Privacy Policy
Effective Date: March 18, 2026
Introduction
Gratitude First is a gratitude journaling app built by an independent developer. This Privacy Policy explains what data the app collects, how it is used, and how it is protected.
The short version: Your journal entries stay on your device and in your private iCloud account. I cannot read them. I do not sell your data. I collect only the minimum information needed to keep the app working and improving.
By using Gratitude First, you agree to the data practices described in this policy. If you do not agree, please do not use the app.
1. Data I Do Not Collect
It is just as important to understand what Gratitude First does not collect:
- Your name, email address, or phone number.
- Passwords or account credentials (no account is required).
- Your gratitude journal text (it never leaves your device or private iCloud container).
- Health or fitness data.
- Location data.
- Contacts, photos, or other device content.
2. Data I Do Collect
Gratitude First collects a limited set of data to provide, maintain, and improve the app. Here is a complete list:
2.1 Anonymous Device Identifier
When you first open Gratitude First, the app generates a random, anonymous identifier (a UUID). This ID is not linked to your Apple ID, your name, or any other personal information. It is used to:
- Coordinate analytics events across your app sessions.
- Initialize subscription management services.
- Ensure consistent feature flag delivery.
This identifier is stored only on your device. It is not backed up to iCloud and cannot be used to identify you personally. Each device generates its own independent ID.
2.2 Behavioral Analytics
I use PostHog, a privacy-focused analytics service, to understand how people use Gratitude First. The data collected includes:
- Which screens are viewed and for how long.
- Feature usage patterns (for example, whether users set one or two lock windows).
- Onboarding completion rates and drop-off points.
- Subscription events (trial started, purchase completed, cancelled).
- Streak milestone achievements.
- Emergency unlock usage frequency.
Analytics never include your journal text, mood selections, prompt responses, or any content you write. PostHog receives only behavioral events tied to the anonymous device identifier described above.
2.3 Crash & Error Reports
I use Sentry to collect crash reports and error data. This helps me identify and fix bugs. Crash reports may include:
- Device model and iOS version.
- App version and build number.
- A technical stack trace showing where the error occurred.
- Timestamp of the crash.
Crash reports do not include your journal entries, personal information, or any content you write in the app.
2.4 Subscription & Purchase Data
All purchases are processed by Apple through StoreKit. I do not see or store your payment method, billing address, or Apple ID. Superwall, which manages the paywall experience, receives limited subscription status data (whether a trial is active, whether a subscription is current) to determine which features to unlock. Superwall does not receive your journal content or personal information.
2.5 Feature Flags
PostHog is also used to deliver feature flags, which allow me to test different onboarding flows and feature configurations. Feature flag evaluation is based on the anonymous device identifier. No personal data is used for targeting.
2.6 Attribution & Advertising Data
Gratitude First uses Singular, an attribution service, to understand which advertising campaigns and channels lead to app installs and subscriptions. This helps me spend advertising budgets effectively and reach people who would benefit from the app.
When you first open Gratitude First, iOS will present Apple's App Tracking Transparency (ATT) prompt asking whether you allow the app to track your activity across other companies' apps and websites. This is entirely your choice:
- If you allow tracking: Singular receives your device's advertising identifier (IDFA), which it uses to match your install to the ad campaign that brought you here. This data is used solely for measuring advertising effectiveness.
- If you decline tracking: Singular receives only limited, non-identifying information (such as the fact that an install occurred). Your IDFA is not shared, and no cross-app tracking takes place.
Regardless of your choice, Singular never receives your journal entries, mood data, or any content you write in the app. Your ATT preference can be changed at any time in iOS Settings > Privacy & Security > Tracking.
3. Data Stored on Your Device
The following data is stored locally on your device using Apple's SwiftData framework:
| Data | What It Contains | Leaves Your Device? |
|---|---|---|
| Journal entries | Your gratitude text, the prompt shown, mood selection, date, and session type | No — stored locally and in your private iCloud only |
| Streak record | Current streak, longest streak, total entries, last completion date | No — local and private iCloud only |
| User settings | Your name (if provided), schedule preferences, prompt progression stage | No — local and private iCloud only |
| Locked app selections | Tokens representing the apps you chose to lock (Apple FamilyControls tokens) | No — device-specific, not backed up |
| Device identifier | A random UUID generated on first launch | Shared with analytics and subscription services (anonymized) |
All on-device data is encrypted at rest by iOS Data Protection (NSFileProtectionComplete) and is inaccessible when your device is locked.
4. iCloud Backup
If iCloud is enabled on your device, Gratitude First silently backs up your journal entries, streak record, and settings to your private iCloud container (CloudKit). This backup:
- Happens automatically after each entry, streak update, or settings change.
- Is stored in your private CloudKit database, accessible only by your Apple ID.
- Is encrypted in transit and at rest by Apple.
- Cannot be accessed by the developer or any third party.
- Enables data recovery if you switch devices or reinstall the app.
Blocked app tokens are NOT backed up because Apple's FamilyControls tokens are device-specific and do not transfer between devices. You will need to re-select your locked apps on a new device.
If iCloud is disabled, your data exists only on your device. I strongly recommend keeping iCloud enabled to protect against data loss.
5. Third-Party Services
Gratitude First uses the following third-party services. Each receives only the minimum data necessary for its function:
| Service | Purpose | Data Received |
|---|---|---|
| Apple StoreKit | Payment processing for subscriptions | Handled entirely by Apple. I do not receive payment details. |
| Apple CloudKit | Private iCloud backup of your app data | Journal entries, streak, settings — stored in your private iCloud container |
| PostHog | Anonymized behavioral analytics and feature flags | Anonymous device ID, screen views, feature usage events. Never journal text. |
| Superwall | Paywall presentation, A/B testing, and subscription status | Anonymous device ID, subscription status, paywall interaction events |
| Sentry | Crash and error monitoring | Device model, iOS version, app version, crash stack traces. No personal data. |
| Singular | Advertising attribution — measures which ad campaigns drive installs | IDFA (only if you grant ATT permission), install events, subscription conversion events. Never journal text. |
None of these services receive your journal entries, mood data, or prompt responses.
Each service has its own privacy policy. I encourage you to review them if you wish to understand their data practices in detail.
6. How Your Data Is Protected
- On-device storage: Encrypted at rest by iOS Data Protection (NSFileProtectionComplete). Inaccessible when your device is locked.
- Network transit: All communication between the app and any external service uses HTTPS with TLS 1.3 encryption. No data is ever transmitted in plaintext.
- iCloud backup: Encrypted in transit and at rest by Apple. Stored in your private CloudKit database.
- FamilyControls: Managed at the iOS system level. Cannot be bypassed by third-party apps or jailbreak tools. The emergency unlock is the only exit path.
- Extension isolation: The DeviceActivityMonitor and ShieldConfiguration extensions run as separate iOS processes with limited permissions, communicating with the main app only through the secure App Group container.
7. Tracking & Advertising
Gratitude First uses Singular to measure the effectiveness of advertising campaigns. This is the only form of tracking in the app, and it is subject to your explicit permission.
7.1 App Tracking Transparency (ATT)
When you first open Gratitude First, iOS will present Apple's App Tracking Transparency prompt. This prompt asks whether you allow the app to track your activity across other companies' apps and websites. You have full control:
- If you allow: Singular can use your device's advertising identifier (IDFA) to attribute your install to a specific ad campaign. This helps me understand which ads are working and invest in the right channels.
- If you decline: No cross-app tracking occurs. Singular receives only limited, non-identifying data (such as the fact that an install happened). The app works identically either way.
You can change your choice at any time in iOS Settings > Privacy & Security > Tracking.
7.2 What Tracking Does Not Include
Regardless of your ATT choice, the following is never shared with advertising services:
- Your journal entries, mood data, or prompt responses.
- Your name, email, or any personal contact information.
- Your streak, settings, or any content you create in the app.
Gratitude First does not display ads within the app, does not sell your data to advertisers, and does not participate in ad networks. Singular is used only to measure campaign performance, not to serve ads or build advertising profiles.
8. FamilyControls & Screen Time
Gratitude First uses Apple's FamilyControls framework in "individual" (self-management) mode to enable the app-locking feature. This means:
- You are choosing to restrict your own apps. This is not a parental control tool.
- The app requests Screen Time authorization through Apple's standard system prompt.
- App selection tokens (the identifiers for which apps you chose to lock) are generated by Apple and are opaque — they do not reveal the names of the apps to the developer or any third party.
- These tokens are device-specific and are not backed up or transmitted.
- You can revoke Screen Time authorization at any time through iOS Settings, which will disable the locking feature.
9. Children's Privacy
Gratitude First is intended for users aged 13 and older. I do not knowingly collect personal information from children under 13. If you believe a child under 13 is using the app, please contact me and I will take appropriate steps.
Users between 13 and 18 should have the consent of a parent or legal guardian before using the app.
10. Data Retention & Deletion
10.1 On-Device Data
Your journal entries, streak data, and settings remain on your device for as long as the app is installed. If you delete the app, all locally stored data is permanently removed by iOS.
10.2 iCloud Data
Data backed up to your private iCloud container persists until you either delete it through iCloud settings or delete your iCloud account. I do not have access to your iCloud data and cannot delete it on your behalf.
10.3 Analytics Data
Anonymized analytics events stored in PostHog and crash data in Sentry are retained for a reasonable period for product improvement purposes. Because this data is tied only to an anonymous device identifier and contains no personal information or journal content, it cannot be linked back to you.
10.4 Requesting Deletion
If you would like to request deletion of any data associated with your anonymous device identifier from third-party services, please contact me at the email address listed below. I will process your request within a reasonable timeframe.
11. Future Features & Data Handling
As of this version, your gratitude journal text is stored exclusively on your device and in your private iCloud container. It is never transmitted to external servers.
In the future, Gratitude First may introduce optional premium features (such as AI-powered insights or personalized analysis) that would require portions of your journal data to be processed by third-party services. If and when such features are introduced:
- They will be entirely optional and will not affect the core app experience.
- You will be clearly informed of exactly what data is shared, with whom, and for what purpose.
- Your explicit, informed consent will be required before any journal data is transmitted. No data will be shared without your active opt-in.
- You will be able to continue using Gratitude First without opting into these features, with no loss of existing functionality.
- This Privacy Policy will be updated to reflect the specific data practices of any new features before they launch.
Your journal is yours. That will not change without your clear, informed permission.
12. Your Rights
Depending on where you live, you may have certain rights regarding your personal data, including the right to access, correct, delete, or restrict the processing of your data. Because Gratitude First collects minimal data and does not maintain user accounts, most of your data is already under your direct control on your device.
If you have questions about your rights or wish to make a data-related request, please contact me at the email address below. I will respond within a reasonable timeframe.
13. Changes to This Policy
I may update this Privacy Policy from time to time to reflect changes in the app or in applicable laws. If I make material changes — especially any changes to how your data is collected, stored, or shared — I will notify you through the app and, where required, obtain your consent before the changes take effect.
The effective date at the top of this policy indicates when it was last updated.
14. App Store Privacy Labels
In accordance with Apple's requirements, the following categories are disclosed in Gratitude First's App Store privacy nutrition labels:
| Category | Data Type | Purpose | Linked to Identity? |
|---|---|---|---|
| Identifiers | Device ID (anonymous UUID) | Analytics, subscription management | No |
| Usage Data | Screen views, feature usage, crash data | App improvement, bug fixing | No |
| Diagnostics | Crash logs, performance data | App stability | No |
| Identifiers | Advertising identifier (IDFA) | Advertising attribution (only with ATT consent) | No |
Data Used to Track You: If you grant App Tracking Transparency permission, the IDFA is used by Singular to attribute your install to an advertising campaign. If you decline, no data is used to track you.
Data Not Collected: Gratitude First does not collect names, email addresses, phone numbers, physical addresses, payment information, health data, fitness data, location data, contacts, browsing history, search history, photos, or audio.
15. Contact
If you have any questions about this Privacy Policy or about how your data is handled, you can reach me at:
Email: gratitudefirst.app@gmail.com
Website: www.gratitudefirst.app