KickMint Privacy Policy
What we collect: nothing
KickMint runs the AI on your phone. Your tasks, voice transcripts, AI prompts, AI outputs, cycle data, sleep data, and medication timing never leave your device. The only thing that crosses our network is encrypted task sync data that we cannot read, plus an opaque sync group ID that is not linked to your identity.
If you do not want sync, you do not enable it. The app works fully offline and is functionally identical without sync.
This is enforced in code, not just policy. See iosApp/Sources/Sync/SyncManager.swift (the nonSyncableTables constant) and iosApp/Sources/App/PrivacyInfo.xcprivacy (Apple Privacy Manifest declaring NSPrivacyTracking=false and an empty NSPrivacyCollectedDataTypes array).
1. Who we are
KickMint is an iOS productivity app for adults with ADHD and similar executive-function differences, distributed worldwide via the Apple App Store and described at kick-mint.com.
In this policy, "we", "us", and "our" refer to:
- Controller / publisher: KickMint (sole proprietorship, [INSERT LEGAL ENTITY WHEN INCORPORATED])
- Registered address: [INSERT MAILING ADDRESS]
- Contact for privacy matters: [email protected]
- Contact for legal notices: [email protected]
- EU/EEA representative (Article 27 GDPR): [INSERT EU REPRESENTATIVE OR "Not appointed, see Section 12"]
- UK representative (UK GDPR Art. 27): [INSERT UK REPRESENTATIVE OR "Not appointed, see Section 12"]
- Data Protection Officer: Not appointed. We are not subject to the mandatory DPO requirement under GDPR Article 37(1) because (a) we are not a public authority, (b) our core activity does not require regular and systematic monitoring of data subjects on a large scale, and (c) our core activity does not involve large-scale processing of special categories of data under Article 9.
2. Plain-language data summary
| Category | Do we collect it? | Where it lives |
|---|---|---|
| Your name or email | No | We have no account system |
| Your tasks, notes, projects | Stays on your device | Encrypted sync payload only if you enable sync |
| Voice you record into the app | Stays on your device | Transcribed by iOS on-device. Audio never written |
| AI prompts and AI outputs | Stays on your device | Inference runs locally via llama.cpp + Qwen 2.5 1.5B |
| Menstrual cycle phase, sleep, meds | Stays on your device | Listed in nonSyncableTables, never transmitted |
| Health data from HealthKit | Stays on your device | Read-only access. We do not write or transmit it |
| Crash reports | Apple receives if you opt in via system settings | We never see them as a separate dataset |
| Location | No | We do not request location permission |
| Contacts | No | We do not request Contacts permission |
| Advertising IDs (IDFA) | No | We do not request App Tracking Transparency and never call ATTrackingManager.requestTrackingAuthorization |
| Browsing or search history | No | The app has no web browser or search log |
| Payment / card details | No | Apple's StoreKit handles all subscriptions. We see no card data |
Statutory basis for this disclosure format: California Civil Code section 1798.100(a) requires a business to inform consumers of the categories of personal information collected at or before collection. Our answer to all enumerated CCPA categories is "not collected", so we list each category to make that affirmative claim verifiable. GDPR Article 13(1)(c) requires the purpose and lawful basis for each processing activity; where we do not collect data we have no Article 13 obligation for that category, but we list it for transparency.
3. The on-device AI
KickMint includes a Qwen 2.5 1.5B large language model in GGUF format, executed locally on your iPhone using llama.cpp. This model is downloaded from a Cloudflare R2 bucket on first launch (a one-time ~900MB download) and runs entirely on your device thereafter.
What this means in practice:
- Every AI feature (task breakdown, suggestion ranking, capture parsing) runs on your phone with no network call to us during inference.
- Your prompts, the model's intermediate state, and the model's outputs are never transmitted to any server we control.
- AI telemetry (latency, token counts, fallback rate) is stored in a local table named `ai_telemetry`, which is in `SyncManager.nonSyncableTables` and therefore never included in sync payloads.
- The model file itself is downloaded over HTTPS without authentication. Cloudflare's standard server logs may record the IP that requests the file. Those logs are operated by Cloudflare under their own privacy terms and are used for abuse prevention and content delivery, not user profiling.
If we ever change inference to a hybrid or cloud model, we will update this policy, notify users in-app at least 30 days before the change, and require explicit opt-in for any cloud inference.
4. Optional cross-device sync
If you enable sync, KickMint generates an opaque sync group ID and a sync group secret on your device. The secret never leaves your device. The server only stores a SHA-256 hash of the secret, used to verify HMAC-signed requests (see sync-worker/src/index.ts, the validateAuth function).
What we send to the sync backend:
- An opaque sync group ID (random UUID with no user mapping)
- An opaque device ID (random UUID generated locally)
- A device name you can set yourself (sanitized to strip HTML and capped at 100 characters)
- AES-256-GCM encrypted CRDT operations representing your task changes (encryption key generated on your device, stored in iOS Keychain with `kSecAttrAccessibleAfterFirstUnlock`, never transmitted; see `iosApp/Sources/Sync/EncryptionManager.swift`)
- A timestamp and nonce for replay protection
- The HLC (hybrid logical clock) values needed to merge changes across devices
What the server can see:
- Encrypted ciphertext (it cannot decrypt; the key never leaves your device)
- The sync group ID, device ID, device name, and timing metadata
- The entity type field (e.g. "task", "project", "tag") needed to route the operation; the entity contents are inside the ciphertext
- Approximate IP address from the connection, used by Cloudflare for abuse prevention and discarded on Cloudflare's standard log retention schedule
What the server cannot see:
- Your task content
- Your notes, voice transcripts, or AI outputs
- Any health, cycle, sleep, medication, or sensitive context (these are in `nonSyncableTables` and are never sent at all, encrypted or not)
- Your name, email, payment information, or any identifier we could link back to you
Sync is opt-in. The app works fully without it. If you turn it off, no further sync data is sent.
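To make the split between "what the server can see" and "what it cannot see" concrete, here is an added illustration of the client-side packaging step described above. It is example code written for this policy page, not the app's own `EncryptionManager.swift` or `SyncManager.swift`. It assumes a Node-style TypeScript environment with `node:crypto`; the table names other than `ai_telemetry` are constructed placeholders, and the field layout of the envelope and the use of the routing fields as GCM associated data are design choices of the example rather than a description of the real wire format.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Exclusion list in the spirit of SyncManager.nonSyncableTables. Only
// `ai_telemetry` is named in the policy; the other names are constructed
// placeholders for this example.
export const NON_SYNCABLE_TABLES: ReadonlySet<string> = new Set([
  "ai_telemetry",
  "cycle_phase_example",
  "sleep_log_example",
  "medication_timing_example",
]);

// A local change: the table it came from, a routing-only entity type, the
// HLC value needed for merging, and the content that must stay unreadable.
export interface LocalOperation {
  table: string;
  entityType: "task" | "project" | "tag";
  hlc: string;
  content: Record<string, unknown>;
}

// Everything that leaves the device. Only routing metadata is in the clear.
export interface SyncEnvelope {
  syncGroupId: string;
  deviceId: string;
  entityType: string;
  hlc: string;
  iv: string;         // base64, 12 random bytes, fresh per message
  ciphertext: string; // base64
  tag: string;        // base64 GCM authentication tag
}

// Stand-in for the per-device key that the app keeps in the Keychain.
export function generateDeviceKey(): Buffer {
  return randomBytes(32);
}

function associatedData(syncGroupId: string, entityType: string, hlc: string): Buffer {
  // Binding the clear-text routing fields to the ciphertext means a relay
  // cannot re-label an operation without the receiving device noticing.
  return Buffer.from(`${syncGroupId}|${entityType}|${hlc}`, "utf8");
}

export function encryptOperation(key: Buffer, op: LocalOperation, syncGroupId: string, deviceId: string): SyncEnvelope {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(associatedData(syncGroupId, op.entityType, op.hlc));
  const plaintext = Buffer.from(JSON.stringify(op.content), "utf8");
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    syncGroupId,
    deviceId,
    entityType: op.entityType,
    hlc: op.hlc,
    iv: iv.toString("base64"),
    ciphertext: ciphertext.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Receiving side: any change to the clear-text fields or ciphertext throws.
export function decryptEnvelope(key: Buffer, env: SyncEnvelope): Record<string, unknown> {
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(env.iv, "base64"));
  decipher.setAAD(associatedData(env.syncGroupId, env.entityType, env.hlc));
  decipher.setAuthTag(Buffer.from(env.tag, "base64"));
  const plain = Buffer.concat([decipher.update(Buffer.from(env.ciphertext, "base64")), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// Outbound batch: rows from non-syncable tables are dropped before encryption
// ever happens, so they are never sent in any form. The rest is encrypted.
export function buildSyncBatch(key: Buffer, ops: LocalOperation[], syncGroupId: string, deviceId: string): SyncEnvelope[] {
  return ops
    .filter((op) => !NON_SYNCABLE_TABLES.has(op.table))
    .map((op) => encryptOperation(key, op, syncGroupId, deviceId));
}
```

The point a reader can check for themselves: the envelope a relay sees carries the sync group ID, device ID, entity type and HLC, while the task content appears only inside the ciphertext, and a row from an excluded table produces no envelope at all.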
5. Lawful basis for processing (EU/UK GDPR)
The minimal data we do process for sync is processed on the following bases:
- Performance of a contract under GDPR Article 6(1)(b) and UK GDPR Art. 6(1)(b) for sync delivery itself: when you enable sync, we are providing the cross-device feature you signed up for.
- Legitimate interests under Article 6(1)(f) for security and abuse prevention (rate limiting, replay protection, HMAC verification). The legitimate interest is keeping the sync service available for paying users; the impact on you is minimal because the data is anonymous.
- Legal obligation under Article 6(1)(c) for retaining purchase records to the extent required by tax law in [INSERT JURISDICTION, likely your country/state].
We do not rely on consent for any processing in section 4 because there is no personal data under Article 4(1) on our side: encrypted ciphertext we cannot read, plus opaque IDs not linked to a person, do not constitute personal data unless and until they can be associated with an identifiable natural person.
6. Third-party processors
We use exactly two categories of third party. Both are necessary to deliver the service.
Apple Inc.
- What they do for us: App Store distribution, in-app purchase processing via StoreKit 2, push notifications via APNs (if you enable them), device-level crash and performance reports if you have opted in via iOS Settings.
- What data they receive directly from you: payment information, App Store account identifier, device telemetry per Apple's policies. We never see any of this.
- Apple's privacy policy: apple.com/legal/privacy
- App Store data and privacy: apple.com/legal/privacy/data/en/app-store
Cloudflare, Inc.
- What they do for us: Hosts our `sync-worker` (Cloudflare Workers + D1 + KV) and the AI model file (Cloudflare R2). Provides standard CDN edge protection.
- What data they process: encrypted sync payloads, opaque sync/device IDs, IP addresses for connection routing and abuse prevention, request logs for service operation.
- Region: Cloudflare routes requests to the nearest edge by default. Our worker is deployed globally; D1 is replicated. We do not pin to a specific region.
- Cloudflare's privacy policy: cloudflare.com/privacypolicy
- Cloudflare DPA: Available on request, signed [INSERT DATE OR "TODO"].
We use no analytics SDK, no advertising SDK, no crash-reporting SDK other than Apple's built-in opt-in service, no attribution SDK, no fingerprinting library, no third-party tracking pixel, and no tag manager.
7. International data transfers
If you are outside the United States and use sync, your encrypted sync payload may transit to and be stored on Cloudflare infrastructure that includes US points of presence. We rely on the following legal mechanisms:
- EU/EEA users: Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) between us and Cloudflare, plus Cloudflare's adherence to the EU-US Data Privacy Framework where applicable.
- UK users: UK Addendum to the SCCs as published by the ICO, in force from 21 March 2022.
- Swiss users: Swiss-US Data Privacy Framework where Cloudflare is certified.
Because the only personal data we transmit is encrypted ciphertext we cannot decrypt, plus opaque pseudonymous identifiers, the practical impact of any cross-border transfer is minimal.
8. Your rights
All users
- Delete the app to delete the data. Because almost all data is on your device, uninstalling KickMint deletes it.
- Export. Settings > Data > Export creates a JSON file you can save anywhere. Sync is not required to export.
- Disable sync. Settings > Sync > Disable. Subsequent local changes are never sent.
- Revoke a paired device. Settings > Sync > Devices > Revoke. The revoked device cannot re-register (see `sync-worker/src/index.ts`, the `handleRevokeDevice` function).
EU/EEA, UK, and other GDPR-style users
Under GDPR Articles 15-22 and equivalent UK provisions, you have the rights of access, rectification, erasure, restriction, portability, and objection.
- Right of access (Art. 15): ask [email protected] and we will send you everything we hold that is associable with your sync group ID. In practice this is your sync group's encrypted operation list, sanitized device names, and timestamps. We cannot decrypt the operations. We will respond within 30 days.
- Right to erasure (Art. 17, "right to be forgotten"): ask [email protected] and provide your sync group ID (visible in Settings > Sync > Advanced). We delete all operations, device records, and the secret hash within 30 days. Local data on your devices is unaffected; delete the app to remove that.
- Right to portability (Art. 20): the in-app Export feature satisfies this for your task data. For sync metadata, ask [email protected] and we will export in JSON.
- Right to restriction (Art. 18) and objection (Art. 21): disable sync in Settings, which stops further processing.
- Right to lodge a complaint (Art. 77): you may complain to your national data protection authority. In Ireland, the DPC at dataprotection.ie. In the UK, the ICO at ico.org.uk.
California users (CCPA / CPRA)
Under California Civil Code section 1798.100 et seq., you have the rights of access, deletion, correction, opt-out of sale or sharing for cross-context behavioral advertising, and limit on use of sensitive personal information.
- Right to know (1798.110, 1798.115): ask [email protected]. As described above, we hold opaque IDs and encrypted ciphertext. We have no source from which we sold or shared personal information because we do not sell or share.
- Right to delete (1798.105): see the EU section above for the same mechanism. We do not retain any backup copies of operations after deletion outside of Cloudflare's standard 30-day request log retention.
- Right to opt out of sale or sharing (1798.120): N/A. We do not sell or share personal information for cross-context behavioral advertising as those terms are defined in 1798.140.
- Right to limit use of sensitive personal information (1798.121): N/A. We do not collect sensitive personal information as defined in 1798.140(ae). All cycle, health, sleep, and medication data stays on your device and is in `nonSyncableTables`.
- No discrimination (1798.125): we do not discriminate against you for exercising any of these rights. Pricing and features do not depend on whether you exercise rights.
- Authorized agent requests: you may designate an agent under California Code of Regulations Title 11 section 7063 by emailing [email protected] with written authorization signed by you.
We are required to disclose retention periods (1798.100(a)(3)). Because we collect almost nothing, the relevant retention periods are: encrypted operations are retained until you request deletion or for the lifetime of the sync group, whichever comes first; device records are retained until you revoke the device; tombstones are retained for 30 days then auto-deleted by a daily cron in sync-worker (scheduled handler in index.ts).
Brazil users (LGPD)
Under Lei nº 13.709/2018, particularly Article 18, you have the rights of confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, and revocation of consent. Use the same email mechanism as above. ANPD complaints: gov.br/anpd.
Canada users (PIPEDA)
PIPEDA Principle 9 (Individual Access) and Principle 8 (Openness) apply. Contact [email protected]. The Office of the Privacy Commissioner of Canada accepts complaints at priv.gc.ca.
Australia users (Privacy Act 1988)
Australian Privacy Principles 5, 6, 12, and 13 apply. Contact [email protected]. The Office of the Australian Information Commissioner accepts complaints at oaic.gov.au.
9. Children's privacy
KickMint is rated 4+ on the App Store, but the product is built for adult users. We do not direct the app at children under 13 (United States COPPA, 15 U.S.C. sections 6501-6506) and we do not knowingly collect data from children under 13.
The 4+ App Store rating reflects the absence of objectionable content, not a target audience of small children. Per Apple's App Review Guideline 1.3 and the Kids Category guidance, an app is "directed at children" only if it is primarily intended for children under 13, which KickMint is not.
If you are a parent or guardian and you believe a child under 13 has used KickMint, contact [email protected]. We will delete any associated sync group on confirmation.
For users in the UK, the ICO's Age Appropriate Design Code (issued under section 123 DPA 2018) applies to services likely to be accessed by children. Because our user base is intentionally adult-targeted (productivity for ADHD adults), we believe the Code is not applicable to KickMint, but we have nevertheless followed its data-minimization guidance by collecting nothing.
10. Security
- Local data: stored in the iOS app sandbox using SQLite, automatically protected by iOS Data Protection (`NSFileProtectionComplete`-class), encrypted at rest with a key derived from your device passcode.
- Cryptographic keys: the sync secret, HMAC signing key, and AES-256-GCM encryption key live in the iOS Keychain. On devices with the Secure Enclave, the keys are hardware-backed.
- Sync transport: TLS 1.3 to Cloudflare endpoints, plus a second layer of AES-256-GCM application-layer encryption on the payload (we encrypt before transmission; Cloudflare cannot decrypt).
- Authentication: every authenticated sync request is HMAC-signed using the sync group secret with a 5-minute timestamp window and single-use nonce, providing replay protection (see `sync-worker/src/index.ts` `validateAuth` and `iosApp/Sources/Sync/DeviceIdentity.swift`).
- Rate limiting: per-device and per-group quotas in the sync worker prevent abuse and exfiltration attempts.
- Breach notification: if we discover a breach involving personal data, we will notify affected users without undue delay and within 72 hours of becoming aware where required by GDPR Article 33, and within statutory windows under CCPA, LGPD, PIPEDA, and Australia's Notifiable Data Breaches scheme.
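The authentication bullet above describes three checks that have to work together: a 5-minute timestamp window, a single-use nonce, and an HMAC over the request. The following is an added example of how such a validator fits together; it is written for this page and is not the project's `validateAuth` or `DeviceIdentity.swift`. It assumes a Node-style TypeScript environment with `node:crypto`, uses an in-memory `Map` as a stand-in for the KV nonce store and a second `Map` as a stand-in for the D1 row holding the secret hash, and assumes, purely for the example, that both sides derive the HMAC key as SHA-256 of the sync group secret, which is what lets the server verify without ever holding the raw secret. The canonical string that is signed is also the example's own choice.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

export const TIMESTAMP_WINDOW_MS = 5 * 60 * 1000; // the 5-minute window from the policy

export interface SignedRequest {
  syncGroupId: string;
  deviceId: string;
  timestamp: number; // unix ms, set by the client
  nonce: string;     // hex, random per request
  body: string;      // JSON payload of encrypted envelopes
  signature: string; // hex HMAC-SHA256
}

// Assumption for this example: HMAC key = SHA-256(secret). The server stores
// only this value, so a database read never yields the secret itself.
export function deriveVerificationKey(secret: Buffer): Buffer {
  return createHash("sha256").update(secret).digest();
}

// Everything that influences request handling goes under the MAC, with the body
// hashed so large payloads do not need to be re-read to verify.
function canonicalString(r: Omit<SignedRequest, "signature">): string {
  const bodyHash = createHash("sha256").update(r.body, "utf8").digest("hex");
  return [r.syncGroupId, r.deviceId, String(r.timestamp), r.nonce, bodyHash].join("\n");
}

// Client side: attach a fresh timestamp and nonce, then sign.
export function signRequest(
  secret: Buffer,
  fields: Omit<SignedRequest, "signature" | "nonce" | "timestamp">,
  now: number = Date.now(),
): SignedRequest {
  const unsigned = { ...fields, timestamp: now, nonce: randomBytes(16).toString("hex") };
  const signature = createHmac("sha256", deriveVerificationKey(secret))
    .update(canonicalString(unsigned))
    .digest("hex");
  return { ...unsigned, signature };
}

export type AuthResult = "ok" | "unknown_group" | "stale_timestamp" | "bad_signature" | "replayed_nonce";

// Server side. `keys` stands in for the stored secret hashes; `seenNonces`
// stands in for a KV namespace with TTL. Both are in-memory so this runs offline.
export class AuthValidator {
  private seenNonces = new Map<string, number>(); // "group:nonce" -> expiry (unix ms)

  constructor(private keys: Map<string, Buffer>) {}

  validate(req: SignedRequest, now: number = Date.now()): AuthResult {
    const key = this.keys.get(req.syncGroupId);
    if (!key) return "unknown_group";

    // 1. Freshness: reject timestamps outside the window in either direction,
    //    which bounds how long a captured request stays replayable at all.
    if (Math.abs(now - req.timestamp) > TIMESTAMP_WINDOW_MS) return "stale_timestamp";

    // 2. Signature, compared in constant time. Checked before nonce bookkeeping
    //    so unsigned garbage cannot fill the nonce store for a group.
    const expected = createHmac("sha256", key).update(canonicalString(req)).digest();
    const given = Buffer.from(req.signature, "hex");
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return "bad_signature";

    // 3. Single use. A nonce must be remembered until its own timestamp falls
    //    out of the window, not just for 5 minutes from first sight; otherwise a
    //    request stamped near the front of the window could be replayed later.
    this.evict(now);
    const nonceKey = `${req.syncGroupId}:${req.nonce}`;
    if (this.seenNonces.has(nonceKey)) return "replayed_nonce";
    this.seenNonces.set(nonceKey, req.timestamp + TIMESTAMP_WINDOW_MS);
    return "ok";
  }

  private evict(now: number): void {
    // Strictly-less-than: at exactly the expiry instant the timestamp is still
    // within the window, so the nonce must still be remembered.
    this.seenNonces.forEach((expiry, k) => {
      if (expiry < now) this.seenNonces.delete(k);
    });
  }
}
```

The ordering of the three checks is the part worth reading closely: freshness first so the nonce store stays bounded, signature second so only a holder of the key can consume a nonce, and nonce last so that a request which passes both is still rejected the second time it is seen.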
11. Retention
| Data | Retention |
|---|---|
| Local task and AI data on your device | Until you delete it or uninstall the app |
| Encrypted sync operations on our backend | Until deletion request, sync group revocation, or 30 days after the last device revoked. After all devices in a group are revoked we purge associated rows on the next scheduled cleanup. |
| Tombstones (deletion records) | 30 days, then auto-purged daily by sync-worker cron at 03:00 UTC |
| Cloudflare connection logs | Per Cloudflare's standard policy, typically rolling 30 days for abuse prevention |
| Apple StoreKit purchase records | Per Apple's policy. We retain receipt data only for the lifetime of the subscription |
12. Changes to this policy
If we make material changes, we will:
- Update the "Last updated" date at the top.
- Notify users inside the app the next time they open it after the change.
- For changes that broaden processing (which we do not anticipate), we will give 30 days' advance notice and, where required, request fresh consent.
13. Contact
- Privacy questions, rights requests, or breach reports: [email protected]
- Legal notices: [email protected]
- Postal address: [INSERT MAILING ADDRESS]
If you do not receive a response within 30 days, you may escalate to your data protection authority. See section 8 for the relevant authority in your jurisdiction.