Privacy Policy

The short version: Your recovery data stays on your device. We don't sell your data, we don't profile you, and we don't share your information with advertisers. Your recovery belongs to no one but you.

1. Introduction

Still ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use the Still mobile application and website (collectively, the "Service").

We understand the deeply sensitive nature of gambling addiction recovery. That principle shapes every decision we make about your data.

2. Information We Collect

2.1 Information Stored Locally on Your Device

The following data is stored only on your device and is never transmitted to our servers:

Daily check-in entries (mood, urge scores, triggers)
Journal entries and private notes
Urge Shield usage history
Streak and milestone data
Mood and urge insight graphs
App blocker and website blocker configurations
Money saved counter settings and calculations
Notification preferences

This data is protected using encrypted storage provided by the operating system (iOS Keychain / Android EncryptedSharedPreferences).

2.2 Information Collected via Firebase

When you create an account or use cloud-connected features, we collect and store the following via Google Firebase:

Authentication data — email address, display name, and authentication tokens (if you sign in with Google or Apple, we receive only your name and email; we never receive your password)
Circle community data — posts, replies, and reactions you submit to the Circle feature are stored in Firebase Cloud Firestore so they can be shared with other users
Push notification tokens — device tokens for delivering notifications via Firebase Cloud Messaging
Basic usage metadata — timestamps of account creation and last sign-in

2.3 Information Collected via RevenueCat

When you subscribe to Still Premium, our payment processor RevenueCat collects:

Anonymous app user ID
Purchase history and subscription status
Transaction receipts (processed by Apple App Store or Google Play)
Device platform and OS version

RevenueCat does not have access to your recovery data, journal entries, or any health information. For details, see RevenueCat's Privacy Policy.

2.4 Information We Do Not Collect

We do not collect:

Payment card details (handled entirely by Apple/Google)
Precise location data
Contacts, photos, or other device data
Browsing history (the website blocker operates locally and does not report blocked sites to any server)
Health data beyond what you voluntarily enter in journal check-ins

3. How We Use Your Information

We use the information we collect solely to:

Purpose	Data Used
Provide the Service	Account data, Circle posts
Process subscriptions	RevenueCat transaction data
Deliver push notifications	FCM device tokens
Fix bugs and improve stability	Crash reports (anonymized)
Respond to support requests	Your email address

4. What We Never Do

❌ We never sell your personal data to third parties
❌ We never display gambling advertisements — or any advertisements
❌ We never share your recovery data with insurers, employers, or any third party
❌ We never build advertising or behavioural profiles
❌ We never upload your journal entries, check-ins, or mood data to any server
❌ We never use your data for AI model training

5. The Circle Feature

The Circle is an optional community feature. When you participate:

Shared with other Circle users:

Your display name
Posts and replies you publish
Your current streak length and milestone achievements

Never shared with anyone:

Journal entries
Urge scores and check-in details
Mood data
Blocker configurations
Any other private recovery data

You can delete your Circle posts and replies at any time. Deleted content is permanently removed from our servers.

6. Third-Party Services

Service	Purpose	Data Shared	Privacy Policy
Firebase Authentication (Google)	User accounts & sign-in	Email, name, auth tokens	Firebase Privacy
Firebase Cloud Firestore (Google)	Circle community data storage	Posts, replies, user profiles	Firebase Privacy
Firebase Cloud Messaging (Google)	Push notifications	Device token	Firebase Privacy
RevenueCat	Subscription management	Anonymous ID, purchase receipts	RevenueCat Privacy
Apple Screen Time / FamilyControls (iOS)	System-level app/website blocking	None — operates entirely on-device	Apple Privacy
Android VPN Service	Local DNS-based website blocking	None — no traffic leaves the device	N/A (local only)
Apple App Store / Google Play	Payment processing	Payment details (we never see these)	Platform policies

7. Data Storage, Security, and Transfers

Local data is encrypted via iOS Keychain / Android EncryptedSharedPreferences and never leaves your device.
Cloud data (Circle posts, account info) is stored in Google Firebase data centers. Firebase may store data in the United States and/or the European Union. Google maintains Standard Contractual Clauses (SCCs) for international transfers.
RevenueCat processes subscription data in the United States under their Data Processing Agreement.

We employ industry-standard security measures including TLS encryption in transit, encrypted storage at rest, and secure authentication protocols.

8. Data Retention

Data Type	Retention Period
Local device data	Until you delete the app or clear data
Firebase account	Until you delete your account
Circle posts/replies	Until you delete them or delete your account
Push notification tokens	Until you log out or uninstall
RevenueCat subscription data	As required by tax/financial regulations (typically 7 years)
Support emails	2 years after last correspondence

When you delete your account, we permanently remove all associated cloud data within 30 days.

9. Legal Basis for Processing (GDPR)

For users in the EU/EEA and UK, we process your data under the following legal bases:

Processing Activity	Legal Basis
Providing the Service (account, Circle)	Performance of a contract (Art. 6(1)(b))
Processing payments	Performance of a contract (Art. 6(1)(b))
Sending push notifications	Your consent (Art. 6(1)(a))
Improving app stability (crash reports)	Legitimate interest (Art. 6(1)(f))
Responding to support requests	Legitimate interest (Art. 6(1)(f))

10. Your Rights

All Users

You have the right to:

Access any personal data we hold about you
Delete your account and all associated cloud data at any time
Delete local data by removing the app
Opt out of push notifications via device settings
Withdraw consent at any time where consent is the legal basis

EU/EEA and UK Users (GDPR)

You additionally have the right to:

Data portability — receive your data in a structured, machine-readable format
Restriction of processing — request we limit how we use your data
Rectification — correct inaccurate personal data
Object — object to processing based on legitimate interest
Lodge a complaint with your local Data Protection Authority

California Users (CCPA/CPRA)

California residents have the right to:

Know what personal information we collect and how it is used
Delete personal information we hold
Non-discrimination — we will not penalize you for exercising your rights

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

11. Children's Privacy

Still is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through the app or via email. The "Last updated" date at the top reflects the most recent revision.

13. Contact Us

If you have any questions about this Privacy Policy, your data, or wish to exercise your rights:

Email: contact.stillapp@gmail.com X (Twitter): @aymant19