Legal
Privacy Policy
Last updated: 24 April 2026
The short version
- We read your per-app screen time on your device, directly from the operating system. We never scrape or record the content of the apps you use.
- The only personal data we store on our servers is your email address and the per-app minutes you've opted in to have us coach you on.
- We never sell, share, rent, or trade your data with third parties for advertising.
- You can delete everything we hold about you in two taps (Settings → Delete account).
What we collect
| Category | What | Where it lives | Why |
|---|---|---|---|
| Account | Your email address + an encrypted Supabase Auth identifier | Supabase (EU region) | To let you sign in across devices |
| Usage minutes | Per-app total minutes per day for the social apps you selected on the Select Apps screen | Supabase (EU region) | To compute your reclaim and show the scorecard |
| Your goals + “why” | The ladder targets and commitment reasons you chose | Supabase (EU region) | To personalise the intervention and feedback screens |
| Intervention events | When we showed you the 60-second takeover and what you chose (“close” / “scroll” / micro-action) | Supabase (EU region) | To improve the coaching |
| Diagnostics | Anonymised crash reports + funnel events | Sentry, PostHog (EU) | To fix bugs and measure whether the 6-step loop is working |
| Subscription state | Active / trialing / expired — never card details | RevenueCat + Stripe | To know whether to show you the paywall |
What we DO NOT collect
- The content of posts you see or create on TikTok, Instagram, or any other app.
- Your contacts, calendar, location, microphone, camera, photos, or health data.
- Browsing history outside of the minute-totals reported by the OS Screen Time APIs.
- Any identifier that lets advertisers track you across apps (no IDFA tracking).
How we read screen time
- iOS: we use Apple's Family Controls, Device Activity, and Managed Settings frameworks. You pick the apps on a picker provided by Apple; the actual per-app minutes are computed on your device and never transmitted in raw form to a third party. We subtract the time you spend inside Zombie Social's own 60-second intervention before we even read the number.
- Android: we use `UsageStatsManager` with the `PACKAGE_USAGE_STATS` permission, which is granted through Android's system settings. Same subtraction rule applies.
- Manual mode: if you decline the permission we let you type minutes in by hand. You can switch modes at any time in Settings.
Data retention + deletion
- While you're a user: we keep everything needed to power the scorecard indefinitely.
- When you delete your account: all rows with your `user_id` are purged within 30 days across Supabase, PostHog, Sentry, and RevenueCat.
- If you cancel your subscription but don't delete: we retain your data so you can resume later without starting over.
- Email-marketing unsubscribes (Klaviyo) propagate within 24 hours.
Subprocessors
| Vendor | What they do | Location |
|---|---|---|
| Supabase | Database + auth | EU (eu-west-1) |
| RevenueCat | Subscription state + IAP receipt validation | US |
| Stripe | Annual web-checkout payments | US/EU |
| Klaviyo | Trial-nurture emails | US |
| Sentry | Crash reports | EU |
| PostHog | Product analytics | EU |
| Apple / Google | App distribution + native IAP | US/EU |
We pass the minimum data each one needs. Full DPAs on file.
Your rights (GDPR + UK-GDPR)
You have the right to access, correct, delete, and export your data. Email markthompsonmba@yahoo.co.uk and we'll respond within 30 days. You can also raise a complaint with the ICO (UK) or your local DPA.
Children
Zombie Social is for users 13+. We don't knowingly collect data on under-13s. If you believe a child under 13 has created an account, email markthompsonmba@yahoo.co.uk and we'll delete it.
Changes to this policy
If we change what we collect or how, we'll notify you in-app 30 days before the change takes effect — not buried in a legal doc.
Contact
markthompsonmba@yahoo.co.uk — email is the fastest way to reach a human.