Your Focus Data Stays Yours
We designed ZoBud to collect the minimum data necessary. No surprises. No hidden trackers.
Important Notice
ZoBud is a wellness and productivity tool, not a medical device. It is not intended to diagnose, treat, cure, or prevent any disease, including ADHD. Always consult qualified healthcare providers for medical advice, diagnosis, or treatment decisions. Do not disregard professional medical guidance based on information from this app.
What We Collect & Why
Data We DO Collect
- Focus Session Metrics: Duration, completion status, timestamps (to track your streaks)
- Task Content: Task titles, energy bucket assignments, AI breakdown requests
- Mood Check-ins: Energy level ratings 1-5 (optional)
- Device Info: OS version, app version, crash logs
- Purchase History: Subscription status via RevenueCat
✕Data We NEVER Collect
- ✕No Real Names Required: Email-only registration, pseudonyms allowed
- ✕No Location Data: We don't track where you focus
- ✕No Contact Access: We never upload your address book
- ✕No Browsing History: We don't see what you do outside ZoBud
- ✕No Biometric Data: No heart rate, facial recognition, or voice prints
- ✕No Diagnoses: We don't ask for or store ADHD diagnosis status
How We Use Your Data — Purpose Limitation
| Data Type | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Email & Password | Account authentication | Contract necessity | Until account deletion |
| Task Content | Core app functionality | Contract necessity | 30 days after deletion |
| Focus Sessions | Streak calculation | Legitimate interest | 1 year (anonymized) |
| Mood Entries | Personalization | Consent (optional) | 90 days |
| Payment Data | Subscription management | Contract necessity | 7 years (tax) |
| Crash Logs | Bug fixing | Legitimate interest | 90 days |
AI & Third-Party Processing
Artificial Intelligence Disclosure
ZoBud uses Google Gemini 2.5 Flash for task breakdown suggestions. When you request AI breakdown:
- Only the task title is sent to Google's API
- No personal identifiers accompany the request
- Processing occurs on Google's secure servers (US/EU regions)
- We never use your data to train Google's models
- You may opt-out in Settings → AI Features
Third-Party SDKs
| Service | Purpose | Data Shared | Privacy Cert |
|---|---|---|---|
| RevenueCat | Subscription management | Purchase history, device ID | SOC 2 Type II |
| Google Gemini | AI task breakdown | Task titles only | GDPR compliant |
| Brevo (Sendinblue) | Waitlist/transactional emails | Email address | ISO 27001 |
| Matomo | Analytics (privacy-focused) | Anonymized usage patterns | Self-hosted |
| Hive (Local) | On-device data storage | None — local only | N/A |
| PostgreSQL | Cloud data storage | Encrypted user data | AWS RDS encryption |
Your Rights — User Control Center
Access Your Data
Profile → Download My Data (JSON) or email [email protected] (30-day response)
Correct Your Data
Edit directly in app or contact support for assistance
Delete Your Data
Settings → Delete Account. 30-day grace period, complete erasure within 90 days.
Object to Processing
Toggle off AI suggestions, analytics, marketing emails. Core functionality unaffected.
Children's Privacy — COPPA/GDPR-K Compliance
ZoBud is not intended for children under 13. We do not knowingly collect data from children under 13. If you are a parent and believe your child has provided us with personal information, contact us immediately at [email protected] and we will delete the information within 24 hours.
Security Measures — Technical Safeguards
Encryption
AES-256 at rest, TLS 1.3 in transit
Authentication
JWT tokens, bcrypt hashing (10 rounds)
Infrastructure
AWS RDS, private subnets, no public DB access
Access Controls
Role-based access, 2FA for admins
Auditing
Annual penetration testing, quarterly reviews
Incident Response
72-hour breach notification, user alerts
International Data Transfers — Jurisdiction Clarity
Primary Servers
EU (Frankfurt) for European users
Backup Servers
US (Virginia) with EU adequacy decision compliance
Transfer Mechanism
Standard Contractual Clauses (SCCs) for EU-US transfers
User Choice
Settings → Data Region → EU-only or Global (default: EU for EU users)
Updates & Contact
Last Updated
March 16, 2026
Change Notification
Email 30 days before material changes, in-app banner 7 days before
Contact Information
Privacy Inquiries: [email protected]
Data Requests: [email protected]
DPO: [email protected]
Response time: 48 hours