everQUIN

Privacy Policy

App: everQUIN Effective date: _to be set on first public release_ Last updated: 2026-05-26

⚠️ Draft. This document is a starting point written by the engineering team to reflect what the app actually does. Have a privacy lawyer review before publishing, especially if you operate in or serve users in the EU (GDPR), the UK (UK GDPR), California (CCPA/CPRA), or jurisdictions with health-data rules. This template aims for honest, plain-language disclosure consistent with the app's actual behavior.

Plain-language summary

If any of this changes in a future version, we'll update the policy and notify you in-app at least 14 days before the change takes effect.

1. What information the app processes

1a. Information you provide directly

When you complete onboarding and use the app, you may enter:

1b. Information automatically generated

1c. Information we do not collect

1d. Coarse location — only if you opt in

The framework can colour today's nudge with the weather where you are (e.g., "it's a cold morning where you are — start with breath"). This requires the device's coarse location.

2. Where information lives and how it's protected

2a. On-device storage

All data you enter is stored locally on your phone using Hive, in your app's private storage area. iOS and Android keep this storage in a per-app sandbox that other apps cannot read, and the operating system encrypts it at rest using device-level file encryption whenever your phone has a passcode or biometric lock set. This storage is also excluded from iCloud and Google device backups, so your entries do not leave your phone via a backup. (The keys for the optional Ravel pairing feature are held separately in your device's secure keychain — iOS Keychain / Android Keystore.) If you uninstall the app, all data is deleted along with it.

2b. We do not run servers that store your personal data

The everQUIN app does not have user accounts. There is no server we maintain that stores your name, your reflections, your ring members, or any other input. Nothing you type leaves your device unless you explicitly tap "share."

2c. The bundled canon

The 307-verse everQUIN canon ships inside the app as a static read-only file. Loading the canon does not require any network connection. Your reading of any verse is not reported anywhere.

3. When information leaves your device

There are five situations where information leaves your device. All five are user-initiated — either by an explicit tap (share, opt-in) or by a feature you specifically asked to use (Ravel Walk pair-with-partner).

3a. Sharing a verse

When you tap "share" on a verse, your phone's standard share sheet opens. You choose what to send, who to send it to, and which app/channel to use (iMessage, WhatsApp, Mail, etc.). The verse text and the everQUIN attribution are passed to that app/channel. We never see what you shared, who you shared it with, or whether the recipient responded.

We log a local record that you shared a verse (so the Profile dashboard can show your share count). The recipient's name is recorded only if you typed it in or selected it from your ring members; if you used the system share sheet's contact picker, no recipient identifier is logged.

3b. App store reviews and crash reports

If you choose to leave a review on the App Store or Google Play, that review is governed by Apple's or Google's terms — not ours.

If you opt in (when prompted by your phone) to send anonymous crash reports to your platform vendor (Apple App Analytics or Google Play Console), those reports include only crash stack traces and device characteristics. They do not include your reflections, journal entries, or any user-entered data. You can opt out at any time in your phone's settings.

3c. In-app purchases (when shipped)

If a future version of the app offers paid features through in-app purchases, the purchase itself is processed by Apple or Google. We receive a confirmation that you have a valid subscription; we do not receive your payment details, full name, billing address, or other purchase metadata.

3d. Weather context (opt-in)

When you turn on Weather context (Profile → Preferences → Weather context, or via the explainer that appears the first time you tap the location icon on the home header), the app sends your phone's coarse latitude/longitude to two third-party endpoints:

Neither endpoint receives anything else from the app — no name, no journal entries, no ring data. We do not log either request locally beyond the cached snapshot (the city, region, temperature band, and weather code) that drives the home banner. Disabling the feature clears that snapshot. Web users on a build that disables weather entirely will not see this section apply.

3e. Ravel Walk pair-with-partner (when shipped)

If you ever start a Ravel Walk with a partner who uses a separate device — a feature in development at the time of writing — your two devices exchange end-to-end-encrypted messages through a relay we operate (a Cloudflare Worker). The relay sees:

The relay does NOT see message content. Decryption happens only on the two paired devices. Private keys never leave your phone (they live in iOS Keychain / Android Keystore, pinned to the device — they do not migrate via iCloud Keychain or Google encrypted backup). Local-only pass-the-phone walks (the default mode) do not use the relay at all.

4. Permissions the app may request

The app asks for these permissions only when you take an action that requires them. You can decline any permission and the app will degrade gracefully — features that need a permission will explain what's needed and continue to work in a reduced form.

| Permission | When asked | What it enables | Refusable? | |---|---|---|---| | Notifications | After onboarding, when you set a daily reminder time | Lets the app deliver your daily verse / practice reminder at the time you chose | Yes — you can manually open the app daily | | Contacts (read-only) | The first time you use share-to-friend | Lets the system share sheet suggest people from your contacts list. The app itself never reads or stores your contacts. | Yes — you can type recipient names manually | | Photos library (read) | The first time you attach a photo to a marvel | Lets you pick a photo from your library; the app copies the file into its own sandbox. EXIF GPS is ignored; only the capture date is read | Yes — log the marvel without a photo | | Photos library (write-only) | The first time you save a verse share card to your camera roll | Lets you save a generated share-card image | Yes — share via system share sheet instead | | Location (coarse) | Only after you opt in to Weather context inside the app | Lets the framework voice tune today's nudge to the local weather. See §3d for what's sent off-device | Yes — Weather context is off by default; refuse the OS prompt or never opt in | | Local storage | Automatic | Used for Hive encrypted database, no user prompt required on iOS/Android | N/A (required for the app to function) |

Notably absent: microphone, camera, motion, calendar, health data. The app does not need any of these.

5. Children

The app is not directed to children under 13. The app discusses mortality (the temporal timeline), intimate relationships, life experiences including loss, and self-knowledge work — content intended for adults. We do not knowingly collect data from children. If you believe a child under 13 has used the app, contact us and we'll help with deletion.

For users 13–17: parental guidance is recommended for the temporal-timeline and grief-related content (qMARVEL chapters on the Forge, qTENSOR § grief pause, etc.).

6. Your rights

Because all your data is on your device, your rights to access, export, correct, and delete your data are exercised directly through the app:

If you are in the EU, UK, California, or another jurisdiction granting specific privacy rights (right to erasure, right to portability, right to object to processing, etc.), you can exercise them all through the in-app actions above. We do not retain copies on any server.

7. Data retention

Your data is retained on your device until you delete it or uninstall the app. We do not have a copy.

If you opt into a future end-to-end encrypted backup feature (not in v1.0), retention will be governed by terms presented at the time you enable it.

8. AI and machine learning

Future versions of the app may include narrowly-scoped AI features (verse search, pattern recognition over your own journal, daily theme curation). When and if these ship, the following commitments apply:

As of this policy's effective date, no AI or ML features are active in the app.

9. Third-party services in the app

| Service | Purpose | Data received | |---|---|---| | Apple App Store / Google Play | Distribution + crash reports (opt-in) | Crash stack traces if you opt in; never your user-entered content | | Your phone's share sheet | Routing your "share" actions | Whatever you choose to share, to whoever you select | | Google Fonts (Cormorant Garamond, Inter) | Typography | On mobile: fetched from fonts.googleapis.com on first launch and cached in app storage; no other data is sent. On web: fetched at page load from fonts.googleapis.com. Standard browser caching applies. (A future build will bundle these fonts as static assets so no font fetch happens at runtime.) | | Open-Meteo (api.open-meteo.com) | Weather forecast for the home banner — only if you opt in to Weather context | Latitude / longitude (one snapshot per refresh, no API key, no account) | | BigDataCloud (api.bigdatacloud.net) | Reverse-geocode the coordinates into a city / region label — only if you opt in to Weather context | Latitude / longitude | | Cloudflare Workers (*.workers.dev) — only when you start a multi-device Ravel Walk | Relay end-to-end-encrypted messages between you and a paired partner. Feature is in development at the time of writing — local pass-the-phone mode does not use the relay. | Opaque pair identifier, sender label, encrypted ciphertext + timestamp, public keys. The relay cannot decrypt any message content. |

That's the complete list. We do not use Google Analytics, Mixpanel, Segment, Amplitude, Firebase Analytics, Sentry, Bugsnag, AppsFlyer, Branch, Adjust, or any other third-party SDK that collects user behavior data.

10. International users

The app is local-first. There is no server-side processing, so there is no cross-border data transfer to disclose. Your data lives in the jurisdiction your phone (or, on the web build, your browser) is in. If you uninstall the mobile app, your data is deleted in that same jurisdiction; on the web, the equivalent action is "Delete all data" in-app or clearing site data in your browser. See §14 for what's specific to the web build.

11. Changes to this policy

If we change this policy, we will:

1. Update the "Last updated" date at the top. 2. Display an in-app notice the next time you open the app (a banner you must dismiss to continue). 3. For material changes (e.g., adding any third-party data-sharing or AI feature that sends data off-device), provide at least 14 days' advance notice before the change takes effect.

The current version of this policy is published at https://everquin.com/privacy.html. Prior versions are kept on file and available on request to privacy@everquin.com.

12. Contact

For privacy questions, data deletion help, or to report a concern:

We commit to responding to legitimate privacy inquiries within 30 days.

13. Crisis disclosure

The everQUIN framework discusses topics that can surface difficult feelings — mortality, grief, isolation, relationship loss, identity work. The app is not a substitute for professional mental-health care.

If you are in crisis or considering harming yourself, please contact a qualified provider or a crisis service:

We do not have crisis-detection or crisis-routing built into the app. The app does not collect content that would let us detect crisis. If you write something concerning in your journal, only you will see it.

14. Web build — what's different from the mobile app

everQUIN runs in two places: the iOS / Android app (the primary surface) and a web build at everquin.com/app/ that is convenient for trying the framework before installing. The web build is built from the same Flutter source, but the browser environment limits what some features can do. We disclose those limits here so the policy isn't quietly inaccurate when you use the web version.

| Topic | Mobile app | Web build | |---|---|---| | Local storage | Hive, in the app's private OS sandbox. Encrypted at rest by the device's file-level encryption when a passcode/biometric lock is set; excluded from iCloud / Google backups. | Hive on top of the browser's IndexedDB. Not encrypted — the browser does not expose an encrypted storage primitive equivalent to Keychain/Keystore. | | Erasure | "Delete all data" wipes the local database. Uninstalling does the same. | "Delete all data" wipes the local database. Uninstalling does not apply; you can also clear site data in your browser to remove anything that might remain. | | Daily reminder notifications | Scheduled locally on your device. | Not available. The web build does not deliver reminders; you visit the page when you want to. | | Sharing | System share sheet handles text and image cards. | Browser Web Share API handles text. Image-format share cards (verse cards, EKG, ring map) are not produced on the web; the share is text-only. | | Saving share-card images to your camera roll | Available on iOS / Android. | Not available — browsers do not have a "save to photo library" permission. | | Contacts suggestions in the share sheet | Optional; the system share sheet can suggest contacts. | Not available — browsers have no contacts API. | | In-app purchase / Patron | Apple or Google handles billing. | Not available — in_app_purchase is iOS / Android only. To support everQUIN as a Patron, install the app on your phone. | | Google Fonts | See §9. | Loaded from fonts.googleapis.com at page load (standard browser caching applies). No other data is sent. |

Everything in §1–§11 above (no accounts, no telemetry, no third-party AI, no data sent to our servers, no sale of data) applies to both runtimes equally. The web build does not collect anything the mobile app doesn't.

If you would like the encrypted-storage and notifications experience, install the mobile app. The web build is intentionally a read-and-practice surface that works without permissions.

15. App store privacy summaries

For app store privacy nutrition labels, the following summaries describe what we collect:

Apple Privacy Nutrition Label (App Store Connect):

Google Play Data Safety form:

If a future feature ever changes this, the labels will be updated before the feature ships.

Honest about uncertainty

This policy is written to reflect the app's actual technical behavior. We have made our best effort to be precise. If you spot something that contradicts how the app actually works, please tell us at the contact above — we will correct the policy or the app, whichever is wrong.