. Random characters; contains no information about you.
Email address — required if you participate in the Referral Program; optional if you only add it under Settings → Email verification	Required path: needed to attribute referrals to you and unlock rewards when a friend's paid subscription confirms. Optional path: notifications about your own subscription renewals.	Encrypted at rest with ECIES (256-bit elliptic-curve scheme). The decryption key is held offline on the operator's computer and never deployed to Cloudflare. A separate HMAC fingerprint allows duplicate-detection without ever decrypting the address.
IP address of every Referral Program request	Per-IP rate limiting and fraud detection	Encrypted at rest with the same ECIES scheme. Cleartext copies are not retained.
Device fingerprint metadata (model, iOS version, locale, timezone, User-Agent)	Forensic context if a referral is later disputed	Cleartext. Not personally identifying on its own.
Apple `appAccountToken` (UUID v4 generated on your device)	Lets Apple's Server Notifications V2 webhook tell our backend that a paid subscription occurred — so the right person earns the reward	Cleartext UUID. Not linked to your Apple ID.
A friend's referral code if you enter one	Records the pending claim until your first paid subscription confirms it	Cleartext.
Audit log entries for every Referral API call	Required to investigate disputes (e.g., a refund chargeback or a missing reward)	IP and free-form details encrypted; device metadata cleartext.

What the Referral Program does NOT collect: your name, real address, phone number, payment method, behavioral analytics, location, contacts, photos, the contents of any other screen of the App, or any data outside the Referral screens.

7.2 Email verification (magic link)

Whenever you save an email — whether through the optional Settings card or the required Referral field — our backend issues a single-use 256-bit token, stores it for up to 24 hours, and asks Resend (a transactional email provider — see Section 15) to deliver a "Verify email" link to that address. Tapping the link from the same browser confirms ownership; the token is then marked used and cannot be replayed. Tokens that are not used within 24 hours expire automatically.

Why verification is required for the Referral Program: a verified email is the only reliable way to ensure that the address actually reaches you when a friend's paid subscription unlocks a reward, and it lets us refuse referrals that try to attach the same address to multiple referral codes (a common form of abuse). Without verification, we cannot guarantee reward notifications.

You may change your email at any time. The previous value is moved into an append-only history table (still encrypted) so we can deduplicate notifications across all addresses you have ever attached. We will not contact a superseded address again unless you re-attach it.

7.3 How the Referral Program uses the data

To register your code with the backend (one code per device, idempotent on reinstall).
To match a friend's code you enter to your future paid subscription, exactly once.
To deliver the verification email and the optional reward-unlocked notification.
To enforce per-IP rate limits and detect self-referral or bot abuse.
To investigate a specific dispute if you, a referee, or Apple raises one.

We do not use Referral Program data for advertising, profile-building, cross-app tracking, or sale to third parties. We do not run any analytics SDK and do not maintain a user-by-user profile beyond what this section describes.

7.4 Legal basis (GDPR Art. 6)

Consent (Art. 6(1)(a)): for an email address you save through Settings → Email verification. This is fully optional. You may withdraw consent at any time by saving an empty email or contacting us — see Section 18.
Performance of a service you requested (Art. 6(1)(b)): for the referral code itself, the friend-code claim, the appAccountToken, and the email you supply on the Refer-a-Friend screen — that email is a contractual prerequisite of the Referral Program. Without it we cannot perform the service (track and pay out referral rewards), so its collection is justified by the contract you enter into when you tap "Save".
Legitimate interest (Art. 6(1)(f)): for IP, device fingerprint, audit logs and rate limits — the legitimate interest is fraud prevention and dispute resolution. You may object under Art. 21 by contacting us.

7.5 Retention

Referral code, claim, reward grants, audit log: retained for as long as the Referral Program is operated, plus a reasonable period for tax and dispute records (currently indefinitely; we will publish a cut-off if/when we adopt one).
Email (encrypted): retained until you delete it (by saving a blank value) or request erasure. Old values are kept in the encrypted history table for the same period for deduplication.
Verification token: deleted automatically 24 hours after issuance, or immediately on use.
Cloudflare KV rate-limit counters: 60 seconds.

7.6 Right to erasure — one-tap, in-app

You can erase every server-side trace of your participation in the Referral Program at any time, in two taps, without contacting us:

Settings → Data Management → Erase All Data

Tapping that button now does the following in a single transaction:

Wipes your local SQLite database (habits, shifts, finances, wellness — everything you entered on this device).
Sends a signed deletion request to our backend that, on receipt, removes:
- Your referral code row in the codes table.
- Every encrypted email address you ever attached, in email_history.
- Every outstanding email-verification token in email_verifications.
- Your pending or verified claims in referrals (whether you were the referee or the referrer).
- Reward grants attributed to your device in rewards_granted.
- Audit log rows tied to your device hash, in audit_log.
Clears the iOS Keychain entries that hold your device hash and Apple appAccountToken.

What we keep, and why: rewards already credited to other users who referred you (or who you referred) stay credited on their account — Apple's TOS and Section 6A.4 of our Terms both treat granted reward time as final. Their visibility into the relationship is anonymized once your row is gone (the referrer code becomes an orphaned reference). No personal data of yours remains.

What happens to pending claims: if a friend entered your code but had not yet completed a paid subscription at the moment you deleted, that pending claim disappears with the rest of your data. There is no working code for the friend's eventual purchase to attribute to, so no reward will fire on that side. Friends who had already crossed a milestone keep what they earned; friends who were still mid-funnel lose the link. The same applies in reverse: if you had entered a friend's code and your subscription had not yet confirmed at the moment of deletion, the pending claim disappears and you cannot retroactively re-attach it later.

If the deletion request fails to reach our backend (you're offline, or our server is briefly down), the local wipe still completes and the App will retry the server portion the next time it reaches the network. You may also re-tap the button to retry immediately. Where erasure is refused — which we don't expect to ever happen unless required by law — you have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (KZLD, cpdp.bg) or your local supervisory authority.

7A. Apple iCloud (separate, fully optional)

The Referral Program described above runs on our Cloudflare backend. Independently of it, the App may in future offer optional iCloud sync of your local habit/shift/finance data through Apple CloudKit. As of this version, iCloud sync is not enabled in the consumer build. If we enable it in a future version, we will update this Privacy Policy and clearly mark it as opt-in.

8. In-App Purchases

All payment processing is handled by Apple StoreKit (iOS) or Google Play Billing (Android).

We receive from Apple/Google:

Transaction IDs (not financial data)
Product identifiers purchased
Purchase status (active, expired, restored)

We do NOT receive:

Credit card or bank account details
Billing addresses
Apple ID or Google account email
Any payment method information

All purchase data is stored locally on your device.

9. Local Notifications

The App schedules local notifications for habit reminders and trial expiry alerts. These notifications:

Are generated and stored entirely on your device
Are never processed through external servers
Can be disabled at any time in your device's notification settings

10. Your Responsibility for Local Data

Since all data resides on your device, you are solely responsible for:

Securing your device with a passcode, Face ID, or Touch ID
Backing up your device regularly (via iCloud Backup or computer backup)
The consequences of device loss, theft, damage, or factory reset
Data entered by third parties who have access to your unlocked device

The Developer bears no responsibility for data loss resulting from:

Device failure, loss, or theft
Uninstallation of the App
Operating system updates that may affect App data
User-initiated data deletion within the App
Failure to maintain device backups
iCloud synchronization conflicts or failures

You are strongly advised to enable device backups and use the App's built-in export feature regularly.

11. Data Retention and Deletion

Local data:

Retained on your device as long as the App is installed
Automatically and permanently deleted when you uninstall the App
Can be manually deleted within App Settings > Data > Wipe All Data

iCloud data (if sync enabled):

Synchronized with your iCloud account
Deleted from iCloud when you delete it within the App
Manageable via iOS Settings > Apple ID > iCloud > Manage Storage

We do not retain any copy of your data on our systems at any time.

12. Children's Privacy (COPPA)

MyLifeFlow is not designed for or directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child under 13 is using the App, please contact us immediately. Users between ages 13–17 must have parental consent prior to use.

13. Your Rights Under GDPR (EU / EEA / UK Users)

If you are located in the EU, EEA, or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

Right of Access (Article 15) — View all your data directly within the App
Right to Rectification (Article 16) — Edit any data directly in the App
Right to Erasure / Right to Be Forgotten (Article 17) — Delete data within the App or uninstall it
Right to Restrict Processing (Article 18) — Disable iCloud sync at any time
Right to Data Portability (Article 20) — Export your data via App Settings > Export
Right to Object (Article 21) — Disable iCloud sync or uninstall the App
Right to Withdraw Consent (Article 7(3)) — Save an empty email or contact us to withdraw any consent previously given
Right to Lodge a Complaint with Supervisory Authority (Article 77) — Contact your national Data Protection Authority (DPA)

Since we do not store data on servers, most rights are exercisable directly within the App.

Legal basis for processing: Consent (you voluntarily enter all data) and Legitimate Interest (local App functionality).

14. Your Rights Under CCPA (California Residents)

California residents have the right to:

Know what personal information is collected (see Section 3)
Know whether personal information is sold or disclosed — We do NOT sell your data
Opt out of the sale of personal information — Not applicable (no sale occurs)
Request deletion of personal information — Delete within the App or uninstall
Non-discrimination for exercising CCPA rights

15. Third-Party Services and International Transfers

The App uses the following platform-provided services. Each is engaged for a single, narrowly scoped purpose; none receives data outside that purpose.

Apple StoreKit / Google Play Billing — In-app purchases. We receive only the transaction ID, product ID and renewal status. No payment-card data.
Apple Local Authentication — Biometric unlock. Returns a boolean to the App; biometric templates never leave the device.
Apple Push Notification Service — Local reminders only. The App does not register for remote pushes.
Apple App Store Server Notifications V2 — Apple sends a signed webhook to our backend when a referred user starts, renews, or refunds a paid subscription, so the right reward is granted. The webhook is verified against Apple's Root CA G3 before any state change.
Apple CloudKit — Reserved for future opt-in iCloud sync of local data. Not enabled in the current consumer build.
Cloudflare Pages, D1, KV, and Pages Functions — Host the Referral Program backend (registration, claim, stats, email, verification, Apple webhook). The D1 database lives in the EU (EEUR region). Cloudflare also rate-limits and may serve Cloudflare Turnstile on the email endpoint to deter automated abuse. Cloudflare, Inc. acts as our Article 28 GDPR data processor under a Data Processing Addendum aligned with EU Standard Contractual Clauses for any cross-border transfer. See Cloudflare's privacy policy.
Resend — Transactional email delivery service used for the Referral Program's "Verify email" magic link and reward-unlocked notifications. Resend receives the recipient address and the rendered email body in transit; we do not use Resend for marketing, newsletters, or broadcast email. See Resend's privacy policy.

International transfers. Cloudflare and Resend are US-headquartered providers operating global infrastructure. Where personal data of EU/UK/EEA users is transferred to the US, the transfer is covered by the EU Standard Contractual Clauses published by each provider, plus our supplementary technical measure of holding the ECIES decryption key offline outside both providers' systems. You may request a copy of the relevant SCCs by writing to us using Section 18.

Bulgarian Personal Data Protection Act (PDPA / Закон за защита на личните данни) compliance is maintained alongside GDPR. The Commission for Personal Data Protection (Комисия за защита на личните данни / KZLD / CPDP, https://www.cpdp.bg) is the supervisory authority for residents of Bulgaria.

We do not integrate:

Google Analytics, Firebase, or Crashlytics
Facebook SDK or Meta Pixel
Any advertising SDK or network
Any third-party analytics, attribution, or crash-reporting platform
Any third party that buys, sells or rents personal information

16. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in law, App functionality, or our practices. Material changes will be communicated via an in-app notice. The "Last Updated" date at the top will always reflect the most recent revision. Continued use of the App after changes constitutes acceptance of the revised policy.

17. Data Protection Officer (DPO)

DPO appointment status

We have not appointed a Data Protection Officer (DPO). Under GDPR Article 37, a DPO is mandatory only for (a) public authorities, (b) controllers whose core activity involves large-scale, regular, and systematic monitoring of data subjects, or (c) controllers whose core activity involves large-scale processing of special categories of data (Art. 9) or criminal data (Art. 10). MyLifeFlow does not fall into any of these categories. For all data-protection inquiries you would otherwise direct to a DPO, contact us at [email protected].

18. Contact

For privacy-related questions, data subject requests (GDPR/CCPA), or concerns:

Email: [email protected]

Developer: Anton Dimitrov

Please include "Privacy Request" in the subject line. We aim to respond within 30 business days.

This Privacy Policy is governed by applicable international privacy laws, including GDPR, CCPA, and COPPA. Your local mandatory consumer protection rights are not affected.