Privacy Policy
Effective 2026-04-29 · Last updated 2026-04-29
This privacy policy explains how the UUTA app and the website at uuta.io handle information. Both are published by Srutva Labs LLC, a limited liability company registered in the State of Texas, United States ("Srutva," "we," "us"). The policy is written to comply with the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by CPRA (CCPA/CPRA), and similar laws elsewhere.
UUTA does not collect personal data from you. There is no account to sign in to, no analytics, no advertising, no telemetry, and no third-party SDKs. We operate no server that receives your data.
What you write — your goals, your daily notes, your tags — stays on your device. If you turn on iCloud sync (your choice during onboarding), what you write is stored in your own private iCloud, encrypted in transit and at rest by Apple. We do not access your iCloud data; under Apple's standard encryption model for CloudKit private databases, we have no technical means to read it.
Data we collect
None.
We do not collect, store, transmit, or receive any personal information, usage data, diagnostic data, identifiers, contact information, location, content, or any other category of personal data through the app. Data the user creates inside the app stays on the user's device, as described below.
CCPA categories of personal information
The California Consumer Privacy Act, as amended by CPRA, defines specific categories of personal information. For each category, here is what UUTA collects:
- Identifiers (name, email, IP, device ID): None.
- Customer records (Cal. Civ. Code §1798.80(e) categories): None.
- Protected classifications (race, gender, age, etc.): None.
- Commercial information (purchase history, products considered): None. Apple processes purchases.
- Biometric information: None.
- Internet or network activity (browsing, search, ad interactions): None.
- Geolocation data: None.
- Audio, electronic, visual, thermal, olfactory, or similar information: None.
- Professional or employment information: None.
- Education information: None.
- Inferences drawn from any of the above to create profiles: None.
- Sensitive personal information (precise geolocation, race, religion, health, sexual orientation, contents of communications, biometrics for ID, etc.): None.
We have not collected, sold, or shared any of these categories in the previous 12 months and have no plans to.
Apple App Tracking Transparency (ATT)
UUTA does not engage in tracking as defined by Apple's App Tracking Transparency framework. We do not link your activity in UUTA to your activity in apps or websites owned by other companies for advertising or measurement purposes, and we do not share data with data brokers. Because we do not track, no ATT permission prompt is required or shown.
Data stored on your device
UUTA stores the following on your device, in a private SwiftData store readable only by the app:
- Goals you create (name, symbol, sort order, archive timestamp).
- Notes you write (date, text, optional tags, optional "showed up" mark).
- App preferences (daily check-in time, app lock setting, appearance preference, language).
This data is stored in the app's sandboxed container managed by your operating system. When you delete the app, this data is deleted. We never see this data and have no way to retrieve it.
iCloud sync (optional)
If you enable iCloud sync in Settings, the data above is synchronized to your private iCloud container (iCloud.io.uuta.uutaapp) using Apple's CloudKit service. This means:
- Your data is encrypted by Apple in transit and at rest.
- Your data is stored in your iCloud, not ours. You can see, export, and delete it at any time from device Settings → [your name] → iCloud → Manage Account Storage → UUTA.
- We do not access this data; under Apple's standard CloudKit private-database encryption, we have no technical means to read, recover, or transmit it.
- Apple may transfer your iCloud data to data centers in other countries (including the United States) as part of running CloudKit. This transfer is governed by Apple's privacy policy and contractual safeguards. See apple.com/legal/privacy.
You can turn iCloud sync off at any time. Doing so stops new data from syncing; data already in iCloud remains until you remove it via device Settings.
Notifications
UUTA can send a single local notification per day (the daily check-in) only if you enable it in Settings. This notification is scheduled by the app on your device. It is not a push notification, involves no server, and uses no remote infrastructure. You can disable it at any time.
App lock
UUTA can lock the app behind your device unlock — Face ID, Touch ID, Optic ID, or your device passcode — using Apple's standard authentication APIs. UUTA does not store, transmit, or have access to your biometric data or your device passcode.
Export
You can export everything UUTA has stored to a JSON file using the Export feature in Settings. This file is generated on your device and shared via the system share sheet. UUTA does not transmit this file anywhere.
Purchases
All purchases are handled by Apple through the App Store. We never see your payment details, billing address, or Apple ID. Apple shares with us only an anonymized purchase confirmation. To request a refund, contact Apple at reportaproblem.apple.com.
This website
uuta.io is a static site hosted on Cloudflare Pages. It loads no third-party scripts, sets no cookies, and uses no analytics. Standard server access logs (visitor IP address, user agent, requested URL, timestamp) may be retained by Cloudflare for up to 30 days for operational, security, and abuse-prevention purposes. We do not access these logs and they are not linked to any account or identifier. The lawful basis for this processing is our legitimate interest (GDPR Art. 6(1)(f)) in operating a secure website. Cloudflare is the data controller for these logs; see cloudflare.com/privacypolicy.
Children
UUTA contains no objectionable content and is rated 4+. We do not knowingly collect any data from children, because we do not collect any data from anyone. The app is not directed at children under 13 (or under 16, in jurisdictions where that age applies).
Automated decision-making
We do not use your data for automated decision-making, profiling, or any algorithmic processing of any kind, because we do not have your data.
Data retention
We retain no data about you. Data on your device is retained until you delete it or uninstall the app. iCloud data is retained until you remove it via device Settings. Cloudflare server logs are retained for up to 30 days, then deleted.
EEA, United Kingdom, and Switzerland (GDPR / UK GDPR / FADP)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights to:
- Access any personal data we hold about you (Art. 15 GDPR).
- Request correction of inaccurate data (Art. 16).
- Request deletion of your data — the "right to be forgotten" (Art. 17).
- Restrict or object to processing (Art. 18, 21).
- Receive your data in a portable format (Art. 20).
- Withdraw consent, where consent was the lawful basis.
- Lodge a complaint with a data protection authority — for the UK, the Information Commissioner's Office at ico.org.uk; for the EU, your national supervisory authority (a directory is at edpb.europa.eu); for Switzerland, the FDPIC at edoeb.admin.ch.
Because UUTA does not collect personal data from you, in practice we have nothing to disclose, correct, port, or delete. For server access logs (see "This website"), Cloudflare is the controller. We will respond to verifiable rights requests within 30 days.
California (CCPA / CPRA)
If you are a California resident, you have the rights to know, delete, correct, and opt out of the sale or sharing of your personal information. We do not sell or share your personal information for advertising or any other purpose. We have not done so in the previous 12 months and have no plans to. We do not collect any of the categories of personal information defined under the CCPA. Submit any request to [email protected].
Other jurisdictions
If you reside in Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act 1988), South Korea (PIPA), India (DPDP Act 2023), or another jurisdiction with similar laws, you have similar rights. Contact us to exercise them. Because we do not collect personal data, the practical answer to most requests will be the same: we have nothing to disclose or delete.
EU representative
Where required by Article 27 GDPR, an EU representative will be appointed prior to the processing of EU residents' personal data at scale. As we do not currently collect or process personal data from EU residents in a manner that triggers the Article 27 obligation, no representative is currently designated. EU residents may contact us directly at [email protected] to exercise any of the rights described above.
International transfers
Srutva Labs LLC is based in the United States. Cloudflare operates a global network. Apple operates iCloud globally. Where data we (or our service providers) handle is transferred between jurisdictions, the transfer is protected by the receiving party's standard contractual clauses, adequacy decisions, or other lawful safeguards.
Security
Because we do not collect data, there is no central database to breach. Data on your device is protected by your operating system's standard sandboxing. iCloud data is encrypted by Apple. Server logs at Cloudflare are protected by Cloudflare's security program.
Breach notification
In the unlikely event of a security incident affecting any data we control, we will notify affected individuals and relevant supervisory authorities as required by applicable law (under GDPR, within 72 hours of becoming aware).
Changes to this policy
If this policy ever changes, the new version will be published at this URL with an updated "Last updated" date. Material changes will be flagged in the app on next launch.
Legal entity
Srutva Labs LLC
State of Texas, United States
[email protected]
Contact
Privacy questions, data requests, complaints, and any other concerns: [email protected]
We respond to verifiable requests within 30 days, as required by GDPR Art. 12. We may need to verify your identity (for example, by asking for the email address you used to contact us) before fulfilling a request.
This is a faithful description of UUTA's behavior as of version 1.0. The app's source code uses only standard Apple frameworks (SwiftUI, SwiftData, CloudKit, UserNotifications, LocalAuthentication, Security/Keychain). It does not include any third-party analytics, advertising, or telemetry SDKs.