Privacy Policy
Last updated: February 18, 2026
LockedIn ("we", "our", or "us") is committed to protecting your privacy and securing your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Service"). Please read this Privacy Policy carefully. By using the Service, you consent to the data practices described in this policy.
1. Information We Collect
We collect information that you provide directly to us when you:
- Create an account using Google or Apple sign-in, or use guest mode
- Create and track habits across three categories: track, avoid, and observe
- Log daily habit entries using toggles, counters, currency, or measurement values
- Set goals and monitor progress
- Use the AI-powered Coach for personalized guidance
- Write journal entries
- Create and manage to-do items and events
- Provide personal background information for AI personalization
- Use Quick Add via text, voice, or image input
2. Types of Data Collected
Account Information: When you sign in, we receive your name, email address, and profile information from your authentication provider (Google or Apple). We do not store your authentication provider password. In guest mode, a temporary anonymous account is created with no personal identifiers.
Habit Data: We store the habits you create, including names, categories (track, avoid, observe), icons, input types, and daily entries. This data is essential to provide the core functionality of the app.
Journal Entries: Your journal entries are stored securely and are only used to personalize AI Coach responses if you choose to use that feature. Journal content is never shared with other users or used for advertising.
Background Information: If you voluntarily provide personal background details (such as goals, interests, or lifestyle information), this data is used exclusively to personalize AI-powered guidance within the app.
Activity Log: We maintain a log of changes to your habits, entries, and to-do items to provide you with an activity history and enable data consistency.
Quick Add Input: Text, voice transcriptions, and images submitted through Quick Add are processed to match activities to your tracked habits. Image data may be sent to third-party AI services for processing and is not retained after processing is complete.
Device and Usage Data: We may collect non-personally-identifiable information about how you use the app, including features accessed, interaction patterns, and error reports, solely to improve our services.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Personalize your experience and AI Coach recommendations
- Generate and deliver optional weekly email summaries of your habit progress
- Send you technical notices and support messages
- Respond to your comments and questions
- Analyze anonymized usage patterns to improve the app
- Detect, prevent, and address technical issues and security threats
4. What We Do NOT Do With Your Data
We want to be clear about what we will never do:
- We do not sell your personal data to any third party, under any circumstances
- We do not share your data with advertisers or use it for targeted advertising
- We do not use your data for profiling beyond providing the app's stated functionality
- We do not share your habit data, journal entries, or personal information with other users of the Service
- We do not retain your data after account deletion except as required by law
- We do not use your data to train AI models. Data sent to third-party AI providers is used only for generating immediate responses and is subject to their data processing policies
5. Data Storage and Security
5.1 Storage
Your data is stored in a PostgreSQL database hosted on secure, professionally managed infrastructure. Access to production databases is restricted to authorized personnel only.
5.2 Security Measures
We implement multiple layers of technical and organizational measures to protect your personal information. For a detailed overview, visit our Security page.
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security)
- Secure Authentication: We use OAuth 2.0 through trusted providers (Google, Apple) rather than storing passwords. We never see or store your authentication provider password
- Cryptographic Auth Tokens: Authentication tokens are cryptographically generated 64-character random strings, not guessable identifiers. On mobile devices, tokens are encrypted using the device's secure keychain. Tokens automatically expire after 90 days, and expired tokens are cleaned up regularly
- Rate Limiting: API endpoints are protected by tiered rate limiting to prevent brute-force and denial-of-service attacks. Authentication endpoints have stricter limits than general API routes
- Security Headers: We deploy comprehensive HTTP security headers to protect against cross-site scripting (XSS), clickjacking, MIME sniffing, and other common web attacks
- Session Security: User sessions are managed with HTTP-only, secure, same-site cookies that are inaccessible to client-side scripts, protecting against cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks
- Input Validation: All user input is validated and sanitized using schema validation to prevent injection attacks. Strict size limits are enforced on all inputs
- Response Sanitization: API responses are sanitized to strip internal identifiers and sensitive metadata, ensuring that only the data you need is ever exposed
- Access Controls: All API endpoints require authentication, and users can only access their own data. Strict server-side authorization checks prevent unauthorized access to other users' information
- CORS Protection: Cross-origin resource sharing is restricted to authorized domains only, preventing unauthorized websites from making requests to our API
- Minimal Data Collection: We only collect data necessary to provide the Service's functionality
5.3 Data Breach Notification
In the event of a data breach that compromises the security, confidentiality, or integrity of your personal data, we will:
- Notify affected users within 72 hours of becoming aware of the breach, as required by GDPR and consistent with best practices
- Provide a clear description of the nature of the breach, the types of data affected, and the approximate number of users impacted
- Describe the measures we have taken or propose to take to address the breach, including steps to mitigate any potential harm
- Notify relevant supervisory authorities where required by applicable law
- Provide guidance on steps you can take to protect yourself, if applicable
Notification will be sent via the email address associated with your account. If we do not have a valid email address on file (e.g., guest accounts), we will post a prominent notice within the app.
5.4 Security Limitations
While we strive to use commercially acceptable means to protect your personal data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to following industry best practices and addressing any security issues promptly.
6. Cookies
We use a minimal number of cookies strictly necessary to operate the Service. We do not use cookies for advertising, analytics, or tracking purposes.
6.1 Cookies We Use
- Session Cookie: A single session cookie is set when you log in to maintain your authenticated session. This cookie contains a randomly generated session identifier — it does not contain your personal data, password, or any identifying information. It is configured with the following protections:
  - HttpOnly: The cookie cannot be accessed by JavaScript running in your browser, protecting against cross-site scripting (XSS) attacks
  - Secure: In production, the cookie is only transmitted over encrypted HTTPS connections
  - SameSite (Lax): The cookie is not sent with cross-site requests, protecting against cross-site request forgery (CSRF) attacks
6.2 Cookie Retention
The session cookie expires after 30 days of inactivity. When you log out, the session cookie is immediately invalidated and deleted. You can also clear cookies at any time through your browser or device settings, which will end your session and require you to log in again.
6.3 No Third-Party Cookies
We do not set or allow any third-party cookies. No advertising networks, analytics services, or social media trackers place cookies through our Service.
7. On-Device Storage
To provide offline functionality and a responsive user experience, the app stores certain data locally on your device:
- Cached Data: Your habits, entries, goals, to-do items, events, and other app data may be cached locally so you can use the app without an internet connection. This data is synchronized with our servers when connectivity is available
- Authentication Tokens: A cryptographically secure token is stored on your device to keep you logged in between sessions. On mobile devices, this token is encrypted using the device's secure keychain (Secure Store). Tokens expire automatically after 90 days
- User Preferences: Settings such as your theme preference and display options are stored locally for immediate access
Data stored on your device is protected by your device's own security features (passcode, biometric lock, encryption). You are responsible for securing your device. If your device is lost, stolen, or accessed by an unauthorized person, locally stored app data could be accessible. We recommend:
- Using a strong passcode or biometric lock on your device
- Keeping your device's operating system up to date
- Logging out of the app if you share your device with others
Uninstalling the app will remove all locally stored data from your device.
8. Weekly Email Summaries
If you have an account with a verified email address and have opted in, we may send you weekly email summaries of your habit tracking progress. These summaries contain personalized content based on your habits, goals, and journal entries. You can manage your email preferences at any time in the app's settings, including disabling all email communications.
9. Third-Party Services
We use the following third-party services to operate the Service:
- Authentication Providers (Google, Apple): For secure account sign-in. We receive only basic profile information (name, email) and never your provider password. Subject to Google's Privacy Policy and Apple's Privacy Policy.
- Replit AI Integrations: AI requests from the Service are routed through Replit's managed AI infrastructure, which acts as a secure proxy to OpenAI's API. This means your data passes through Replit's servers before reaching OpenAI. Replit's handling of this data is subject to Replit's Privacy Policy.
- OpenAI: To power the AI Coach and Quick Add features. Data sent to OpenAI is processed according to OpenAI's Privacy Policy. We use the API (not the consumer ChatGPT product), and OpenAI states that API data is not used to train their models by default. We do not opt in to having your data used for model training.
- Mailgun: To deliver optional weekly email summaries. Only your email address is shared with Mailgun, subject to Mailgun's Privacy Policy.
We carefully select third-party providers and only share the minimum data necessary for them to perform their services.
10. AI Features and Your Data
Our AI-powered features (AI Coach and Quick Add) require sending some of your data to external AI services to generate responses. We believe in full transparency about exactly what data is shared and how it is handled.
10.1 Data Sent to AI Services
When you use the AI Coach ("My Corner"), the following data is included in your request to provide personalized advice:
- Your profile information (name, date of birth, gender)
- Your personal background information (if you have provided it)
- Your habit names, categories, and recent performance averages (up to 90 days)
- Your goals and progress toward them
- Your recent journal entries (up to 30 days)
- Your pending to-do items and upcoming events (including due dates and times)
- Your current date, time, and timezone
- Your full conversation history with the AI Coach for that conversation
When you use Quick Add, the following data is sent:
- The text description you type or dictate
- Any image you submit (e.g., a photo of food or a nutrition label)
- Your list of tracked habits (names, types, and categories)
- Your country (if provided, to help interpret local foods and products)
- The selected category context (e.g., "activity" or "nutrition")
When you use voice input, your audio recording is sent to OpenAI's transcription service to convert speech to text. The resulting text is then processed as described above.
10.2 How AI Data is Processed
- All AI requests are made server-side (from our servers, not directly from your device), over encrypted connections
- Data is sent to AI services only when you actively use an AI feature (tap the Coach, use Quick Add, or send a voice message). Your data is never sent to AI services in the background or without your action
- AI services process your data to generate an immediate response and do not retain your data for training purposes. OpenAI's API data retention policy states that API inputs and outputs are retained for up to 30 days for abuse monitoring, after which they are deleted
- We do not opt in to any programs that would allow AI providers to use your data for model improvement or training
- Images submitted through Quick Add are sent to the AI service for analysis and are not stored on our servers after processing is complete
10.3 Your Control Over AI Data Sharing
- Using AI features is entirely optional. You can use all habit tracking, journaling, to-do, and event features without ever interacting with the AI Coach or Quick Add
- If you choose not to use AI features, none of your data is sent to AI services
- You can delete AI conversations at any time, which removes them from our database. Note that data already processed by AI providers is subject to their retention policies
- The personal background information you provide is optional and is only used for AI personalization. You can clear it at any time in your profile settings
10.4 Limitations and Transparency
While we take reasonable measures to protect your data when using AI features, please be aware of the following:
- Once data is transmitted to third-party AI providers, it is subject to their privacy policies and data handling practices, which are outside our direct control
- AI-generated responses may occasionally reflect or reference your personal data in ways that are unexpected. Do not share your screen or AI conversations with others if you are concerned about the privacy of the information discussed
- We recommend avoiding entering highly sensitive information (such as financial account numbers, medical record numbers, or government ID numbers) into AI features, as this data would be transmitted to external AI services
11. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you services. Specifically:
- Active account data is retained for the duration of your account
- Guest account data may be cleaned up periodically if the account has not been used for an extended period
- Upon account deletion, all associated data is permanently removed from our active databases within 30 days
- Backup copies may persist for up to 90 days after deletion as part of routine infrastructure backup processes, after which they are purged
- We may retain anonymized, aggregated data that cannot identify you for analytical purposes
12. Account Deletion
You have the right to delete your account at any time. You can do this directly from the Settings screen within the app. When you delete your account:
- All of your personal data is permanently deleted, including habits, entries, journal entries, goals, to-do items, events, conversations, background information, and activity logs
- This action is irreversible and cannot be undone
- Your authentication credentials with Google or Apple are not affected; you can revoke those separately through your provider's settings
- Any active email subscriptions are immediately terminated
13. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right of Access: You can access all your personal data directly within the app at any time
- Right to Rectification: You can edit and correct your data directly within the app
- Right to Erasure: You can delete your account and all associated data through the app's settings
- Right to Data Portability: You can request a copy of your data in a portable format by contacting us
- Right to Withdraw Consent: You can withdraw consent for data processing at any time by deleting your account
- Right to Object: You can object to certain processing activities by contacting us
- Right to Restriction: You can request restriction of processing in certain circumstances
To exercise any of these rights, you may use the in-app settings or contact us at the email address below. We will respond to your request within 30 days.
14. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. By using the Service, you consent to such transfers. We take steps to ensure that your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.
15. Children's Privacy
Our Service is not intended for children under 13 years of age (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we become aware that we have collected personal information from a child under 13, we will take steps to promptly delete that information.
16. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information is collected, used, shared, or sold
- The right to delete personal information held by businesses
- The right to opt out of the sale of personal information (we do not sell personal information)
- The right to non-discrimination for exercising your CCPA rights
17. European Data Protection (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal bases:
- Performance of Contract: Processing necessary to provide the Service you have requested
- Legitimate Interest: Processing for purposes such as improving the Service, ensuring security, and preventing fraud
- Consent: Where you have given us explicit consent for specific processing activities (e.g., optional email summaries)
You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.
18. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For significant changes, we may also provide notice through the app or via email. Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy.
19. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: privacy@locked-in.app