Privacy Policy · Driftless

This Privacy Policy explains how Driftless (the “App”), published by Arthur Paraschiv, a sole proprietor established in the European Union (“we”, “us”), collects, uses, and protects your information when you use the App.

The short version. Driftless does not require an account. The 14 questionnaire answers you provide and the report we generate are stored on your device. To produce the report we send your answers to our server and to an AI processor; we do not store them on our server after the response is returned. We do not sell your data and we do not use it for advertising.

1. Who is the data controller?

Arthur Paraschiv, sole proprietor, European Union.
Contact for privacy matters: arturparaschiv@outlook.com.

2. What information we process

We process the following categories of information:

2.1 Self-reported wellness information

your usual bedtime and wake time;
night-time wake-ups;
caffeine consumption and the time of your last caffeinated drink;
screen time before bed;
perceived stress level (1–10);
morning energy level (1–10);
afternoon crashes;
self-noticed morning symptoms (snoring, dry mouth, headache, sore jaw);
exercise frequency;
heavy food or alcohol within 3 hours of bed;
your first action on waking;
weekend sleep pattern;
bedroom temperature feel.

These answers are self-reported. They are not collected from sensors, HealthKit, or any other Apple framework.

2.2 The generated report

We use your answers to generate a personalised report containing an energy score, a fatigue type, an energy timeline, a caffeine cutoff suggestion, a 7-day plan, and morning/evening routine suggestions. The report and your daily-checklist progress are stored locally on your device.

2.3 Subscription and purchase information

When you subscribe through the Apple App Store, the purchase is processed by Apple. We use RevenueCat as a subscription-management processor. RevenueCat receives an anonymous, app-generated identifier and your purchase receipt from Apple, so we can confirm whether you have an active entitlement. We do not receive your Apple ID, name, email, address, or payment card details.

2.4 Technical information

Our server records minimal request metadata (IP address, timestamp, request path) for the strict purpose of security, rate-limiting, and abuse prevention. These logs are kept for a short, defined period (see section 6) and are not used to build profiles about you.

We do not collect:

your name, email, or phone number;
precise location data;
contacts, photos, microphone, or camera data;
HealthKit, motion, or sensor data;
cross-app tracking identifiers (we do not use the IDFA / App Tracking Transparency).

3. How we use information & legal bases (GDPR Art. 6 & 9)

Purpose	Legal basis
Generate your personalised report from your answers	Performance of a contract (Art. 6(1)(b)) and your explicit consent for processing health-related information (Art. 9(2)(a))
Confirm and manage your subscription entitlement	Performance of a contract (Art. 6(1)(b))
Protect the service against fraud, abuse, and excessive load	Legitimate interest (Art. 6(1)(f))
Comply with legal obligations	Legal obligation (Art. 6(1)(c))

We do not use your information for advertising, profiling for marketing, automated decision-making with legal effects, or training third-party AI models.

4. Who we share information with

We share information only with the limited set of processors we need to run the service:

OpenAI — we send your answers (without any personally identifying information) to OpenAI’s API to generate the report. OpenAI processes the request on our behalf and, per its API data-usage policy, does not use the inputs to train its models.
Apple Inc. — processes all in-app purchases and subscriptions and delivers App Store services. Apple’s privacy practices are described in the Apple Privacy Policy.
RevenueCat, Inc. — receives the anonymous app user identifier and the Apple purchase receipt, used solely to determine whether you have an active entitlement.
Hosting provider — our server is hosted by a European infrastructure provider that processes only the request metadata described in section 2.4.

All processors are bound by data-processing agreements that require confidentiality, security, and use limited to our instructions. We do not sell your personal information.

5. International transfers

Some of our processors (notably OpenAI, Apple, and RevenueCat) may process information outside the European Economic Area, including in the United States. Where this happens we rely on the European Commission’s Standard Contractual Clauses and any applicable adequacy decisions to provide an equivalent level of protection.

6. How long we keep information

Your answers and report — stored on your device for as long as you choose. You can clear them at any time by deleting the App from your device.
Server logs — retained for up to 30 days for security and debugging, then deleted or rotated.
AI processing — OpenAI may retain API request data for up to 30 days for abuse-monitoring per its zero-data-retention agreement defaults, then deleted.
Subscription entitlements — retained at RevenueCat for the lifetime of your subscription plus any period required for accounting and tax compliance.

7. Security

All data in transit is protected with HTTPS / TLS. The App rejects insecure connections (App Transport Security). We apply rate-limiting and request-size limits to the server endpoints. No system is perfectly secure; we strive to apply reasonable and proportionate technical and organisational measures.

8. Your rights

Under the GDPR you have the right to:

Access the information we hold about you;
Rectify inaccurate information;
Erase your information (right to be forgotten);
Restrict or object to processing;
Data portability — receive your data in a portable format;
Withdraw consent at any time without affecting processing already carried out;
Lodge a complaint with your local data-protection authority.

Because your answers and report live on your device and not on our servers, you can erase them instantly by deleting the App from your device. For any other request, contact us at arturparaschiv@outlook.com; we will respond within 30 days.

If you are a resident of California, you have analogous rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioural advertising.

9. Children

Driftless is not directed to children under 16 and we do not knowingly collect information from anyone under 16. If you believe a child has provided us with information, contact us and we will delete it.

10. Not a medical service

Driftless is a wellness tool. It is not a medical device, does not provide medical advice, and is not regulated as a medical service. Information shown in the App is based on your self-reported answers only. Always consult a qualified healthcare professional for medical concerns.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will change the “Last updated” date at the top of this page and, where changes are material, notify you in the App. Continued use after the changes take effect constitutes acceptance.

12. Contact

For any privacy-related question or to exercise any of your rights, write to arturparaschiv@outlook.com.