We built TinyOrbit for people with ADHD — people who deserve a tool they can actually trust. Here is exactly what we collect, why, and how you stay in control.
We collect only what is necessary to run the app. We do not sell your data — ever.
When you create an account you provide an email address and optionally a display name. If you sign in with Google we receive your Google account name and email from Google's OAuth service. We do not receive or store your Google password.
Tasks, routine names and schedules, daily check-in responses, focus timer records, mood and energy entries, and any notes you type are stored so the app can function. This content is yours — you can export or delete it at any time.
We track aggregate in-app events such as tasks completed, streaks, and feature usage to improve the app. This data is linked to a random device identifier, not your name or email.
If the app crashes, Sentry automatically captures a stack trace, device OS version, and app version. No personally identifiable information is intentionally included. Crash reporting is disabled in development builds.
RevenueCat records whether you hold an active Pro subscription, your subscription tier, and renewal status. We never see or store your payment card details — those remain with Apple App Store or Google Play.
Sync your tasks, routines, and check-in data across your devices; generate your personalised focus plan; display progress analytics; send scheduled reminders; and run AI-powered features (task breakdown, coaching) for Pro subscribers.
Your email and password (hashed — we never see the plaintext) or Google ID token is used solely to verify your identity and keep your account secure.
With your explicit permission, we send push notifications for daily check-in reminders, routine alerts, and end-of-day summaries. You can withdraw permission at any time in your device Settings.
Crash reports from Sentry help us identify and fix issues quickly. We review these reports in aggregate — we do not use them to monitor individual users.
TinyOrbit uses the following third-party services. Each operates under its own privacy policy, which we link to below.
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase | Authentication, cloud database, and file storage | Email, hashed password, user-created content (tasks, routines, check-ins) | supabase.com/privacy ↗ |
| Google Sign-In | OAuth authentication via your Google account | Google account email and display name (ID token only — no password) | policies.google.com/privacy ↗ |
| RevenueCat | Subscription and purchase management | Device identifier, subscription status, purchase history | revenuecat.com/privacy ↗ |
| OpenAI Whisper | Voice-to-text transcription for Pro voice capture | Audio recording (sent over HTTPS, not retained after transcription) | openai.com/privacy ↗ |
| Sentry | Crash reporting and error monitoring | Stack traces, device OS version, app version (production builds only) | sentry.io/privacy ↗ |
| Expo / EAS | Push notification delivery | Push token (anonymous device identifier) | expo.dev/privacy ↗ |
| Apple App Store | iOS app distribution and in-app purchases | Governed entirely by Apple; we only receive purchase receipts | apple.com/legal/privacy ↗ |
| Google Play | Android app distribution and in-app purchases | Governed entirely by Google; we only receive purchase receipts | policies.google.com/privacy ↗ |
TinyOrbit requests the following device permissions. All are optional — the core task and routine features work without them.
App preferences, theme settings, onboarding state, notification IDs, and your 3-day trial start date are stored locally on your device using AsyncStorage. This data never leaves your device unless you explicitly sign in to a TinyOrbit account.
When you sign in, your tasks, routines, check-in history, profile name, and goal type are synced to Supabase. This allows you to access your data on multiple devices and protects against data loss if you change phones. Supabase stores data in the EU (Frankfurt, Germany) by default.
You can use TinyOrbit without creating an account. In this mode all data lives only on your device. If you uninstall the app, this data is permanently lost. We recommend creating a free account to protect your progress.
android:allowBackup="false") to prevent unencrypted task data being stored in Google's backup infrastructure.
The free tier is available to everyone with no credit card required. It includes tasks, daily routines (up to 3), the focus timer, morning check-in, and SOS reset.
When you tap "Start free trial," a 3-day local trial begins. You can use all Pro features at no charge. No payment details are captured during the trial. If you subscribe after the trial, billing is handled entirely by Apple or Google — we never process card numbers directly.
Pro subscriptions renew automatically at the end of each billing period (monthly or annual) unless cancelled at least 24 hours before the renewal date. You can manage or cancel your subscription at any time through your App Store or Google Play account settings.
Refund requests are handled by Apple or Google according to their respective refund policies. Please contact them directly. We are unable to issue refunds for purchases made through the app stores.
OpenAI's data usage policy applies to audio submitted to Whisper. As of the policy date, OpenAI does not use API-submitted data to train its models by default. For details, refer to openai.com/privacy.
We do not record audio in the background. The microphone is only active while you are holding the record button inside the Voice Capture sheet. We do not share your audio with any party other than OpenAI for transcription.
We send push notifications only if you have granted permission. The types of notifications we send are:
A single daily reminder to open the morning check-in. Scheduled once on your device — we do not send this through a marketing platform.
A reflection prompt at the end of each day. Same scheduling approach — on-device, no third-party marketing service.
Time-based alerts for routines you have personally created and scheduled. These are generated entirely on your device and are not logged by our servers.
Notification permission can be withdrawn at any time in Settings → Notifications → TinyOrbit on iOS, or Settings → Apps → TinyOrbit → Notifications on Android.
TinyOrbit is not directed to children under 13 years of age (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at the email below and we will delete the information promptly.
If you are under the applicable age limit, please do not use TinyOrbit or provide any personal information through the app.
Depending on where you live, you have the following rights regarding your personal data. To exercise any of them, contact us at the address below — we respond within 30 days.
Users in the European Economic Area, UK, and Switzerland have rights under the General Data Protection Regulation. Our lawful basis for processing is contract performance (providing the app you subscribed to) and legitimate interests (security and bug fixing). You also have the right to lodge a complaint with your local data protection authority.
California residents have the right to know, delete, and opt out of the sale of personal information. We do not sell personal information. To submit a request, email us using the contact information below. We will not discriminate against you for exercising these rights.
Users in India have rights under the Digital Personal Data Protection Act 2023, including the right to access, correct, and erase their data. Contact us to exercise these rights. We will respond within the legally required timeframe.
You can delete your account directly in the app: go to Settings → Account → Delete Account. This permanently removes your Supabase authentication record, profile row, and all associated data. Local device data is cleared simultaneously. This action is irreversible.
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Account & profile data | Until you delete your account | Settings → Delete Account |
| Tasks, routines, check-ins | Until you delete them or delete your account | In-app swipe-to-delete or Delete Account |
| Voice audio recordings | Not retained — deleted immediately after transcription | Automatic |
| Crash & error reports (Sentry) | 90 days (Sentry default) | Automatic (Sentry purge) |
| Subscription records (RevenueCat) | Per RevenueCat's policy (up to 7 years for billing records) | Contact RevenueCat or us |
| Local device data | Until app uninstall or Delete Account | Uninstall app or Delete Account |
After account deletion, anonymised aggregate statistics (e.g., total app sessions counted) that cannot be linked back to you may be retained indefinitely for product improvement.
All communication between the app and our servers (Supabase, OpenAI, RevenueCat, Sentry) uses TLS 1.2 or higher. Your data is never transmitted over unencrypted connections.
Supabase encrypts all data at rest using AES-256. Passwords are hashed using bcrypt and the plaintext is never stored or transmitted to us.
Your data is protected by row-level security in Supabase, meaning our database is configured so that only authenticated requests from your own account can read or modify your data — not other users, and not our staff under normal circumstances.
We may update this Privacy Policy from time to time. When we do, we will update the Effective Date at the top of this page and, for material changes, we will notify you via an in-app banner or push notification at least 7 days before the change takes effect.
Continued use of TinyOrbit after the effective date of a revised policy constitutes your acceptance of the changes. If you do not agree to the revised policy, you may delete your account before the changes take effect.
Previous versions of this policy are available upon request.
If you have questions about this policy, want to exercise your data rights, or need to report a security issue, please get in touch:
We aim to respond to all privacy enquiries within 5 business days and to complete data requests within 30 days.
contact@creaeza.com