Privacy Policy

1. Privacy Summary

Your privacy is very important to us. Before reading the complete policy, here is a comprehensive summary of our key privacy practices organized by topic.

1.1 Data Collection and Use

1.2 Your Privacy Controls

1.3 Location and Tracking

1.4 Communication

2. Introduction and Scope

2.1 About This Privacy Policy

AllTime Time Labs ("Company," "we," "our," or "us") operates the AllTime: AI Daily Planner mobile application (the "App") and related websites, services, and features (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Services.

This Privacy Policy applies to all users of our Services worldwide, including users who access the Services through our mobile applications for iOS and Android, our website at usealltimeapp.com, any subdomains or related domains, our customer support channels, and any other platforms or interfaces we may offer.

We are committed to protecting your privacy and handling your personal information with transparency, care, and in accordance with applicable laws. We believe you should always know what data we collect from you and how we use it, and that you should have meaningful control over both.

2.2 Our Commitment to Privacy

At AllTime Time Labs, we believe that privacy is a fundamental right. Our commitment to your privacy is built on the following core principles:

• Transparency: We clearly explain what data we collect, why we collect it, and how we use it. We avoid hidden practices, dark patterns, or confusing language.
• User Control: You have meaningful control over your data. We provide easy-to-use tools to access, correct, delete, and export your information.
• Data Security: We implement strong technical and organizational security measures to protect your information from unauthorized access, disclosure, alteration, or destruction.
• Data Minimization: We only collect data that is necessary to provide and improve our Services. We do not collect data for its own sake.
• Purpose Limitation: We use your data only for the purposes we disclose to you. We do not use your data in unexpected ways or sell it to third parties.
• Accountability: We take responsibility for our data practices. We have designated a Data Protection Officer and maintain compliance programs.
• Privacy by Design: We build privacy considerations into our products and services from the ground up, not as an afterthought.

2.3 Scope and Application

This Privacy Policy applies to all information collected through our Services, including:

• Our mobile applications (AllTime for iOS and AllTime for Android)
• Our website (usealltimeapp.com and related domains)
• Our customer support channels (email, in-app support, help center)
• Our social media pages and interactions
• Marketing and promotional communications
• Any other services, features, or content we offer

This Privacy Policy does not apply to:

• Third-party websites or services linked from our Services
• Information collected by third parties through integrations you authorize
• Information collected by third-party analytics providers, except as described in this policy
• Services or products offered by third parties, even if they integrate with our Services

2.4 Agreement to This Policy

By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Services.

3. Information We Collect

We collect information about you from various sources. This section describes in detail the categories of information we collect, the sources from which we collect it, and the specific data points within each category.

3.1 Information You Provide Directly

3.1.1 Account Registration Information

When you create an account with AllTime, we collect:

• Your name (first and last name, or a display name of your choosing)
• Email address (used for account verification, authentication, and communication)
• Password (stored in encrypted/hashed form; we never store plain-text passwords)
• Date of birth (used to verify age requirements and personalize your experience)
• Optional profile photo

3.1.2 Profile Information

You may choose to provide additional profile information including biographical information, time zone preferences, preferred language, and notification preferences.

3.1.3 Calendar and Scheduling Data

When you use our calendar and planning features, we collect information about your events including titles, descriptions, dates, times, locations, recurrence patterns, reminders, and categories.

3.1.4 Habits and Goals Data

When you use our habit tracking and goal management features, we collect habit names, frequencies, completion records, streak counts, goal definitions, and progress data.

3.1.5 Food Photos

When you use the AI nutrition analysis feature, we collect photos of food that you capture using the in-app camera. These photos are sent to Google's Gemini AI service via our secure servers for nutritional analysis. Photos are compressed, stripped of metadata, and are not stored beyond what is needed to generate the analysis response.

3.1.6 Health and Wellness Data (Sensitive Personal Information)

With your explicit consent, we collect sensitive health-related information including:

• Workout and Exercise Data: Activity type, duration, intensity, calories burned, distance, pace, and exercise notes
• Nutrition and Diet Data: Food logs, calorie intake, macronutrients, hydration tracking, and dietary preferences
• Menstrual and Reproductive Health Data: Cycle dates, patterns, symptoms, and related tracking
• Sleep Data: Bedtime, wake time, sleep duration, and quality ratings
• Body Measurements: Weight, height, BMI, and body composition data
• Mental Wellness Data: Mood tracking, stress levels, journaling entries, and meditation logs

Important: We require your explicit consent before collecting any health data. You can withdraw consent at any time. Health data is stored with additional encryption and access controls. We never share health data with insurers, employers, or data brokers.

3.2 Information Collected Automatically

When you access the Services, we automatically collect device information (type, model, OS), usage data (features accessed, actions taken), log data (IP address, timestamps), and location information (only with your consent and only while actively using location features).

3.2.1 Advertising Identifier (IDFA / Device ID)

If you grant permission through the iOS App Tracking Transparency (ATT) system prompt, we collect your device's Advertising Identifier (IDFA on iOS). We use this identifier solely for marketing attribution — that is, to measure whether visitors who saw or clicked our ads went on to subscribe to AllTime. The IDFA is forwarded to RevenueCat (our subscription management provider) and from there to Meta (Facebook) via the Meta Conversions API. Separately, the Facebook iOS SDK is also installed in the AllTime app and sends standard install and activation events directly to Meta when ATT consent has been granted, independently of the RevenueCat pipeline.

If you do not grant ATT consent, no IDFA is collected, no IDFA is shared with RevenueCat or Meta, and you will not be measured for advertising attribution. You can change this decision at any time:

• To revoke ATT consent: iOS Settings → Privacy & Security → Tracking → toggle "Allow Apps to Request to Track" off, or go to iOS Settings → AllTime → toggle "Allow Tracking" off.
• Effect of revoking: The app stops collecting and forwarding the IDFA immediately. We instruct RevenueCat to stop attaching the IDFA to your subscription events. Meta receives a "limited-data" version of subscription events that cannot be tied back to you personally.

See Section 8 for the full disclosure on the IDFA, Meta Conversions API, and your rights.

3.2.2 Crash and Diagnostic Data

We collect anonymized crash reports, performance metrics, and error logs through Sentry to identify and fix bugs. This includes device model, OS version, app version, stack traces, and the sequence of in-app actions that preceded a crash. We configure Sentry to scrub personally-identifying fields (email, name, IP) before transmission. Crash data is retained for 90 days.

3.2.3 Subscription and Purchase Data

When you subscribe to AllTime Pro or AllTime Premium, your purchase is processed by Apple (App Store) and the resulting subscription state — tier, renewal date, trial status, country, platform — is stored by RevenueCat on our behalf. Apple does not share your name, email, or payment-method details with us; we receive only the subscription-tier metadata. RevenueCat is also the system that forwards subscription events to Meta when ATT consent has been granted (see Section 8).

3.3 Information from Third-Party Sources

If you connect third-party services, we receive data from those services including sign-in information, health and fitness data from connected apps (Apple Health, Google Fit, wearables), and calendar data from connected calendar services.

3.4 Information We Do NOT Collect

We explicitly do NOT:

• Access your contacts without permission
• Read your emails or text messages
• Record audio through your microphone
• Track your location when not using location features
• Collect data from other apps on your device
• Purchase data from data brokers
• Collect genetic or biometric data for identification

4. How We Use Your Information

We use the information we collect for specific, legitimate purposes:

4.1 To Provide and Maintain the Services

Account management, core features, notifications and reminders, data synchronization, and customer support.

4.2 To Provide AI-Powered Features

When you consent to AI data sharing, we use your data to power the following AI features:

• AI Chat Assistant: Uses your calendar events, goals, health data, and conversation history to provide personalized planning advice
• Food Nutrition Analysis: Uses photos you capture to identify foods and estimate nutritional content
• Workout and Nutrition Coaching: Uses your workout history, nutrition logs, and health metrics to generate insights
• Daily Briefings: Uses your upcoming events, weather data, and goals to generate personalized morning and evening summaries
• Smart Suggestions: Uses your event patterns, active goals, and schedule gaps to suggest events
• Event Subtask Generation: Uses event titles and details to suggest sub-tasks

All AI processing is performed by Google's Gemini AI service via our secure servers hosted by Supabase. See Section 7 for full details.

4.3 To Personalize Your Experience

Recommending features, customizing the interface, and adapting to your preferences.

4.4 To Communicate with You

Service communications and marketing communications (with your consent).

4.5 To Improve the Services

Analyzing usage patterns, identifying improvements, and conducting research using aggregated data.

4.6 To Ensure Safety and Security

Detecting fraud, enforcing our terms, and protecting users and systems.

5. How We Share Your Information

We share your information only in the following circumstances:

• Service Providers: With vendors who help us operate the Services (hosting, analytics, payment processing)
• AI Processing Providers: When you enable AI features and grant consent, your data is sent to Google's Gemini AI service via our secure servers (hosted by Supabase) for processing. The data sent may include calendar event titles and times, health and workout metrics, food photos, and conversation history. Google processes this data solely to generate responses and does not use it to train AI models. See Section 7 for full details on what data is sent and how it is protected.
• Subscription & Attribution Providers: Subscription state is shared with RevenueCat. If — and only if — you grant Apple's App Tracking Transparency (ATT) permission, your IDFA and subscription events are forwarded from RevenueCat to Meta (Facebook) via the Conversions API for ad-campaign attribution. See Section 8.
• Crash Reporting: Anonymized crash reports and diagnostics are sent to Sentry.
• With Your Consent: When you explicitly authorize sharing
• Legal Requirements: When required by law or to protect rights and safety
• Business Transfers: In connection with mergers, acquisitions, or asset sales

We do NOT sell your personal information for monetary value. We do NOT run third-party ads inside the App. The only marketing-related sharing we engage in is the IDFA-based attribution described in Section 8, which only occurs with your explicit ATT consent and which you can revoke at any time. Under California privacy law (CCPA/CPRA), this attribution sharing may be classified as "sharing for cross-context behavioral advertising"; California residents have the right to opt out, which is satisfied by declining or revoking ATT consent.

6. Categories of Personal Information

Under various privacy laws, we collect the following categories: Identifiers, personal information, protected characteristics, commercial information, internet activity, geolocation data, sensory data, professional information, education information, and inferences.

7. Artificial Intelligence and Machine Learning

AllTime uses artificial intelligence to provide personalized planning, coaching, and nutrition features. This section describes in detail what data is sent, to whom, and how we protect it.

7.1 AI Service Provider

AI features are powered by Google's Gemini AI service. Your data is sent from the AllTime app to our secure backend servers hosted by Supabase, which then forwards it to Google's Gemini API for processing. Google processes this data solely to generate responses to your requests and does not use it to train or improve their AI models.

• Provider: Google LLC (Gemini AI)
• Infrastructure: Supabase Edge Functions (secure intermediary)
• Google's Privacy Policy: policies.google.com/privacy
• Google's AI Terms: ai.google.dev/gemini-api/terms

7.2 Data Sent to AI Services

When you use AI features, the following categories of data may be sent to Google's Gemini AI for processing:

• Calendar Data: Event titles, start and end times, locations, descriptions, and calendar names
• Health and Fitness Data: Recent workouts (type, duration, calories), workout streaks, average sleep hours, resting heart rate, stress level, and menstrual cycle phase (if cycle tracking is enabled)
• Nutrition Data: Calorie intake, nutritional targets, and meal event details
• Food Photos: Images captured using the in-app camera for nutrition analysis (compressed and stripped of metadata before transmission)
• Conversation History: Your recent chat messages with the AI assistant (up to 8 prior messages for context)
• Goals Data: Active goal names, progress, and targets
• Weather Data: Current weather forecast for daily briefing generation
• Device Context: Platform (iOS/macOS), current date and time, and time zone

7.3 Consent and Control

We require your explicit consent before any personal data is sent to AI services:

• A consent sheet is presented the first time you attempt to use any AI feature, clearly disclosing what data will be sent and to whom
• No data is transmitted to AI services until you tap "Allow"
• You can revoke consent at any time from Settings > Privacy > AI Data Sharing
• When consent is revoked, all AI features immediately stop sending data; the app falls back to non-AI alternatives where available
• Background AI features (such as smart notifications) silently use local fallback messages when consent is not granted

7.4 Data Protection and Retention

• All data is transmitted over encrypted connections (TLS 1.3)
• Food photos are compressed and have metadata (EXIF data) stripped before transmission
• Data sent to Google Gemini is processed in real-time to generate a response and is not stored by Google beyond the duration of the API request
• We do not store AI request/response data on our servers beyond what is needed to deliver the response to your device
• Your data is not used to train, improve, or fine-tune any AI models

7.5 AI Features Requiring Data Sharing

The following features require AI data sharing consent to function:

• AI Chat Assistant
• Food Nutrition Analysis (camera-based)
• Workout Coach Insights
• Nutrition Coach Insights
• Rise (morning) and Rest (evening) Daily Briefings
• Smart Event Suggestions
• Event Subtask Generation
• AI-Powered Smart Notifications

If you do not consent to AI data sharing, these features will be unavailable, but all other app functionality (calendar, event management, goals, health tracking, etc.) will continue to work normally.

8. Advertising Identifier and Marketing Attribution

This section describes how AllTime uses Apple's App Tracking Transparency (ATT) framework, the iOS Advertising Identifier (IDFA), and the Meta Conversions API. We've broken this out as its own section because it's the one place AllTime processes data that touches the broader advertising ecosystem.

8.1 What We Collect and When

The first time you reach the AllTime subscription upsell screen during onboarding, iOS shows the standard App Tracking Transparency prompt, asking whether AllTime can track you across apps and websites. Your choice determines what happens next:

• If you tap "Ask App Not to Track": No IDFA is collected. No advertising identifier is sent to any third party. You will not be measured for ad attribution.
• If you tap "Allow": AllTime reads your iOS Advertising Identifier (IDFA) and forwards it to RevenueCat together with your subscription events. RevenueCat in turn forwards those events plus the IDFA to Meta (Facebook) via the Meta Conversions API (CAPI).

8.2 What This Is Used For

The sole purpose of the IDFA-based attribution is to measure the effectiveness of our own advertising campaigns — for example, to learn that visitors who saw our Instagram ad subscribed at a higher rate than visitors who saw a different ad. This helps us spend our marketing budget effectively. It is not used to:

• Target you with ads inside AllTime (we don't run any in-app ads).
• Build a behavioral profile of you for sale to third parties.
• Match you to data brokers, lookalike audiences, or third-party ad networks beyond Meta.
• Train or improve any AI model.

8.3 Third Parties Involved

• RevenueCat — Manages subscription state and orchestrates attribution forwarding. Receives: IDFA (only with ATT consent), subscription events, app user ID, country, platform. RevenueCat Privacy Policy
• Meta (Facebook) — Conversions API — Receives: IDFA (only with ATT consent), event type (purchase/trial start/cancellation), event timestamp, currency, and value. Used for ad-campaign attribution. Meta Privacy Policy
• Meta (Facebook) — iOS SDK — Separately from the RevenueCat → Conversions API pipeline above, the Facebook iOS SDK is installed in the AllTime app and sends standard install and activation events directly to Meta when ATT consent has been granted. These events do not include your name, email, calendar, or health data. Meta Privacy Policy

Neither RevenueCat nor Meta receives your name, email, calendar data, health data, or any other content from your AllTime account through these pipelines.

8.4 Your Controls

• Revoke ATT consent at any time: iOS Settings → Privacy & Security → Tracking → toggle "Allow Apps to Request to Track" off (revokes for all apps), or iOS Settings → AllTime → toggle "Allow Tracking" off (revokes for AllTime only).
• Effect of revoking: The app stops reading the IDFA immediately. We instruct RevenueCat to remove the IDFA from your subscription events. Meta receives only a limited, non-identifying version of subscription events that cannot be tied back to you personally.
• Reset your IDFA: iOS Settings → Privacy & Security → Tracking → "Reset Advertising Identifier" (or the equivalent on newer iOS versions). This rotates the identifier and disconnects future events from past ones.
• Delete your account: Deleting your AllTime account also instructs RevenueCat to delete your subscription record, which cuts off any future attribution events. (Past events already sent to Meta cannot be recalled, but Meta's own data-retention policies apply — typically 24 months for ad event data.)

8.5 Legal Classification

Under California's CCPA/CPRA, the IDFA + subscription-event sharing described above is classified as "sharing for cross-context behavioral advertising," even though we do not target you with ads inside AllTime. California residents have the right to opt out of this sharing, which is fully satisfied by declining or revoking ATT consent. We do not sell personal information for monetary value.

Under the EU's GDPR, the IDFA is personal data and our legal basis for processing it is your explicit consent via the ATT prompt. You may withdraw that consent at any time as described above, which immediately stops further processing.

9. Data Security

We implement comprehensive security measures including encryption (TLS 1.3, AES-256), access controls, security monitoring, regular audits, and incident response procedures. Health data receives enhanced protection with additional encryption and restricted access.

10. Data Retention

We retain your data for as long as your account is active or as needed to provide Services. Upon account deletion, we permanently delete your data within 30 days, except where retention is required by law.

11. Your Rights and Choices

You have the right to access, correct, delete, and export your data. You can withdraw consent, object to processing, and lodge complaints with supervisory authorities. We honor these rights for all users regardless of location.

12. Privacy Controls and Settings

You can manage your privacy through in-app settings, device permissions, communication preferences, and connected services management.

13. Children's Privacy

Our Services are not intended for children under 13. We do not knowingly collect data from children under 13. If we learn we have collected such data, we will delete it promptly.

14. International Data Transfers

Your data may be transferred to and processed in the United States. We use appropriate safeguards for international transfers, including Standard Contractual Clauses.

15. Third-Party Services and Integrations

Our Services integrate with the following third-party services:

• Google Gemini AI — Powers all AI features (chat, food analysis, coaching, briefings, suggestions). Data is sent only with your explicit consent. Google Privacy Policy
• Supabase — Hosts our backend servers and edge functions that securely relay data to AI services, manage user authentication, and store synced data. Supabase Privacy Policy
• RevenueCat — Manages your AllTime subscription state and forwards subscription events to Meta for ad-campaign attribution (only when ATT consent has been granted). See Section 8. RevenueCat Privacy Policy
• Meta (Facebook) Conversions API — Receives your IDFA and subscription events for ad-campaign attribution, only when ATT consent has been granted. See Section 8. Meta Privacy Policy
• Sentry — Receives anonymized crash reports and performance diagnostics. No personally-identifying data is included. Sentry Privacy Policy
• Apple Health / HealthKit — Syncs workout and health data with your consent
• Google Calendar / Outlook — Syncs calendar events when you connect these services
• TelemetryDeck — Privacy-first aggregate analytics (no personal data collected). TelemetryDeck Privacy Policy

Each third-party service has its own privacy policy. We encourage you to review them. We only share the minimum data necessary for each service to function, and we require that all third-party providers maintain privacy protections equal to or greater than our own.

16. Cookies and Tracking Technologies

We use cookies and similar technologies on our website for essential functionality, analytics, and preferences. You can manage cookie preferences through our cookie banner.

17. Do Not Track Signals

We honor Do Not Track signals and do not track users across third-party websites.

18. California Privacy Rights (CCPA/CPRA)

California residents have the right to know what personal information we collect, the right to delete it, the right to correct inaccurate information, and the right to opt out of the sale or sharing of personal information for cross-context behavioral advertising.

Do Not Sell or Share My Personal Information. We do not sell your personal information for monetary value. The only sharing of personal information that may qualify as "sharing for cross-context behavioral advertising" under CCPA is the IDFA + subscription-event forwarding to Meta described in Section 8, which only occurs with your explicit App Tracking Transparency (ATT) consent. To opt out, decline the ATT prompt or revoke ATT consent at any time via iOS Settings → AllTime → Allow Tracking → off. This satisfies your CCPA opt-out right with respect to the App. To opt out of any other potential sharing, contact us at privacy@usealltimeapp.com and we will process your request within the time required by law.

We honor authorized agent requests submitted under California Civil Code § 1798.135. To exercise any CCPA right, contact us at the email above.

19. Virginia Privacy Rights (VCDPA)

Virginia residents have rights to access, correct, delete, and obtain a copy of their data, and to opt out of targeted advertising and sales.

20. Colorado Privacy Rights (CPA)

Colorado residents have similar rights under the Colorado Privacy Act.

21. Other U.S. State Privacy Rights

We comply with applicable state privacy laws including those in Connecticut, Utah, and other states with privacy legislation.

22. European Privacy Rights (GDPR)

EEA residents have rights under GDPR including access, rectification, erasure, restriction, portability, and objection. Our legal bases for processing include consent, contract performance, and legitimate interests.

23. United Kingdom Privacy Rights

UK residents have similar rights under UK GDPR and the Data Protection Act 2018.

24. Brazilian Privacy Rights (LGPD)

Brazilian residents have rights under LGPD including confirmation, access, correction, anonymization, portability, and deletion.

25. Canadian Privacy Rights (PIPEDA)

Canadian residents have rights under PIPEDA including access and correction of personal information.

26. Australian Privacy Rights

Australian residents have rights under the Privacy Act 1988 including access and correction.

27. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days before they take effect via email and/or in-app notification. Your continued use after changes take effect constitutes acceptance.

28. Dispute Resolution

If you have concerns about our privacy practices, please contact us first. We will work to resolve any issues. You may also file complaints with applicable regulatory authorities.

29. Contact Information

For privacy-related inquiries, please contact us:

• Email: privacy@usealltimeapp.com
• Website: usealltimeapp.com

30. Definitions and Glossary

• Personal Information: Information that identifies, relates to, or could reasonably be linked with you
• Sensitive Personal Information: Personal information revealing health data, precise geolocation, or other sensitive categories
• Processing: Any operation performed on personal information
• Data Controller: The entity that determines the purposes and means of processing
• Data Processor: An entity that processes data on behalf of the controller
• Services: The AllTime App and related websites, features, and services