Daily Affirm

Privacy Policy — Daily Affirm

Effective date: May 25, 2026 · Last updated: July 4, 2026

1. Who We Are

Daily Affirmations: Widget ("Daily Affirm," "the App," "we," "us," or "our") is operated by Roman Samoilenko, a Ukrainian sole proprietor (FOP) trading as TidyBit ("Developer"). Roman Samoilenko is the data controller for personal data processed under this policy. If you have questions about this policy or wish to exercise your privacy rights, contact us at:

Email: support@dailyaffirm.app
Privacy request form: dailyaffirm.app/privacy-request.html

2. Scope

This policy applies to the Daily Affirm iOS and Android applications and describes how we collect, use, and protect information when you use the App. It does not cover third-party websites or services that we link to.

Our own marketing website (dailyaffirm.app) sets no cookies and stores nothing on your device. It records only aggregate daily visit and tap counts (per day and referral channel) through a Cloud Function we operate; it never stores raw events, IP addresses, cookies, or user-agent strings — only a short-lived, salted one-way hash of your IP is used to throttle abuse.

3. Information We Collect

3.1 Information Collected Automatically via Firebase Analytics

When you use the App, Firebase Analytics (a Google service) automatically collects:

Firebase Analytics data is processed by Google in accordance with Google's privacy policy. Google may aggregate and anonymize this data for its own analytical purposes.

3.2 Crash and Diagnostics Data (Firebase Crashlytics)

If the App crashes or encounters an error, Firebase Crashlytics automatically collects a crash report containing:

Crash reports do not contain your name, email address, location, or any content you have interacted with.

3.3 Advertising Identifiers (AdMob — Free Tier Only)

This section applies only if you are using the free tier of the App and advertising is active. If you have unlocked the premium tier, banner ads are removed and AdMob is not used.

Daily Affirm's free tier displays banner ads served by Google AdMob. To serve and measure these ads, AdMob may collect:

AdMob ad data is processed by Google in accordance with Google's privacy policy.

If ad serving is not active in the version of the App you have installed (for example, if ads have not yet launched in your region or on your platform), none of the AdMob data above is collected.

3.4 In-App Purchase Transactions

If you make an in-app purchase, the transaction is processed entirely by the platform store (Apple App Store or Google Play Store). We do not see or store your payment card number, billing address, or any payment credential.

We receive from the platform:

This information is used solely to unlock the premium tier locally on your device. The transaction ID and product identifier are not transmitted to any server we operate, with the single Android-only exception described immediately below.

Android only — Play Integrity verification. On Android, before each in-app purchase, the App requests a Play Integrity verdict from Google Play Services and forwards the resulting attestation token, together with the product identifier you are attempting to purchase, to a Firebase Cloud Function we operate. The Cloud Function validates the token with Google's Play Integrity API and returns a pass/fail decision to your device. The token itself contains your app-licensing status (whether your Google account owns the App) and a device-integrity verdict (whether your device is recognized as a genuine Android device). We do not store the token or its contents beyond the in-process verification, but Google Cloud Logging records the HTTP request metadata (including the originating IP address) for up to 30 days as standard operational logging (see §7). On iOS, this flow does not apply — purchase receipts are verified locally via Apple's StoreKit 2 JWS signatures, with no developer-side server involvement.

3.5 Information You Provide — Favorites and Custom Affirmations

Affirmations you mark as favorites are stored locally on your device only. They are never uploaded to any server or cloud service, and they are not accessible to us. Uninstalling the App permanently deletes your favorites.

Any custom affirmations you write yourself are likewise stored locally on your device only. The text you type is never uploaded to any server we operate, is never included in analytics or crash reports, and is not accessible to us. Uninstalling the App permanently deletes your custom affirmations.

3.6 Notifications

If you enable daily affirmation notifications, the scheduling is handled entirely on your device. No push token or device registration is sent to any server we operate.

3.7 Information We Do NOT Collect Within the App

Within the App itself, we do not collect:

Information you voluntarily provide by email or via our privacy-request form is described separately in §3.8.

3.8 Information You Voluntarily Provide When Contacting Us

If you email us at support@dailyaffirm.app or submit our online privacy-request form at dailyaffirm.app/privacy-request.html, the following information is collected outside the App and processed by us:

The form is served from our Firebase-hosted website (dailyaffirm.app); submissions are sent to a Firebase Cloud Function we operate, which validates the input and stores the submission in a private Cloud Firestore database. The Firestore database is not publicly readable — only Roman Samoilenko (the data controller) can access submissions via the Firebase console. Hosting, Cloud Functions, and Cloud Firestore are provided by Google LLC in the United States (region: us-central1).

We use this information solely to verify and respond to your privacy request and to maintain a record of our compliance with applicable privacy laws (including the 24-month consumer-request recordkeeping requirement under 11 CCR § 7101 and the response-time documentation obligations under GDPR Art. 12). We retain this information for no longer than 24 months after the request is fulfilled, after which it is deleted. We do not use it for marketing, profiling, advertising, or any unrelated purpose, and we do not sell or share it.

Google LLC (Firebase Hosting, Cloud Functions, Cloud Firestore) acts as our data processor for the privacy-request form; see §6 and §11.

4. No User Accounts

Daily Affirm does not offer user accounts, sign-in, or registration. All preferences, favorites, and purchase entitlements are stored locally on your device.

5. How We Use Information

PurposeData usedLegal basis (GDPR)
Understand how the App is used and improve itFirebase Analytics eventsInside EEA / UK: Consent (Art. 6(1)(a)) — under Google Consent Mode v2, analytics_storage stays withheld until the in-app UMP dialog grants it; events are not transmitted or linked to you unless you consent. Outside EEA / UK: Legitimate interest (Art. 6(1)(f)).
Diagnose and fix crashesCrashlytics crash reportsInside EEA / UK: Consent (Art. 6(1)(a)) — Crashlytics is disabled at install time and only enabled after the same UMP grant flow. Outside EEA / UK: Legitimate interest (Art. 6(1)(f)).
Serve and measure banner ads (free tier, when active)AdMob identifiersConsent (Art. 6(1)(a)) — collected only after ATT / UMP consent
Fulfill your in-app purchaseTransaction status from platform storePerformance of contract (Art. 6(1)(b))

We do not sell your personal information. We do not use your data for automated decision-making or profiling.

6. Third-Party Services and Data Processors

ServiceProviderPurposePrivacy policy
Firebase AnalyticsGoogle LLCApp usage analyticspolicies.google.com/privacy
Firebase CrashlyticsGoogle LLCCrash reportingpolicies.google.com/privacy
Google AdMobGoogle LLCBanner advertising (free tier, when active)policies.google.com/privacy
Firebase Cloud FunctionsGoogle LLCPre-IAP integrity verification (Android only, §3.4)policies.google.com/privacy
Firebase App CheckGoogle LLCAnti-abuse attestation for the Cloud Function (Android only)policies.google.com/privacy
Google Cloud LoggingGoogle LLCOperational logging of Cloud Function HTTP requests — IP, timestamp, status (Android only, §3.4 / §7)cloud.google.com/terms/data-processing-addendum
Google Play Integrity APIGoogle LLCDevice-integrity attestation for Android IAP (token contents described in §3.4)policies.google.com/privacy
Apple App StoreApple Inc.In-app purchase processing (iOS)apple.com/legal/privacy
Google Play StoreGoogle LLCIn-app purchase processing (Android)policies.google.com/privacy
Firebase HostingGoogle LLCHosting of the privacy-request form web page (§3.8)policies.google.com/privacy
Cloud FirestoreGoogle LLCStorage of privacy-request submissions (§3.8)policies.google.com/privacy
Cloudflare (R2 + CDN)Cloudflare, Inc.Delivery of on-demand language fonts for Japanese / Korean / Chinese (your device's IP address is processed to serve the file; see below)cloudflare.com/privacypolicy

App content (affirmations, themes, strings) is bundled with the App and works offline, with one exception. The only network endpoints operated by us that the App contacts are the Firebase Cloud Function described in §3.4 (Android only), the Firebase-hosted privacy-request form described in §3.8 (web only, opt-in), and the font content delivery network described immediately below.

When you use a Japanese, Korean, or Chinese language, the App downloads the matching display fonts once from our content delivery network at fonts.dailyaffirm.app (hosted by Cloudflare). This is a one-time download of font files only; no information about you is sent, and the fonts are then cached on your device for offline use. As with any internet request, Cloudflare processes your device's IP address to deliver the files.

7. Data Retention and Deletion

To delete your Firebase analytics data: You can reset your advertising identifier or app instance ID in your device settings, which unlinks future data from past data. On iOS: Settings → Privacy & Security → Tracking (for IDFA) or reset via the "Reset advertising identifier" option. On Android: Settings → Google → Ads → Reset advertising ID.

8. Your Rights

GDPR (European Economic Area and UK residents)

If you are located in the EEA or UK, you have the right to:

Because we do not operate a user account system, the personal data we directly hold is limited to (a) Cloud Functions request logs for Android in-app-purchase verification (IP address and HTTP request metadata, retained 30 days — see §3.4 and §7) and (b) information you voluntarily provide via email or our privacy-request form (§3.8). All other personal data is held by our third-party processors (Firebase / Google). To exercise these rights against Google-held data, contact Google directly or use your device settings; for data we directly hold, contact support@dailyaffirm.app.

You also have the right to lodge a complaint with your local data protection authority.

CCPA / CPRA (California residents)

California residents have the right to:

We do not sell your personal information. Because we do not operate a user account system, we do not maintain a database of identified users. The personal data we directly hold is limited to Cloud Functions request logs for Android in-app-purchase verification (30 days, see §3.4 and §7) and information you voluntarily provide via email or our privacy-request form (§3.8). All other data is held by Google (Firebase, AdMob).

We do, however, "share" an advertising identifier for cross-context behavioral advertising on the free tier. The free tier shows a single AdMob banner that may use your device advertising identifier to personalize ads. Under the CPRA this is "sharing" for cross-context behavioral advertising, even though it is not a "sale." You can opt out of this sharing without leaving the App:

Our website sets no cookies and serves no advertising, so there is no web-based sharing to which a Global Privacy Control (GPC) signal would apply; in-app sharing is controlled through the device settings above.

To submit a deletion or access request for the data we directly hold, you may either:

  1. Email us at support@dailyaffirm.app, or
  2. Submit our online privacy-request form at dailyaffirm.app/privacy-request.html.

We provide these two methods to meet the California Consumer Privacy Act (§1798.130(a)(1)(B)) requirement that businesses designate at least two methods for consumer rights requests.

Other U.S. State Privacy Laws

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa (ICDPA), Texas (TDPSA), Montana (MCDPA), Oregon (OCPA), Tennessee (TIPA), Florida (FDBR), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Indiana (INCDPA), Kentucky (KCDPA), Rhode Island (RIDTPPA), Maryland (MODPA), Minnesota (MCDPA), or Nebraska (NDPA), you have rights substantially similar to those described above for California — to know and access the personal data we hold about you, to correct inaccuracies, to request deletion, and (where applicable) to opt out of targeted advertising, sale of personal data, or profiling that has significant effects.

Maryland (MODPA) additionally imposes a strict data-minimization standard: we collect only personal data that is reasonably necessary and proportionate to provide the App's functionality. We do not sell sensitive personal data of Maryland consumers, including any data that would qualify as sensitive under MODPA's heightened standard.

Appeal rights (VA / CO / CT / TX / OR / DE / NJ / IN / KY / RI / MD / MN / NE). If we decline to act on your rights request, you may appeal our decision within a reasonable time of receiving it. To appeal, email support@dailyaffirm.app with the subject line "Privacy Request Appeal" and a brief explanation of why you believe the original decision should be reconsidered. We will respond to your appeal in writing within 60 days. If your appeal is denied, you may contact your state Attorney General to submit a complaint.

To exercise any of the rights described in this section, use either of the two methods listed above (email or the online privacy-request form).

9. Children's Privacy (COPPA)

Daily Affirm is a general-audience application not directed at children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child under 13 has provided personal information through the App, please contact us at support@dailyaffirm.app and we will take prompt steps to delete that information from our processors.

If we learn that we have collected personal information from a child under 13 without parental consent, we will delete that information as quickly as possible.

10. Data Security

We take reasonable technical and organizational measures to protect information from unauthorized access, alteration, disclosure, or destruction. Because favorites, preferences, and purchase entitlements are stored locally on your device, they are protected by your device's own security measures (passcode, Face ID / fingerprint). Analytics and crash data transmitted to Firebase is sent over HTTPS.

No method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

11. International Data Transfers

The data processors named in §6 are all based in the United States:

If you use the App from outside the United States, or if you contact us from outside the United States via email or the privacy-request form, your data may be transferred to and processed in the United States or other countries where these providers operate data centers.

12. Platform-Specific Disclosures

The tables in this section describe data collected by the App itself. Information you voluntarily provide by email or via our online privacy-request form (§3.8) is not in-app collection and is not represented in these tables.

Apple App Privacy (App Store)

For the purposes of Apple's App Privacy nutrition label:

Data type (Apple taxonomy)Collected?Linked to identity?Used to track you?Purpose
Identifiers — device ID, app-instance / user IDYes — Firebase Analytics; AdMob ad ID (free tier)NoYes — via the AdMob banner (free tier, when active, ATT-gated)Analytics; ad serving
Usage Data — product interaction, advertising dataYes — Firebase Analytics events; AdMobNoYes — via the AdMob banner (free tier, when active)Analytics; ad serving
Purchases — purchase historyYes — in-app-purchase eventsNoNoAnalytics
Diagnostics — crash dataYes — CrashlyticsNoNoApp functionality
Location, Contacts, Health, Financial, Photos, MessagesNo

"Linked to identity" means linked to your name, email, or Apple ID — none of the above is linked to your identity because we have no account system. The "used to track you" flags on Identifiers and Usage Data reflect the bundled Google AdMob SDK's use of the advertising identifier for cross-context advertising on the free tier; they mirror the App's live App Store privacy label. See the CCPA / CPRA section for how to opt out.

Google Play Data Safety

Data categoryCollected?Shared with third parties?Purpose
Device or other IDsYes — Firebase app instance ID; Ad ID (free tier, when active)Yes — Google (Firebase, AdMob)Analytics; ad serving
Device or other IDs (Play Integrity verdict via developer Cloud Function, Android only, pre-IAP)Yes — appLicensingVerdict, deviceRecognitionVerdict, request hash + IP address (server-log only)Yes — Google (Play Integrity API); also processed by a Firebase Cloud Function we operate (see §3.4)Anti-fraud / purchase verification
App interactionsYes — Firebase Analytics eventsYes — Google (Firebase)Analytics
Crash logsYes — CrashlyticsYes — Google (Firebase)Crash diagnostics
Advertising dataYes — AdMob, free tier only, when activeYes — Google (AdMob)Ad serving and measurement
Personal info (name, email, address)No
Financial infoNo
Location (precise or coarse)No
Photos, audio, files, health, contacts, messagesNo

Data collection is required for core app analytics functionality. Data is encrypted in transit. Users can request deletion by resetting their device advertising identifier.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. If the changes are material, we will provide a prominent notice within the App or via the App Store / Play Store listing update notes. Your continued use of the App after any changes constitutes acceptance of the updated policy.

We encourage you to review this policy periodically.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

Trader / Data Controller
Roman Samoilenko (Ukrainian sole proprietor — FOP)
Email: support@dailyaffirm.app
Privacy request form: dailyaffirm.app/privacy-request.html

The geographic trader address and telephone number required under EU DSA Art. 30(5) are published in the "Developer Contact" section of our App Store and Google Play product pages.

This policy is written in English. The App is shipped in English, English (UK), German, Spanish, French, Italian, Dutch, Polish, Portuguese (Brazil), Portuguese (Portugal), Ukrainian, Japanese, Korean, Chinese (Simplified), and Chinese (Traditional); translations of this policy into those languages may be provided in the App for convenience, but the English version controls in the event of a conflict.