Privacy Policy

Your privacy matters to us. Here's how we protect and handle your data.

Last updated: November 2025

This Privacy Policy describes how Whistl ("we," "our," or "us") collects, uses, stores, and protects your personal information when you use the Whistl mobile application (the "App"). We are committed to protecting your privacy and ensuring transparency about our data practices.

1. Information We Collect

1.1 Account and Authentication Information

  • Email Address: Collected during account registration and used for authentication and communication
  • Password: Securely hashed and stored using Firebase Authentication
  • Display Name: Optional name you provide for your profile
  • User ID: Unique identifier generated by Firebase Authentication
  • Authentication Tokens: Firebase authentication tokens for secure access

1.2 Profile and Onboarding Data

  • Subscription Tier: Information about your account tier (free or premium)
  • Onboarding Survey Responses:
    • Gambling frequency
    • Spending range
    • Recovery goals
    • Partner preferences
    • Challenge participation preferences
    • Challenge duration preferences

1.3 Location Data

  • GPS Coordinates: Precise location data collected when location services are enabled
  • Venue Detection:
    • Venue names, addresses, and categories (bars, casinos, nightclubs, etc.)
    • Venue entry and exit times
    • Dwell time at venues
    • Geofence monitoring data (up to 20 concurrent regions)
  • Location History: Historical location data for venue tracking and risk assessment
  • MapKit Search Data: Venue search queries and results from Apple's MapKit service

Note: Location tracking requires explicit "Always" permission and can be disabled at any time in app settings.

1.4 Network and Internet Activity

  • Blocked Gambling Attempts:
    • Domain names of blocked gambling websites
    • Timestamps of blocked attempts
    • App bundle IDs (for mobile gambling apps)
    • Blocking reason
  • VPN Connection Data: VPN tunnel status and configuration
  • Network Filter Logs: Records of network filtering activity

1.5 Behavioral and Usage Data

  • Risk Scores: Calculated risk scores based on your behavior patterns
  • Risk Score History: Historical risk score data with timestamps
  • App Usage Patterns:
    • App open times and frequency
    • Session durations
    • Feature usage statistics
  • Break Requests: Records of requests to temporarily disable restrictions
  • Schedule Changes: History of changes to your protection schedules
  • Device Activity: Screen Time and device usage data (with Family Controls permission)
  • Engagement Metrics:
    • Journal entry frequency
    • Check-in completion
    • Goal progress
    • Streak counts

1.6 Journal and Personal Content

  • Journal Entries:
    • Text content of journal entries (stored locally with AES-256 encryption)
    • Entry dates and timestamps
    • Word count
    • Sentiment analysis results (positive, negative, neutral, crisis)
    • Crisis keyword detection flags
  • Journal Metadata: Sentiment and engagement metadata synced to Firestore (text content remains local only)

1.7 Social and Partner Data

  • Pairing Information:
    • Pair ID and partner user ID
    • Pairing status and relationship type
    • Invite codes
  • Partner Notifications:
    • Venue alerts sent to your partner
    • Blocked attempt notifications
    • Risk score updates
  • Shared Inbox Messages: Messages exchanged with your accountability partner
  • Nudges: Support messages sent and received
  • Activity Feed: Shared recovery activities and milestones

1.8 Device Information

  • Device Identifiers: Device tokens for push notifications (FCM tokens)
  • Device Activity Data:
    • App usage statistics (via DeviceActivity framework)
    • Screen Time data (with Family Controls permission)
  • Device Settings: VPN configuration, location permissions, notification preferences

1.9 Analytics and Technical Data

  • Firebase Analytics Events:
    • User actions and feature usage
    • Gambling attempt events (domain, blocked status)
    • App performance metrics
  • ML Analytics:
    • Behavioral pattern analysis
    • Anomaly detection results
    • Risk prediction data
  • Error Logs: Technical error information for app improvement
  • Performance Metrics: App performance and battery usage data

2. How We Use Your Information

2.1 Core App Functionality

  • Account Management: Creating and managing your account, authentication, and profile
  • Protection Services:
    • Blocking gambling websites and apps
    • Managing VPN and Screen Time restrictions
    • Enforcing protection schedules
  • Risk Assessment: Calculating and updating your risk scores based on behavior patterns
  • Location-Based Alerts: Detecting and notifying about visits to risky venues

2.2 Recovery Support Features

  • Journal Analysis: Analyzing journal entries for sentiment and crisis detection
  • Progress Tracking: Tracking recovery milestones, streaks, and goals
  • Partner Accountability: Sharing relevant information with your accountability partner
  • Interventions: Triggering crisis intervention features when risk is detected

2.3 Service Improvement

  • Analytics: Understanding how users interact with the app to improve features
  • ML Model Training: Using anonymized behavioral data to improve risk prediction models
  • Bug Fixes: Using error logs to identify and fix technical issues
  • Performance Optimization: Monitoring app performance to optimize battery and resource usage

2.4 Communication

  • Push Notifications: Sending important alerts, reminders, and partner notifications
  • In-App Notifications: Displaying venue alerts, blocked attempt notifications, and partner messages

3. Data Storage and Security

3.1 Data Storage Locations

  • Firebase Firestore: User profiles, risk scores, behavioral data, partner information, and analytics data stored in Google Cloud infrastructure
  • Local Device Storage:
    • Journal entries (encrypted with AES-256, stored locally)
    • Blocked attempt logs (UserDefaults with App Group sharing)
    • Venue tracking state (UserDefaults)
    • App preferences and settings
  • Apple Keychain: Encryption keys for journal entries stored securely in iOS Keychain

3.2 Security Measures

  • Encryption:
    • Journal entries encrypted with AES-256-GCM
    • Data in transit encrypted via HTTPS/TLS
    • Firebase data encrypted at rest
  • Authentication: Secure password hashing via Firebase Authentication
  • Access Controls: Firestore security rules restrict data access to authorized users only
  • Secure Storage: Sensitive data stored in iOS Keychain with device-only access

3.3 Data Retention

  • Active Accounts: Data retained while your account is active
  • Deleted Accounts: Data deletion available upon account deletion request
  • Local Data: Journal entries and local logs retained on device until manually deleted
  • Analytics Data: Aggregated analytics data may be retained for service improvement

4. Data Sharing and Disclosure

4.1 With Your Accountability Partner

When you pair with an accountability partner, we share:

  • Venue visit alerts (when you visit risky venues)
  • Blocked gambling attempt notifications
  • Risk score updates
  • Shared inbox messages you send
  • Recovery milestones and achievements (if enabled)

4.2 With Service Providers

  • Firebase (Google):
    • Authentication services
    • Cloud Firestore database
    • Firebase Analytics
    • Firebase Cloud Messaging (push notifications)
  • Apple:
    • Core Location services
    • MapKit venue search
    • Family Controls and Screen Time APIs
    • Push notification services

4.3 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or to:

  • Protect our rights and property
  • Prevent fraud or security threats
  • Comply with legal obligations

4.4 No Sale of Data

We do not sell your personal information to third parties for marketing or advertising purposes.

5. Your Privacy Rights and Choices

5.1 Access and Export

  • Data Export: You can export your data through the app's data export feature, including:
    • Risk score history
    • Blocked attempts
    • App usage events
    • Venue tracking events
    • Journal entries (if included in export settings)
  • Profile Access: View and update your profile information in app settings

5.2 Deletion

  • Account Deletion: Request account deletion to remove:
    • User profile
    • Risk scores and history
    • Goals and restrictions
    • Timeline events
    • Recovery weekly data
    • Nudges and partner messages
  • Local Data: Journal entries and local logs can be cleared through app settings
  • Note: Some data may be retained in backups for a limited time as required by law

5.3 Permissions and Controls

  • Location Services: Enable/disable location tracking in iOS Settings or app settings
  • Notifications: Manage notification preferences in iOS Settings
  • Screen Time: Control Family Controls access in iOS Settings
  • VPN: Enable/disable VPN protection in app settings
  • Partner Sharing: Control what information is shared with your partner in app settings

5.4 Opt-Out Options

  • Analytics: Analytics collection is automatic but can be limited by disabling app usage permissions
  • Location Tracking: Disable location services to stop venue tracking
  • Partner Notifications: Adjust partner notification preferences in settings

6. Children's Privacy

The Whistl app is not intended for users under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

7. International Data Transfers

Your data may be stored and processed in countries outside your country of residence, including the United States, where our service providers (Firebase/Google) operate. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.

8. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated policy in the app
  • Updating the "Last Updated" date
  • Sending a notification (for significant changes)

Your continued use of the app after changes become effective constitutes acceptance of the updated policy.

9. Third-Party Services

9.1 Firebase Services

The app uses Google Firebase services:

  • Firebase Authentication: User authentication
  • Cloud Firestore: Database storage
  • Firebase Analytics: Usage analytics
  • Firebase Cloud Messaging: Push notifications

Firebase's privacy practices are governed by Google's Privacy Policy: https://policies.google.com/privacy

9.2 Apple Services

The app uses Apple services:

  • Core Location: Location tracking and geofencing
  • MapKit: Venue search and mapping
  • Family Controls: Screen Time integration
  • DeviceActivity: Device usage monitoring
  • NetworkExtension: VPN functionality

Apple's privacy practices are governed by Apple's Privacy Policy: https://www.apple.com/privacy/

10. Data Processing Legal Basis

We process your personal information based on:

  • Consent: When you provide explicit consent (e.g., location tracking, partner pairing)
  • Contract Performance: To provide the core app functionality you've requested
  • Legitimate Interests: For service improvement, analytics, and security
  • Legal Obligations: To comply with applicable laws and regulations

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us at:

  • Email: ned@whistl.app
  • Address: WHISTL TECHNOLOGIES PTY LTD, Privacy Team

12. Additional Information

12.1 Data Minimization

We collect only the data necessary to provide and improve our services. You can limit data collection by:

  • Disabling location services
  • Limiting partner sharing
  • Adjusting notification preferences
  • Using minimal profile information

12.2 Data Accuracy

We strive to keep your data accurate and up-to-date. You can update your profile information and preferences in the app settings.

12.3 Breach Notification

In the event of a data breach that may affect your personal information, we will notify you and relevant authorities as required by applicable law.