DOPA Privacy Policy
Version: v1.1
Effective Date: v1.0 release (TBD)
Last Updated: 2026-06-11
Scope: DOPA mobile application (“the App”), version 1.0
Frameworks: Apple App Privacy / Google Play Data Safety / California CCPA·CPRA / Children’s COPPA / EU GDPR (informational) / South Korea PIPA (parallel — see Korean version)
This policy describes the App’s behavior as actually implemented. All cognitive performance data is stored exclusively on the user’s device. As of policy v1.1, the App additionally offers an anonymous, opt-in usage statistics feature (default OFF, §2.6): if, and only if, you enable it, the App transmits counts-only aggregates of whitelisted event names over HTTPS, with no individual records and no identifiers. With the toggle OFF (the default), the App performs no outbound network transmission, preserving the v1.0 baseline. (See ADR-016 anonymous opt-in telemetry, a conditional extension, not a reversal, of ADR-014 v1 telemetry defer.) Crash reporting (Sentry) remains not integrated; if it is introduced in a later version, this policy will be versioned again and the corresponding Apple App Privacy / Google Play Data Safety forms will be re-submitted.
1. At a Glance — What the App Does and Does Not Do
- The App is a wellness self-observation tool. It is not a medical device. It does not diagnose, treat, or prevent any disease. (See `health_disclaimer_v1.md`.)
- The App does not collect data by default. The only outbound transmission the App can ever perform is the anonymous, opt-in usage statistics described in §2.6 — counts-only aggregates with no identifiers, sent only if you explicitly turn the toggle ON (default OFF).
- The App does not sell any personal information. The App does not share any personal information with third parties for cross-context behavioral advertising.
- The App is not directed to children. The App’s age rating is 12+ on Apple; under IARC (Google Play) the rating is region-dependent and remains an estimate until the operator completes the final attestation.
- The App does not use the IDFA / advertising identifiers, and does not request App Tracking Transparency (ATT) permission. `NSPrivacyTracking` is set to `false`. The iOS privacy manifest declares the opt-in usage statistics as Usage Data / Not Linked to You / No Tracking.
2. Information Stored On Your Device
The App stores the following items, all of which remain on your device. (If you enable the anonymous usage statistics of §2.6, only counts-only aggregates leave the device — never the items below in raw form.)
2.1 Identifiers (local-only)
- Local anonymous ID — a random identifier generated on the device at install time. The App does not collect names, email addresses, phone numbers, postal addresses, government IDs, social security numbers, or any direct identifier.
2.2 Cognitive Performance Data
- Session timestamps, cycle counts, response times, and accuracy for the three cognitive tasks (task switching, N-back, digit-symbol substitution)
- Breath pacer cycle completion (`cycles_completed`, 0 to 3)
- User-chosen goal (focus chip), and prior video / task history
2.3 Device Environment
- Device model name (used locally for device-specific normalization of cognitive metrics)
2.4 Consent and Settings
- Acknowledgment of the medical-device disclaimer (`disclaimer_accepted`)
- Notification permission status
- Calibration completion status
- Analytics opt-in flag (`analytics_opt_in`, default OFF). Controls the anonymous usage statistics transmission described in §2.6; you can turn it ON or OFF at any time via the Settings toggle.
- Selected language (i18n)
Items the App does not collect: name, contact information, email, phone number, government ID numbers, GPS location, photos / contacts / calendar, advertising identifiers (IDFA / GAID), demographic data, payment information, biometric identifiers.
2.5 Sensitive / Health Data — Position Statement
The cognitive performance data and breath pacer records processed by the App are not treated as “sensitive health data” by the App, on the following grounds.
- Non-medical processing — the App is not a medical device and does not pursue diagnosis, treatment, or prevention. The data is used as self-observation performance metrics, not as a measure of medical health.
- No external transmission or diagnostic use — there is no pathway for these records themselves to leave the device or be used for clinical decisions. (The opt-in telemetry of §2.6 transmits only counts of event names per anonymous segment — never reaction times, accuracy values, scores, or any other performance values.)
- Anonymous local processing — without direct identifiers, the records cannot be combined into identifiable health information outside the device.
This is the App’s good-faith interpretation. If future authoritative legal review, regulator interpretation, or relevant precedent reclassifies these records as sensitive / special-category data, the App will introduce additional consent flows and version this policy. Any medical-context feature (e.g., clinical scale outputs, medical-institution integration) triggers re-evaluation of §2.5. (The §2.6 telemetry was evaluated under this clause for policy v1.1: because it transmits only event-name counts and never the performance values themselves, the position above is unchanged.)
2.6 Anonymous Usage Statistics (Opt-In, Default OFF)
If — and only if — you enable the “Share anonymous usage stats” toggle in Settings (default: OFF), the App transmits the following, and nothing else:
- Counts-only aggregates of event names. The App counts occurrences of event names drawn from a fixed whitelist of 53 event names (e.g., how many times a session was started or completed) and transmits those counts. No individual event rows, no precise timestamps, no user or session identifiers, and no event payloads (cognitive scores, goal text, device model, etc.) are ever transmitted.
- Coarse segment dimensions attached to those counts:
  - region: `KR` / `US` / `OTHER` (3 values only, derived from the device’s Region setting; never GPS or precise location, which the App does not request or use)
  - timezone-offset bucket (e.g., UTC+9; derived from the device clock’s UTC offset, not your precise time and not an IANA timezone string)
  - platform (`ios` / `android`)
  - app version
  - event-contract version
- A batch deduplication identifier and a schema identifier. `batch_id` is a deterministic hash of the transmitted batch (used only so duplicate retransmissions of the same batch can be absorbed); it is derived from the batch content alone, not from you or your device, and cannot be linked to any identity. The schema identifier (`dopa_telemetry_v1`) names the aggregation format version.
Protections:
- Opt-in only — the toggle defaults to OFF. With the toggle OFF, the App performs no outbound transmission whatsoever (the v1.0 baseline behavior is preserved exactly).
- Immediate withdrawal — turning the toggle OFF stops transmission immediately (see §6).
- k-anonymity (k = 5) — the transmitted and stored unit is per-batch counts; when segment statistics are produced (server-side aggregation / analysis), a k = 5 rule merges any segment combination represented by fewer than 5 uploaded batches into an “other” bucket, so sparse segment combinations cannot single out an individual. (k is a server-side parameter, counted in uploaded batches, and may be raised as the user base grows.)
- No tracking — no IDFA / GAID, no per-install identifier is transmitted, no cross-app or cross-site tracking. The iOS privacy manifest declares this data as Usage Data / Not Linked to You / No Tracking.
- No new SDKs — transmission uses the platform’s built-in HTTPS client only; no third-party analytics SDK is embedded, so no third party can auto-collect anything beyond the fields listed above.
Operational note (verbatim disclosure): as of this policy version, the collection endpoint is not yet deployed — the App’s telemetry client is configured with an empty endpoint and performs no transmission even when the toggle is ON. This section governs the App’s behavior from the moment the endpoint is activated.
3. Data Location and Retention
3.1 Storage Location
All on-device, locally only.
- Cognitive performance / session data: device-local SQLite database (`dopa.db`)
- Settings / language selection: device-local MMKV key-value store
- Audio / video assets: bundled within the App’s static assets
No cloud sync, no advertising network, no analytics SDK. With the anonymous-usage-statistics toggle OFF (the default), the App makes no outbound network requests during normal operation. With the toggle ON, the only outbound transmission is the counts-only aggregates described in §2.6, sent over HTTPS to a collection endpoint operated for the App on Cloudflare infrastructure (see §4).
You can export a copy of your own data via Settings > Data Export (JSON). This is a user-initiated share (OS share sheet) — the App never transmits your records externally on its own. (The only automatic transmission the App can perform is the opt-in, counts-only aggregates of §2.6, which never include your records.)
3.2 Retention
- Data is retained while the App is installed and you do not actively delete it.
- Uninstalling the App causes the operating system to remove the SQLite / MMKV areas, deleting all records.
- Settings > Delete All Data performs an immediate in-app wipe of all local data (all SQLite tables + MMKV). It also clears the analytics opt-in consent record, so no further §2.6 transmission occurs afterwards.
- Anonymous aggregates transmitted under §2.6 (only if you opted in) are retained server-side as statistical records. They contain no identifiers and cannot be traced back to you or your device; see §6 for the honest consequence of this for per-person deletion.
4. Third Parties / Service Providers
The App engages one infrastructure service provider, and only for the opt-in anonymous usage statistics described in §2.6:
| Processor | Role | Data received | Location |
|---|---|---|---|
| Cloudflare, Inc. (United States) | Serverless receipt and storage infrastructure (Cloudflare Worker + D1 database) for the anonymous usage statistics | Counts-only anonymous aggregates (§2.6) — no identifiers; the App’s ingestion endpoint does not store IP addresses | US legal entity; database placement uses a data residency hint of Asia-Pacific (apac) |
Cloudflare acts as an infrastructure processor only — it receives no personal information from the App, and no data is shared with any third party for advertising, profiling, or any purpose other than hosting the App’s own anonymous aggregates. With the §2.6 toggle OFF (default), Cloudflare receives nothing.
Sentry (crash reporting) is not active — the Sentry SDK is included in the App’s code but is never initialized (no DSN is configured), so no crash data is collected or transmitted. Crash reporting and the §2.6 usage statistics are two independent transmission tracks and are never merged. If Sentry (or an alternative) is activated in a future version, prior notice will be given, this policy will be versioned, and the Apple App Privacy / Google Play Data Safety records will be updated.
5. International Data Transfers
Opt-in usage statistics only. If you enable the anonymous usage statistics (§2.6), the counts-only aggregates are received and stored on infrastructure operated by Cloudflare, Inc., a United States corporation. The storage placement uses an Asia-Pacific data residency hint, but because the infrastructure operator is a US legal entity, this is disclosed as a cross-border transfer for the purposes of South Korea’s PIPA (see the Korean-language version of this policy for the PIPA narrative).
With the toggle OFF (the default), no data leaves the device and no international transfer occurs. (If a future version uses additional providers hosted outside your jurisdiction, prior notice and any required consents will be obtained before activation.)
6. Your Choices and Rights
You have the following choices regarding the App:
- Access — all your performance records are visible in the App’s Weekly Mirror and Result screens. There is no separate access request required, because the records reside on your device. You can also obtain a full copy via Settings > Data Export (JSON, user-initiated share).
- Deletion — Settings > Delete All Data performs an immediate in-app wipe of all local data (SQLite + MMKV) and also clears the analytics opt-in consent. Uninstalling the App likewise deletes all data on your device.
- Stop processing — declining notification permission stops notification processing; not using the App stops all measurement.
- Anonymous usage statistics (§2.6) — strictly opt-in via the Settings toggle (default OFF). Turning the toggle OFF at any time stops all transmission immediately. Honest limitation: aggregates already transmitted contain no identifiers, so your individual contribution to an anonymous count cannot be located or deleted afterwards — the same property that makes the data incapable of identifying you also makes per-person erasure technically impossible.
California residents (CCPA / CPRA): The App processes no personal information for “sale” or “sharing” as defined under California law, and collects no personal information beyond the on-device records described above. Categories of personal information collected, as defined under the California Consumer Privacy Act as amended by the CPRA: none. If you opt in, the App transmits the anonymous, aggregate usage statistics described in §2.6; these are counts-only aggregates that are not reasonably capable of being associated with, or linked to, a particular consumer or household, and so are not “personal information” under the CCPA.
Children (COPPA): The App is not directed to children under 13 and does not knowingly collect personal information from children. The App’s age rating is 12+ (informational, attestation by operator).
EU residents (GDPR — informational): The anonymous usage statistics (§2.6) are designed to fall outside the scope of personal data (counts-only, no identifiers, k-anonymity with k = 5). To the extent the transmission is nonetheless treated as processing of personal data, the legal basis is consent — the explicit opt-in toggle, off by default — and withdrawal of consent is the same toggle turned OFF, effective immediately and as easy as giving consent. As honestly disclosed above, aggregates already transmitted cannot be erased on a per-person basis because no identifier exists by which to locate them. If GDPR-relevant processing beyond this is introduced in a future version, separate notice and lawful basis will be established at that time.
South Korea residents (PIPA): See the Korean-language version of this policy (`privacy_policy_v1.md`) for the PIPA §30 narrative.
7. Device Permissions
| Permission | Purpose | Effect of Denial |
|---|---|---|
| Notifications | Trigger local notifications at user-configured times | No notifications; all measurement features continue to work |
Remote push, camera, location, photos, microphone, contacts, and calendar permissions are not requested.
8. Security
- With the §2.6 toggle OFF (the default), data does not leave the device and communication-channel exposure is not applicable.
- The opt-in usage statistics (§2.6) are transmitted exclusively over HTTPS (TLS) — encrypted in transit.
- The App’s ingestion endpoint does not store IP addresses, and ingestion is idempotent — duplicate retransmissions of the same batch are designed to be absorbed without inflating counts (in rare edge cases anonymous totals may be slightly overcounted; no personal records exist to be duplicated).
- k-anonymity (k = 5) merging is applied server-side at aggregation / analysis time — when segment statistics are produced — so that sparse segments cannot single out an individual (§2.6).
- On-device security depends on device-level protections (OS passcode, app sandbox).
- Code integrity: official Apple App Store / Google Play distribution channels only.
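Worked example (added by the editor for illustration; this is not the App’s code and nothing in it forms part of the policy): the Python model below walks through the §2.6 client-side batch construction and the §8 server-side handling end to end, so that “counts-only”, “deterministic `batch_id`”, “idempotent ingestion” and “k = 5 counted in batches” can be read as concrete operations. It assumes a three-name whitelist in place of the real 53 names, a SHA-256-over-canonical-JSON construction for `batch_id`, the field names `tz_offset` and `contract_version`, and an `Ingest` class standing in for the Worker + D1 logic; the rule that a merged “other” bucket still below k is withheld is also an assumption, since the policy does not state how that case is handled.

```python
"""Added example (editor's illustration, not the App's code): a model of the
§2.6 client-side batch construction and the §8 server-side handling.
Event names, field names, the exact batch_id construction and the 'other'
bucket handling are assumptions; the real whitelist has 53 names."""
import hashlib
import json
from collections import Counter, defaultdict

SCHEMA = "dopa_telemetry_v1"
K = 5  # server-side parameter, counted in uploaded batches (§2.6)
# Constructed whitelist for illustration; the policy's real list has 53 names.
EVENT_WHITELIST = frozenset({
    "session_started", "session_completed", "breath_pacer_completed",
})
SEGMENT_FIELDS = ("region", "tz_offset", "platform", "app_version", "contract_version")


def coarse_region(region_setting):
    """Device Region setting -> KR / US / OTHER (3 values; never GPS)."""
    return region_setting if region_setting in ("KR", "US") else "OTHER"


def tz_bucket(offset_minutes):
    """Device clock UTC offset -> bucket label such as 'UTC+9' or 'UTC-3:30'."""
    sign = "+" if offset_minutes >= 0 else "-"
    hours, mins = divmod(abs(offset_minutes), 60)
    return f"UTC{sign}{hours}" + (f":{mins:02d}" if mins else "")


def canonical_hash(body):
    """batch_id (assumed construction): SHA-256 over canonical JSON of the
    batch with the batch_id field itself left out.  No device input enters it."""
    content = {k: v for k, v in body.items() if k != "batch_id"}
    blob = json.dumps(content, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def build_batch(raw_events, segment):
    """Client side.  raw_events carry names plus payloads (scores, timestamps,
    goal text); only whitelisted names survive, and only as counts."""
    counts = Counter(e["name"] for e in raw_events if e.get("name") in EVENT_WHITELIST)
    if not counts:
        return None  # nothing whitelisted happened: nothing to transmit
    body = {
        "schema": SCHEMA,
        "segment": {f: segment[f] for f in SEGMENT_FIELDS},  # coarse dims only
        "counts": dict(sorted(counts.items())),
    }
    body["batch_id"] = canonical_hash(body)
    return body


class Ingest:
    """Server side (assumed shape of the Worker + D1 logic); no IP is stored."""

    def __init__(self):
        self.batches = {}  # keyed on batch_id, so a retransmission collapses

    def receive(self, body):
        """True if stored; False if malformed, tampered, or already present."""
        counts = body.get("counts")
        if body.get("schema") != SCHEMA or not isinstance(counts, dict):
            return False
        if set(body.get("segment", {})) != set(SEGMENT_FIELDS):
            return False
        if body.get("batch_id") != canonical_hash(body):
            return False  # batch_id must match the content it claims to cover
        if any(n not in EVENT_WHITELIST or not isinstance(c, int) or c < 0
               for n, c in counts.items()):
            return False  # server re-checks the whitelist: no payload smuggled in a key
        if body["batch_id"] in self.batches:
            return False  # duplicate absorbed, totals not inflated (idempotent)
        self.batches[body["batch_id"]] = body
        return True

    def segment_stats(self, k=K):
        """Per-segment totals.  A segment with fewer than k batches is merged into
        'other'; if even the merged remainder is below k it is withheld (an
        assumption: the policy does not say how that case is handled)."""
        groups = defaultdict(list)
        for b in self.batches.values():
            groups[tuple(b["segment"][f] for f in SEGMENT_FIELDS)].append(b)
        stats = {}
        for key, batches in groups.items():
            agg = stats.setdefault(key if len(batches) >= k else "other", Counter())
            agg["_batches"] += len(batches)
            for b in batches:
                agg.update(b["counts"])
        if "other" in stats and stats["other"]["_batches"] < k:
            del stats["other"]
        return {label: dict(c) for label, c in stats.items()}
```

Two points the listing makes concrete. First, `receive` re-validates both the whitelist and the `batch_id` on the server, so a modified client cannot use a count key as a payload channel or replay an altered batch under an old identifier; the client-side whitelist is a minimization measure, not a trust boundary. Second, because no per-install identifier is transmitted, k can only be counted in uploaded batches, exactly as §2.6 states; five batches in a segment are therefore not a guarantee of five distinct devices, which is one reason k is described as a parameter that may be raised. A purely content-derived `batch_id` also means two devices that upload byte-identical batches would be collapsed into one, a design trade-off worth knowing when reading the totals.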
9. Contact
- Operator (Publisher): Seo YeJin
- Email: rlagnl333@gmail.com
- App Store / Play Store developer page: TBD
10. Changes to This Policy
If this policy changes, the App will display an in-App notice or use a store update notice. Material changes (including changes adverse to users) become effective 30 days after notice. Non-material / routine changes become effective 7 days after notice. (Aligned with terms_of_service_v1.en.md §13.)
11. Version History
| Version | Date | Change |
|---|---|---|
| v1.0 | 2026-05-29 | Initial release: DOPA v1.0 as implemented, no outbound transmission, on-device SQLite only |
| v1.0 (amend) | 2026-06-10 | §3.1 / §6 Access updated for the new Settings > Data Export (JSON, user-initiated share) feature (DATA-A1 implementation, DATA-A7 alignment) — no change to the no-outbound-transmission position (export is user-driven) |
| v1.1 | 2026-06-11 | Anonymous opt-in usage statistics introduced (ADR-016, conditional extension of ADR-014) — new §2.6 (counts-only aggregation of 53-event-name whitelist, segment dimensions region KR/US/OTHER · timezone-offset bucket · platform · app version, default OFF, k = 5); §4 names Cloudflare, Inc. (US) as infrastructure processor (Asia-Pacific residency hint); §5 cross-border transfer disclosure; §6 consent / immediate withdrawal / per-person-deletion-impossibility honest notice; §8 HTTPS · no IP storage · k-anonymity; iOS privacy manifest declared as Usage Data / Not Linked to You / No Tracking. Sentry remains not integrated (SDK present but never initialized, no DSN configured; see §4) |
| v1.1 (rev) | 2026-06-11 | Verification-driven corrections — §3.2 / §6 now reflect the implemented Settings > Delete All Data in-app wipe (under-declaration fix); §2.6 k = 5 precisely described as a server-side aggregation/analysis-time rule (measured in uploaded batches, “never lowered” over-promise removed), batch_id / schema identifier disclosed; §8 idempotency wording honestly qualified; toggle name aligned with the actual UI label (“Share anonymous usage stats”); §1 age-rating wording qualified (Apple 12+ / IARC region-dependent); §6 CCPA “none” qualified with the §2.6 transmission fact |
Appendix: Connection to ADR-014 / ADR-016
The v1.0 minimalism of this policy was anchored in the decision to defer telemetry (ADR-014 v1 telemetry defer). As of policy v1.1, ADR-014 is conditionally extended — not reversed — by ADR-016 (anonymous opt-in telemetry): anonymous, opt-in, counts-only usage statistics are now permitted, under the invariants the original decision protected:
- “We know exactly what we send” — no third-party SDK auto-collection; the App’s own endpoint receives only the fields the App explicitly transmits (§2.6).
- Explicit opt-in, immediate withdrawal: `analytics_opt_in` defaults to OFF; the Settings toggle is both the consent and the withdrawal mechanism.
- No identity linkage — no user/session identifiers transmitted, no account, no tracking.
Accordingly, this v1.1 updates §2.6 / §3 / §4 / §5 / §6 / §8, the Apple App Privacy declaration moves from effectively “Data Not Collected” to “Usage Data / Not Linked to You / No Tracking” (the iOS privacy manifest already declares this), and the Apple App Privacy / Google Play Data Safety forms are re-filed to match.
Sentry (crash reporting) remains a separate, not-yet-activated transmission track — the Sentry SDK is included in the App but is never initialized (no DSN is configured), so zero crash data is collected or transmitted today, and crash reporting is never merged with the §2.6 aggregates. When Sentry (or an alternative) is activated in a future version:
- §2 will add crash data, diagnostics
- §4 will name Sentry Inc. (or alternative)
- §5 will be updated for the corresponding international transfer with notice and any required consent
- App Tracking Transparency status will be re-evaluated (currently `false`, i.e., no tracking)
- Apple App Privacy / Google Play Data Safety records will be re-filed
- this policy will be versioned again (v1.2+)
This is the normal release lifecycle, not a workaround. This policy describes only what is actually implemented — pre-declaring unimplemented telemetry would be a misrepresentation and could itself be a basis for store rejection (over-declaration vs. actual behavior).