Privacy Policy

1. Information We Collect

We collect the following types of data:

• Usage Data: App interactions, feature usage, and preferences — stored locally on your device.
• Analytics Data: Anonymous usage events (app opens, core actions, feature usage) sent to Mixpanel for product improvement. No personal information is tied to this data.
• Advertising Data: Device advertising identifier (IDFA) used by Google AdMob to serve relevant ads, subject to your App Tracking Transparency (ATT) consent.
• Purchase Data: In-app purchase and subscription records managed by Apple — we do not collect or store payment information.

2. How We Use Your Information

• To provide and improve app features
• To track your progress and usage streaks
• To display relevant advertisements (free users only)
• To analyze app performance and user behavior anonymously
• To send reminders and notifications (with your permission)

3. Third-Party Services

Our apps use the following third-party services:

• Google AdMob — Advertising. Google Privacy Policy
• Mixpanel — Analytics. Mixpanel Privacy Policy
• Apple StoreKit — In-app purchases and subscriptions.

4. Advertising & Tracking

We use Google AdMob to display ads to free users. Before collecting your IDFA for personalized advertising, we request your consent via Apple's App Tracking Transparency (ATT) framework. We also implement Google UMP (User Messaging Platform) for GDPR consent before loading any ads.

You can change your tracking preference at any time in your device Settings. Users who have purchased ad removal do not see any advertisements.

5. In-App Purchases & Subscriptions

Our apps may offer one-time purchases and/or auto-renewable subscriptions. All transactions are processed by Apple through the App Store. We do not collect or store any payment information.

For subscriptions:

• Payment is charged to your Apple ID account at confirmation of purchase.
• Subscriptions automatically renew unless canceled at least 24 hours before the end of the current period.
• You can manage and cancel subscriptions in your Apple ID account settings.
• Any unused portion of a free trial period will be forfeited when you purchase a subscription.

6. Data Storage & Security

Your data (preferences, favorites, progress) is stored locally on your device. We do not maintain user accounts or store personal data on external servers.

Analytics data sent to Mixpanel is anonymous and cannot be used to identify you personally.

7. Children's Privacy

Our apps are not directed at children under 13. We do not knowingly collect personal information from children.

8. Your Rights

You can:

• Opt out of ad tracking via Settings → Privacy → Tracking
• Delete all local app data by uninstalling the app
• Manage subscriptions via Settings → Apple ID → Subscriptions
• Request information about your data by contacting us

9. Apps That Store Credentials (One Time Password)

The One Time Password app stores sensitive credentials on your device. This section describes how that data is protected.

• 2FA seeds (TOTP secrets): Encrypted with ChaChaPoly using a master key stored in the iOS Keychain (hardware-protected by the Secure Enclave). The plaintext seed never leaves the device unencrypted.
• Passwords: Each password field is encrypted with the same master key before being written to local storage (SwiftData). Titles, usernames, and URLs are stored in plaintext so search works — passwords themselves are never readable from the database file.
• iCloud Sync (Pro, optional): When enabled, encrypted records sync via Apple's CKRecord.encryptedValues API in your private CloudKit database. With Apple Advanced Data Protection on, sync is end-to-end encrypted — Apple cannot read your data. We never see your data either way.
• Master key: Generated on first launch using SecRandomCopyBytes and stored with the Keychain accessibility flag kSecAttrAccessibleWhenUnlockedThisDeviceOnly. It is never transmitted to any server we control.
• Camera: Used solely to scan QR codes for adding 2FA accounts. No images are stored, recorded, or transmitted. Camera access is requested only when you open the QR scanner.
• Clipboard auto-clear: When you copy a code or password, the clipboard is automatically cleared after 60 seconds to reduce exposure to other apps.
• App Lock: Optional Face ID / Touch ID / passcode lock gates access to the vault. The PIN (if set) is salted and hashed before being stored in the Keychain.
• Encrypted backup export (Pro): Optionally produces a passphrase-encrypted file you save to Files or AirDrop. Loss of the passphrase makes the backup unrecoverable.
• Legacy data migration: If you used a previous version of One Time Password to store passwords, those records are read from local storage, re-encrypted with the new master key, and made available in the Passwords tab. The legacy file is never deleted automatically.
• No backend: We do not operate a server that stores your credentials. There is no APP26 account, no APP26 cloud, and no APP26 employee with access to your data.
• Auto-renewable subscription: Annual Pro renews yearly via your Apple ID. Cancel anytime in Settings → Apple ID → Subscriptions; cancellation takes effect at the end of the current period.
• Analytics scope: Mixpanel events for One Time Password contain only metadata (counts, action types, timestamps). Seed values and password contents are never sent to analytics.

10. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date.

11. Contact Us

If you have questions about this privacy policy, contact us at:

Email: nattahon@gmail.com