Privacy Policy

1. Who we are

This Privacy Policy explains how iffapp ("iffapp," "we," "us," or "our") collects, uses, shares, and protects personal information when you use the iffapp website at https://iffapp.com and the iffapp mobile app for iOS and Android (together, the "Service").

iffapp is operated as a personal project based in Portland, Oregon, United States. If you have any questions about this policy or your data, contact us at support@iffapp.com.

2. Information we collect

We only collect information that is necessary to provide the Service. Specifically:

2.1 Account information

When you create an account, our authentication provider Clerk collects and stores:

• Your email address
• Your name (if you provide one)
• A hashed password (if you sign up with email/password)
• A unique user identifier and session tokens
• Basic device and browser metadata associated with your sessions

2.2 Google account information (optional)

If you choose "Sign in with Google," Google shares your email address, name, and profile image with Clerk and iffapp solely to create and sign in to your account. We do not receive or store your Google password.

2.3 Apple account information (optional)

If you choose "Sign in with Apple," Apple shares a unique Apple user identifier with Clerk and iffapp, and may share your name and email address based on the choices you make at sign-in. If you elect Apple's "Hide My Email" option, Apple provides a private relay email address instead of your real one, and any messages we send to that address are forwarded by Apple. We do not receive or store your Apple ID password.

2.4 Content you create

We store the lists, tasks, and related content you create in the Service. This data is stored in our managed Postgres database hosted by Neon.

2.5 Payment information

If you make a purchase, payment is processed by Stripe. Stripe collects your card number, expiration date, CVC, and billing details directly. iffapp never sees or stores your full card number; we only receive a Stripe customer identifier and non-sensitive metadata (amount, last four digits, status).

2.6 Performance and analytics

We use Vercel Speed Insights to measure aggregated, anonymous page performance (such as load times and Core Web Vitals). This data does not identify you personally.

2.7 Mobile device information

On iOS and Android, the iffapp mobile app stores your Clerk authentication token in the device's encrypted keychain (via Expo SecureStore). We do not access your contacts, photos, location, microphone, or camera.

3. How we use your information

• To create and manage your account and authenticate you
• To provide and operate the Service (for example, storing and displaying the lists you create)
• To process payments you authorize
• To respond to your support requests
• To detect, prevent, and address technical issues, fraud, or abuse
• To improve the Service through aggregated, anonymous performance data
• To comply with legal obligations

We do not sell your personal information, and we do not use your information for advertising or targeted marketing.

4. How we share your information

We share your information only with the service providers ("sub-processors") we rely on to operate the Service, and only to the extent necessary for them to perform their function:

• Clerk - authentication and user management. Clerk Privacy Policy
• Stripe - payment processing. Stripe Privacy Policy
• Neon - managed Postgres database hosting. Neon Privacy Policy
• Vercel - web hosting and Speed Insights analytics. Vercel Privacy Policy
• Google- only if you choose "Sign in with Google." Google Privacy Policy
• Apple- only if you choose "Sign in with Apple." Apple Privacy Policy

We may also disclose information if required by law, subpoena, or valid legal process, or to protect the rights, property, or safety of iffapp, our users, or others.

If iffapp is ever involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will notify you by email or an in-app notice before your information becomes subject to a different privacy policy.

5. Your rights (EEA, UK, and other GDPR regions)

If you are located in the European Economic Area, the United Kingdom, or another region with similar laws, you have the following rights in relation to your personal data:

• Access - request a copy of the personal data we hold about you
• Rectification - correct inaccurate or incomplete data
• Erasure- request deletion of your data ("right to be forgotten")
• Restriction - request that we limit how we process your data
• Portability - receive your data in a machine-readable format
• Objection - object to processing that relies on our legitimate interests
• Withdraw consent - where we rely on your consent, you can withdraw it at any time
• Complaint - lodge a complaint with your local data protection authority

Our legal bases for processing are: performance of a contract (providing the Service), your consent (for optional features like Google or Apple sign-in), our legitimate interests (security and product improvement), and compliance with legal obligations.

To exercise any of these rights, email support@iffapp.com. You can also delete your account at any time from the profile menu in the web or mobile app, which removes your personal data from our systems.

6. Your rights (California - CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

• Right to know - what personal information we collect, use, disclose, and (if applicable) sell
• Right to delete - request deletion of your personal information
• Right to correct - correct inaccurate personal information
• Right to opt out of sale or sharing - iffapp does not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of
• Right to limit use of sensitive personal information - we do not use sensitive personal information for purposes that would trigger this right
• Right to non-discrimination - we will not discriminate against you for exercising any of your rights

To exercise these rights, email support@iffapp.com. We will verify your request by confirming information tied to your account.

7. 🍪 and similar technologies

We use a small number of cookies and similar technologies:

• Essential session cookies set by Clerk to keep you signed in. Without these, the Service cannot function.
• Anonymous performance cookies set by Vercel Speed Insights. These measure page speed without identifying you.

We do not use advertising, marketing, or third-party tracking cookies. Because our cookies are limited to essential and anonymous performance purposes, we do not display a consent banner. You can control cookies through your browser settings; blocking essential cookies will prevent you from signing in.

8. Data retention

We retain your personal information for as long as your account is active or as needed to provide the Service. When you delete your account, we delete your personal information from our primary systems within 30 days. Backups are purged on a rolling basis (typically within 90 days). We may retain a limited subset of information for longer when required by law (for example, payment and tax records held by Stripe).

9. Security

We use industry-standard measures to protect your information, including HTTPS/TLS for all traffic, encrypted storage of authentication tokens on mobile devices, password hashing by Clerk, and encrypted storage and backups by our database and hosting providers. No method of transmission or storage is 100% secure, but we work hard to protect your information and will notify affected users and regulators of any breach as required by law.

10. International data transfers

iffapp is based in the United States, and our sub-processors may process your data in the United States or other countries. When we transfer personal data from the EEA, UK, or Switzerland to countries that have not received an adequacy decision, we rely on Standard Contractual Clauses or equivalent safeguards provided by our sub-processors.

11. Children's privacy

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe that a child under 13 has provided us with personal information, please contact support@iffapp.com and we will delete it. Users between 13 and 16 in some regions may need parental consent under local law; please do not use the Service without the consent of your parent or guardian.

12. Third-party links

The Service may contain links to third-party websites (for example, links to the privacy policies of our sub-processors). We are not responsible for the privacy practices of those sites. We encourage you to review the privacy policies of every site you visit.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will post the updated version on this page and update the "Last updated" date above. If the changes are material, we will provide additional notice (for example, by email or an in-app message).

14. Contact us

If you have questions, concerns, or requests about this Privacy Policy or your personal data, contact us at support@iffapp.com.