Privacy Policy

Thornline Labs LLC ("Company," "we," "us," "our") operates the Thornline Labs website and develops iOS applications including LockIn, SettleIt, FlowScanner, and Swappr (collectively, "Services"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Services.

Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by all the terms of this Privacy Policy. If you do not agree with our practices, please do not use our Services.

1. Information We Collect

1.1 Account Information

When you create an account with our Services, we collect information you provide directly, including:

• Name and email address (via Sign in with Apple)
• Apple ID account information required for authentication
• Profile information you choose to provide (e.g., profile picture, username, display name)
• Any other information you voluntarily submit through our Services

1.2 Health and Fitness Data

HealthKit Step Data (LockIn): LockIn integrates with Apple HealthKit to read your step count data. You explicitly grant permission to access this data when you use the app. This data is used solely to enable step tracking features and achievements within the app. Your step data is never shared with third parties, never sold, and remains on your device.

1.3 Screen Time Data (LockIn)

Family Controls Integration: LockIn uses Apple's Family Controls API to process Screen Time data locally on your device. This API allows the app to interact with device-level app blocking and Screen Time features. All processing occurs on your device only. No Screen Time data is transmitted to our servers or shared with third parties.

1.4 Firebase Authentication and Cloud Services

We use Firebase (Google Cloud) for:

• User authentication and account security
• Cloud synchronization of app settings and data
• Storage of non-sensitive app data (user preferences, achievements, leaderboard entries)

Firebase may collect limited diagnostic and performance data to maintain service reliability. You can review Google's privacy policies for their Firebase services at https://policies.google.com/privacy.

1.5 Subscription and Purchase Data

We use RevenueCat to manage subscriptions and in-app purchases. RevenueCat collects:

• App Store receipt information
• Subscription status and renewal information
• Purchase history
• Limited device identifiers required for purchase processing

RevenueCat handles subscription management but does not share your purchase data with us for marketing purposes. You can review RevenueCat's privacy policy at https://www.revenuecat.com/privacy.

1.6 Analytics Data

We collect limited, anonymized analytics to improve our Services, including:

• App crash reports and error logs
• Feature usage statistics (which features are used, how often)
• Device type and operating system version
• Approximate location based on IP address

Analytics data is aggregated and does not identify you personally. We do not track individual user behavior or create detailed usage profiles.

1.7 Communication Data

If you contact us via email or through our Services, we collect:

• Your email address and name
• The content of your message
• Any attachments or information you provide

2. How We Use Your Information

We use the information we collect for the following purposes:

• Providing Services: To deliver, maintain, and improve our Services, including account management, feature development, and customer support
• Authentication: To securely authenticate your identity and prevent unauthorized access to your account
• Personalization: To customize your experience, track achievements, and maintain leaderboards
• Step Tracking (LockIn): To sync step count data from HealthKit and enable step-based challenges and achievements
• Screen Time Features (LockIn): To enable app blocking and focus session features on your device
• Analytics and Improvement: To understand how our Services are used, identify bugs, optimize performance, and plan new features
• Security: To detect, prevent, and address fraud and security issues
• Legal Compliance: To comply with applicable laws, regulations, and legal processes
• Customer Support: To respond to your inquiries, troubleshoot issues, and provide assistance

3. Data Sharing and Disclosure

3.1 What We Do NOT Do

• We do not sell your personal data. We do not sell, trade, or rent your information to third parties for marketing purposes.
• We do not share health data. HealthKit step data is never shared with third parties and remains on your device.
• We do not share Screen Time data. Screen Time data remains on your device and is not transmitted to our servers.
• We do not use advertising. We do not serve targeted ads based on your personal information.
• We do not create detailed tracking profiles. We do not build comprehensive profiles of your behavior for commercial purposes.

3.2 Limited Sharing with Service Providers

We share information only with third-party service providers who assist us in operating our Services, and only to the extent necessary:

• Firebase (Google Cloud): For authentication, cloud storage, and data synchronization
• RevenueCat: For subscription and purchase management
• Apple: For Sign in with Apple authentication and HealthKit integration

We require these service providers to maintain strict confidentiality and use data only for the purposes we specify.

3.3 Legal Requirements and Protection

We may disclose your information when required by law or when we have a good faith belief that disclosure is necessary to:

• Comply with applicable laws, regulations, or court orders
• Enforce our Terms of Service and other agreements
• Protect the safety, rights, and property of Thornline Labs, our users, or the public
• Detect and address fraud or security concerns

3.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice if your information becomes subject to a materially different privacy policy.

4. HealthKit and Health Data Protection

LockIn accesses HealthKit data with your explicit permission. This permission is requested by the operating system, and you control it through your device settings at all times.

Your step count data from HealthKit is used exclusively within LockIn for:

• Tracking step progress and achievements
• Enabling step-based challenges
• Displaying step statistics in the app

Your HealthKit data is never:

• Transmitted to our servers
• Shared with third parties
• Sold or commercialized
• Used for purposes other than those explicitly stated

You can revoke HealthKit access at any time through your device settings without affecting other app functionality.

5. Screen Time and Family Controls Data Protection

LockIn uses Apple's Family Controls API to access Screen Time data. This integration allows the app to:

• Block apps during focus sessions
• Enable managed App Limits
• Track Screen Time usage

All Screen Time data is processed locally on your device only. Your Screen Time information:

• Never leaves your device
• Is not transmitted to Thornline Labs servers
• Is not shared with third parties
• Is protected by iOS security mechanisms

Family Controls permissions are managed through your device settings, and you can revoke access at any time.

6. Data Retention and Deletion

6.1 Retention

We retain your information only for as long as necessary to provide our Services and fulfill the purposes outlined in this Privacy Policy. Specific retention periods:

• Account data: Retained while your account is active; deleted upon account termination (see below)
• HealthKit data: Processed in real-time and not retained on our servers
• Screen Time data: Not transmitted or retained; processed only on your device
• Analytics data: Aggregated and retained for up to 90 days
• Backup/archive data: Retained for up to 90 days after account deletion for data recovery purposes

6.2 Data Deletion Requests

You may request deletion of your personal data at any time by contacting us at mitch@thornlinelabs.com with the subject line "Data Deletion Request." Please include:

• Your name and email address associated with your account
• A clear statement that you request deletion of your personal data

Upon receiving a valid request, we will:

• Delete your account information within 30 days
• Purge personal data from backups within 90 days
• Provide written confirmation of deletion

Note: Some data may be retained when required by law or for legitimate business purposes (e.g., fraud prevention, legal disputes). We will inform you of any such retention.

7. California Privacy Rights (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You may request what personal data we have collected, the sources, and how we use it
• Right to Delete: You may request deletion of personal data we have collected (with certain exceptions)
• Right to Opt-Out: You have the right to opt-out of the "sale" of your personal data (we do not sell data, so this right is not applicable)
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise these rights, email mitch@thornlinelabs.com with your request. We will verify your identity and respond within 30 days.

8. Children's Privacy

Our Services are not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete such information and terminate the child's account.

For children ages 13 and older, we maintain the same privacy protections outlined in this Privacy Policy.

If you believe a child under 13 has provided us with information, please contact us immediately at mitch@thornlinelabs.com.

9. Security Measures

We implement industry-standard security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of sensitive data in transit (TLS/SSL) and at rest
• Secure authentication via Sign in with Apple
• Regular security audits and testing
• Strict access controls and employee confidentiality agreements
• Compliance with Apple's security guidelines

However, no security system is impenetrable. While we strive to protect your information, we cannot guarantee absolute security. You use our Services at your own risk.

10. Third-Party Services and Links

Our Services may contain links to third-party websites and services that are not operated by Thornline Labs. This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices. Please review the privacy policies of any third-party services before providing your information.

Third-party services we integrate with include:

• Apple services: App Store, Sign in with Apple, HealthKit, Family Controls
• Firebase/Google Cloud: For authentication and data storage
• RevenueCat: For subscription management

11. International Data Transfers

Your information may be transferred to, stored in, and processed in countries other than your country of residence. These countries may have data protection laws that are different from your home country. By using our Services, you consent to the transfer of your information to countries outside your country of residence, which may not provide the same level of protection as your home country.

12. Your Rights and Choices

12.1 Access and Correction

You may access and update your account information at any time by logging into your account. If you need assistance, contact us at mitch@thornlinelabs.com.

12.2 Email Communications

If we send you promotional emails, you may opt-out by clicking the "unsubscribe" link in the email or by contacting us directly. Please note: We may continue to send you transactional emails (e.g., account notifications, password resets) even if you opt-out of promotional messages.

12.3 Device Permissions

You can control app permissions on your device at any time:

• HealthKit access: Settings → Health → Data Access & Devices → [App Name]
• Screen Time/Family Controls: Settings → Screen Time → Family Controls

12.4 Tracking and Do Not Track

We do not respond to "Do Not Track" signals, as there is no universal standard. However, we do not track you across third-party websites or apps, and we do not use third-party tracking for marketing purposes.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by:

• Posting the updated Privacy Policy on our website
• Updating the "Effective" date at the top of this policy
• Sending you an email notification (for material changes)

Your continued use of our Services after changes become effective constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically to stay informed about how we protect your information.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

15. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the State of Ohio, without regard to its conflict of law principles. Any disputes arising out of or relating to this Privacy Policy shall be resolved in the courts located in Ohio.