Privacy Policy
little haven is a pixel companion for daily well-being practice, provided by Thomas Tjaja, trading as Thomas Tjaja – UX Design & Consultancy, a sole proprietorship registered in the Netherlands (“we,” “us,” “our”). This Privacy Policy explains what limited information the App processes, why, and the rights you have. It should be read together with our Terms of Service.
The short version: little haven does not require an account, does not ask for your name or email, and does not send your journal, mood, gratitude, focus, or pet data anywhere. Everything you write or record stays on your device.
If you have questions about this policy, email hi@thebuddyman.com.
1. The principles we built around
- Local-first. Your personal content — journal entries, mood notes, gratitude entries, focus sessions, routine completions, pet name, custom tags — is stored only in your device’s local storage (AsyncStorage). It is never uploaded to a server we control.
- No accounts, no identifiers. little haven does not require you to sign up, log in, or provide any identifying information. There is no username, email, phone number, or password to manage.
- Privacy-by-default analytics. The limited diagnostic and product-analytics data we do receive is tied only to an anonymous install ID — a random identifier generated on your device that cannot be linked back to you as a person. The contents of what you write are explicitly excluded.
- No selling, no advertising. We do not sell or rent any data, do not run advertising in the App, and do not share data for marketing purposes.
2. Information little haven does NOT collect
We do not collect, store, or transmit any of the following:
- Your name, email address, phone number, postal address, or any other contact details.
- Passwords or login credentials (there is no login).
- Payment-card or bank information (handled entirely by Apple or Google — see Section 4).
- Precise or coarse location data.
- Contacts, calendar entries, photos, or files from your device.
- The text of your journal entries, mood notes, gratitude entries, focus-session tag names, pet name, or any other content you author in the App.
- Demographic information (age, gender, ethnicity, occupation, income, etc.).
- Health data from Apple Health, Google Fit, or any other health platform.
- Microphone, camera, or biometric data.
If a feature requires a permission (for example, notifications), the App will ask you in the standard system prompt, and you can revoke it at any time from your device settings.
3. Information little haven DOES collect
little haven processes a small, deliberately minimal set of data, summarized below.
3.1 Anonymous install ID
When you first open the App, a random identifier (the “install ID”) is generated on your device and stored locally. It is not linked to your name, email, device serial number, advertising ID, or any other identifier from your phone. Its only purpose is to let our analytics and crash-reporting tools recognize that two events came from the same App installation — so that, for example, a crash report can be tied to the events that preceded it.
If you reinstall the App, a new install ID is generated and the old one becomes orphaned.
3.2 Product-analytics events (anonymous)
We send a limited set of in-app events — things like “user completed a breathing session,” “user marked a daily goal complete,” “user opened the mood tool” — to PostHog, our analytics provider hosted in the European Union. Each event includes:
- The anonymous install ID.
- The name of the event and a small set of safe metadata fields (e.g. which breathing exercise, the length of a journal entry as a word count — never the journal text itself).
- The build type (development / tester / production) and basic app/device metadata (App version, OS version, device model).
We use these events to understand which features are useful, which are confusing, and where the App breaks. We do not receive the content of anything you write.
3.3 Crash reports and performance data
When the App crashes or hits a serious error, a diagnostic report is sent to Sentry, our crash-reporting provider hosted in the European Union. The report includes:
- The anonymous install ID.
- A stack trace and basic device/OS information.
- The build type.
Sentry session replay is disabled, and our App is configured with sendDefaultPii: false. Before any event leaves your device, we automatically strip out a list of property names that could carry user-authored text (including but not limited to journal_text, entry_text, mood_note, note, gratitude_items, pet_name, tag_name, text, body, and content) as a safety net.
3.4 Subscription status
If you purchase a little haven Pro subscription, your purchase is processed by Apple (App Store) or Google (Google Play). They share a subscription receipt with RevenueCat, our subscription-management provider, which lets the App know that your subscription is active and which tier you’re on. RevenueCat receives an anonymous app-user ID linked to your install — not your name, email, or payment details.
We never see your card number, your Apple ID or Google account email, your billing address, or any other financial information. That data stays between you and Apple or Google.
4. Third-party services we rely on
The App relies on these third parties to function. Each has its own privacy policy, which we encourage you to review.
| Service | Purpose | Region | What they receive |
|---|---|---|---|
| PostHog | Anonymous product analytics | EU (Frankfurt) | Anonymous install ID, event names, safe metadata, app/device info |
| Sentry | Crash and performance diagnostics | EU (Frankfurt) | Anonymous install ID, stack traces, app/device info |
| RevenueCat | Subscription management | United States | Anonymous app-user ID, subscription receipts from Apple/Google |
| Apple In-App Purchase | Subscription billing on iOS | Global (per Apple’s terms) | Your Apple ID and payment details (we do not see these) |
| Google Play Billing | Subscription billing on Android | Global (per Google’s terms) | Your Google account and payment details (we do not see these) |
We do not use third-party advertising networks, attribution SDKs, social-login providers, push-notification analytics services, or AI-moderation services.
5. How we use this limited information
We use the data described in Section 3 only to:
- Operate the App and deliver the subscription you’ve paid for.
- Diagnose crashes and fix bugs.
- Understand, in aggregate and anonymously, which features are used and which need improvement.
- Comply with legal obligations (for example, tax records related to subscription revenue).
We do not:
- Sell, rent, or lease any data.
- Use any data for targeted advertising.
- Profile you for marketing purposes.
- Combine little haven data with data from other apps or sources to build a fuller picture of you.
6. International data transfers
We operate from the Netherlands, and our primary analytics and crash-reporting providers (PostHog and Sentry) host their EU instances within the EU. RevenueCat is based in the United States, and Apple and Google operate globally, so subscription-related data is transferred internationally as part of normal payment processing.
These transfers are covered by appropriate safeguards under the EU GDPR — typically Standard Contractual Clauses (SCCs) — and, where applicable, the EU-US Data Privacy Framework. By using the App, you understand that this limited, anonymous data may be processed outside your country of residence.
7. Your rights
You have rights over personal data that relates to you. Because we hold very little — essentially just an anonymous install ID and the events tied to it — most of these rights are easy to exercise, and many can be exercised directly from inside the App without contacting us.
7.1 Everyone
- The right to know. This policy is our answer.
- The right to delete. Open the App and go to Settings → Data → Delete all data. This permanently erases your install ID, all on-device content (journal, mood, gratitude, focus, routine, pet), and resets your anonymous analytics identity. Uninstalling the App also removes everything.
- The right to object. You can disable analytics and crash reporting by deleting the App, or contact us if you want us to disregard events tied to a specific install ID (you’ll need to share the install ID — there’s no other way for us to find your data, because we don’t know who you are).
7.2 Residents of the European Economic Area, Switzerland, and the United Kingdom (GDPR / UK GDPR)
You have, in addition to the above:
- The right of access — to ask what data we hold linked to your install ID.
- The right to rectification — to ask us to correct inaccurate data (though we hold no profile data to correct).
- The right to erasure — see “the right to delete” above; for analytics events already in PostHog or Sentry, contact us with your install ID and we will request deletion from those providers.
- The right to restrict processing.
- The right to data portability — to receive a copy of the limited event data tied to your install ID in a structured, machine-readable format.
- The right to object to processing based on legitimate interests.
- The right to lodge a complaint with a supervisory authority — for users in the Netherlands this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). Users in other EEA countries can contact their national data-protection authority. Users in the UK can contact the Information Commissioner’s Office (ico.org.uk).
To exercise any of these rights, email hi@thebuddyman.com with your install ID (visible in Settings → Data in the App). Because we hold no identifying information about you, the install ID is the only way we can locate your data. We will respond within 30 days.
The lawful basis for our limited processing is:
- Performance of a contract (Article 6(1)(b) GDPR) — for subscription management.
- Legitimate interests (Article 6(1)(f) GDPR) — for anonymous analytics and crash diagnostics, balanced against your privacy by the strict no-PII rules described above.
7.3 Residents of California (CCPA / CPRA)
California residents have the right to know what personal information is collected, to request its deletion, to correct it, to opt out of “sale” or “sharing” (we do neither), and not to be discriminated against for exercising these rights. To exercise these rights, email hi@thebuddyman.com with your install ID. We do not sell or share personal information for cross-context behavioral advertising.
7.4 Other regions
If your country has a similar data-protection law (for example, Brazil’s LGPD, Canada’s PIPEDA, or Australia’s Privacy Act), you have equivalent rights under that law and can contact us the same way.
8. Data retention
- On-device data is retained until you delete it from within the App or uninstall.
- Analytics events in PostHog are retained for 24 months and then deleted automatically.
- Crash reports in Sentry are retained for 90 days and then deleted automatically.
- Subscription records in RevenueCat are retained for as long as your subscription is active, plus the period required by tax and accounting law.
When you exercise the right to delete (Section 7), we will request deletion from PostHog, Sentry, and RevenueCat for the install ID(s) you provide.
9. Children’s privacy
little haven is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13, and because the App does not collect identifying information from anyone, this is enforced by design rather than by age-gate. If you are a parent or guardian and believe your child has used the App in a way that concerns you, contact us at hi@thebuddyman.com and we will help.
In jurisdictions where the digital-consent age is higher than 13 (for example, parts of the EU where it is 16), that higher age applies and parental consent is required for users below it.
10. Security
We protect your data through structural choices, not just policy:
- The most sensitive data — what you actually write — never leaves your device, so it cannot be exposed by a server breach on our side.
- Network calls to PostHog, Sentry, RevenueCat, Apple, and Google are made over HTTPS / TLS.
- Our analytics and crash-reporting providers are configured with PII-stripping safeguards (Sentry’s beforeSend filter scrubs known content-bearing property names before any event leaves the device).
- We do not have a custom backend, so there is no database of user content to be compromised.
No system is perfectly secure. If you believe there is a security issue with the App, please report it to hi@thebuddyman.com so we can investigate.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be announced in the App or via the App Store / Google Play release notes. The “Last updated” date at the top reflects the most recent revision. Continued use of the App after a change takes effect indicates acceptance of the revised policy.
12. Contact
Questions, requests, or complaints related to this Privacy Policy:
- Email: hi@thebuddyman.com
- Address: Thomas Tjaja – UX Design & Consultancy, Lilahof 19, 5044 RH Tilburg, Netherlands
- Web: https://littlehaven.app
We aim to respond to all privacy requests within 30 days.