1. Who We Are (Data Controller)
This Privacy Policy explains how Netcore Solutions LLC ("we," "our," or "us"), a Wyoming limited liability company, collects, uses, stores, and protects your personal data when you use the DEBRIEF mobile application ("App") and related services ("Service").
Data Controller: Netcore Solutions LLC
30 N Gould St Ste R, Sheridan, WY 82801, United States
Privacy contact: [email protected]
For users in the European Union and European Economic Area, we act as the data controller under the General Data Protection Regulation (GDPR). For users in California, this policy also addresses your rights under the California Consumer Privacy Act (CCPA/CPRA).
2. Data We Collect
2.1 Account & Profile Data
| Data | How collected | Purpose |
|---|---|---|
| Email address | Registration / Sign in with Apple or Google | Account identification, communications |
| Display name | Provided by you during onboarding | Personalization (shown in app) |
| Authentication tokens | Generated at sign-in | Secure session management |
| Subscription status & trial dates | App Store / StoreKit | Access control, billing |
| Onboarding completion flag | App interaction | App state management |
2.2 Debrief Content (Journal Data)
| Data | Description |
|---|---|
| Debrief entries | Daily evening reviews and morning briefs you create |
| Debrief answers | Your written responses to structured questions (wins, improvements, goals) |
| Performance scores | Numeric scores associated with each entry |
| Pattern alerts | System-detected trends derived from your entries |
2.3 AI Coach Data
When you use the Coach feature, your debrief entries and a generated profile summary are sent to our server-side proxy (Supabase Edge Function), which forwards them to OpenAI's API to generate responses. Your data is not sent directly from your device to OpenAI — it passes through our authenticated, JWT-secured backend.
Coach session metadata (session IDs, timestamps) is stored in our database. We do not retain the full content of individual Coach conversations on our servers beyond what is needed to provide the feature.
2.4 Notification Data
If you grant notification permissions, we collect your Apple Push Notification Service (APNs) token. This token is used exclusively to send you smart reminders (evening debrief prompts and morning brief notifications) based on your configured schedule. We do not use push tokens for marketing or promotional messages.
2.5 Technical & Usage Data
We collect minimal technical data necessary to operate the Service:
- Device type, iOS version (collected by Apple infrastructure)
- App interaction timestamps (for sync and reminder scheduling)
- Error logs (server-side, for debugging — no personal content included)
We do not use third-party analytics SDKs (e.g., Mixpanel, Amplitude, Firebase Analytics) or advertising/attribution SDKs (e.g., Adjust, AppsFlyer) in the App.
3. Legal Basis for Processing (GDPR)
For users in the EU/EEA, we process your personal data on the following legal bases:
| Processing activity | Legal basis (GDPR Art.) |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| Providing the debrief and journaling features | Contract performance (Art. 6(1)(b)) |
| Subscription management and billing | Contract performance (Art. 6(1)(b)) |
| AI Coach responses | Contract performance + Consent (Art. 6(1)(b) & (a)) |
| Push notifications (reminders) | Consent (Art. 6(1)(a)) |
| Security, fraud prevention, and abuse detection | Legitimate interests (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. How We Use Your Data
We use personal data only for the following purposes:
- Creating and managing your account
- Providing, maintaining, and improving the Service
- Processing subscription payments (via Apple)
- Generating AI Coach responses (via server-side proxy)
- Sending scheduled reminders you have requested
- Detecting patterns in your debrief data to surface insights
- Syncing your data across devices
- Responding to your support requests
- Complying with legal obligations
We do not sell, rent, or trade your personal data to third parties. We do not use your data for targeted advertising.
5. Third-Party Service Providers
We share data with the following sub-processors strictly to deliver the Service:
| Provider | Purpose | Data transferred | Location |
|---|---|---|---|
| Supabase Inc. | Database, authentication, backend infrastructure, Edge Functions | Account data, journal entries, session data | United States (AWS us-east-1) |
| OpenAI, LLC | AI Coach responses (via Supabase Edge Function proxy) | Debrief summaries, profile context — no direct device-to-OpenAI transfer | United States |
| Apple Inc. | Sign in with Apple, App Store payments, push notifications | Authentication tokens, APNs push token, subscription data | United States |
| Google LLC | Sign in with Google (optional authentication method) | OAuth token, email address (if chosen by user) | United States |
All sub-processors are contractually required to process data only on our behalf and in accordance with our instructions. We do not authorize sub-processors to use your data for their own independent purposes.
6. International Data Transfers
We are a US-based company and our infrastructure is hosted in the United States. If you are located in the European Union or EEA, your personal data is transferred to and processed in the United States.
We rely on the following transfer mechanisms to ensure adequate protection:
- Standard Contractual Clauses (SCCs) — our sub-processors (Supabase, Google) have implemented EU SCCs as approved by the European Commission
- EU–US Data Privacy Framework — where applicable, certified providers operating under the DPF
By using the Service, you acknowledge that your data will be processed in the United States, subject to these protective measures.
7. Data Security
We implement industry-standard technical and organizational measures to protect your personal data:
Technical Measures
- Encryption in transit: All data transmitted between the App and our servers uses TLS 1.2+ encryption
- Encryption at rest: Database encryption is provided by Supabase (AES-256) at the infrastructure level
- Authentication: JWT-based session tokens; all API calls are authenticated
- Row-Level Security (RLS): Database policies ensure each user can only access their own data — enforced at the database level, not just application level
- API key security: The OpenAI API key is stored exclusively as a server-side secret in Supabase Vault — it is never embedded in the app binary or transmitted to user devices
- Edge Function authentication: All AI Coach requests are routed through JWT-authenticated server functions — unauthenticated requests are rejected
- Secrets management: Supabase URL and anonymous key are stored in a gitignored configuration file and are never committed to source control
Organizational Measures
- Access to production data is restricted to authorized personnel only
- We follow a principle of data minimization — we collect only what is necessary for the Service
- Security incidents are investigated promptly; affected users are notified in accordance with applicable law
Despite these measures, no security system is impenetrable. We cannot guarantee absolute security, and you use the Service at your own risk. If you become aware of a security vulnerability, please report it to [email protected].
8. Data Retention
We retain your personal data only for as long as necessary to provide the Service or as required by law.
| Data type | Retention period |
|---|---|
| Account and profile data | Until account deletion request is received |
| Debrief entries and answers | Until account deletion request is received |
| Push notification tokens | Until account deletion or token refresh |
| Subscription records | Up to 7 years (tax and legal compliance) |
| Server logs (anonymized) | Up to 90 days |
Account deletion: When you request account deletion, we delete your personal data (account, profile, journal entries, coach sessions) immediately upon processing your request. Subscription transaction records may be retained for up to 7 years as required by applicable tax law. Backup systems may retain data for up to 30 days before permanent purge.
To delete your account, contact us at [email protected] or use the account deletion option within the App settings.
9. Your Rights
9.1 Rights for All Users
- Access: Request a copy of the personal data we hold about you
- Deletion: Request deletion of your account and personal data
- Correction: Request correction of inaccurate personal data
- Portability: Request your data in a structured, machine-readable format
- Withdraw consent: Withdraw consent for processing based on consent (e.g., push notifications) at any time, without affecting the lawfulness of prior processing
9.2 Additional Rights for EU/EEA Users (GDPR)
- Restriction: Request restriction of processing in certain circumstances
- Object: Object to processing based on legitimate interests
- Automated decision-making: Not to be subject to decisions based solely on automated processing that significantly affect you (note: pattern detection in DEBRIEF produces informational insights only and does not make decisions affecting your rights)
- Lodge a complaint: You have the right to lodge a complaint with the data protection authority in your EU member state. A list of EU DPAs is available at edpb.europa.eu
9.3 Additional Rights for California Residents (CCPA/CPRA)
California residents have the following additional rights:
- Right to Know: The categories and specific pieces of personal information we collect, use, and disclose
- Right to Delete: Deletion of personal information we have collected
- Right to Correct: Correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. This right is not applicable to our practices.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise any of your rights, contact us at [email protected]. We will respond within 30 days (GDPR) or 45 days (CCPA). We may need to verify your identity before processing your request.
10. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided personal data to us, please contact us immediately at [email protected]. We will delete such data promptly upon verification.
Compliance note: For U.S. users under 13, we comply with the Children's Online Privacy Protection Act (COPPA). For EU users under 16, we comply with GDPR Article 8.
11. Cookies and Tracking
The DEBRIEF iOS App does not use cookies. Web-based authentication flows (Sign in with Google) may use session cookies managed by the respective provider's secure web view. We do not use tracking pixels, web beacons, or cross-site tracking technologies.
If you visit our website at netcore-solutions.com, that site may have a separate cookie policy.
12. AI and Automated Processing
The App uses two forms of automated processing:
12.1 AI Coach (OpenAI GPT-4o)
Your debrief entries and a profile summary are processed by OpenAI's language model to generate coaching responses. This is a generative AI system — responses are probabilistic and may not always be accurate or appropriate. AI Coach responses do not constitute professional advice.
Data sent to OpenAI via our server proxy is subject to OpenAI's API data usage policy. Per OpenAI's enterprise API terms, data submitted via the API is not used to train OpenAI models by default.
12.2 Pattern Detection
The App automatically analyzes your historical debrief entries to identify recurring patterns (e.g., consistent wins or improvement areas). This processing occurs on our servers and produces informational alerts only. It does not make decisions that produce legal or similarly significant effects on you.
13. Subscriptions and Payment Data
All subscription payments are processed by Apple through the App Store. We do not collect, process, or store your payment card information. Apple may collect and process payment data in accordance with its own Privacy Policy.
We receive from Apple: subscription status, product ID, and transaction dates — sufficient to manage your access to the Service.
14. Links to Third-Party Services
The App may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party service you access through the App.
15. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via the App or by email at least 14 days before the changes take effect.
The "Last updated" date at the top of this page reflects the most recent revision. We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.
16. Contact & Data Requests
For any privacy-related inquiries, data access requests, deletion requests, or to exercise any of your rights, please contact us:
Netcore Solutions LLC
30 N Gould St Ste R, Sheridan, WY 82801
United States
Email: [email protected]
Website: netcore-solutions.com
We aim to respond to all legitimate requests within 30 days. For complex requests, we may extend this period by a further 30 days and will notify you of the extension.
EU/EEA users: If you are not satisfied with our response, you have the right to complain to your local data protection authority.