Privacy Policy
Effective: 2026-04-28; Last updated: 2026-04-28; Last reviewed: 2026-05-14
This is the privacy policy for toody, a mood journal for iOS made by Lennard Behrends ("we" / "us"). toody is built around a simple promise: your mood data stays yours.
For the standardized Apple disclosure format, see the Privacy section of toody's App Store listing — it summarises the same information in Apple's "privacy nutrition label" format.
the short version
- toody runs on your iPhone or iPad.
- Your moods, notes, photos, and reflections are stored on your device and, when you are signed into iCloud, synced to your private iCloud database via Apple's CloudKit. toody (the developer) cannot read that database.
- toody does not have a server that holds your data. There is nothing for us to sell, leak, or hand over.
- HealthKit data (sleep duration, sleep stages, menstrual flow, cycle irregularity signals) is read from Apple Health on-device, only after you grant permission, only to render the charts you see in Insights. HealthKit data is not persisted by toody and not synced to iCloud.
- We do not use any analytics SDK, advertising ID, or crash-reporting service. The only counters we keep live in your local app preferences and never leave the device.
- We use Cloudflare to host this website (toody.day) and to forward email sent to support@toody.day.
- toody offers an optional auto-renewing subscription unlocked through Apple's StoreKit. Billing, receipt issuance, and receipt validation flow through Apple and our subscription-state processor RevenueCat. We do not receive your name, email, address, or payment-card data; only Apple's standard subscription receipt and a pseudonymous App Account Token tied to your subscription.
The rest of this page is the long version, written so you can verify the short version is accurate.
who is responsible (controller)
For the purposes of the EU General Data Protection Regulation (GDPR), the data controller for toody is:
Lennard Behrends, Etzhorner Weg 25, 26125 Oldenburg, Germany
Contact: support@toody.day
A formal legal notice (Impressum) under §5 DDG is also published at /impressum.
what toody stores
When you use toody, the following is stored on your device in Apple's SwiftData store inside the app's sandbox, and — when iCloud sync is on — synced to your private CloudKit database in your iCloud account:
- Mood entries (the mood, the time, optional activities, optional note, optional photo).
- Daily reflections (the structured prompts you answer in the day-detail card).
- Month-end reflections (the longer prompts at the end of each month).
- Weekly digest snapshots (the summaries Insights uses; these are computed locally from your own entries).
Photos you attach to a mood are stored as files in toody's sandbox via SwiftData's external-storage attribute. When iCloud sync is on, those photos are uploaded to your private CloudKit database as CKAssets. toody does not upload them anywhere else.
What toody does NOT store on its own servers: nothing. We do not operate a backend that receives your entries, your photos, your reflections, or any derived analytics. There is no toody account.
lawful basis for processing (GDPR)
For users in the EU/EEA/UK, the lawful bases under GDPR Article 6 are:
- Performing the contract you entered into with us (Art. 6(1)(b)) — storing your mood entries on your device and syncing them to your private iCloud is what the app does; you cannot use the app without this processing.
- Your explicit consent (Art. 6(1)(a) and, for HealthKit data, Art. 9(2)(a) for special-category data) — for reading sleep, sleep stages, menstrual flow, and cycle-irregularity samples from Apple Health. iOS itself surfaces this consent prompt when you first open a card that needs the data; you can revoke it any time in iOS Settings. You can also withhold consent without losing the rest of the app.
For the optional auto-renewing subscription, the lawful basis is performing the subscription contract (Art. 6(1)(b)) for billing and entitlement, and legitimate interest (Art. 6(1)(f)) for fraud prevention and receipt validation through our processor RevenueCat. You can object to legitimate-interest processing under Art. 21 by not subscribing or by cancelling an active subscription.
HealthKit data is special-category personal data under GDPR Art. 9. We treat it accordingly: raw Apple Health samples are read only with your explicit consent, only on-device, only at the moment a chart is rendered, and the samples themselves are never persisted, exported, or shared. The one carve-out: if you are a Pro subscriber and generate a PDF insights report (Settings → Export insights report) for a range where you have granted HealthKit access, the PDF embeds a small derived summary — sleep: median nightly hours + nights observed + the rested-vs-tired mood delta; cycle: per-phase average mood + entry counts. No raw samples and no timestamps leave the device. The PDF is saved only where you send it via the iOS Share Sheet — AirDrop, Mail, Files, etc. — and toody never sees it. If you do not want any HealthKit summary in your export, turn off the Sleep ↔ Mood and Cycle ↔ Mood cards in Settings (Insights cards) before generating the PDF; the report mirrors those toggles exactly.
iCloud sync
toody uses Apple's CloudKit to keep your data in sync across devices signed into the same iCloud account.
- Sync writes to your private CloudKit database. Your data lives in your iCloud account, under your Apple ID. Apple encrypts it in transit and at rest.
- toody (the developer) cannot read the contents of your private CloudKit database. We do not have an admin view, an analytics pipeline, or a backup we control. CloudKit's private database is accessible only to the signed-in user.
- toody never writes to the public CloudKit database.
- If you are not signed into iCloud, toody works fully offline — your data stays on the device only.
- You can turn off toody's iCloud sync any time in iOS Settings → [your name] → iCloud → Apps Using iCloud → toody.
- Disabling iCloud, signing out of iCloud, or wiping the iCloud copy via Settings → [your name] → iCloud → Manage Account Storage → toody → Delete Data, removes the synced copy. The local copy on each device is unaffected unless you also delete the app there.
HealthKit data is never written to iCloud by toody. Sleep, sleep stages, menstrual cycle samples, and cycle-irregularity signals stay where Apple keeps them — on your device, in Apple Health, under Apple's own protections. The values toody reads from HealthKit are held in memory only long enough to draw the charts you are looking at, and are then discarded. They are never persisted to local storage and never uploaded to CloudKit.
What is synced to your private CloudKit database is your own authored content (moods, notes, photos, reflections, digests you've already seen), not the underlying Apple Health samples.
HealthKit
If you open the Sleep ↔ Mood card or the Cycle ↔ Mood card in Insights, toody asks for permission to read the following from Apple Health:
- Sleep duration
- Sleep stages
- Menstrual flow samples (used for the cycle-phase view)
- Cycle irregularity signals (when available)
toody does not write to Apple Health. toody does not transmit Health data anywhere. The reads happen on-device, only when you open a card that needs them, and the values are used to draw charts and surface correlations during that view session.
You can revoke access any time in iOS Settings → Privacy & Security → Health → toody. Revoking access does not affect any other part of the app.
photos
If you attach a photo to a mood entry, toody asks Apple's PHPicker to present a photo chooser. PHPicker is the modern iOS picker that shows your library inside Apple's own UI; toody only ever receives the specific photos you tap to select, not access to your wider library. The selected photo is copied into toody's local storage and, when iCloud sync is on, synced to your private CloudKit database as a CKAsset so the same photo appears on your other signed-in devices. toody does not upload the photo anywhere else.
You can review and adjust toody's photo permission any time in iOS Settings → Privacy & Security → Photos → toody.
notifications
toody can send local reminders (for example, an end-of-day "reflect" nudge) if you grant notification permission. Reminders are scheduled on your device by iOS. We do not send push notifications from a server.
You can disable reminders any time in iOS Settings → Notifications → toody.
subscriptions
toody offers an optional auto-renewing subscription that unlocks premium insights and features. The free tier of toody works without it. Billing runs entirely through Apple's StoreKit under your existing App Store account; we do not see your payment-card data, your billing address, or your Apple ID email.
To resolve subscription state across your devices and to validate receipts, toody uses RevenueCat, Inc. (USA) as a GDPR Art. 28 processor under a Data Processing Addendum. RevenueCat receives:
- Apple's standard subscription receipt (issued by Apple, identifies the product and renewal state, no name or email).
- An App Account Token — a pseudonymous UUID generated on your device, used to keep entitlement consistent across reinstalls. It is not your Apple ID and not derived from any personal identifier.
- Coarse device metadata (platform, app version) for receipt validation.
RevenueCat does not receive your mood entries, notes, photos, reflections, HealthKit values, or anything else from inside the app. We do not pass your name, email address, or precise location to RevenueCat. Their processing terms and security documentation are at https://www.revenuecat.com/privacy and https://www.revenuecat.com/dpa/ .
You can cancel the subscription at any time in iOS Settings → [your name] → Subscriptions → toody. Cancellation takes effect at the end of the current billing period; access to premium features ends then. Refunds are handled by Apple at https://reportaproblem.apple.com/ .
If you are an EU/EEA consumer, you have a 14-day right of withdrawal on a new subscription under the EU Consumer Rights Directive, exercised through Apple's refund flow at the link above. By starting use of premium features immediately on subscribing, you consent to performance beginning before the 14-day period ends; this may limit the refund in line with Apple's policy and applicable consumer law.
diagnostics & telemetry
toody keeps a small number of local-only counters in iOS UserDefaults to help the app behave well — for example, "how many times has the weekly digest been shown" or "did the user interact with this card." The counters store integers and timestamps only. They never leave your device. There is no analytics SDK, no event payload, no user ID.
If iOS shares anonymized crash logs with developers (the system-level opt-in in Settings → Privacy & Security → Analytics & Improvements → Share with App Developers), Apple may pass aggregated, anonymized crash reports through their pipeline. This is an Apple system feature, not something toody implements.
processors and international transfers
Three processors handle limited slices of data on our behalf:
- Apple (USA / EU) — App Store distribution, CloudKit private-database hosting, and StoreKit subscription billing. Your CloudKit data is governed by your iCloud account, not by us. Apple processes your payment data under its own terms.
- Cloudflare, Inc. (USA / global) — hosts toody.day via Cloudflare Pages and routes email sent to support@toody.day to the developer's inbox via Cloudflare Email Routing. Cloudflare may briefly process your IP address and request metadata as a normal part of serving a static website; it does not receive any of your toody app data.
- RevenueCat, Inc. (USA) — receipt validation and subscription entitlement state, used only if you choose to subscribe. Receives the Apple subscription receipt, a pseudonymous App Account Token, and coarse device metadata. Does not receive mood entries, notes, photos, reflections, or HealthKit values. Operates as a GDPR Art. 28 processor under a signed DPA.
For data leaving the EU/EEA, transfers rely on the EU–US Data Privacy Framework where applicable, plus EU Standard Contractual Clauses, plus the providers' supplementary technical and organisational measures.
what we do not do
- We do not run servers that store your mood data.
- We do not sell, rent, or share your data.
- We do not use third-party analytics (no Firebase, Mixpanel, Amplitude, Google Analytics, etc.).
- We do not use advertising IDs.
- We do not include third-party SDKs that read your device for marketing purposes.
- We do not perform automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Art. 22). The correlations Insights displays are arithmetic summaries shown back to you; nothing about you is scored, ranked, or shared.
children
toody is not directed at children. Under GDPR Article 8, the default age for valid consent in the EU is 16; in member states that have lowered this (e.g., Germany at 16, others as low as 13), the local age applies. We do not knowingly collect data from children below the applicable age without verifiable parental consent. In the United States, toody is not directed at children under 13 (COPPA). If you believe a child has used toody and you are a parent or guardian, email support@toody.day and we will help.
retention
- On your device: your data stays as long as the app is installed and you have not deleted it.
- In your iCloud: synced data stays in your private CloudKit database under your Apple ID until you delete it (per the steps in "your rights" below) or close your iCloud account.
- Subscription receipts: if you subscribe, Apple retains the underlying transaction records under their App Store terms and applicable tax law. RevenueCat retains the validated receipt, the App Account Token, and entitlement history under their own retention schedule (see https://www.revenuecat.com/privacy ); we use that state only to keep your premium access in sync across devices. We do not store your subscription receipts on any server we operate.
- Support email: if you email support@toody.day, the email sits in the developer's email account for as long as it would normally — typically until the issue is resolved and the thread is archived. Email is not encrypted end-to-end; please do not include sensitive health information you would not want sitting in a normal mailbox.
your rights
Because your data lives on your device and in your own iCloud account, you control most of it directly. Under GDPR you also have the following rights with respect to any data we process about you:
- Right of access (Art. 15) — Settings → Export in toody produces a JSON file you can save anywhere. For data you believe we hold outside the app (e.g., support correspondence), email support@toody.day.
- Right to rectification (Art. 16) — you can edit any entry inside the app at any time.
- Right to erasure (Art. 17):
  - Delete a single entry inside the app — the deletion syncs to your other signed-in devices via CloudKit.
  - Delete the local copy by removing the toody app from a device.
  - Delete the iCloud copy: iOS Settings → [your name] → iCloud → Manage Account Storage → toody → Delete Data. Doing this on its own does not remove a local copy still installed on a device.
  - There is no toody account to delete server-side, because we do not run a server that holds your data.
- Right to restrict processing (Art. 18) — turn off iCloud sync for toody at any time in iOS Settings → [your name] → iCloud → Apps Using iCloud → toody. Your local data stays put; nothing new gets uploaded.
- Right to data portability (Art. 20) — the JSON export is designed to be portable.
- Right to object (Art. 21) — to processing based on legitimate interest. The only legitimate-interest processing is fraud prevention and receipt validation through RevenueCat for active subscribers; you can object by not subscribing or by cancelling an active subscription.
- Right to withdraw consent (Art. 7) — for HealthKit, photos, and notifications, revoke the relevant iOS permission. Withdrawing does not affect lawfulness of processing before withdrawal.
- Right to lodge a complaint with a supervisory authority (Art. 77) — if you believe we are mishandling your data. The competent supervisory authority for users in Germany is the data protection authority of the developer's federal state; you may also contact your own local authority.
If you have a specific request — for example, a copy of any correspondence we might hold from a previous support thread — email support@toody.day.
changes
If we update this policy, we will revise the "Last updated" date at the top. For material changes (changes that meaningfully expand what we process, who we share it with, or how long we keep it), we will surface a notice inside the app on next launch and refresh the effective date. Continuing to use the app after the new effective date means you accept the updated policy; if you don't, you can delete the app and, optionally, wipe the iCloud copy as described above.
contact
Questions, requests, or concerns: support@toody.day.
For the legal notice (Impressum) required under §5 DDG, see /impressum.