Privacy Policy

1. Introduction

This Privacy Policy describes how Piotr Boroń ("we," "us," or "our"), operating the Offbox mobile application ("App"), collects, uses, stores, shares, and protects your personal information. Offbox is a wellness application designed to support users through the process of healing after a breakup.

We are committed to protecting your privacy. Offbox follows a local-first architecture: your personal data is stored on your device by default and is never transmitted to our servers unless you explicitly choose to use the optional cloud backup feature.

This Privacy Policy applies to all users of the App, regardless of location, and is designed to comply with:

• General Data Protection Regulation (GDPR) — European Union / European Economic Area
• UK Data Protection Act 2018 (UK GDPR) — United Kingdom
• California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) — California, United States
• Apple App Store Guidelines — Section 5.1 (Privacy)
• Google Play Developer Policy — User Data and Privacy requirements

Operator Contact Information:

• Data Controller / Business: Piotr Boroń
• Registered Address: al. Solidarności 68/121, 00-240 Warsaw, Poland
• Contact Email: support@offbox.app
• Data Protection Officer (DPO): support@offbox.app
• EU Representative (if applicable): Not applicable — the Data Controller is established in the EU (Poland)

2. Data We Collect

2.1 Data You Provide Directly

When you use Offbox, you may provide the following categories of personal data. All data listed below is stored locally on your device by default and is not transmitted to any server unless you explicitly use the cloud backup feature (see Section 4).

Onboarding Data

Usage Data (Created During App Use)

Security & Preferences

2.2 Data Collected Automatically

Offbox collects minimal automatic data:

• Error reports (via Sentry): If the App encounters a technical error, an anonymized crash report may be sent to our error monitoring service. These reports contain: error type, error message, stack trace (code references only), device operating system version, and App version. Error reports do not contain your personal content, name, journal entries, mood data, or any other user-generated content. PII (personally identifiable information) transmission is explicitly disabled in our Sentry configuration.

• Purchase data (via RevenueCat): If you make a purchase, transaction data (product identifier, price, currency, subscription status) is processed by RevenueCat. RevenueCat assigns its own anonymous customer identifier. Your name, email, and personal content are never shared with RevenueCat.

2.3 Data We Do NOT Collect

Offbox does not collect, access, or transmit the following:

• Location data (GPS, IP-based, or Wi-Fi)
• Device advertising identifiers (IDFA, GAID)
• Contact lists or address books
• Call or SMS history
• Browsing or search history
• Biometric data (fingerprint, face scan)
• Health or fitness sensor data (steps, heart rate)
• Calendar events
• Financial information (beyond purchase receipts handled by Apple/Google)
• Analytics or behavioral tracking data
• Social media accounts or activity
• Cookies or web tracking technologies

We do not use any analytics SDKs (no Google Analytics, Firebase Analytics, Mixpanel, Amplitude, or similar). We do not track sessions, screen views, user flows, retention metrics, or engagement events.

3. Special Category Data (Health Data)

3.1 Classification

Under GDPR Article 9, several categories of data collected by Offbox qualify as special category data related to health and psychological well-being:

• Mood and emotional state tracking
• Mental health-related journal entries
• Relapse tracking (behavioral patterns related to emotional dependencies)
• Sleep quality assessments
• Coping ritual activities

3.2 Legal Basis for Processing (GDPR)

We process this special category data on the basis of your explicit consent (GDPR Article 9(2)(a)), which you provide when:

1. Completing the onboarding process and beginning to use the App
2. Voluntarily entering mood, journal, diary, or relapse data
3. Optionally enabling cloud backup (separate consent for data transfer)

You may withdraw your consent at any time by:

• Deleting individual entries within the App
• Deleting all data via the account deletion feature
• Uninstalling the App (which removes all locally stored data on iOS; on Android, you should clear app data before uninstalling)

3.3 Health Data Declaration (Google Play)

Offbox is classified as a wellness application. It does not provide medical diagnosis, treatment recommendations, or clinical assessments. The App is a self-help tool for emotional support during relationship recovery. See Section 14 (Disclaimer) for important limitations.

4. How Your Data Is Stored

4.1 Local Storage (Default)

By default, all your personal data remains on your device. We use AsyncStorage, a standard local storage mechanism for mobile applications. Your device's operating system provides encryption at the file system level:

• iOS: Data is protected by iOS Data Protection (hardware-backed encryption when device is locked)
• Android: Data is protected by file-based encryption (on supported devices running Android 7.0+)

Important: We recommend enabling a device passcode/biometric lock to maximize the protection of your locally stored data.

Your PIN is stored using a cryptographic one-way hash (PBKDF2-SHA256 with 100 iterations and a unique random salt). Your actual PIN is never stored on the device.

4.2 Cloud Backup (Optional, User-Initiated)

If you choose to use the cloud backup feature, you must:

1. Sign in with Apple or Google (creating an authenticated account)
2. Set a backup passphrase of your choosing

When you create a backup:

• All your App data is encrypted on your device before being transmitted
• Encryption uses AES-256-CBC with a key derived from your passphrase via PBKDF2-SHA1 (600,000 iterations)
• An HMAC-SHA256 signature is applied to ensure data integrity
• The encrypted data is transmitted to our cloud infrastructure provider (Supabase) over TLS
• We cannot read, access, or decrypt your backup data. Only you, with your passphrase, can decrypt it.

Your backup passphrase is never transmitted to or stored on our servers. If you forget your passphrase, we cannot recover your data. There is no passphrase reset mechanism.

4.3 Cloud Infrastructure

Our cloud services are hosted by Supabase with servers located in the European Union. Supabase acts as a data processor on our behalf and is subject to:

• GDPR-compliant data processing agreements
• SOC 2 Type II certification
• TLS encryption for all data in transit

5. How We Use Your Data

We use your personal data only for the following purposes:

We do not use your data for:

• Advertising or ad targeting
• Marketing emails or communications
• Profiling or automated decision-making
• Sale to third parties
• Training artificial intelligence or machine learning models
• Research purposes (unless separately consented)

6. Third-Party Services

We work with a limited number of third-party service providers. We do not sell, rent, or share your personal data for advertising, marketing, or profiling purposes.

6.1 Supabase (Cloud Infrastructure)

• Purpose: Authentication, encrypted backup storage
• Data shared: Encrypted backup blobs (unreadable without your passphrase), authentication tokens, email address (from OAuth provider)
• Server location: European Union
• Privacy policy: https://supabase.com/privacy

6.2 Sentry (Error Monitoring)

• Purpose: Detect and fix App crashes and errors
• Data shared: Error type, error message, stack trace, OS version, App version
• Data NOT shared: Names, journal entries, mood data, any user-generated content
• Server location: European Union (Frankfurt, Germany)
• PII transmission: Explicitly disabled (sendDefaultPii: false)
• Privacy policy: https://sentry.io/privacy/

6.3 RevenueCat (In-App Purchases)

• Purpose: Process subscriptions and purchases, manage entitlements
• Data shared: Purchase events, product identifiers, anonymous customer ID
• Data NOT shared: Names, email addresses, personal content
• Note: RevenueCat may link purchases to your Apple ID or Google account for transaction verification and fraud prevention purposes. For details, see RevenueCat's privacy policy.
• Privacy policy: https://www.revenuecat.com/privacy

6.4 Apple (Authentication & Payments)

• Purpose: Apple Sign-In authentication, App Store payment processing
• Data shared: OAuth authorization tokens
• Data received: User ID, email (if user chooses to share)
• Privacy policy: https://www.apple.com/privacy/

6.5 Google (Authentication & Payments)

• Purpose: Google Sign-In authentication, Google Play payment processing
• Data shared: OAuth authorization code (PKCE flow with S256 challenge)
• Data received: User ID, email
• Privacy policy: https://policies.google.com/privacy

6.6 Sub-Processors

Our service providers may use their own sub-processors (e.g., Supabase uses AWS, Sentry uses Google Cloud). For current sub-processor lists, please refer to each service's privacy policy linked above. We require all processors and sub-processors to maintain appropriate data protection safeguards in compliance with GDPR and applicable law.

7. Data Retention

7.1 Local Data

Your locally stored data persists on your device until:

• You delete individual entries within the App
• You use the "Delete Account" feature (removes all local data)
• You uninstall the App (removes local data on iOS; on Android, clear app data before uninstalling to ensure deletion)

7.2 Cloud Data

If you use the cloud backup feature:

• Backup data is retained until you delete it or delete your account
• OAuth provider email is retained alongside your account until account deletion and is not used for any purpose other than authentication
• When you delete your account, all cloud data (backups, encrypted files, authentication records, and email) is permanently deleted
• There is no recovery after deletion
• If you forget your backup passphrase, your encrypted backup data becomes inaccessible. However, you can still delete your account and all cloud data (including the encrypted backup) using the "Delete Account" feature. The passphrase is only needed to restore data, not to delete it.

7.3 Third-Party Retention

7.4 Legal Obligations

We may retain certain data beyond the periods listed above if required by applicable law (e.g., tax records for purchase transactions, legal disputes, or regulatory requirements).

8. Your Rights

8.1 Rights Under GDPR (EU/EEA/UK Users)

You have the following rights under the General Data Protection Regulation:

8.2 Rights Under CCPA/CPRA (California Residents)

As a California resident, you have the following rights:

• Right to Know: You have the right to know what personal information we collect, use, and disclose. This Privacy Policy provides that information.
• Right to Delete: You may request deletion of your personal information. Use the in-app "Delete Account" feature or contact us at support@offbox.app.
• Right to Correct: You may correct inaccurate personal information directly within the App.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. There is no need to opt out.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
• Right to Limit Use of Sensitive Personal Information: Your sensitive personal information (mood, health-related entries) is used only to provide the App's core functionality and is not used for profiling or advertising.

To exercise your rights, contact us at support@offbox.app or use the in-app features described above. We will respond within 45 days (CCPA) or 30 days (GDPR).

8.3 Data Protection Authorities

If you believe your data protection rights have been violated, you may lodge a complaint with:

• EU/EEA: Your national supervisory authority. A list is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en
• UK: Information Commissioner's Office (ICO) — https://ico.org.uk/
• California: California Attorney General — https://oag.ca.gov/privacy

9. International Data Transfers

9.1 Primary Storage

• Local data: Stored on your device in your country of residence
• Cloud data: Stored on Supabase servers in the European Union

9.2 Cross-Border Transfers

Some of our service providers may process data outside the EU/EEA:

• Sentry: Data is ingested in the EU (Frankfurt, Germany). Processing may involve transfers to the United States under Sentry's Data Processing Addendum and Standard Contractual Clauses (SCCs).
• RevenueCat: Headquartered in the United States. Transfers are governed by Standard Contractual Clauses (SCCs) and RevenueCat's Data Processing Agreement.
• Apple/Google: Authentication data is processed in accordance with Apple's and Google's respective privacy policies and transfer mechanisms.

All international transfers are protected by:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Supplementary technical measures (encryption in transit and at rest)
• Data processing agreements with each provider

10. Device Permissions

Offbox may request the following device permissions. All permissions are optional and the App functions without granting them:

Important: Offbox uses local (on-device) notifications only. We do not use push notification services, and no notification data is sent to any server.

11. Children's Privacy

Offbox is not intended for use by children under the age of 16 (EU/EEA/UK) or 13 (United States). We do not knowingly collect personal information from children.

If you believe a child has provided personal information through the App, please contact us at support@offbox.app and we will promptly delete that information.

12. Security Measures

We implement the following security measures to protect your data:

While we implement strong security measures, no method of electronic storage or transmission is 100% secure. We encourage you to:

• Use a strong device passcode or biometric lock
• Choose a strong backup passphrase if using cloud backup
• Keep your device operating system and the App updated

13. Cookies and Tracking Technologies

Offbox does not use cookies, web beacons, pixel tags, or any tracking technologies. The App does not contain any advertising SDKs, analytics frameworks, or third-party trackers.

14. Health and Wellness Disclaimer

Offbox is a self-help wellness tool and is not a medical device, therapy service, or mental health treatment platform. The App does not:

• Provide medical advice, diagnosis, or treatment
• Replace professional therapy, counseling, or psychiatric care
• Offer crisis intervention services

If you are in crisis or experiencing thoughts of self-harm, please contact emergency services or a crisis helpline immediately:

• International: https://findahelpline.com/
• US: 988 Suicide & Crisis Lifeline (call or text 988)
• EU: 112 (emergency) or local crisis lines
• UK: Samaritans (116 123)

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or App features. When we make material changes:

1. We will update the "Last Updated" date at the top of this policy
2. We will notify you through the App (via in-app notification or prompt)
3. For material changes affecting your data rights, we may request renewed consent

We encourage you to review this Privacy Policy periodically. Your continued use of the App after changes are posted constitutes acceptance of the updated policy.

16. Data Protection Impact Assessment (DPIA)

Given that Offbox processes special category (health-related) data, we have conducted a Data Protection Impact Assessment in accordance with GDPR Article 35. Key findings:

• Risk mitigation: Local-first architecture minimizes data exposure
• Encryption: Strong encryption for any data that leaves the device
• Consent: Explicit consent obtained for all data processing
• Data minimization: No unnecessary data collection; no analytics or tracking
• User control: Users maintain full control over their data at all times

A copy of our DPIA is available upon request to support@offbox.app.

17. US State Privacy Rights (California, Nevada, Virginia, Colorado, and Others)

We do not sell or share your personal information for advertising, profiling, or cross-context behavioral advertising — under any US state privacy law, including the CCPA/CPRA, Nevada SB 220, VCDPA, CPA, CTDPA, and UCPA. We have not sold or shared personal information in the preceding 12 months and do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.

Under these laws, you generally have rights to access, correct, and delete your personal data, and to opt out of the sale of personal data and profiling. Because we do not sell data or profile users, no opt-out action is required. To exercise any of these rights, use the in-app features or contact us at support@offbox.app.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: support@offbox.app
• Data Protection Officer: support@offbox.app
• Mailing Address: al. Solidarności 68/121, 00-240 Warsaw, Poland

We aim to respond to all inquiries within 30 days (GDPR) or 45 days (CCPA/CPRA). For data subject requests, we may require identity verification to protect your privacy and prevent unauthorized access to your data.

19. Summary Table — Data Collection Overview

This summary is provided for transparency and to assist with Apple App Store Privacy Nutrition Labels and Google Play Data Safety declarations.

*Email is obtained from your OAuth provider (Apple/Google) during sign-in for cloud features only. We do not collect email independently. Your email is stored alongside your authenticated account and is deleted when you delete your account.