PRIVACY POLICY
Your data never leaves your iCloud.
// LAST UPDATED · 2026-05-08
// THE SHORT VERSION
We have no servers. We have no databases. We have no logins. Your check-ins, identity declaration, slips, badges, and toolkit live in your iCloud private database, encrypted end-to-end by Apple with keys held by your devices. Apple cannot read this data. We cannot read this data. There is no copy of it on infrastructure we run, because we run no infrastructure for it.
// DATA STORED ON YOUR DEVICE
All product data is stored locally with SwiftData and synced to your private iCloud database via CloudKit. We never have access to it. It is never transmitted to any server we run, because we don't run a server for it.
- Daily check-in records, including status (sober / slipped) and optional mood
- Identity statement (Q7), reasons (Q8), and identity goal (Q6) free-text answers
- Redirect habits selected and added during onboarding
- Streak values (derived, not stored: computed from check-ins)
- Earned badges and acknowledgement state
- Reminder time and notification preferences
- Blocking-setup completion state
- Subscription / trial state
// THIRD PARTIES WE USE
Paladin uses four external services, each with a narrow, named role. None receive product data. None receive personal identifiers.
- Apple iCloud (CloudKit): Your private CloudKit database, attached to your existing Apple ID. End-to-end encrypted by Apple. We have no read or write access. No account creation flow.
- Apple StoreKit 2: Handles your subscription purchase, renewal, and cancellation. Apple is the merchant; we never see your card or name. We store only an opaque trial-state flag locally.
- Aptabase (analytics): Anonymous, EU-hosted, event-only analytics. Tracks event names like "check_in_completed" or "panic_flow_started" with no user identifier attached. We use this to know what's working at the population level. There is no per-user analytics ID and no way to link an event back to a person.
- Sentry (crash reporting): Captures crashes and unhandled errors only. PII is scrubbed before send: identity statements, reasons, free-text answers, and check-in payloads are never included. Used to fix bugs.
// WHAT WE NEVER COLLECT
- Email, username, password, or any account credential
- Real name or phone number
- Browsing history, URLs visited, screenshots, or screen recordings
- Location data
- Contacts, photos, or messages
- Behavioural fingerprint or per-user analytics ID
- Any free-text content you write inside the app
// EMAIL COLLECTION (WEBSITE ONLY)
If you submit your email on this website, it goes to Kit (formerly ConvertKit) so we can send you a single notification when Paladin ships. We don't sell your email, share it with third parties, or use it for anything other than launch communication. Unsubscribe via the link in any email.
// LLMs AND AI
Paladin uses no LLM, no inference API, and no machine-learning inference path. Your declaration, reasons, panic flow logic, and personalization all run as deterministic local code. Your words are never sent to a model provider. Your moments are not training data.
// DELETION
Settings → "Delete all my data" performs a nuclear wipe of your local SwiftData store and your CloudKit private database. Once it completes, there is nothing left to delete on our side because we never had anything. Uninstalling the app also removes your local data immediately.
To remove your email from the launch list, use the unsubscribe link in any email or contact us directly.
// ADULTS ONLY
Paladin is built for adults (18+). We do not knowingly collect any information from minors. If you believe a minor has provided us with information, contact us and we'll remove it.
// CONTACT
Questions about your data, this policy, or our architecture: