العربية · Čeština · Dansk · Deutsch · English · Español (LatAm) · Suomi · Français · हिन्दी · Magyar · Bahasa Indonesia · Italiano · עברית · 日本語 · 한국어 · Nederlands · Norsk · Polski · Português (BR) · Română · Русский · Slovenčina · Svenska · ไทย · Türkçe · Українська · Tiếng Việt · 简体中文

Privacy Policy — Mote

Last updated: 2026-05-06 · Effective date: 2026-05-06

1. Who we are

Mote is a mobile app for couples that helps share everyday moments of appreciation between partners. Privacy is the foundation of the product: data is end-to-end encrypted, the app is offline-first, and most content never leaves your device in a form readable by anyone other than you and your partner.

Data controller: Maciej Siemiński — the developer of Mote. Contact: mail@macsiem.dev

For the version of the app distributed via Google Play, the data controller is LICENCEPRO POLSKA Sp. z o.o., ul. Huculska 6, 00-730 Warszawa, Polska.

This Privacy Policy explains what personal data Mote processes, how, why, and what rights you have.

2. Plain-language summary

We do not store the content of your entries on our servers. Your messages, photos, voice notes, mood check-ins and tags are encrypted on your device and, when synced with your partner, end-to-end encrypted in transit. We use Google AdMob for non-invasive banner ads on auxiliary screens and Apple/Google billing to process in-app purchases. Sentry is used only when explicitly enabled in a build to report crashes. You have full GDPR rights including access, deletion, and portability — most exercisable directly in the app.

3. Data we process

3.1 Local-only data

Entries, messages, tags, mood check-ins, photos and voice notes you add are stored locally on your device in encrypted form (MMKV with a device-derived key kept in Apple Keychain / Android Keystore). When synced with your paired partner's device, content is end-to-end encrypted using tweetnacl keys generated on each device — Mote's developer cannot read your entries.

3.2 Pairing relay (Cloudflare)

To pair two devices, Mote uses a 6-character invitation code or QR code. The pairing relay runs on a Cloudflare Worker + Durable Object (SQLite-backed) hosted by Cloudflare. The relay:

holds an ephemeral, encrypted handshake message for at most 24 hours,
handles real-time E2E encrypted message delivery between paired devices (the relay never sees plaintext),
stores no user identity, no email, no phone number, no analytics.

When two devices are paired, they are linked by a random opaque identifier that does not identify a person.

3.3 Diagnostic data (Sentry)

Mote integrates Sentry (sentry.io) for crash and error reporting. Sentry collects:

error stack traces (crash logs),
device info (model, OS version, locale),
app version and build number.

Sentry does not collect your content (entries, files, vaccination records, photos, archives), usernames, or other PII. Diagnostic data is retained by Sentry for up to 90 days. In some production builds Sentry is intentionally disabled (no DSN configured) — in that case no diagnostic data leaves your device.

3.4 Advertising (AdMob)

Mote shows non-invasive ads on Settings, Empty state, and Export. Ads are delivered by Google AdMob, whose SDK collects:

the Advertising ID (Android Advertising ID / Apple IDFA), shared with Google to serve ads;
diagnostic data (device model, country-level location, language).

Ads may also be delivered through AdMob mediation partners: Meta Platforms, Inc. (Meta Audience Network, privacy policy) and Unity Technologies (Unity Ads, privacy policy). These partners receive ad requests under the same configuration — non-personalized ads.

Default mode is non-personalized ads. On iOS, the App Tracking Transparency (ATT) prompt asks for your consent before any tracking-grade identifier is used; on Android you control the Advertising ID under system Settings. Ads can be permanently disabled via the Lifetime / Premium IAP.

3.5 In-app purchases (IAP)

Mote offers paid features through Apple In-App Purchase (iOS) and Google Play Billing (Android). When you make a purchase:

Apple / Google process all card and account data — we never see your card number, billing address, or full account information;
Apple / Google return a purchase token / transaction receipt that Mote stores locally to validate entitlement;
restore purchases re-fetches your existing entitlements from Apple / Google.

Available products: annual subscription, lifetime unlock, optional tip jar.

3.6 Device permissions

Camera (CAMERA): take photos for entries (optional).
Microphone (RECORD_AUDIO): record voice messages (optional).
Photos / Media (READ_MEDIA_IMAGES / PHPhotoLibrary): add or process images from the gallery (optional unless required for app's core function).
Notifications (POST_NOTIFICATIONS / UNUserNotificationCenter): reminders and operation status (optional).
Vibrate (VIBRATE): haptic UI feedback (optional).

Each permission is requested contextually. You can deny any permission and still use the core features (where applicable).

3.7 What we do NOT collect

Your name, email, phone number, address (no account is required).
Contacts list, calendar, SMS, call logs.
Precise location.
Browsing history outside the app.
Biometric data (Face ID / Touch ID is used only as a system-level lock and never leaves your device).
Health, financial, or payment card data.

4. Why we process this data (purposes)

Run the app on your device — local storage and (where present) encryption let your data persist between sessions.
Sync with your partner — pairing relay enables real-time E2E delivery of your encrypted content.
Improve stability — Sentry diagnostics help fix crashes that affect your usage.
Sustain the free tier — AdMob delivers non-invasive ads to fund users who do not buy premium.
Process purchases — Apple / Google billing fulfils premium entitlements you choose to buy.

5. Legal basis (GDPR Article 6)

For users in the European Economic Area, United Kingdom, and Switzerland:

Performance of a contract (Art. 6(1)(b)) — running the app, syncing with your partner, processing your purchases.
Legitimate interest (Art. 6(1)(f)) — Sentry diagnostics, fraud / abuse prevention, non-personalized advertising. Our interest is improving stability and sustaining the free tier; this does not override your fundamental rights.
Consent (Art. 6(1)(a)) — personalized advertising, where you grant consent via the ATT prompt (iOS) or in-app preference. You may withdraw consent at any time without affecting prior processing.
Legal obligation (Art. 6(1)(c)) — only when we must respond to a lawful request from authorities.

6. Recipients (with whom we share data)

We do not sell personal data. The categories of recipients are limited to providers strictly required to run the app:

Recipient	Purpose	Data category	Privacy policy
Cloudflare, Inc.	Pairing relay (encrypted handshake + ephemeral E2E messages)	Random pair ID, encrypted blob	https://www.cloudflare.com/privacypolicy/
Google LLC (AdMob)	Serve ads	Advertising ID, device & ad metrics	https://policies.google.com/privacy
Meta Platforms, Inc. (Meta Audience Network)	Serve ads	Advertising ID, device & ad metrics	https://www.facebook.com/privacy/policy/
Unity Technologies (Unity Ads)	Serve ads	Advertising ID, device & ad metrics	https://unity.com/legal/privacy-policy
Functional Software Inc. (Sentry)	Crash reporting	Stack traces, device metadata	https://sentry.io/privacy/
Apple Inc. (App Store / IAP)	In-app purchase processing on iOS	Purchase token, account-level entitlement	https://www.apple.com/legal/privacy/
Google LLC (Play Billing)	In-app purchase processing on Android	Purchase token, account-level entitlement	https://policies.google.com/privacy

We may disclose data if required by a valid court order or other binding legal process, after verifying the request and notifying you where lawful.

7. International transfers

Some of the recipients above are located outside the European Economic Area (mainly in the United States). Where transfers occur, they are protected by:

the European Commission's adequacy decision (EU-US Data Privacy Framework) for providers certified under the Framework, including Google LLC, Cloudflare, Inc.;
Standard Contractual Clauses (SCCs) as adopted by the European Commission, supplemented by additional safeguards where applicable;
the recipients' own published transfer mechanisms (e.g. Apple's binding corporate privacy commitments).

You can request a copy of the relevant safeguards by writing to mail@macsiem.dev.

8. Retention

Data	Where it lives	How long
Your in-app data	Your device only (encrypted)	Until you delete it, uninstall the app, or wipe app data
Pair handshake blob	Cloudflare relay (encrypted)	Up to 24 hours, then automatically expired
Real-time E2E messages	Cloudflare relay (encrypted)	Stored only until delivered to the paired device, then deleted
Random pair ID	Both devices + relay	Until you unpair or delete app data
Advertising ID	Google AdMob systems	Per Google's retention policy (typically up to 14 months for ad metrics)
Sentry crash data	Sentry systems	Up to 90 days from the event
IAP purchase token / receipt	Your device + Apple / Google	Until you uninstall; Apple / Google keep transaction records per their own policies

9. Your rights (GDPR Art. 15–22)

You have the following rights regarding your personal data:

Right of access (Art. 15) — confirmation whether we process your data and a copy of it. Most of your data is already on your device; export from the app or write to us for the rest.
Right to rectification (Art. 16) — correct inaccurate data. Edit data directly in the app.
Right to erasure / "right to be forgotten" (Art. 17) — delete all data via Settings → "Erase all data", or by uninstalling the app. Pair relay data expires automatically.
Right to restrict processing (Art. 18) — request a temporary halt; write to us.
Right to data portability (Art. 20) — Settings → "Export data" produces a JSON / Markdown bundle.
Right to object (Art. 21) — object to processing based on legitimate interest, especially profiling-style ads. Disable personalized ads in app settings or via system controls.
Right not to be subject to automated decisions (Art. 22) — Mote does not make automated decisions with legal or similarly significant effect about you.

To exercise any right, write to mail@macsiem.dev. We respond within 30 days (extendable by 60 days for complex requests, with notice).

10. Right to lodge a complaint (GDPR Art. 77)

If you believe we are processing your data unlawfully, you may file a complaint with a supervisory authority. For Polish residents:

Prezes Urzędu Ochrony Danych Osobowych (PUODO) ul. Stawki 2, 00-193 Warszawa, Poland https://uodo.gov.pl

You may also file a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement in another EEA country.

11. Children's privacy

Mote is not directed at children under 13 (under 16 where applicable per local law). We do not knowingly collect personal data from children under that age. If you believe a child has provided us personal data without parental consent, contact us at mail@macsiem.dev and we will delete it promptly.

The "Designed for Families" / "Ages 5+" Apple / Google flags are not set on Mote — the app is rated for general audiences 13+.

12. Security

Local encryption at rest — entries stored in MMKV with a device-derived key kept in Apple Keychain (iOS) / Android Keystore (Android). The key never leaves your device.
End-to-end encryption in transit — pair-to-pair messages use tweetnacl (X25519 + XSalsa20-Poly1305). Each device generates its own key pair; private keys never leave the device.
Transport security — all network calls use HTTPS / TLS 1.2+.
Minimization — we collect only what is required for the listed purposes.
No backups to our servers — your entries are not backed up to Mote infrastructure. Optional system-level backups (iCloud Backup on iOS, Auto Backup on Android) remain entirely under your control.

No system is 100% secure; please keep your device updated and use strong device locks.

13. App Tracking Transparency (iOS) and Advertising ID

On iOS, before any tracking-grade identifier is used by AdMob, Mote shows the system App Tracking Transparency prompt. If you decline, Mote serves only non-personalized ads.

On Android, you can reset or limit your Advertising ID under Settings → Google → Ads. Choosing "Delete advertising ID" stops AdMob from using a personal identifier; non-personalized ads continue to be shown.

14. In-app purchases

Mote offers the following in-app products through Apple App Store and Google Play: annual subscription, lifetime unlock, optional tip jar.

All payment data is handled by Apple Inc. (App Store / iTunes account) or Google LLC (Play Billing). We never see your card number, your billing address, or your full Apple ID / Google account. Apple and Google return only an opaque purchase token and entitlement metadata that we use to unlock features. Subscriptions can be cancelled at any time in iOS Settings → Apple ID → Subscriptions or in the Google Play app → Subscriptions; cancellation rules are governed by Apple / Google.

15. Changes to this policy

We may update this policy as the app, third-party SDKs, or applicable law change. Material changes will be announced in-app and the "Last updated" date at the top will change. Continuing to use Mote after a change constitutes acceptance of the updated policy.

16. Contact

For privacy questions, exercise of rights, or concerns about this policy:

Maciej Siemiński Email: mail@macsiem.dev

Canonical version of this policy: https://macsiem.github.io/mote-privacy/ Source: https://github.com/MacSiem/mote-privacy