PomPom

Privacy Policy

Last Updated: April 2026

This Privacy Policy explains how PomPom ("we," "us," or "our") collects, uses, stores, and protects information about you when you use the PomPom mobile application ("App"). This policy applies globally and includes specific provisions for users in the European Economic Area (EEA), United Kingdom, and Switzerland as required by the General Data Protection Regulation ("GDPR") and UK GDPR.

For GDPR purposes, the Data Controller can be contacted via the in-app support section or the Developer's designated contact email (provided upon request). Given the minimal data collection architecture of PomPom, the Developer does not currently require a formal EU Representative or Data Protection Officer; however, the Developer is committed to full GDPR compliance.

1. Who We Are (Data Controller)

PomPom is operated by an individual independent developer ("Developer"). As the operator of the App, the Developer acts as the Data Controller for any personal data processed in connection with the App, to the extent that such data is collected.

2. What Data We Collect & Why

2.1 Data You Provide — Stored Locally Only

PomPom operates with a local-first philosophy. The following data is stored exclusively on your device and is never transmitted to the Developer's servers:

  • Task content, titles, and descriptions
  • Focus session history and timer logs
  • Custom focus templates and settings
  • Personal notes or labels

Legal Basis (GDPR): Processing is based on the performance of a contract (Article 6(1)(b) GDPR) — specifically, providing you with the core App functionality you have contracted for.

2.2 Analytics Data

We use analytics to collect anonymous, aggregated usage data. The specific data points collected include:

  • Anonymous event identifiers (e.g., 'start_session_tapped', 'settings_opened')
  • App version and device OS version
  • General device category (e.g., 'iPhone', 'Android phone') — not a unique device identifier
  • Session duration and feature interaction counts (aggregated)

We DO NOT collect via Analytics:

  • Your name, email, or any direct identifier
  • Your task content or any productivity data
  • Precise or coarse geolocation
  • IP address in a way that is stored long-term or linked to your identity

Legal Basis (GDPR): Processing is based on our legitimate interests (Article 6(1)(f) GDPR) in improving the App's functionality and user experience. We have assessed that this interest is not overridden by your fundamental rights and freedoms, given the anonymous and aggregated nature of the data. Where required by law (e.g., ePrivacy Directive), we will seek your consent.

2.3 Data Collected by Platform Providers

Apple and Google independently collect certain data when you use their Platforms and App Stores. This collection is governed by their own privacy policies (Apple Privacy Policy and Google Privacy Policy). The Developer has no control over and is not responsible for Platform-level data collection.

2.4 Purchase Data

Payment and purchase transactions, including both one-time purchases (such as Lifetime Licenses) and recurring subscriptions, are processed entirely by Apple (via In-App Purchase) or Google (via Google Play Billing) (each, a “Platform”). The Developer does not collect, access, or store your payment card details or billing information.

The Developer may receive limited, non-identifying transaction data from the Platform, such as purchase receipts and subscription status information. This may include details necessary to verify and manage your access to premium features, such as whether a subscription is active, expired, cancelled, or in a trial period.

This information is used solely to validate your entitlements and provide the appropriate level of service within the app. The Developer does not use this data for independent profiling, marketing, or resale.

3. How We Use Your Data

We use the limited data we collect for the following purposes:

  • App improvement: Analyzing aggregated, non-identifiable usage patterns to prioritize features, enhance performance, and fix bugs.
  • License & subscription verification: Confirming your purchase or active subscription status through Platform-provided receipts and entitlement signals.
  • Legal compliance: Complying with applicable laws, regulations, and lawful requests from authorities.
  • Responding to your requests: Addressing support inquiries, feedback, or requests related to your legal rights.

We do not use your data for targeted advertising, behavioral profiling, or any commercial purpose beyond operating, maintaining, and improving the App.

4. Data Sharing & Third Parties

4.1 Analytics

Anonymous analytics data is shared with Mixpanel (EU). Mixpanel acts as a Data Processor on our behalf and is bound by a Data Processing Agreement compliant with GDPR Article 28. Data transfers to Mixpanel in the United States are conducted under the EU-US Data Privacy Framework and/or Standard Contractual Clauses as applicable. Mixpanel Privacy Policy: https://mixpanel.com/legal/privacy-policy/

4.2 Platform Providers

Apple Inc. and Google LLC act as independent controllers for data collected through their platforms. We share only the minimum information required for App distribution and purchase verification.

4.3 No Sale of Data

We do not sell, rent, or trade your personal data to any third party, and we never have. We do not engage in data brokerage.

4.4 Legal Disclosures

We may disclose data if required to do so by law, regulation, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of the Developer, our users, or the public.

5. Data Retention

Given our local-first architecture, most of your data remains on your device and you control its retention entirely (including by uninstalling the App or clearing app data).

  • Analytics data: anonymized event data is retained in accordance with standard retention periods (generally up to 5 years for aggregated analytics). We configure analytics to minimize retention wherever possible.
  • Subscription status data (such as entitlement receipts): retained for as long as necessary to manage your access to paid features, and for a reasonable period after cancellation to address disputes, refunds, or related inquiries.
  • Support request data held by the Developer: retained only as long as necessary to resolve the request, subject to any applicable legal retention obligations.

6. Your Rights Under GDPR & Applicable Law

If you are located in the EEA, United Kingdom, or Switzerland, you have the following rights under the GDPR and equivalent legislation:

6.1 Right of Access (Article 15 GDPR)

You have the right to request a copy of the personal data we hold about you and information about how we process it.

6.2 Right to Rectification (Article 16 GDPR)

You have the right to request correction of inaccurate or incomplete personal data.

6.3 Right to Erasure / 'Right to be Forgotten' (Article 17 GDPR)

You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent (where processing was based on consent).

6.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request that we restrict the processing of your personal data in certain circumstances (e.g., while the accuracy of data is contested).

6.5 Right to Data Portability (Article 20 GDPR)

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format. Since data is stored locally, the right to portability is fulfilled by the user's full control over the local database.

6.6 Right to Object (Article 21 GDPR)

You have the right to object at any time to the processing of your personal data where such processing is based on the Developer's legitimate interests, including profiling. Where you object, the Developer will cease processing your personal data unless the Developer demonstrates compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

You may also object to the use of your data for analytics or similar purposes by contacting us using the details provided in this Policy.

6.7 Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

6.8 Right to Lodge a Complaint

You have the right to lodge a complaint with your local supervisory authority. In the EU, this is the data protection authority ("DPA") in the country where you reside, work, or where the alleged infringement took place. In the UK, this is the Information Commissioner's Office (ICO).

How to Exercise Your Rights

To exercise any of the above rights, please contact the Developer via the in-app support section or email, clearly identifying yourself and specifying the right you wish to exercise. The Developer will respond within 30 days of receiving your request (extendable by a further two months for complex requests). We may need to verify your identity before processing your request.

7. Opt-Out of Analytics

You can opt out of analytics data collection by:

  • Using the opt-out control available in the App's Settings (where implemented).
  • Contacting the Developer directly to request opt-out; we will configure your device identifier accordingly.
  • Disabling analytics/tracking in your device's OS-level privacy settings.

Opting out of analytics does not affect the core functionality of the App.

8. Children's Privacy

The App is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction, which is 16 in certain EU member states). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact the Developer immediately so we can take appropriate action, including deletion of that data.

9. International Data Transfer

Analytics data may be transferred to and processed in the United States. Where such transfers occur from the EEA, UK, or Switzerland, they are conducted in compliance with applicable data transfer mechanisms, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • The EU-US Data Privacy Framework (where applicable).

By using the App, you acknowledge that your anonymized analytics data may be transferred internationally under these safeguards.

10. Security

The Developer implements appropriate technical and organizational measures to protect data against unauthorized access, accidental loss, alteration, or disclosure. These include:

  • Local data is protected by your device's built-in OS-level encryption and security sandboxing.
  • Analytics data is transmitted over encrypted (TLS/HTTPS) connections.
  • The Developer regularly reviews security practices and updates them as necessary.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, in addition to the rights described above, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • The right to know what personal information is collected and how it is used.
  • The right to delete personal information (subject to certain exceptions).
  • The right to opt out of the sale or sharing of personal information. (Note: We do not sell or share personal information as defined under the CCPA.)
  • The right to non-discrimination for exercising your privacy rights.

To submit a California privacy request, please contact the Developer using the contact information below.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through an in-app notice or by updating the 'Last Updated' date at the top of this policy. We encourage you to review this policy periodically. Your continued use of the App after any change constitutes acceptance of the updated policy.

13. Contact & Data Controller Details

For all privacy-related inquiries, data subject rights requests, or complaints:

  • Contact Channel: In-app support section or Developer's contact email (contactus@planndu.com).
  • Subject Line for GDPR Requests: 'GDPR Data Request — [Your Right]'
  • Response Time: Within 30 calendar days of receipt.

If you are not satisfied with our response, you have the right to complain to your local data protection supervisory authority.

© 2026 PomPom. Made with 🍅