Sumraf
Privacy Policy

Last Updated: May 5, 2026
General Enquiries: hello@sumraf.com
DPO Contact: dpo@sumraf.com

Introduction

Scope & Applicability

Sumraf ("we," "our," or "us") is committed to protecting your privacy. This General Privacy Policy applies to all mobile applications ("Apps") published under the Sumraf developer account on the Apple App Store and Google Play Store, and to all related services.

By downloading, installing, or using an App, you acknowledge that you have read, understood, and agree to this Policy. If you do not agree, please do not use our Apps.

We prioritize user privacy and rely on your explicit consent for data collection and access to device features. You have the right to withdraw or modify your consent at any time. This can be done directly through the settings within the App or by contacting us at hello@sumraf.com.

Data We Collect

Collection Practices

2.1 Data You Provide Directly

Depending on the features of the specific App you use, we may collect:

Account credentials — email address, password, or third-party sign-in token (where account registration is offered)
Profile information — display name, avatar (if provided)
User-generated content — notes, bookmarks, comments, task descriptions, or other content you create within the App
Voice or audio recordings — when voice-input or speech-recognition features are used by consent.
Support communications — messages you send via in-app feedback forms or email

2.2 Data Collected Automatically

Data Type	Source	Purpose
Device advertising identifiers (IDFA on iOS, AAID on Android)	Device OS	Attribution, personalised advertising (with consent), fraud prevention
Device model, OS version, app version, build number	Device OS	Crash reporting, compatibility, performance optimisation
IP address	Network	Security, approximate region for localisation
Usage events (screens viewed, features used, sessions)	In-app interaction	Analytics, product improvement
Crash logs and error stack traces	Firebase Crashlytics, Sentry	Debugging and stability monitoring
Attribution data (install source, campaign, ad interactions)	Adjust, AppsFlyer, Apple Search Ads, Facebook SDK/Pixel,Revcat,TikTok,Firebase,Playstore	Marketing attribution and campaign measurement
Subscription and purchase status	RevenueCat / App Stores	Entitlement verification
Push notification token (FCM token)	Firebase Cloud Messaging	Push notification delivery (with permission)
Consent status and preferences	Usercentrics CMP / ATT (iOS)	GDPR / CCPA / ATT compliance record-keeping
Ad interaction data (impressions, clicks)	Google AdMob	Serving in-app advertisements (contextual without consent; personalised with consent)
Aggregated behavioural and engagement data	Bi-Dash (data collection)	Product intelligence and user engagement analysis

2.3 Data We Do NOT Collect

Unless user consent or app requirements:

Full payment card details — all payments are processed by Apple App Store or Google Play Store
Precise GPS location
Microphone, camera, or biometric data (biometrics are handled on-device only — see §18)
Audio recordings retained beyond the active processing session
Data from device sensors not required for the App's core function

2.4 AI and Machine-Learning Processing

Some Apps use third-party AI services to provide features such as voice-to-text, content generation, recitation feedback, or task classification. Where an App uses AI (features are intended for entertainment purposes only and may generate inaccurate or incorrect information. They should not be utilized for financial, medical, or other significant real-life decision-making.):

The specific AI processor (e.g., OpenAI, ) is named in the App-Specific.
Inputs (text prompts, audio, images) are transmitted over TLS to the processor.
No model training on your data. Our agreements with AI processors prohibit the use of your inputs to train their models.
Processor-side retention. AI processors may retain inputs for up to 30 days for abuse-monitoring per their contractual terms; thereafter the data is deleted by the processor.
AI-generated outputs are clearly identified within the App. You can report inaccurate or offensive outputs via the in-app reporting mechanism (see §20).
Restricted-content guardrails. AI features are scoped to the App's stated purpose and are not used to generate medical, financial, legal, or safety-critical advice.

Legal Basis for Processing

GDPR / UK GDPR — EEA, UK & Switzerland

Processing Activity	Legal Basis
Account management and core App functionality	Performance of a contract — Art. 6(1)(b) GDPR
Crash reporting and security monitoring	Legitimate interests — Art. 6(1)(f) GDPR
Non-personalised analytics (where consent not required by law)	Legitimate interests — Art. 6(1)(f) GDPR
Personalised advertising and attribution tracking	Consent — Art. 6(1)(a) GDPR
Facebook SDK / Pixel data processing for ad measurement	Consent — Art. 6(1)(a) GDPR
Apple Search Ads attribution	Consent — Art. 6(1)(a) GDPR
AI feature inputs sent to third-party processors	Consent — Art. 6(1)(a) GDPR
Compliance with legal obligations	Legal obligation — Art. 6(1)(c) GDPR

You may withdraw consent at any time via Settings → Privacy Settings in the App, or through your device settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Consent Management

CMP, GDPR & ATT (iOS)

We use Usercentrics as our Consent Management Platform (CMP) to comply with GDPR, UK GDPR, ePrivacy, and CCPA/CPRA. Before any advertising, attribution, social, AI-processing, or personalised-analytics SDK is initialised:

A clear consent banner is displayed describing the categories of data and the purposes of processing.
No advertising, attribution, Facebook SDK/Pixel, Apple Search Ads, Adjust, AppsFlyer, Bi-Dash, or personalised-analytics SDKs are activated until valid consent is received.
You can accept all, reject all, or manage preferences granularly per vendor category.
Consent choices are stored locally and respected across all sessions.
You may change your preferences at any time via Settings → Privacy Settings.

iOS — App Tracking Transparency (ATT). On iOS we additionally request ATT permission (App Store Review Guidelines §5.1.2) before accessing your IDFA or enabling any cross-app or cross-website tracking, including probabilistic or fingerprint-based attribution methods. All tracking SDKs — including Adjust, AppsFlyer, Facebook SDK, and Apple Search Ads until ATT permission is granted.

How We Use Your Data

Purposes of Processing

Provide, operate, and personalise the features of our Apps
Manage your account and subscription entitlements via RevenueCat,Google Play Store, and the Apple App Stores
Process and verify in-app purchases through RevenueCat, Apple App Store, and Google Play Store
Send push notifications and account-related communications (with your permission) via Firebase Cloud Messaging
Display advertisements exclusively via Google AdMob (contextual without consent; personalised only with explicit consent)
Measure marketing campaign effectiveness through Adjust attribution, AppsFlyer attribution, Apple Search Ads attribution, and Facebook SDK/Pixel (with consent)
Analyse product engagement and usage patterns using Firebase Analytics, Google Analytics for Firebase, and Bi-Dash
Provide AI-powered features where the App offers them, by transmitting inputs to our disclosed AI processor
Detect, investigate, and fix crashes, bugs, and stability issues via Firebase Crashlytics and Sentry
Remotely configure features and run A/B tests via Firebase Remote Config and Firebase A/B Testing
Detect and prevent fraud, abuse, and security incidents
Comply with applicable laws and regulations

Third-Party Services & Data Sharing

Vendors & Sub-Processors

We share data with carefully selected third-party providers strictly to operate our Apps. We do not sell your personal data. Each provider processes data under its own privacy policy and a Data Processing Agreement with us. The specific providers active in an individual App are disclosed and its iOS Privacy Label / Google Play Data Safety form.

6.1 Hosting, Backend & Core Firebase Suite

Service	Type	Data Shared	Purpose
Firebase / React Native Firebase Google LLC	Essential	User ID, app data, in-app content	Core database storage and account management
Firebase Authentication Google LLC	Essential	Email address, UID, sign-in token	Secure account authentication
Firebase Remote Config Google LLC	Functional	Device info, app version	Remote feature flags and configuration
Firebase Cloud Messaging (FCM) Google LLC	Functional	FCM device token	Push notification delivery (with permission)

6.2 Analytics & A/B Testing

Service	Type	Data Shared	Purpose
Google Firebase Analytics Google LLC	Functional	Pseudonymous user ID, usage events, device info	Product analytics and user behaviour understanding
Google Analytics for Firebase Google LLC	Functional	Session data, screen views, conversion events	Unified analytics reporting
Firebase A/B Testing Google LLC	Functional	Experiment variant assignment, device info	Feature testing and optimisation
Bi-Dash (data collection) Bi-Dash	Functional	Aggregated engagement and behavioural events	Product intelligence and engagement analysis

6.3 Crash & Error Monitoring

Service	Type	Data Shared	Purpose
Firebase Crashlytics Google LLC	Functional	Crash reports, error stack traces, device info	App stability monitoring and bug fixing
Sentry Functional Software, Inc.	Functional	Error logs, stack traces, breadcrumbs, device info	Real-time error tracking and performance monitoring

Sentry Privacy Policy

6.4 Attribution & Marketing Measurement

Service	Type	Data Shared	Purpose
Adjust Adjust GmbH	Essential	Advertising ID, install events, in-app events (with consent)	Mobile marketing attribution and campaign performance measurement
AppsFlyer AppsFlyer Ltd.	Essential	Advertising ID, install events, in-app events (with consent)	Mobile marketing attribution and campaign performance measurement
Apple Search Ads Apple Inc.	Marketing	Attribution token, campaign identifiers (iOS only, with consent)	Measuring installs driven by Apple Search Ads campaigns
Facebook SDK Meta Platforms, Inc.	Essential	Advertising ID, install events, in-app events, app usage data (with consent)	Facebook/Meta campaign attribution and ad measurement
Facebook Pixel Meta Platforms, Inc.	Essential	Event signals, conversion data (with consent)	Measuring ad campaign conversions across Meta platforms

1. Adjust Privacy Policy
2. AppsFlyer Privacy Policy
3. Meta Privacy Policy
4. TikTok Privacy Policy
5. RevnueCat Privacy Policy
6. Apple Privacy Policy
7. Google Privacy Policy
8. Admob Privacy Policy
9.Firebase Privacy Policy
10.Open AI Privacy Policy

Facebook SDK & Pixel — Consent Required The Facebook SDK and Facebook Pixel are initialised only after you grant consent in the Usercentrics CMP banner, and on iOS only after ATT permission is granted. Without consent, no data is transmitted to Meta.

6.5 Advertising

Service	Type	Data Shared	Purpose
Google AdMob Google LLC	Functional	Advertising ID, ad interaction data (contextual only without consent; personalised only with consent)	Serving in-app advertisements on the free tier

We use Google AdMob exclusively for advertising across all Sumraf. No other ad network or mediation platform is used. Ads served in children's Apps are strictly contextual with no behavioural targeting.

6.6 AI & Machine-Learning Processing

Service	Data Shared	Purpose
Generative AI / Speech-to-Text (specific processor named in App Addendum)	Text prompts, audio recordings, image inputs (App-dependent, with consent)	AI-powered features as described in §2.4

6.7 Subscription & In-App Purchase

Service	Type	Data Shared	Purpose
RevenueCat RevenueCat, Inc.	Essential	User ID, purchase events, subscription status, transaction identifiers	In-app purchase and subscription entitlement management
Apple App Store Apple Inc.	—	Purchase records (handled by Apple)	iOS in-app purchase processing
Google Play Store Google LLC	—	Purchase records (handled by Google)	Android in-app purchase processing

6.8 Consent Management

Service	Type	Data Shared	Purpose
Usercentrics CMP Usercentrics GmbH	Essential	Consent choices (no personal data sold)	GDPR / CCPA consent record-keeping

6.9 Third-Party Content APIs

Some Apps call read-only content APIs.

6.10 Legal Disclosure

We may disclose information when required by law, court order, or government authority, or where necessary to protect our rights, user safety, or the integrity of our Apps. We will notify affected users where legally permitted.

6.11 Sub-Processor List

A current list of all sub-processors used across the Sumraf portfolio is maintained. We update this page when sub-processors are added, replaced, or removed.

Advertising

Google AdMob — Free Tier

Free-tier Apps may display advertisements served exclusively by Google AdMob.

With consent — ads may be tailored using your device advertising ID.
Without consent — only contextual (non-personalised) ads are served.
Children's Apps — no behavioural or personalised advertising is ever shown. Only contextual ads via Families Self-Certified ad SDKs are used where permitted by store policy.

Data Retention

Retention Periods

Data Type	Retention Period
Account data	Until account deletion or as required by law
User-generated content	Until deletion by user or account deletion
Firebase Analytics events	Up to 14 months (Firebase Analytics default)
Crash logs (Crashlytics)	Up to 90 days
Crash logs (Sentry)	Up to 90 days
Attribution data (Adjust)	Up to 13 months
Attribution data (AppsFlyer)	Up to 24 months
Facebook SDK / Pixel attribution data	As per Meta data retention policy
Apple Search Ads attribution data	As per Apple data retention policy
Bi-Dash engagement data	As per Bi-Dash data retention policy
Subscription and purchase records	As required by financial, tax, and legal obligations
Voice / audio recordings	Deleted by us after processing; AI processor retention up to 30 days (§2.4)
AI prompts (text)	Deleted by us after processing; AI processor retention up to 30 days (§2.4)
Consent records	Up to 3 years (GDPR accountability obligation)

Where an App requires different retention, the App-Specific states it.

Data Security

Security Measures

We implement industry-standard security measures including:

TLS / HTTPS encryption for all data in transit
Encrypted on-device storage using iOS Keychain / Android Keystore for sensitive credentials
Firebase Security Rules to restrict unauthorised backend access
Role-based access controls limiting internal access to user data
Regular review of third-party SDKs for compliance with our security and privacy standards
Periodic dependency upgrades to patch known vulnerabilities

No method of transmission or storage is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security. If you believe your account or data has been compromised, contact us immediately at hello@sumraf.com.

Children's Privacy

COPPA, GDPR-K & Families Policy

Unless an individual App is specifically designed and rated as a children's app:

Our Apps are not directed to children under 13 (or under 16 in the EEA / UK).
We do not knowingly collect personal data from children below the applicable age threshold without verifiable parental consent.
If we become aware that personal data has been collected from a child without appropriate consent, we will delete it promptly.

Your Privacy Rights

GDPR, CCPA / CPRA & Global Rights

11.1 All Users

Access

Request a copy of the personal data we hold about you.

Correction

Request correction of inaccurate or incomplete data.

Deletion

Request deletion of your personal data (see §11.4).

Opt-Out of Personalised Ads

Through device settings or our in-app consent manager.

11.2 EEA / UK / Swiss Users (GDPR / UK GDPR)

Data Portability — Receive your data in a structured, machine-readable format.
Restriction — Request restriction of processing in certain circumstances.
Objection — Object to processing based on legitimate interests.
Withdraw Consent — At any time, without affecting the lawfulness of prior processing.
Lodge a Complaint — With your local data protection authority (e.g., ICO in the UK; your national DPA in the EEA).

11.3 Account & Data Deletion

In-AppSettings

Emaildpo@sumraf.com (reply within 30 days)

User-Facing Data	Timeline
Removed within 7 days	User-Facing Data
Removed within 30 days	Backend Production Data
Purged within 90 days	Encrypted Backups

Anonymised, aggregated analytics data may be retained indefinitely. To exercise any other privacy right, contact us at dpo@sumraf.com. We respond within statutory deadlines:

GDPR / UK GDPR: within 1 month, extendable to 3 months for complex requests (Art. 12(3))
CCPA / CPRA: within 45 days, extendable to 90 days where reasonably necessary

International Data Transfers

Cross-Border Data Flows

Our Apps operate globally. Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our service providers (Google, Meta, RevenueCat, Adjust, AppsFlyer, Sentry, Usercentrics, Bi-Dash) maintain infrastructure. Where data is transferred outside the EEA, UK, or Switzerland, we rely on appropriate safeguards including:

European Commission Standard Contractual Clauses (SCCs) with Article 28 / Article 46 provisions
UK International Data Transfer Addendum
Where applicable, adequacy decisions issued by the European Commission

Push Notifications

Firebase Cloud Messaging

Where an App offers push notifications, we may send reminders, learning streaks, subscription updates, or feature announcements via Firebase Cloud Messaging (FCM). Notification permission is requested in context (when first relevant), not at launch. You may enable or disable notifications at any time via your device settings or the App's settings. Disabling notifications does not affect your ability to use core features.

Local Data Storage

On-Device Storage

Some App data — preferences, progress, offline content, cached settings — is stored locally on your device using platform-appropriate storage mechanisms (e.g., MMKV, Redux Persist, AsyncStorage on Android; equivalent storage on iOS). Local data is not transmitted to our servers and is removed when you uninstall the App or reset App data in your device settings.

Sensitive credentials are stored in the device secure keystore (iOS Keychain / Android Keystore).

Tracking Technologies

Mobile Identifiers & Attribution

Our Apps do not use browser cookies. Mobile equivalents we may use include:

Device advertising identifiers (IDFA on iOS, AAID on Android) — for attribution and personalised advertising, with your consent.
Firebase Instance IDs — for analytics session tracking.
Facebook SDK / Pixel event signals — for Meta campaign measurement, with your consent.
AppsFlyer SDK — for mobile marketing attribution, with your consent.
Apple Search Ads attribution token — for measuring Apple Search Ads installs on iOS, with your consent.
Probabilistic / fingerprint-based attribution — gated behind ATT consent on iOS and CMP consent on Android, in line with Apple's enforcement guidance and the GDPR ePrivacy framework. We do not rely on fingerprinting to circumvent ATT.

iOS Privacy Manifest Compliance

PrivacyInfo.xcprivacy — Required Since May 2024

Our iOS Apps include the PrivacyInfo.xcprivacy Privacy Manifest required by Apple, declaring required-reason API usage and the data practices of all bundled third-party SDKs — including Firebase, Facebook SDK, Sentry, RevenueCat, Adjust, AppsFlyer, and Usercentrics. We update Privacy Manifests with each SDK upgrade and verify that App Privacy Labels in App Store Connect match the manifest declarations and actual app behaviour, in line with App Store Review Guidelines §5.1.1.

Google Play Data Safety Compliance

Data Safety Section — Google Play Console

Our Android Apps include a fully completed Data Safety declaration in Google Play Console reflecting the actual data collection and sharing behaviour of the App and all integrated SDKs — including Firebase, Facebook SDK, Sentry, Adjust, AppsFlyer, RevenueCat, Google AdMob, and Usercentrics. We review and update Data Safety declarations whenever we update SDK integrations or data practices, in line with Google Play's Developer Program Policy.

Biometric Data

Face ID, Touch ID & Fingerprint

If an App offers biometric features (e.g., Face ID, Touch ID, fingerprint authentication for app lock or premium content):

Biometric data is processed on-device only by the operating system (Apple Secure Enclave or Android BiometricPrompt).
Biometric templates are never transmitted to our servers, never stored by us, and never shared with third parties.
You can disable biometric authentication at any time in the App's settings or your device settings.

AI-Generated Content Disclosure

EU AI Act & Transparency

Where an App generates content using AI (text, audio feedback, suggestions, classifications):

AI-generated outputs are clearly labelled within the App.
AI outputs are informational and may contain inaccuracies; you should not rely on them for medical, legal, financial, or safety-critical decisions.
We comply with the EU AI Act transparency obligations applicable to generative AI systems (Article 50, applicable from August 2026) and with comparable transparency requirements in other jurisdictions.

User Reporting & Content Moderation

In-App Reporting Mechanism

Where an App allows user-generated content or displays AI-generated output, an in-app reporting mechanism is provided — typically Settings → Report Content, or a long-press / "Report" option on the content itself. Reports are reviewed within 48 hours during business days. Content that violates our Community Guidelines or applicable law is removed, and accounts that repeatedly violate guidelines may be suspended or terminated.

This mechanism is also available for reporting:

AI-generated outputs that are inaccurate, harmful, or offensive
Suspected impersonation or deceptive content
Suspected violations of children's safety policies

Data Breach Notification

GDPR Art. 33 & 34 — Incident Response

In the event of a personal data breach that affects your information, we will:

Notify the relevant supervisory authority within 72 hours where required (GDPR Art. 33).
Notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms (GDPR Art. 34).
Comply with breach notification obligations under CCPA, India DPDP Act, Brazil LGPD, and other applicable laws.

We maintain an incident response process, including documentation of all breaches, regardless of whether notification is legally required.

Data Protection Contact

GDPR Art. 27 — DPO & EU Representative

For users in the EEA, UK, and Switzerland, our Data Protection point of contact is reachable at dpo@sumraf.com. Where Article 27 GDPR requires the appointment of an EU Representative, the current Representative's name.

Changes to This Privacy Policy

Notification & Change Log

We may update this Policy periodically to reflect changes in our practices, technology, or legal requirements. For material changes, we will notify you through:

An in-app notification or banner, and / or
Email to your registered address (where available)

The "Last Updated" date at the top reflects the most recent revision. Continued use of our Apps after changes become effective constitutes acceptance of the updated Policy.

Contact Us

Privacy Requests & Enquiries

For questions, concerns, or privacy requests:

Sumraf

General privacy enquiries: hello@sumraf.com

Data Protection contact (EEA / UK): dpo@sumraf.com

Website: sumraf

We respond within statutory deadlines (§11.4) or, where no deadline applies, within 30 days.