Privacy Policy

Last Updated: May 20, 2026

Today I Am ("Today I Am," "we," "us," or "our") respects your privacy. This Privacy Policy explains what personal data we collect when you use the Today I Am mobile app, why we collect it, who we share it with, how long we keep it, and the rights you have over it. It is written to meet the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA). If you do not agree with this policy, please do not use the app.

If you have any questions, or want to exercise any of your rights, contact us at [email protected]. We respond to privacy requests within 30 days (one month).

1. Who we are

Today I Am is a daily affirmations app for iPhone. It is operated by Launchroom (the "controller" of your personal data under GDPR). You can reach us at [email protected]; contact us at that address if you need our postal address for a formal request. If you are in the EEA or UK and we are required to designate a representative, the representative's details are available on request at the same address.

2. The data we collect

You can use Today I Am anonymously, without providing any personal details. If you choose to sign in to back up your data across devices, we collect a small amount of additional information. Categories of data we collect include:

  • Account and profile information (optional): If you choose to sign in, you can do so using Sign in with Apple or Google Sign-In. Where you sign in, we may receive basic profile information such as your name, email address, and a unique user identifier provided by Apple or Google. You can use the app without signing in.
  • App activity and usage events: Things you do inside Today I Am: opening the app, time spent in the app, which affirmations you save or favorite, and which features you interact with. This helps us understand how the app is used and improve it.
  • Subscription status: Whether you have an active Today I Am Pro subscription, which plan, and renewal or expiry, handled through our payments provider RevenueCat. We do not receive or store your card details; Apple and Google handle payment.
  • Crash and diagnostic data: If the app crashes or misbehaves, we receive crash logs and diagnostic information (stack traces, device state, app version) so we can fix it.
  • Device and technical data: Device model, operating system version, app version, language and region setting, and a push notification token. The push token is used to deliver your daily affirmation reminders if you have granted notification permission.
  • Session replay (limited): We use PostHog's session replay to understand how the app's screens are used. Text, text inputs, and images are masked, so the replay shows interaction patterns, not your content. Replay is sampled and may be off entirely depending on our settings.

We do not collect your contacts, precise location, health data, or browsing history. We do not use Apple's App Tracking Transparency identifier (IDFA), and we do not track you across other companies' apps or websites for advertising.

3. A note on photo library access

Today I Am lets you pick photos from your device gallery to use as custom backgrounds for your affirmations. This feature works entirely on-device: image selection and rendering happen inside the app's local sandboxed storage. We do not read your photo library, we do not upload your images to our servers, and we never see your personal photos.

4. Why we use your data, and our lawful basis

Under GDPR we must have a lawful basis for each purpose. Ours are:

  • To provide and personalize the app (Article 6(1)(b), performance of a contract): Authenticating your account if you sign in, keeping your saved or favorited affirmations available across devices, and remembering your settings.
  • To manage your subscription (Article 6(1)(b), contract): Checking whether you have access to Pro features and handling restores and refund requests.
  • Analytics, crash reporting, and product improvement (Article 6(1)(f), legitimate interests): Understanding how the app is used and where it breaks so we can make it better. We have weighed this against your interests; the data is pseudonymous, is not used to make decisions about you, and is not used for advertising. You can object to this at any time (see Section 8).
  • Notifications you have turned on (Article 6(1)(a), consent): Daily affirmation reminders, controlled by the toggles in Settings and by your device permissions. Turn them off there at any time.
  • Legal, safety, and refund handling (Article 6(1)(c) and (f)): Complying with law, handling App Store refund requests (which may involve sharing limited consumption data with Apple), and protecting against fraud and abuse.

5. Who we share data with

We do not sell your personal data and we do not share it with advertisers or data brokers. We use a small number of trusted service providers ("processors") who handle data on our instructions:

  • Google / Firebase (United States): Authentication (for Sign in with Apple and Google Sign-In), analytics, crash reporting (Crashlytics), and remote configuration. Privacy policy: firebase.google.com/support/privacy and policies.google.com/privacy. Sub-processors: cloud.google.com/terms/subprocessors.
  • PostHog (European Union): Product analytics and limited session replay, stored in the EU. Privacy policy: posthog.com/privacy. Sub-processors: posthog.com/subprocessors.
  • RevenueCat (United States): Subscription management. May share limited app-usage information with Apple to help Apple decide on a refund request you make. Privacy policy: revenuecat.com/privacy. Sub-processors: listed in Annex 3 of revenuecat.com/dpa.
  • Apple and Google: As the app stores and payment processors, and (for Apple) for refund decisioning as described above and in our Terms of Use.

We may also disclose data if required by law, to enforce our Terms, or to protect the rights, safety, and property of users or the public.

6. International data transfers

Some of our processors are in the United States (Google/Firebase, RevenueCat), so the data described above is transferred there. PostHog data is stored in the European Union. Where data leaves the EEA or the UK, we rely on appropriate safeguards: the European Commission's Standard Contractual Clauses (with the UK Addendum where relevant) and, where the recipient is certified, the EU-US Data Privacy Framework. We have a Data Processing Agreement (or have accepted the equivalent Data Processing Addendum) in place with each US processor. We can provide our transfer assessment on request at [email protected].

7. How long we keep data

  • On your device: Your preferences, favorited affirmations, and application settings are stored locally. Everything local is removed when you choose "Delete Account" in the app or when you uninstall.
  • After "Delete Account": We erase the personal data we hold about you and stop associating new activity with you.
  • With our processors: Firebase Crashlytics retains crash diagnostics for 90 days. PostHog retains analytics events for 1 year and session recordings for 30 days. RevenueCat retains subscription records for the lifetime of your subscription so restores and refunds keep working. Where we ask processors to delete data on your behalf, we forward the request in line with our agreements with them and follow up where the law requires us to.

8. Your rights

If you are in the EEA or the UK, you have the right to: access the personal data we hold about you; have inaccurate data corrected; have your data erased; restrict or object to processing (including objecting to analytics processing carried out on the basis of our legitimate interests); receive your data in a portable, machine-readable format; and withdraw any consent you have given, without affecting processing already carried out. You also have the right to lodge a complaint with your local data protection supervisory authority.

  • In the app: Use "Delete Account" in Settings to erase your data. Turn notifications off in Settings or in your device settings.
  • By email: Email [email protected] for access, portability, correction, restriction, objection, or deletion. We reply within 30 days. If you have not signed in, we may ask for the pseudonymous app identifier shown in Settings so we can locate the right records.

California residents: you have the right to know what personal information we collect and how we use and disclose it, to request its deletion, and not to be discriminated against for exercising these rights. We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA. Make a request at [email protected].

9. Children

Today I Am is intended for users aged 16 and over (or the minimum age of digital consent in your country, which is between 13 and 16 in the EEA). We do not knowingly collect personal data from children below that age without verified parental consent. If you are a parent or guardian and believe a child has provided us with personal data, contact us at [email protected] and we will delete it.

10. Security

On-device data is stored in the app's sandboxed storage with the operating system's default protection. Data in transit to our processors is encrypted with TLS. No method of storage or transmission is completely secure, but we take reasonable measures to protect your data.

11. Changes to this policy

We will update this policy when our data practices change. Material changes will be noted in the changelog below and reflected by the "Last Updated" date above. Continued use of the app after a change means you accept the updated policy.

12. Contact

Questions, requests, or complaints: [email protected]. Our Terms of Use are available here.

Changelog

  • May 20, 2026: Initial version, published alongside the App Store launch. Covers lawful bases per purpose, international transfer mechanisms, the full list of data-subject rights, the processor list (Firebase, PostHog, RevenueCat), per-processor retention, and a CCPA section.