Privacy Policy

1.1 Information You Provide Directly

• Account information: full name, email address, phone number, username, password, optional profile photo, and optional bio.
• Habit and challenge data: habit titles, descriptions, cadence, completion logs, proof photos, and notes you submit.
• User content: posts, comments, club content, messages, and other content you create or share in the Service.
• Accountability partner data: shared habits and challenges visible to your designated partners.
• AI coach conversations: messages you send to the Fern AI support coach (Premium feature).
• Referral codes you enter or share.
• Reports you submit about other users.

1.2 Information Collected Automatically

• Usage and analytics data: app events you trigger (e.g., app opens, habit completions, feature interactions), session identifiers, timestamps, and your email address for internal analytics and user-level insights.
• Device information: device name, operating system (iOS/Android/web), app version, and platform.
• Push notification tokens: device tokens required to deliver push notifications to your device.
• IP address and network metadata: collected by our infrastructure provider as part of normal server operation.
• Subscription status and transaction metadata: premium status, trial dates, and entitlement information (payment details are handled entirely by Apple or Google and are not stored by Fernara).

1.3 Information from Third Parties

• Google Sign-In: if you register or log in via Google, we receive your name, email address, and profile picture from Google.
• Apple Sign-In: if you register or log in via Apple, we receive the information Apple provides in accordance with Apple's privacy policies.
• RevenueCat: subscription status and entitlement data from our subscription management provider.

1.4 Contacts (Optional, Permission-Based)

If you grant permission, the Service may access your device's contact list to help you find and connect with people you know. We access your contacts locally on your device for this purpose. Email addresses from your contacts may be sent to our server to match against existing Fernara users. We do not store your full contact list on our servers. You may revoke this permission at any time through your device settings.

1.5 Information We Do Not Collect

We do not collect precise GPS location data, medical records, health metrics (such as heart rate, weight, or sleep data from wearables), biometric data, or financial payment information. Payment processing is handled entirely by Apple or Google.

We use the information we collect to:

• Provide, operate, and maintain the Service, including account management, habit and challenge tracking, social features, and community functions.
• Verify your identity during account registration via SMS verification codes.
• Process and manage Premium subscriptions and in-app virtual items.
• Power the Fern AI coach feature by passing relevant context (such as your active habits and challenges) to our AI provider to generate personalized responses.
• Send push notifications and in-app notifications relevant to your account activity, based on your notification preferences.
• Analyze usage patterns and measure product metrics (such as retention, feature adoption, and conversion rates) to improve the Service.
• Detect, investigate, and prevent fraud, abuse, or violations of our Terms of Service.
• Respond to support requests and inquiries.
• Comply with applicable legal obligations.

We do not sell your personal information to third parties.

3.1 With Other Users

Certain information is visible to other users by design, including your username, display name, profile photo, bio, public habits and challenges, club memberships, challenge participation, social feed posts, comments, and XP/streak data. You can control the visibility of certain information through your privacy settings. Messages and accountability partner data are shared only with the specific users you designate.

3.2 With Service Providers

We share information with trusted third-party service providers who process data on our behalf, including:

• Supabase: database hosting, authentication, file storage, and backend infrastructure.
• RevenueCat: subscription and entitlement management.
• OpenAI: processing AI coach (Fern) conversations. Messages sent to Fern, along with limited habit and challenge context, are transmitted to OpenAI's API. OpenAI's data use is governed by their privacy policy and API data usage policies.
• Expo / Expo Push Notifications: mobile app framework and push notification delivery.
• Daily.co: video and audio call infrastructure for in-app calling features. Call metadata including display name and room identifiers may be processed by Daily.co's servers.
• Twilio: SMS delivery for phone number verification during account registration. Your phone number is transmitted to Twilio for the sole purpose of delivering verification codes. Twilio's data use is governed by their privacy policy.
• Apple / Google: app distribution, in-app purchase processing, and sign-in services.

All service providers are contractually required to use your information only as necessary to provide services to us and in accordance with this Privacy Policy.

3.3 Legal and Safety Disclosures

We may disclose your information if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation or valid legal process; (b) protect the rights, property, or safety of Fernara, our users, or the public; (c) detect or prevent fraud or security issues; or (d) enforce our Terms of Service.

3.4 Business Transfers

In connection with a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred to a successor entity. We will notify you of any such transfer and any choices you may have regarding your information.

We retain your personal information for as long as your account is active or as needed to provide the Service. When you delete your account, we will delete your profile and directly associated personal data. Certain data may be retained for longer periods where required by law, necessary for legitimate business purposes (such as fraud prevention or financial auditing), or where data has been aggregated and anonymized such that it no longer identifies you. Analytics event data may be retained in anonymized or aggregated form following account deletion.

User-generated content you posted in public spaces (such as club posts or the social feed) may persist in a de-identified or anonymized form after account deletion to preserve community context, unless you specifically request its removal.

Depending on your location, you may have certain rights regarding your personal information, including:

• Access: the right to request a copy of the personal data we hold about you.
• Correction: the right to request correction of inaccurate or incomplete personal data.
• Deletion: the right to request deletion of your personal data ("right to be forgotten"), subject to legal and legitimate business exceptions.
• Data portability: the right to receive a copy of your data in a structured, machine-readable format where technically feasible.
• Objection and restriction: the right to object to or request restriction of certain processing activities.
• Withdraw consent: where processing is based on your consent, the right to withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at francisco@fernara.com. We will respond to verifiable requests within the timeframe required by applicable law. We may need to verify your identity before processing your request.

California Residents: Under the California Consumer Privacy Act (CCPA), you have additional rights including the right to know what personal information is collected, the right to opt out of the sale of personal information (we do not sell your personal information), and the right to non-discrimination for exercising your rights. To submit a request, contact francisco@fernara.com.

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child under 13 has provided us with personal information without your consent, please contact us immediately at francisco@fernara.com and we will take steps to delete that information. Users between ages 13 and 17 should obtain parental or guardian consent before using the Service.

We implement reasonable technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These include encrypted data transmission (TLS), row-level database security policies, and secure credential storage on devices. However, no method of transmission or storage is 100% secure. We cannot guarantee the absolute security of your information, and you use the Service at your own risk. You are responsible for maintaining the security of your account credentials.

If you believe your account has been compromised, please contact us immediately at francisco@fernara.com.

Fernara operates globally and your information may be stored and processed in countries outside your country of residence, including the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to the transfer of your information to these countries. Where required, we ensure appropriate safeguards are in place for such transfers, consistent with applicable law.

When you use the Fern AI coach feature (Premium), messages you send and limited contextual data about your habits and challenges are transmitted to OpenAI's API to generate responses. This data is processed in accordance with OpenAI's API data usage policies. We do not use your AI coach conversations to train our own models. However, please be aware that information you voluntarily share with Fern is transmitted to a third-party AI provider and you should not share sensitive personal, medical, financial, or confidential information through this feature.

On iOS devices, we request App Tracking Transparency (ATT) permission in accordance with Apple's requirements. We use analytics data collected through the Service solely for internal product analytics and improvement purposes. We do not currently serve third-party advertisements within the Service. We do not share your information with advertising networks or data brokers for advertising purposes.

With your permission, we send push notifications to your device regarding habit reminders, social activity, challenge updates, messages, and other Service-related events. You may manage or disable push notifications at any time through your in-app notification settings or your device settings. Disabling push notifications does not delete your account or affect your access to the Service.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes through the Service or via email. The "Last Updated" date at the top of this policy reflects the most recent revision. Your continued use of the Service after changes take effect constitutes your acceptance of the updated Privacy Policy.

When you register for an account, you may be asked to provide your phone number for identity verification. We use Twilio, a third-party SMS provider, to send one-time verification codes to your phone number. Your phone number is stored in our database for account identification and security purposes. We do not use your phone number for marketing, promotional messages, or any purpose other than account verification and security. Message and data rates from your mobile carrier may apply. You may request deletion of your phone number by deleting your account or contacting us at francisco@fernara.com.

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

Fernara
Email: francisco@fernara.com

We will respond to all inquiries within a reasonable time and within any timeframe required by applicable law.