tool+ Logo
tool+

Privacy Policy for tool+

Last updated: 16.11.2024

Use of this app constitutes acceptance of these terms.

1. Controller / Data Controller

tool+ (Sole Proprietorship)
Anton Schiller
Pohlstr. 48
10785 Berlin, Germany
Email: support@toolplus.app
Data Protection Officer: Anton Schiller

2. Supervisory Authority

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt Moabit 59-61
10555 Berlin, Germany

3. App Overview

tool+ is a self-improvement application that combines various tools for personal growth. Users can individually combine features for mindfulness, productivity, values, goals, habits, and more.

4. Age Requirement

tool+ is intended for users aged 9 and older. Users under 9 are not permitted to create accounts or use the service.

5. Data We Collect

5.1 Account Information

  • Email address (for authentication)
  • Username (chosen by user)
  • Password (encrypted)
  • Apple ID data (if using Sign in with Apple - name and email, or private relay email)
  • Google profile data (if using Google Sign-In)

5.2 User-Generated Content

Encrypted (End-to-End):

  • Personal notes, gratitude entries, and journal entries
  • Goals, todos, and mission data
  • Mood tracking data and reflections
  • Sleep data (dreams, notes)
  • Questions and personal reflections

Unencrypted (for social features):

  • Username and profile information
  • Experience points (XP) and level data
  • Sports statistics (push-ups, pull-ups, distance)
  • Friend connections and visibility settings

5.3 Technical Data

  • Device push notification tokens
  • App usage data and preferences
  • Error logs and crash reports

6. How We Use Your Data

6.1 Primary Purposes

  • Provide and maintain app functionality
  • Authenticate users and manage accounts
  • Store and sync user-generated content
  • Enable social features and friend connections
  • Send push notifications (if enabled)

6.2 AI-Powered Features

When you choose to use our AI-powered values analysis feature, your responses are sent to OpenAI's servers for processing. This requires your explicit consent, which can be withdrawn at any time without affecting other app functionality.

7. Data Commercialization and Sharing Policy

7.1 No Data Sales

We do not sell, rent, or trade your personal data to third parties for monetary or other consideration. Your data belongs to you, and we are committed to keeping it that way.

7.2 Business Model

Our business model is based on providing premium features and subscriptions, not on monetizing your personal information. We generate revenue through optional in-app purchases and premium subscriptions, ensuring that your privacy remains our priority.

7.3 Data Sharing Limitations

We only share your data in the following limited circumstances:

  • With your explicit consent for specific features (e.g., social features with friends)
  • With service providers who process data on our behalf (see Section 10 - Third-Party Services)
  • When required by law or to protect our legal rights

All third-party service providers are contractually bound to protect your data and prohibited from using it for their own purposes.

8. Legal Basis for Processing (GDPR)

  • Consent (Art. 6(1)(a)): AI features, push notifications
  • Contract Performance (Art. 6(1)(b)): Account management, core app features
  • Legitimate Interest (Art. 6(1)(f)): App improvement, security

9. Data Storage and Security

9.1 Storage Location

Your data is stored using Google Firebase Firestore in the europe-west3 region (Frankfurt, Germany), ensuring data remains within the European Union.

9.2 Security Measures

End-to-End Encryption (E2E):

Your personal data is protected with end-to-end encryption. This means that your journal entries, notes, goals, and other sensitive content are encrypted on your device before being sent to our servers. Only you can decrypt this data with your password-derived encryption key, which is stored securely in your device's secure hardware enclave (iOS Keychain or Android Keystore).

Important:

  • We cannot access your encrypted data - only you can
  • If you forget your password, encrypted data cannot be recovered
  • Like WhatsApp, this ensures maximum privacy but means we cannot help with password recovery
  • Social features (username, level, sports stats) remain unencrypted for sharing with friends

Additional Security:

  • Transport encryption (HTTPS/TLS)
  • Firebase security rules and authentication
  • Regular security updates and monitoring
  • Access controls and user authentication

9.3 Data Retention

Your data is stored as long as your account exists. You can delete your account and all associated data at any time. Deleted data is immediately removed from our active systems. Firebase backup retention follows Google's standard policies.

10. Third-Party Services

10.1 Apple Sign In

  • Authentication service provided by Apple
  • Supports "Hide My Email" feature for privacy
  • We only receive the data you authorize Apple to share
  • Privacy Policy: https://www.apple.com/legal/privacy/

10.2 Firebase (Google)

  • Authentication and data storage
  • Server location: europe-west3 (EU)
  • Privacy Policy: https://policies.google.com/privacy

10.3 OpenAI

  • AI-powered values analysis (with explicit consent)
  • Data transmitted: User responses to values questions
  • Privacy Policy: https://openai.com/privacy/

10.4 RevenueCat

  • In-app purchase management
  • User ID and purchase history
  • Privacy Policy: https://www.revenuecat.com/privacy/

10.5 Apple/Google Payment Processing

Payment data is processed directly by Apple App Store or Google Play Store. tool+ does not store payment information or credit card details.

11. Your Rights (GDPR & Privacy Laws)

11.1 EU/EEA Users (GDPR Rights)

  • Access: Request copies of your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Delete your account and data
  • Portability: Receive your data in structured format (planned feature)
  • Restrict Processing: Limit how we use your data
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Revoke consent for AI features

11.2 US Users

Depending on your state, you may have rights to access, delete, correct, or opt-out of the sale of personal information (we do not sell personal data).

11.3 How to Exercise Rights

To exercise any of these rights, contact us at support@toolplus.app. We will respond within 30 days for GDPR requests and as required by applicable local laws.

12. Push Notifications

If you enable push notifications, we store your device's push token in our database. You can disable notifications at any time through the app settings or your device settings.

13. Social Features

Our app includes social features like friend connections and profile sharing. You control what information is visible to other users through privacy settings. Friend requests and connections are stored to enable these features.

14. Children's Privacy

tool+ is not intended for children under 9. We do not knowingly collect personal information from children under 9. If you believe a child has provided us with personal information, please contact us immediately at support@toolplus.app.

15. End-to-End Encryption Details

15.1 How It Works

When you create an account or log in, an encryption key is derived from your password using cryptographic hashing with a random salt. This key is stored securely on your device in hardware-backed secure storage:

  • iOS: Apple Keychain (hardware-encrypted)
  • Android: Android Keystore (hardware-encrypted)

15.2 What Gets Encrypted

All your personal journal entries, notes, goals, todos, gratitude entries, mood data, sleep data, questions, and mission data are encrypted before leaving your device.

15.3 Password Changes

When you change your password, all encrypted data is automatically re-encrypted with a new key derived from your new password. This ensures continuous security even after password changes.

15.4 Data Migration

For existing users, when you first log in after this update, your existing data will be automatically encrypted during a one-time migration process. This happens transparently and securely.

16. Data Breaches

In the event of a data breach that may affect your personal information, we will notify you via email within 72 hours and report to relevant authorities as required by law. Due to end-to-end encryption, even in a breach, your encrypted personal data would remain unreadable without your encryption key.

17. International Data Transfers

While our primary data storage is in the EU (Firebase europe-west3), some services like OpenAI operate from the United States. These transfers are based on your explicit consent and adequate safeguards.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy in the app and updating the "Last updated" date. Continued use of the app after changes constitutes acceptance of the updated policy.

19. Contact Information

For questions about this Privacy Policy or our data practices, contact us at:

Email: support@toolplus.app

20. Complaints

If you believe we have not complied with data protection laws, you can file a complaint with:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt Moabit 59-61
10555 Berlin, Germany
Phone: +49 30 13889-0
Email: mailbox@datenschutz-berlin.de

By using tool+, you acknowledge that you have read, understood, and agree to this Privacy Policy.