Privacy Policy

Effective: 2026-04-27 Last updated: 2026-04-27 Last reviewed: 2026-04-27

This is the privacy policy for toody, a mood tracker for iOS made by Lennard Behrends ("we" / "us"). toody is built around a simple promise: your mood data stays yours.

For the standardized Apple disclosure format, see the Privacy section of toody's App Store listing — it summarises the same information in Apple's "privacy nutrition label" format.

the short version

toody runs on your iPhone or iPad.
Your moods, notes, photos, and reflections are stored on your device and, when you are signed into iCloud, synced to your private iCloud database via Apple's CloudKit. toody (the developer) cannot read that database.
toody does not have a server that holds your data. There is nothing for us to sell, leak, or hand over.
HealthKit data (sleep duration, sleep stages, menstrual flow, cycle irregularity signals) is read from Apple Health on-device, only after you grant permission, only to render the charts you see in Insights. HealthKit data is not persisted by toody and not synced to iCloud.
We do not use any analytics SDK, advertising ID, or crash-reporting service. The only counters we keep live in your local app preferences and never leave the device.
We use Cloudflare to host this website (toody.day) and to forward email sent to support@toody.day. v1.0 ships with all features free — there is no in-app subscription, no payment processing, and no third-party receipt-validation processor in this version. When a paid subscription is added in a future version, this policy will be materially updated to describe the receipt-validation processor at that time.

The rest of this page is the long version, written so you can verify the short version is accurate.

who is responsible (controller)

For the purposes of the EU General Data Protection Regulation (GDPR), the data controller for toody is:

Lennard Behrends Etzhorner Weg 25 26125 Oldenburg Germany

Contact: support@toody.day

A formal legal notice (Impressum) under §5 DDG is also published at /impressum.

what toody stores

When you use toody, the following is stored on your device in Apple's SwiftData store inside the app's sandbox, and — when iCloud sync is on — synced to your private CloudKit database in your iCloud account:

Mood entries (the mood, the time, optional activities, optional note, optional photo).
Daily reflections (the structured prompts you answer in the day-detail card).
Month-end reflections (the longer prompts at the end of each month).
Weekly digest snapshots (the summaries Insights uses; these are computed locally from your own entries).

Photos you attach to a mood are stored as files in toody's sandbox via SwiftData's external-storage attribute. When iCloud sync is on, those photos are uploaded to your private CloudKit database as CKAssets. toody does not upload them anywhere else.

What toody does NOT store on its own servers: nothing. We do not operate a backend that receives your entries, your photos, your reflections, or any derived analytics. There is no toody account.

lawful basis for processing (GDPR)

For users in the EU/EEA/UK, the lawful bases under GDPR Article 6 are:

Performing the contract you entered into with us (Art. 6(1)(b)) — storing your mood entries on your device and syncing them to your private iCloud is what the app does; you cannot use the app without this processing.
Your explicit consent (Art. 6(1)(a) and, for HealthKit data, Art. 9(2)(a) for special-category data) — for reading sleep, sleep stages, menstrual flow, and cycle-irregularity samples from Apple Health. iOS itself surfaces this consent prompt when you first open a card that needs the data; you can revoke it any time in iOS Settings. You can also withhold consent without losing the rest of the app.

v1.0 does not rely on legitimate interest (Art. 6(1)(f)) for any processing, because it ships with no subscription pipeline. When a paid subscription is added in a future version, the additional lawful basis for receipt-validation processing will be added here.

HealthKit data is special-category personal data under GDPR Art. 9. We treat it accordingly: it is read only with your explicit consent, only on-device, only at the moment a chart is rendered, and is not persisted, exported, or shared.

iCloud sync

toody uses Apple's CloudKit to keep your data in sync across devices signed into the same iCloud account.

Sync writes to your private CloudKit database. Your data lives in your iCloud account, under your Apple ID. Apple encrypts it in transit and at rest.
toody (the developer) cannot read the contents of your private CloudKit database. We do not have an admin view, an analytics pipeline, or a backup we control. CloudKit's private database is accessible only to the signed-in user.
toody never writes to the public CloudKit database.
If you are not signed into iCloud, toody works fully offline — your data stays on the device only.
You can turn off toody's iCloud sync any time in iOS Settings → [your name] → iCloud → Apps Using iCloud → toody.
Disabling iCloud, signing out of iCloud, or wiping the iCloud copy via Settings → [your name] → iCloud → Manage Account Storage → toody → Delete Data, removes the synced copy. The local copy on each device is unaffected unless you also delete the app there.

HealthKit data is never written to iCloud by toody. Sleep, sleep stages, menstrual cycle samples, and cycle-irregularity signals stay where Apple keeps them — on your device, in Apple Health, under Apple's own protections. The values toody reads from HealthKit are held in memory only long enough to draw the charts you are looking at, and are then discarded. They are never persisted to local storage and never uploaded to CloudKit.

What is synced to your private CloudKit database is your own authored content (moods, notes, photos, reflections, digests you've already seen), not the underlying Apple Health samples.

HealthKit

If you open the Sleep ↔ Mood card or the Cycle ↔ Mood card in Insights, toody asks for permission to read the following from Apple Health:

Sleep duration
Sleep stages
Menstrual flow samples (used for the cycle-phase view)
Cycle irregularity signals (when available)

toody does not write to Apple Health. toody does not transmit Health data anywhere. The reads happen on-device, only when you open a card that needs them, and the values are used to draw charts and surface correlations during that view session.

You can revoke access any time in iOS Settings → Privacy & Security → Health → toody. Revoking access does not affect any other part of the app.

photos

If you attach a photo to a mood entry, toody asks Apple's PHPicker to present a photo chooser. PHPicker is the modern iOS picker that shows your library inside Apple's own UI; toody only ever receives the specific photos you tap to select, not access to your wider library. The selected photo is copied into toody's local storage and, when iCloud sync is on, synced to your private CloudKit database as a CKAsset so the same photo appears on your other signed-in devices. toody does not upload the photo anywhere else.

You can review and adjust toody's photo permission any time in iOS Settings → Privacy & Security → Photos → toody.

notifications

toody can send local reminders (for example, an end-of-day "reflect" nudge) if you grant notification permission. Reminders are scheduled on your device by iOS. We do not send push notifications from a server.

You can disable reminders any time in iOS Settings → Notifications → toody.

subscriptions

toody v1.0 ships with all features free. There is no in-app subscription, no in-app purchase, no payment processing, and no third-party receipt-validation processor in this version of the app. No purchase identifier, App Account Token, or receipt is generated or transmitted while running v1.0.

When a paid subscription is added in a future version, this section will be materially updated to describe:

the receipt-validation processor we use and its role under GDPR Art. 28,
what data is shared with that processor (typically the standard Apple subscription receipt and an App Account Token),
the additional lawful basis under GDPR Art. 6 for that processing,
how subscription state interacts with premium features, and
your EU 14-day right of withdrawal where it applies.

That update will count as a material change under the "changes" section below: a notice will surface inside the app on next launch and the effective date at the top of this page will be refreshed.

diagnostics & telemetry

toody keeps a small number of local-only counters in iOS UserDefaults to help the app behave well — for example, "how many times has the weekly digest been shown" or "did the user interact with this card." The counters store integers and timestamps only. They never leave your device. There is no analytics SDK, no event payload, no user ID.

If iOS shares anonymized crash logs with developers (the system-level opt-in in Settings → Privacy & Security → Analytics & Improvements → Share with App Developers), Apple may pass aggregated, anonymized crash reports through their pipeline. This is an Apple system feature, not something toody implements.

processors and international transfers

Two processors handle limited slices of data on our behalf in v1.0:

Apple (USA / EU) — App Store distribution and CloudKit private- database hosting. Your CloudKit data is governed by your iCloud account, not by us.
Cloudflare, Inc. (USA / global) — hosts toody.day via Cloudflare Pages and routes email sent to support@toody.day to the developer's inbox via Cloudflare Email Routing. Cloudflare may briefly process your IP address and request metadata as a normal part of serving a static website; it does not receive any of your toody app data.

When a paid subscription is added in a future version, a third processor (the receipt-validation provider) will be added here, and this list and the "subscriptions" section above will be updated together.

For data leaving the EU/EEA, transfers rely on the EU–US Data Privacy Framework where applicable, plus EU Standard Contractual Clauses, plus the providers' supplementary technical and organisational measures.

what we do not do

We do not run servers that store your mood data.
We do not sell, rent, or share your data.
We do not use third-party analytics (no Firebase, Mixpanel, Amplitude, Google Analytics, etc.).
We do not use advertising IDs.
We do not include third-party SDKs that read your device for marketing purposes.
We do not perform automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Art. 22). The correlations Insights displays are arithmetic summaries shown back to you; nothing about you is scored, ranked, or shared.

children

toody is not directed at children. Under GDPR Article 8, the default age for valid consent in the EU is 16; in member states that have lowered this (e.g., Germany at 16, others as low as 13), the local age applies. We do not knowingly collect data from children below the applicable age without verifiable parental consent. In the United States, toody is not directed at children under 13 (COPPA). If you believe a child has used toody and you are a parent or guardian, email support@toody.day and we will help.

retention

On your device: your data stays as long as the app is installed and you have not deleted it.
In your iCloud: synced data stays in your private CloudKit database under your Apple ID until you delete it (per the steps in "your rights" below) or close your iCloud account.
Subscription receipts: v1.0 has no subscription pipeline, so no receipts are generated and there is nothing for us or any processor to retain on this basis. When subscriptions launch, retention by Apple and the chosen receipt-validation processor will follow their respective legal/tax obligations and will be described here.
Support email: if you email support@toody.day, the email sits in the developer's email account for as long as it would normally — typically until the issue is resolved and the thread is archived. Email is not encrypted end-to-end; please do not include sensitive health information you would not want sitting in a normal mailbox.

your rights

Because your data lives on your device and in your own iCloud account, you control most of it directly. Under GDPR you also have the following rights with respect to any data we process about you:

Right of access (Art. 15) — Settings → Export in toody produces a JSON file you can save anywhere. For data you believe we hold outside the app (e.g., support correspondence), email support@toody.day.
Right to rectification (Art. 16) — you can edit any entry inside the app at any time.
Right to erasure (Art. 17):
- Delete a single entry inside the app — the deletion syncs to your other signed-in devices via CloudKit.
- Delete the local copy by removing the toody app from a device.
- Delete the iCloud copy: iOS Settings → [your name] → iCloud → Manage Account Storage → toody → Delete Data. Doing this on its own does not remove a local copy still installed on a device.
- There is no toody account to delete server-side, because we do not run a server that holds your data.
Right to restrict processing (Art. 18) — turn off iCloud sync for toody at any time in iOS Settings → [your name] → iCloud → Apps Using iCloud → toody. Your local data stays put; nothing new gets uploaded.
Right to data portability (Art. 20) — the JSON export is designed to be portable.
Right to object (Art. 21) — to processing based on legitimate interest. v1.0 has no processing on this basis. When subscriptions launch, opting out will mean not subscribing.
Right to withdraw consent (Art. 7) — for HealthKit, photos, and notifications, revoke the relevant iOS permission. Withdrawing does not affect lawfulness of processing before withdrawal.
Right to lodge a complaint with a supervisory authority (Art. 77) — if you believe we are mishandling your data. The competent supervisory authority for users in Germany is the data protection authority of the developer's federal state; you may also contact your own local authority.

If you have a specific request — for example, a copy of any correspondence we might hold from a previous support thread — email support@toody.day.

changes

If we update this policy, we will revise the "Last updated" date at the top. For material changes (changes that meaningfully expand what we process, who we share it with, or how long we keep it), we will surface a notice inside the app on next launch and refresh the effective date. Continuing to use the app after the new effective date means you accept the updated policy; if you don't, you can delete the app and, optionally, wipe the iCloud copy as described above.

contact

Questions, requests, or concerns: support@toody.day.

For the legal notice (Impressum) required under §5 DDG, see /impressum.