Privacy Policy — No Panic
Effective date: To be set before store submission
Last updated: 2026-05-07
Publisher: No Panic Labs (temporary working name until legal entity is finalized), Ukraine.
Support contact: denysdubov88@gmail.com (also the sole channel for privacy / GDPR requests).
Canonical URL: https://denid88.github.io/nopanic-app/privacy-policy.html
This Privacy Policy explains how No Panic Labs ("we", "us", "our") handles information in connection with the No Panic mobile application (the "App"). By using the App you acknowledge that you have read this Policy.
We designed No Panic to be privacy-respecting by default:
- No account, no sign-up, no login. The App is fully anonymous.
- No advertising and no crash-reporting SDK. The App does not read your advertising ID (IDFA / GAID) directly. On iOS, if — and only if — you opt in to analytics, the App presents Apple's App Tracking Transparency (ATT) prompt so Firebase Analytics may include the IDFA in its measurement; declining the ATT prompt is fully respected and the App keeps working the same way.
- Analytics are strictly opt-in. The App uses Firebase Analytics to understand aggregate usage, but collection is disabled by default and only turns on after you explicitly agree — during onboarding or later in Settings → Privacy. You can disable it again at any time and the SDK is instructed to stop collecting immediately.
- Journal entries and favorites stay on your device. They are never uploaded to us.
- The external services the App talks to are: the subscription provider (RevenueCat + Apple / Google) when you interact with the paywall, Google Fonts when loading typography, and — only if you consented — Firebase Analytics.
Read below for the details.
1. Who is the controller
The data controller is No Panic Labs, established in Ukraine. Contact: denysdubov88@gmail.com. We have not appointed a formal Data Protection Officer — all privacy requests go to the same email.
2. What the App stores on your device
The App keeps the following information locally on your device only. We do not receive or read this data.
| Storage | What it contains | Why |
|---|---|---|
| SharedPreferences (iOS NSUserDefaults / Android SharedPreferences) — unencrypted | onboarding_completed flag | Skip onboarding after first run. |
| SharedPreferences | pro_entitlement_cache — a JSON snapshot of your most recent Pro entitlement (active flag, expiry date, renewal flag, product ID, trial flag) | Show correct lock state at cold start, including offline. |
| SharedPreferences | affirmation_favorites — IDs of affirmations you hearted | Let you revisit your favorites. |
| SharedPreferences | affirmation_of_day_id + affirmation_of_day_date | Show a stable "affirmation of the day". |
| SharedPreferences | analytics_consent — a boolean; false by default, set to true only after you explicitly opt in | Gate Firebase Analytics collection (see §3.4). |
| Local SQLite database nopanic_journal.db, table journal_entries | Journal body text, optional mood emoji, created/updated timestamps, local auto-incremented ID | Power the Journaling feature. |
| Local SQLite database nopanic_medication.db | Medication names, dosages, schedules, and dose history you enter in the Medication Tracker | Power the Medication Tracker feature. Stored only on your device; never transmitted to our servers, third-party services, or analytics providers. |
| OS-managed audio cache | Cached playback state for bundled audio files | Smooth playback of exercises. |
| Firebase Analytics local cache (only if analytics consent is granted) | An app-scoped pseudonymous Firebase Instance ID and a queue of events waiting to upload | Buffer analytics between network uploads. Cleared when you revoke consent or uninstall. |
All of the above is removed when you uninstall the App or use your operating system's "Clear data" / "Offload app" action.
The App does not collect or store:
- your name, email address, phone number, or precise location;
- advertising ID (IDFA / GAID) — the App does not read the IDFA or GAID itself. On iOS, when you tap "Agree" on the Analytics Consent screen, the App presents Apple's App Tracking Transparency (ATT) prompt so Firebase Analytics can access the IDFA for measurement; if you decline the ATT prompt, or decline analytics entirely, the IDFA is not shared with Firebase. On Android, the App does not request or read the Google Advertising ID (GAID);
- contacts, calendars, photos, microphone or camera input;
- browsing history, or any usage outside the App;
- push tokens (the App has no push notifications).
Medication data — Names, dosages, schedules, and dose history you enter in the Medication Tracker are stored only on your device using the local database (SQLite). They are never transmitted to our servers, third-party services, or analytics providers. Anonymized event counts (e.g., a dose was logged) may be sent if you opted in to analytics, but never the medication name or any identifying detail.
3. Third parties that may process data about you
Using the App triggers a minimal, specific set of third-party interactions. We list them exhaustively.
3.1 Apple (App Store) and Google (Google Play)
- What they process: your purchase and subscription transactions, transaction receipts, your store account (Apple ID / Google account), and whatever telemetry your device platform collects at the OS level.
- Why: billing, subscription management, refunds.
- Where: governed by Apple's and Google's own privacy policies.
- Our visibility: we can see anonymous purchase outcomes via RevenueCat (see below). We do not see your name, email, or payment details.
3.2 RevenueCat
- What they process: a pseudonymous RevenueCat App User ID that the SDK generates on your device, your purchase events, subscription status, platform and country, and the RevenueCat API key in use. See RevenueCat's privacy policy for the complete picture.
- Why: we use RevenueCat to configure subscription products, check whether you currently have the pro entitlement, and handle purchase / restore flows, without building our own receipt-validation backend.
- When the App contacts RevenueCat: at app start (to fetch the current entitlement and cache it), when you open the paywall (to load product offerings), and when you tap Subscribe or Restore.
- Where: RevenueCat's servers. RevenueCat's infrastructure is primarily in the United States; transfers are covered by their standard data-protection terms.
3.3 Google Fonts (runtime font fetch)
- What they process: a standard HTTP request to Google's font CDN for the "Quicksand" typeface, including your IP address and basic request metadata.
- Why: the App uses the google_fonts package, which fetches the font file on first use. Once fetched, it is cached locally by the package.
- Note: if you disable this, some text will fall back to system fonts. We may ship the font as a bundled asset in a future version to remove this external call.
3.4 Firebase Analytics (opt-in only)
- What it is: Google's Firebase Analytics SDK (firebase_core + firebase_analytics), integrated to help us understand aggregate usage — which features people use, where flows drop off, which exercises help most. No raw content (journal text, favorites, messages) ever leaves the device.
- Consent model: disabled by default. The SDK is initialized with collection off. We show an Analytics Consent screen during onboarding and surface the same toggle in Settings → Privacy. Only after you tap "Agree" / enable the toggle do we call setAnalyticsCollectionEnabled(true). Revoking consent calls setAnalyticsCollectionEnabled(false) immediately and suppresses all event and user-property calls in process.
- App Tracking Transparency (iOS only): when you tap "Agree" on the Analytics Consent screen on iOS, the App calls Apple's ATT API (via the app_tracking_transparency package) to show the system prompt. Your choice governs whether Firebase Analytics may associate the advertising identifier (IDFA) with analytics events. If you tap "Ask App Not to Track" (or had tracking disabled globally), no IDFA is ever shared with Firebase — analytics still work using only the pseudonymous Firebase Instance ID. We never read the IDFA ourselves. For our own measurement of opt-in rates, we attach the outcome (authorized / denied / restricted / not_determined / not_supported) as an att_status parameter on the analytics_consent_set event. You can change your tracking choice at any time in iOS Settings → Privacy & Security → Tracking.
- What is collected (only while enabled):
  - Screen views (via Firebase's FirebaseAnalyticsObserver wired to GoRouter).
  - Product events we explicitly log — e.g. emergency_tapped, panic_flow_started / panic_flow_tip_viewed / panic_flow_completed / panic_flow_exited, exercise_opened / exercise_session_started / exercise_session_completed, games_opened / game_started / game_completed / game_exited, journal_entry_saved (with a bucketed word-count like 1-25, never the raw count or text), affirmation_favorited, paywall_shown / paywall_subscribe_tapped / purchase / restore_completed, settings_opened, legal_opened, support_opened, language_changed, onboarding_*, analytics_consent_shown / analytics_consent_set. The full list lives in lib/core/services/analytics_event.dart.
  - Event parameters limited to non-identifying metadata: scenario IDs, tip indexes, preset IDs, exercise names, game names (e.g. snake, tetris, bubble_pop, mandala, memory_pairs), numeric game scores (e.g. snake length, tetris lines cleared, bubble-pop accuracy %, memory-pairs moves), product IDs, currency, plan value, duration in seconds, progress percentage, word-count bucket, source of a screen open, from/to language code, ATT outcome (att_status: authorized / denied / restricted / not_determined / not_supported).
  - User properties: has_pro (true / false — whether you currently have the Pro entitlement), app_language (your UI language code), onboarding_completed (true / false).
  - Automatic Firebase-collected identifiers: a pseudonymous Firebase Instance ID (app-scoped, reset on uninstall or on revoking consent), IP address (used for approximate geo and then discarded per Google's retention policy), device model, OS version, app version.
- What is never sent: journal text, journal titles, affirmation text, the content of tips, notes, audio being played, favorite lists, precise location, advertising ID, email, phone, or any identifier tied to your name.
- Where: Google's Firebase servers (United States and other Google regions), governed by Google's privacy policy and Firebase data-processing terms.
- Retention: we configure the Firebase project to use Google's default user-data retention window (currently 14 months for user-level data); aggregated reporting data is retained indefinitely.
- How to turn it off: Settings → Privacy → Analytics toggle. This flips analytics_consent to false, calls setAnalyticsCollectionEnabled(false), and the SDK stops collecting on this device.
3.5 Services that do not run
For transparency, the App does not include:
- Amplitude, Mixpanel, PostHog, or any analytics SDK other than the Firebase Analytics described in §3.4;
- Sentry, Crashlytics, Bugsnag, or any other crash-reporting SDK;
- advertising SDKs;
- social-login SDKs;
- Facebook SDK, TikTok SDK, AppsFlyer, Adjust, Branch, or similar attribution SDKs;
- push notification services (FCM/APNs messaging is not integrated, even though Firebase Core is present).
4. Permissions the App requests
The App does not request the microphone, camera, location, contacts, photos, calendar, or Bluetooth. On iOS, the App does request Apple's App Tracking Transparency (ATT) permission — only when you affirmatively opt in to analytics on the Analytics Consent screen, never on first launch and never if you decline analytics. The purpose is described in §3.4.
The App plays bundled audio using standard OS APIs. To enable background playback for the Sleep exercise — so the music keeps playing when you lock the screen and lock-screen / Control Center / Notification controls remain available — the App declares the following non-prompting OS capabilities: on Android, the WAKE_LOCK, FOREGROUND_SERVICE, and FOREGROUND_SERVICE_MEDIA_PLAYBACK permissions and a media-playback foreground service (provided by the audio_service package); on iOS, the audio value in the UIBackgroundModes array of Info.plist. None of these capabilities show an interactive permission prompt or grant the App access to any of your data — they only allow the App's own audio engine to keep playing while the App is backgrounded or the screen is off.
5. Children
The App is not directed at children under 13 and does not knowingly collect personal data from them. If you believe a child under the minimum age has used the App, contact us so we can assist.
6. Your legal rights (GDPR, UA, UK GDPR, CCPA)
Because the App does not associate any data with your identity, many traditional rights (access, export, erasure of "your personal data") do not apply in the usual sense — there is no server-side record linked to you. You nonetheless have the right to:
- Access / portability: export your Journal entries manually by copying them from the App. A built-in export feature is not yet available; contact us if you need help.
- Erasure: delete individual Journal entries from within the App; delete all App data by uninstalling, using your OS's "Clear data" / "Offload app" / "Reset" action, or resetting the device.
- Subscription data: for purchase and subscription records held by Apple, Google, or RevenueCat, please exercise your rights directly with those providers — they are in a position to identify you by store account. We will assist if you contact us.
- Object / restrict / complain: you may object to processing or restrict it. If you are in the EU/EEA, UK, or Switzerland, you can also lodge a complaint with your national data-protection authority. Ukrainian users may contact the Ukrainian Parliament Commissioner for Human Rights (Уповноважений Верховної Ради України з прав людини). California residents may exercise CCPA rights; we do not "sell" or "share" personal information for cross-context behavioral advertising.
To exercise any right, email denysdubov88@gmail.com.
7. Legal basis (EU/EEA, UK, Switzerland)
Where the GDPR or an equivalent law applies, the legal bases for the minimal processing described above are:
- Contract (Art. 6(1)(b) GDPR) — providing the App and, where applicable, processing your subscription.
- Legitimate interest (Art. 6(1)(f) GDPR) — caching entitlement state so the App works offline, fetching the font used by the UI, and maintaining the integrity of the paywall.
- Consent (Art. 6(1)(a) GDPR) — the sole legal basis for Firebase Analytics. Collection is off by default and is only activated after you affirmatively opt in on the Analytics Consent screen (or in Settings → Privacy). You can withdraw consent at any time with the same toggle, with no effect on your ability to use the App. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
8. International transfers
The App itself stores data on your device in your country of residence. When you interact with the paywall, RevenueCat and the App Store / Google Play may transfer data internationally (primarily to the United States) under their own safeguards (Standard Contractual Clauses and equivalent mechanisms). If you have enabled analytics, Firebase Analytics also transfers event data to Google's infrastructure (primarily the United States) under Google's Standard Contractual Clauses and equivalent mechanisms.
9. Retention
- On-device data: kept until you delete it or uninstall the App.
- RevenueCat: retained according to RevenueCat's retention policy for subscription data.
- Apple / Google: retained according to their respective policies.
- Firebase Analytics (only if you opted in): user-level data retained for the default 14-month window configured on our Firebase project; aggregated reporting data retained indefinitely. Revoking consent or uninstalling stops further collection; existing uploaded events can be deleted on request (see §6).
- Support correspondence: if you email us at denysdubov88@gmail.com, we keep the email thread for up to 24 months, then delete it.
10. Security
We keep server-side processing to a minimum and rely on Apple's and Google's sandboxing to protect data stored on your device. Journal entries are not encrypted by the App beyond what the operating system provides at rest; if your device supports full-disk encryption and you have enabled a passcode, your data benefits from it. We recommend keeping your OS up to date and using a passcode or biometric lock.
11. Changes to this Policy
We may update this Policy as the App evolves. Changes will be reflected in the "Last updated" date above and, if material, highlighted in the App or at the store listing. Continued use after the updated Policy takes effect constitutes acknowledgement.
12. Contact
Questions, requests, or complaints about this Policy: denysdubov88@gmail.com.
Appendix A — Technical inventory (for completeness)
This section mirrors what a developer or auditor would see in the codebase, so that nothing in the App is undisclosed.
- Platform: Flutter (Dart ^3.11.3), distributed globally on the Apple App Store and Google Play; package name / bundle identifier app.nopanic.
- Third-party packages used that may touch the network or OS storage: purchases_flutter (RevenueCat), firebase_core + firebase_analytics (Firebase Analytics — gated on opt-in consent), app_tracking_transparency (iOS only — shows the system ATT prompt when analytics is opted in, as described in §3.4), google_fonts (runtime font fetch), just_audio + audio_service + audio_session (local audio playback, including background playback and lock-screen / Control Center / Notification controls for the Sleep exercise via a custom AudioHandler; other exercises use plain just_audio only), shared_preferences (local key-value storage, including the analytics_consent flag), sqflite (local SQLite), url_launcher (opens external URLs in the system browser when you tap Terms, Privacy, or Support), package_info_plus (reads local app version/build number).
- External URLs opened (only when you tap them): the Terms URL, the Privacy URL, and the Support email's mailto: link.
- API keys: a RevenueCat public SDK key is compiled into the build via --dart-define. Firebase configuration (GoogleService-Info.plist / google-services.json) is bundled at build time. These keys identify the app, not you.
- No backend owned by the Publisher processes user data at the time of writing; analytics data is processed by Google on our behalf only after explicit consent.
Appendix B — Data deletion summary (for store review)
If a store reviewer asks "how does a user delete their data?":
- Inside the App: open Journaling, delete entries individually. In the Medication Tracker, delete medications and dose-history entries individually.
- Uninstall the App, or use your device's "Clear data" (Android) / "Offload App + Delete" (iOS) action. This removes all on-device App data, including Journal entries, affirmation favorites, onboarding flag, the Pro entitlement cache, the analytics_consent flag, and the Firebase Instance ID.
- To stop ongoing analytics collection, open Settings → Privacy and disable the Analytics toggle. To also delete previously uploaded analytics events, email denysdubov88@gmail.com and we will initiate a deletion request against the Firebase project.
- To cancel or delete subscription data held by Apple, Google, or RevenueCat, use the subscription management tools in your App Store or Google Play account, or email denysdubov88@gmail.com for assistance.