← Back

Privacy Policy

Effective: May 24, 2026 · Last updated: May 24, 2026

1. Information We Collect

We collect the following categories of personal information:

CategoryExamplesPurpose
Contact informationEmail address (if provided via Apple Sign In)Account creation and authentication
IdentifiersApple-issued anonymized user IDLink your data to your account securely
User-generated contentWorry text, category, deadline, outcome, intensity rating, reflections, chat messages with MiraCore app functionality — storing and syncing your entries
Audio data (voice input)Voice transcripts from speech-to-text (processed on-device by Apple's Speech Recognition framework). Raw audio is never transmitted to our servers.Convert spoken worries to text using your device's native speech recognition
Auto-extracted memoriesPeople names, relationships, life facts, worry patterns (extracted by AI analysis of your entries)Pattern detection and personalized insight generation
Usage dataCrash logs, error messages (anonymous)App stability and bug fixes
PreferencesFirst name, primary worry category, notification settingsPersonalization

We do not collect precise geolocation, biometric data, browsing history, contacts, photos, or any data not listed above.

2. Voice Input and Audio Data Processing

When you use voice input to describe worries, the following happens:

  • On-device transcription: Your voice is transcribed into text using Apple's built-in Speech Recognition framework. This transcription happens entirely on your device and is not shared with us.
  • Raw audio is never sent: Only the resulting text transcript is transmitted to our servers. Your raw audio file is not retained or transmitted.
  • Transcript storage: The text transcript is stored in your Supabase account as a worry entry (encrypted in transit and at rest).
  • Apple's involvement: Apple's Speech Recognition API may collect minimal usage data as part of iOS system services; see Apple's Privacy Policy for details.

2b. Auto-Extracted Memory Processing

Mira's backend automatically extracts structured information from your worry entries and chat messages to power pattern detection and personalized insights. This processing includes:

  • Data extracted: Key people mentioned, relationships described, recurring life events, worry patterns, emotional themes, and importance scores.
  • AI model used: OpenAI's gpt-4o-mini API analyzes your text to identify these entities and relationships. This model input is not used to train OpenAI's models (covered by our API DPA below).
  • Storage: Extracted entities are stored as structured data in your Supabase account (tables: user_entities, user_facts) and are used only to improve your personalized insights.
  • Your control: Extracted memories appear in your account data export (when you export your data). You can request deletion of extracted data by contacting info@vibecodingturkey.com.
  • No third-party sharing: Extracted memories are never sold, shared with advertisers, or used for purposes beyond providing you insight recommendations.

3. How We Use Your Information

  • To create and maintain your account.
  • To store, sync, and display your worry entries across devices.
  • To calculate your personal Reality Gap score and statistics.
  • To send you push notifications you have opted into (deadline reminders, morning check-ins). You can withdraw consent at any time in iOS Settings.
  • To diagnose crashes and improve app stability using anonymous error logs.
  • To comply with our legal obligations.

We do not use your data for targeted advertising, behavioral profiling, or any purpose beyond providing the app service to you.

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data. We share data only as follows:

  • Supabase (database provider): Your worry entries and account data are stored on Supabase servers (PostgreSQL) in the Frankfurt, EU region. Supabase acts as a data processor under our instructions (Data Processing Addendum in place) and does not use your data for its own purposes. Data encrypted in transit (TLS) and at rest (AES-256).
  • Apple: Sign In with Apple transactions are processed by Apple. We receive only the anonymized identifier and optional email Apple provides.
  • Legal requirements: We may disclose information if required by law, court order, or to protect the safety of users or the public.

No other third parties receive your personal data.

5. Data Retention

  • Your account data and worry entries are retained while your account is active.
  • If you delete your account (Settings → Delete Account), all personal data is permanently deleted from our servers within 30 days.
  • Anonymous crash logs are retained for up to 90 days, after which they are automatically purged.
  • OpenAI API data: Text sent to OpenAI for Mira's responses is retained by OpenAI for abuse monitoring for up to 30 days unless we have a Zero Data Retention agreement (ZDR). Our standard API agreement does not include ZDR, so 30-day retention applies. OpenAI does not use this data to train models under the API DPA.
  • You may request earlier deletion by contacting us at info@vibecodingturkey.com.

6. Security

We implement the following security measures:

  • Encryption in transit: All data is transmitted over HTTPS/TLS.
  • Encryption at rest: Data stored in Supabase is encrypted at rest.
  • Row-level security: Database policies ensure each user can only access their own data — no other user or process can read your worry entries.
  • Authentication: Account access is protected by Sign In with Apple or email/password authentication.

No method of transmission over the Internet is 100% secure. While we use commercially reasonable means to protect your data, we cannot guarantee absolute security.

7. Your Rights and Choices

Depending on your location, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion: Delete your account and all associated data from within the app (Settings → Delete Account), or by contacting us.
  • Data portability: Export your worry data in JSON format from the app's Settings screen.
  • Withdraw consent: Disable push notifications at any time in iOS Settings → DidntHappen → Notifications.
  • Opt out of telemetry: Crash reporting is anonymous and cannot be linked back to you.

To exercise any rights, contact us at info@vibecodingturkey.com. We will respond within 30 days.

8. Children's Privacy (COPPA)

DidntHappen is rated 4+ on the App Store and is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at info@vibecodingturkey.com and we will delete the information promptly.

9. Sign In with Apple

We support Sign In with Apple as an authentication method. When you use this feature:
  • Apple generates a unique anonymized identifier for your account on our service.
  • You choose whether to share your real email or use Apple's private relay email.
  • We never receive your Apple ID password.
  • Apple's Privacy Policy governs the data Apple collects during authentication.

10. Subscriptions and Payments

All subscription payments for DidntHappen Pro are processed by Apple through the App Store. We do not collect, store, or process payment card information. Your subscription can be managed through your Apple ID account settings. Apple's Privacy Policy applies to payment processing.

11. Sub-processors and Third-Party Services

The app and our backend rely on the following independent sub-processors. Each receives only the data needed for the stated purpose. None of them are advertising or cross-app tracking providers.

ServiceLocationPurposeData shared
SupabaseFrankfurt, EUDatabase, authentication, file storage, DPA in placeAccount ID, email (if Email sign-in), worry entries, chat messages, profile fields, extracted memories
Apple StoreKit 2VariesSubscription billing and entitlementApple-managed (we do not see payment details)
Apple Push Notification ServiceVariesLocal reminders, deadline alertsDevice push token only
RevenueCatUSSubscription receipt validation and analyticsAnonymous in-app user ID, subscription status
SentryFrankfurt, EUCrash and error reporting for stabilityAnonymous in-app user ID, crash stack trace, OS version, app version
OpenAI (gpt-4o-mini API)USGenerates Mira's reflective text responses; extracts memory entities (server-to-server)Your recent messages, extracted context, memory analysis. DPA in place; data retained 30 days for abuse monitoring; no training on API traffic
Microsoft Edge TTS (Bing endpoint)USSynthesizes Mira's AI-generated reply text into speechOnly the generated reply text (not your private worry text); no audio retained after synthesis
RenderFrankfurt, EUHosts voice backend that orchestrates OpenAI + Edge TTSTransient request payload; no persistent storage
VercelUSHosts this website (didnthappen-web)Standard web request logs only; no sensitive app data

Note on Edge TTS: Microsoft's Edge TTS endpoint is provided by the open-source edge-tts library. It is not an official Microsoft service with a standard Data Processing Addendum. We use it for cost efficiency and developer convenience. If you require official Microsoft Azure Speech Service compliance, please contact info@vibecodingturkey.com.

We do not use third-party advertising, behavioural analytics, or cross-app tracking SDKs. Our SDKs do not request App Tracking Transparency authorisation because no tracking occurs.

12. International Data Transfers

Your personal data may be stored and processed in multiple jurisdictions:

  • Primary storage (Supabase): Frankfurt, EU (encrypted at rest and in transit).
  • API services: OpenAI (US), Microsoft Edge TTS (US), RevenueCat (US), Vercel (US).
  • Error reporting: Sentry (Frankfurt, EU).
  • Voice backend: Render (Frankfurt, EU).

By using the app, you consent to these transfers. For transfers to the US, we rely on Standard Contractual Clauses (SCCs) and other mechanisms available under applicable law (including the UK/EU adequacy frameworks where applicable).

13. California and EEA Residents

California (CCPA/CPRA): We do not sell or share personal information. You have the right to know, delete, and correct personal information we collect. Contact us to exercise your rights within 45 days. We do not discriminate against users for exercising their rights.

European Economic Area (GDPR): Our legal basis for processing is contract performance (providing the app service). You have the right to access, rectify, erase, restrict, and port your data, and to lodge a complaint with your supervisory authority. We respond within 30 days of your rights request.

13b. CCPA/CPRA Categories of Personal Information

Under California law, we collect the following categories of personal information:

Category (CCPA SPI)ExamplesSold/Shared?
IdentifiersEmail, Apple ID, Apple-generated UUIDNo
Commercial informationSubscription plan, trial status, purchase historyNo
Biometric informationSpeech transcripts (audio converted to text only)No
Internet activityApp crash reports, stability logsNo
GeolocationNone collectedN/A
Sensitive personal information (Article 9 GDPR)Worry entries, mental health data, chat with MiraNo — processed only with explicit consent
Inferred informationPatterns of anxiety, worry themes, relationship networks (AI-extracted)No

Right to know: Contact info@vibecodingturkey.com to request what personal information we hold and the purposes for processing.

Right to delete: Request deletion of your personal information via Settings → Delete Account or info@vibecodingturkey.com.

Right to correct: Contact us to correct inaccurate personal information.

13c. California Shine the Light (CA Civil Code 1798.100)

If you are a California resident, you may request information about the types of personal information we share with third parties for their direct marketing purposes. We do not sell or share personal information with third parties for commercial purposes, so we have nothing to disclose under this law. If your circumstances change and we begin selling or sharing, we will update this policy and honor opt-out requests.

14. EU AI Act Transparency Notice

Under the EU AI Act (in force from 2 August 2026), this notice informs you that DidntHappen uses AI systems in the following limited-risk categories:

  • Mira reflective companion: Uses OpenAI's generative AI model (gpt-4o-mini) to produce conversational text responses to your worry descriptions. This system is designed to be informational and reflective, not clinical or diagnostic.
  • Memory extraction and pattern detection: Uses AI to identify people, relationships, and recurring themes in your entries. This processing is used only to personalize your experience and generate insights.
  • Transparency: You are informed in this policy and at key points in the app that AI-generated content is computer-generated. Mira is not a therapist, and AI outputs should not be relied upon for medical decisions.
  • Human oversight: Our mental health disclaimers (see /mental-health-disclaimer) ensure you understand the limitations and encourage you to seek professional help when needed.

We do not use AI for content moderation decisions that restrict your access to the service. We do not use emotion-recognition or facial-recognition AI.

15. Sensitive Data (Mental Health)

Worry entries and chat messages can describe how you feel, which may amount to special category personal data under GDPR Article 9. Our legal basis for processing this data is your explicit consent, given when you agree to these terms during onboarding. You may withdraw consent at any time by deleting your account (see /delete-account); withdrawal does not affect the lawfulness of processing before withdrawal.

16. Data Breach Notification

If we discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33, and we will notify you without undue delay where the risk is high (Article 34).

17. Encryption and Security Posture

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 at Supabase). Row-level security enforces account isolation at the database. Crash logs sent to Sentry have personal identifiers stripped. No system is risk-free — we describe what we do and how to reach us if you suspect a problem (info@vibecodingturkey.com).

18. Changes to This Policy

We may update this Privacy Policy. We will notify you of material changes via an in-app banner before the change takes effect. The updated policy will also be posted at this URL with a new effective date. Continued use after changes constitutes acceptance.

19. Data Protection Officer and GDPR Accountability

DidntHappen is a small developer without mandatory Data Protection Officer appointment under GDPR Article 37 (not a public authority, not carrying out systematic monitoring of data subjects at scale). However, we comply with all GDPR requirements including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, integrity, confidentiality, and accountability. Data processing is documented and requests for data rights are handled within 30 days under Articles 15–22.

For GDPR inquiries: info@vibecodingturkey.com. If you are not satisfied with our response, you may file a complaint with the supervisory authority in your country (list: edpb.europa.eu).

20. Legal Basis and Lawfulness

Performance of contract: Your use of DidntHappen is based on the contract between you and us. We process your account data, worry entries, and preferences to perform this service.

Consent: You consent to process mental-health sensitive data (worry entries) by accepting these terms. You withdraw consent by deleting your account.

Legal compliance: We may process data where required by law (e.g., tax records, abuse investigation).

Legitimate interests: We process crash logs and usage patterns to improve app stability and security.

21. Contact and Data Controller

Data controller: DidntHappen

Email: info@vibecodingturkey.com

Support: https://didnthappen-web.vercel.app/support

Right to lodge a complaint with a supervisory authority: EEA/UK residents may complain to their local data-protection authority. A list is published at edpb.europa.eu.

HomePrivacyTermsCookiesAcceptable UseCommunity GuidelinesCopyright / DMCAUser Content PolicyAI DisclaimerMental Health DisclaimerRefundsSubscriptionsContactReport AbuseDelete AccountUnsubscribeSupport