Legal
Privacy Policy
Last updated 7 May 2026 · Version 1.0
Contents
- 1. Who we are
- 2. The short version
- 3. What we collect, why, and on what lawful basis
- 4. The AI craving coach (Volt)
- 5. Who we share data with (subprocessors)
- 6. International transfers
- 7. How long we keep things (retention)
- 8. Your rights
- 9. Children
- 10. Security
- 11. Changes to this policy
- 12. Cookies and similar technologies (website)
- 13. California residents — your CCPA / CPRA rights
- 14. Contact
- Change log
DRAFT NOTICE FOR THE QUITR TEAM: This is a comprehensive draft engineered to satisfy UK GDPR / EU GDPR Article 13, the UK Data Protection Act 2018, and California’s CCPA / CPRA. It must be reviewed by a UK-qualified solicitor before publication. Pay particular attention to: (a) the controller details in §1; (b) the lawful-basis table in §3; (c) the international-transfers section in §6; (d) the retention schedule in §7. After review, delete this notice.
1. Who we are
This Privacy Policy describes how Quitr Ltd. (“we”, “us”, “Unwired”) collects, uses, shares, and protects your personal information when you use the Unwired iOS app and the website at getunwired.app (together, the “Services”).
- Data controller: Quitr Ltd., a company registered in England and Wales.
- Registered office: [Insert registered office address before publishing].
- Company number: [Insert Companies House number before publishing].
- Privacy contact: support@getunwired.app
- Postal correspondence: mark “FAO Privacy” at the registered office.
If you are in the United Kingdom or European Economic Area, Quitr Ltd. is the data controller of your personal information for the purposes of UK GDPR and EU GDPR. If you are in California, Quitr Ltd. is the “business” for the purposes of CCPA / CPRA.
2. The short version
Unwired is engineered to be on-device by default.
- Your streak, journal, lessons-read state, and chat history with Volt stay on your iPhone. We don’t have a copy.
- When you send a message to Volt (the AI craving coach), the message is sent to our server and forwarded to a third-party AI model. It is not retained server-side beyond the response.
- Your purchase status (which subscription you have, when it renews) is held by RevenueCat and Apple. We see only an anonymous identifier and the entitlement state.
- We do not sell your personal information, ever. We do not run third-party advertising on the app or this website.
- If you grant App Tracking permission on iOS, anonymous event data (e.g. “trial started”, “purchase completed”) is sent to TikTok and Mixpanel for marketing measurement. No personal data — no name, email, phone, or address — is sent. If you decline, none of this happens.
- You can delete your data at any time from Settings → Account → Delete account in the app.
The full text follows. We’ve tried to keep it specific and free of jargon. Where a defined legal term is unavoidable we explain it in plain English.
3. What we collect, why, and on what lawful basis
The table below lists every category of personal information the Services collect, the purpose for which we use it, and the lawful basis under UK GDPR / EU GDPR. For California residents, the equivalent CCPA / CPRA disclosures appear in §13.
| Category | Examples | Purpose | UK / EU lawful basis |
|---|---|---|---|
| Onboarding answers | years drinking, cans per day, primary brand, triggers, symptoms, goal, signed pledge name | Personalise the app’s numbers (savings counter, damage score) and paywall headline | Performance of contract (UK GDPR Art. 6(1)(b)) — we cannot deliver a personalised quit programme without these answers |
| Streak & usage data (on-device) | streak start time, cravings logged, relapses, lessons read, journal entries, chat with Volt | Deliver the core app function | Performance of contract |
| Purchase records | RevenueCat anonymous user ID, product purchased, subscription status, renewal events | Unlock Pro features; manage subscriptions; receive renewal callbacks | Performance of contract |
| Sign in with Apple identifier (only if you sign in) | the opaque Apple-issued user identifier; optionally email and name only if you choose to share them | Identify you across reinstalls; enable cross-device sync (future) | Performance of contract |
| Volt chat content (in-flight only) | your typed message, recent message history, current streak hour, current lesson day, list of recent craving triggers | Generate an AI response | Performance of contract |
| Crash and error diagnostics | device model, iOS version, anonymous installation ID, stack traces (no chat content, no personal data) | Detect and fix bugs | Legitimate interests (UK GDPR Art. 6(1)(f)) — keeping the app functional |
| Marketing measurement events (only with ATT consent) | event names (“trial_started”, “purchase_completed”, “streak_milestone”), event timestamps, anonymous user identifier, plan price + currency for purchase events | Measure which paid ad campaigns convert and at what cost | Consent (UK GDPR Art. 6(1)(a)), specifically opt-in via Apple’s App Tracking Transparency prompt — you can withdraw at any time in iOS Settings |
| Web analytics (website only) | aggregated, cookieless page views, referrers, country (city-level not collected) via [Plausible Analytics / Cloudflare Web Analytics — confirm before publishing] | Understand which pages people read | Legitimate interests — no individual is identifiable |
We do not collect any of the following: precise location, photos, contacts, microphone, camera, HealthKit data, browsing history outside our app, financial information beyond a purchase confirmation, biometric data, race or ethnicity, religion, sexual orientation, political opinions, trade-union membership, or genetic data.
4. The AI craving coach (Volt)
Volt is powered by a third-party large language model (“Gemini”) provided by Google LLC. When you send a message to Volt:
- On-device safety check: the message is scanned locally on your iPhone for self-harm or crisis language. If a match is found, the message is not sent to any server — we display crisis resources to you instead.
- Server processing: if the message passes the safety check, it is sent over HTTPS to our Cloudflare Worker, which forwards it (along with your recent message history and a small context payload) to Google’s Gemini API for a response.
- No retention: neither our Worker nor Google retains the message content beyond producing the response. The chat transcript is stored only on your iPhone and visible only to you.
Volt does not provide medical, psychological, legal, or financial advice. Its responses are generated probabilistically and may be wrong, misleading, or out of context. Treat them as suggestions, not as professional guidance. If you are in distress or considering self-harm, please contact:
- United States: 988 (Suicide and Crisis Lifeline) — call or text
- United Kingdom: Samaritans 116 123 — free, 24/7
5. Who we share data with (subprocessors)
We use a small number of trusted third parties to operate Unwired. We have data-processing agreements in place with each of them, and they are permitted to process your data only for the purposes listed below.
| Subprocessor | Located in | What they process | Why |
|---|---|---|---|
| Apple Inc. | United States | App Store transactions, Sign in with Apple identifier, push notification delivery | Distributing the app, processing payments, enabling sign-in |
| RevenueCat, Inc. | United States | Anonymous user ID, purchase events, subscription state | Managing subscriptions across the App Store and our backend |
| Cloudflare, Inc. | Global edge | Volt chat requests in transit (transient), website hosting | Edge compute, DDoS protection, hosting |
| Google LLC | United States | Volt message text in transit (transient, not retained for model training under our agreement) | Generating Volt responses via the Gemini API |
| TikTok Pte. Ltd. | Singapore (with US sub-processors) | Anonymous event names + values, hashed user ID — only if you grant App Tracking permission | Measuring paid ad campaign performance |
| Mixpanel, Inc. | United States | Anonymous event names + properties, anonymous distinct ID — only if you grant App Tracking permission | Product analytics |
| Functional Software, Inc. (“Sentry”) | United States | Anonymous crash reports | Detecting and fixing bugs |
| Supabase, Inc. | United States (region: us-east-1 by default) | Reserved for v1.1 — not currently in use. Will hold community posts and aggregate analytics if and when community ships. | Reserved |
We do not share data with any party not listed here. We do not sell or rent your personal information to anyone.
If we add or remove a subprocessor, we will update this list and post a notice on getunwired.app/privacy at least 30 days before the change takes effect for material changes.
6. International transfers
Most of our subprocessors are based in the United States. Where personal information of UK / EEA users is transferred outside the UK / EEA, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs) — the European Commission’s 2021 SCCs (and the UK Information Commissioner’s Office’s UK Addendum where required) are in place with each subprocessor that requires them.
- EU–US Data Privacy Framework / UK extension — where the receiving organisation is certified, we rely on the Framework as an additional safeguard.
- Supplementary measures — TLS in transit (TLS 1.2 or higher), encryption at rest, access controls, contractual restrictions on government-access requests.
You can request a copy of the SCCs in force for any subprocessor by emailing support@getunwired.app.
7. How long we keep things (retention)
| Category | Where | Retention |
|---|---|---|
| Onboarding answers, streak data, journal, lessons-read, chat with Volt | Your iPhone (SwiftData) | Until you delete the app or use Settings → Account → Delete account. We have no copy. |
| Sign in with Apple identifier | Your iPhone (Keychain); RevenueCat (anonymous mapping) | Until you delete your account. We retain a hashed RevenueCat ID for accounting purposes for 7 years (HMRC requirement). |
| Purchase records | Apple, RevenueCat | Apple’s retention is governed by Apple. RevenueCat retains for 7 years for tax / accounting compliance. |
| Volt message content | Your iPhone (SwiftData), and transient at Cloudflare + Google | Server: not retained beyond producing the response. Device: until you delete the conversation in-app. |
| Crash diagnostics | Sentry | 90 days, then deleted. |
| Marketing events (with ATT consent) | TikTok, Mixpanel | TikTok: 180 days for attribution windows. Mixpanel: 24 months for product analytics, then anonymised. |
| Web analytics | Plausible / Cloudflare Web Analytics | Plausible: 24 months aggregated. Cloudflare Web Analytics: 6 months aggregated. |
| Email correspondence | Google Workspace | 3 years from your last message, then deleted. |
When a retention period ends, the data is deleted or fully anonymised so it can no longer be linked to you.
8. Your rights
Under UK GDPR and EU GDPR, you have the following rights regarding your personal information. For California residents, equivalent rights are described in §13.
- Access (Art. 15): ask for a copy of the personal information we hold about you.
- Rectification (Art. 16): ask us to correct anything that’s wrong.
- Erasure / “right to be forgotten” (Art. 17): ask us to delete personal information we hold. The fastest way to exercise this is Settings → Account → Delete account in the app, which wipes everything we have access to in seconds.
- Restriction (Art. 18): ask us to pause processing while we investigate a concern.
- Portability (Art. 20): receive your data in a machine-readable format you can take to another service.
- Objection (Art. 21): object to any processing we do on the basis of legitimate interests (this would mean us deleting that data, since we have no other lawful basis for it).
- Withdraw consent (Art. 7): if you previously granted App Tracking consent and have changed your mind, toggle it off in iOS Settings → Unwired → Tracking. Marketing-measurement events stop immediately.
- Complain to a supervisory authority (Art. 77): if you’re unhappy with how we’ve handled your data, you can complain to the UK Information Commissioner’s Office (ICO) at https://ico.org.uk or to the data-protection authority in your EEA country of residence. We’d appreciate the chance to address concerns first by email at support@getunwired.app.
To exercise any of these rights, email support@getunwired.app from the email address associated with your Apple ID where possible. We will acknowledge within one month and respond within one month of acknowledgement (extendable by two further months for complex requests, with notice). There is no fee unless requests are manifestly unfounded or excessive.
We may need to verify your identity before fulfilling a request — typically by asking you to confirm details only the account holder would know.
9. Children
Unwired is rated 17+ in the App Store and is not intended for anyone under 16. We do not knowingly collect personal information from anyone under 16. If you believe a person under 16 has provided us with personal information, contact support@getunwired.app and we will delete it without undue delay.
The App Store age gate is the primary control. We do not separately verify age in-app.
10. Security
We protect your information with the technical and organisational measures appropriate to its sensitivity:
- In transit: TLS 1.2 or higher between every device, server, and subprocessor.
- At rest on the server: encrypted volumes; no plaintext sensitive data.
- At rest on your iPhone: iOS Data Protection (NSFileProtectionComplete equivalent for SwiftData stores), Apple Keychain for the Sign in with Apple identifier.
- Access: principle of least privilege; only employees and contractors who genuinely need access have it; multi-factor authentication required.
- Incident response: in the event of a personal-data breach, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of it, as required by UK GDPR Article 33–34.
No system is perfectly secure. If we become aware that your data has been compromised, we will tell you what happened, what we’re doing about it, and what you should do.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we do:
- We will update the “Last updated” date at the top.
- For material changes (new categories of data, new lawful bases, new subprocessors handling sensitive data, changes to your rights), we will give you at least 30 days’ notice via in-app notification before the changes take effect.
- For minor changes (clarifications, fixed typos, contact-detail updates), we will simply update the page.
A history of changes is maintained at the bottom of this document. The current version is identified by a version number (1.0 at first publication).
12. Cookies and similar technologies (website)
The Unwired iOS app does not use cookies. The website at getunwired.app uses:
- Essential cookies: none for v1.0 (we have no login, no cart, no session-based features).
- Analytics: [Plausible / Cloudflare Web Analytics — confirm and update]. This tool is cookieless and does not identify you. No banner is required under UK PECR / EU ePrivacy Directive because no cookies are set.
If we ever introduce a cookie that requires consent, we will display a compliant banner before setting it.
13. California residents — your CCPA / CPRA rights
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you these rights:
- Right to know: what categories of personal information we have collected, the sources, the purpose, and the categories of third parties we share with. The information in §3 and §5 of this policy is your CCPA disclosure.
- Right to delete: request that we delete personal information we have collected from you. Settings → Account → Delete account is the fastest route.
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of sale or sharing: we do not sell or share personal information as those terms are defined in CCPA / CPRA. We do not need to provide a “Do Not Sell or Share My Personal Information” link, but if our practices change we will add one.
- Right to limit use of sensitive personal information: we do not collect “sensitive personal information” as defined by CPRA.
- Right to non-discrimination: we will not discriminate against you for exercising any of these rights.
To exercise any of these rights, email support@getunwired.app. You may use an authorised agent. We will verify your identity before responding.
We have not sold personal information in the preceding 12 months. We have not shared personal information for cross-context behavioural advertising in the preceding 12 months.
14. Contact
- Email: support@getunwired.app (put “Privacy” in the subject line for data-subject requests so we can route them correctly)
- Postal: Quitr Ltd., [registered office address], United Kingdom
- UK supervisory authority: Information Commissioner’s Office, https://ico.org.uk, +44 0303 123 1113
Change log
| Version | Date | Changes |
|---|---|---|
| 1.0 | 7 May 2026 | Initial publication. |