We don't sell your data. We barely collect any. 40/12 is a reference app that works almost entirely on your device. We don't require an account, we don't track you across apps, and we don't run ads. The only network request the app makes is to the public USDA FoodData Central API to fetch nutritional data for a specific food — and even that is cached on your device so we don't need to re-fetch it. Your stage, purchase status, and preferences are stored locally in UserDefaults on your device and never sent to us.
Scope
This Privacy Policy applies to the 40/12 iOS application ("the App") published on the Apple App Store. It explains what data is collected, how it is used, and your rights regarding that data.
The App Store privacy nutrition label for 40/12 is the authoritative, Apple-reviewed disclosure. This policy provides additional detail.
Who We Are
Contact: developers@vrunik.com
We are a small independent developer. No designated Data Protection Officer is required under GDPR Article 37 given our processing scale.
What Information We Collect
3.1 Information stored locally on your device only
The following is stored in Apple UserDefaults on your device and never transmitted to us or any third party:
- Your current stage (pregnancy week or postpartum month)
- Whether you have completed onboarding
- Whether you have unlocked the full app (purchase status)
- Whether you have seen the notification permission prompt
- App preferences and navigation state
3.2 Purchase receipts (via RevenueCat)
When you make a one-time purchase, Apple processes the payment. We use RevenueCat to verify and manage entitlements. RevenueCat receives your App Store receipt and assigns it an anonymous identifier. No payment card details or personal financial information pass through our systems. RevenueCat's privacy policy applies: revenuecat.com/privacy.
3.3 USDA FoodData Central API requests
The App may make GET requests to the public USDA FoodData Central API (api.nal.usda.gov) to fetch nutritional data for specific foods. These requests include a food ID and an API key but do not contain any personal information about you. Fetched data is cached locally on your device for 30 days to minimise future requests.
3.4 Performance metrics (MetricKit — on-device only)
The App uses Apple's MetricKit framework to collect on-device performance diagnostics (hang rates, crash logs, memory usage). This data is processed entirely on your device and delivered to us only through Apple's aggregated, privacy-preserving MetricKit reports — we never receive personally identifiable data through this channel.
3.5 Support communications
If you contact us by email, we receive your email address and the contents of your message. We use this solely to respond to your enquiry and retain it for up to 24 months.
3.6 What we do not collect
- Name, date of birth, or health profile
- Location data
- Contacts, photos, microphone, or camera access
- Advertising identifiers (IDFA)
- Behavioural analytics or usage events
- Device fingerprints or cross-app tracking
- Any special-category health data under GDPR Article 9
Why We Use Your Information
We process data only for the following limited purposes:
- Making the App function — local preferences and purchase status are needed to deliver the correct content and experience.
- Verifying your purchase — RevenueCat checks your entitlement so you can access paid content on any device linked to your Apple ID.
- Fetching nutritional data — USDA API calls retrieve public nutritional information you request.
- Performance monitoring — aggregated, anonymised crash and hang diagnostics help us fix bugs.
- Customer support — responding to your emails.
- Legal compliance — retaining purchase records as required for tax purposes.
Legal Bases for Processing (GDPR)
For users in the EU, EEA, UK, and Switzerland, our legal bases under Article 6 GDPR are:
- Contract (Art. 6(1)(b)) — processing necessary to deliver the service you purchased.
- Legitimate interests (Art. 6(1)(f)) — performance monitoring and security, balanced against minimal privacy impact.
- Legal obligation (Art. 6(1)(c)) — retaining purchase records for tax compliance.
- Consent (Art. 6(1)(a)) — notification scheduling, which is opt-in and revocable at any time in iOS Settings.
Who We Share Information With
We share data only with the following categories of recipient, and only to the extent necessary:
- Apple Inc. — processes your App Store payment and delivers MetricKit diagnostics. Apple's privacy policy governs this data.
- RevenueCat, Inc. — manages purchase entitlements using your App Store receipt. No personally identifiable data beyond what Apple includes in the receipt is shared.
- USDA FoodData Central — receives food ID look-up requests containing no personal data.
- Legal authorities — only if required by a valid court order or equivalent legal process.
We do not sell, rent, or share your data for advertising or marketing purposes. We have no advertising partners.
Data Retention
- On-device UserDefaults — retained until you delete the App or reset your device. You can also clear the data by deleting and reinstalling the App.
- RevenueCat entitlement records — retained as long as your Apple ID has a purchase history; governed by RevenueCat's retention policy.
- USDA API cache — stored locally on your device for 30 days, then refreshed or evicted.
- Support emails — 24 months from last contact.
- Purchase records — 7 years for tax compliance.
Security
All data in transit between the App and external services (RevenueCat, USDA API) is encrypted using TLS 1.2 or higher. On-device data is protected by the iOS data protection layer. We do not operate servers that store your personal data, which means there is no central database to breach.
Cookies & Tracking
The App contains no cookies, advertising trackers, analytics SDKs, or cross-app tracking. The App does not request your IDFA (Advertising Identifier). No App Tracking Transparency prompt will appear.
Children
40/12 is designed for adults who are pregnant or in the postpartum period. The App is not directed at children. We do not knowingly collect personal information from anyone under the age of 13 (US), 16 (EU/EEA/UK), or 18 (India). If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
Your Rights
EU / EEA / UK / Switzerland (GDPR & UK GDPR)
You have the right to:
- access your data
- correct inaccurate data
- erasure ("right to be forgotten")
- restrict processing
- data portability
- object to processing
- withdraw consent at any time
- lodge a complaint with your supervisory authority
We will respond within one calendar month (extendable to three months for complex requests).
United States (California, Colorado, Virginia, and other US states)
You have the right to:
- know what personal information is collected
- delete personal information
- correct inaccurate information
- opt out of sale or sharing (we do not sell or share your data)
- non-discrimination for exercising rights
We will respond within 45 days (extendable to 90 days).
Because almost all data is stored locally on your device, the most effective way to exercise most of these rights is to delete the App, which removes all locally stored data. For data held by RevenueCat (purchase receipt), contact us at developers@vrunik.com and we will submit a deletion request on your behalf.
International Transfers
RevenueCat is a US-based processor. Data transfers to RevenueCat from the EEA are covered by Standard Contractual Clauses (EU Commission Decision 2021/914). Apple's privacy shield and data processing addendum cover App Store receipt data.
Changes to This Policy
We will update this policy when our practices change. Material changes will be noted prominently in the App or via the App Store update release notes. Continued use of the App after changes take effect constitutes acceptance.