Privacy Policy
"Lockin" SIA · Registration Nr. 40203724495
Latvia, European Union
Email: support@lockinapp.org
1. Overview
Lockin is an accountability app that helps you build habits by staking real money on self-improvement challenges. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and your rights regarding your data.
We collect only the data necessary to operate the app and verify your challenge progress. We do not sell your personal data to anyone.
2. Data We Collect
2.1 Account Information
| Data | When Collected | Purpose |
|---|---|---|
| Email address | Google or Apple sign-in | Account identification, payment receipts, support |
| Display name | Google or Apple sign-in | Profile display |
| Authentication tokens | Sign-in | Secure access to your account |
| Country | Account creation (detected from IP or device locale) | Currency selection, regulatory compliance |
| Locale and timezone | Account creation (from device settings) | Date/time formatting, leaderboard scheduling |
| Currency preference | Account creation | Payment display |
2.2 Location Data
| Data | When Collected | Purpose |
|---|---|---|
| GPS coordinates (latitude/longitude) | When you create or check in to a location-based challenge | Verify you visited your chosen location |
| Reverse-geocoded address | When you select a challenge location | Display a human-readable address |
2.3 Health & Fitness Data
| Data | When Collected | Purpose |
|---|---|---|
| Daily step count | While a steps challenge is active (polled every 10 seconds in foreground) | Verify you met your daily step target |
2.4 Screen Time Data
| Data | When Collected | Purpose |
|---|---|---|
| Per-app usage time (minutes) | When validating a screen time challenge | Verify you stayed within your chosen app time limits |
| App names (packages you selected) | Challenge creation | Track the specific apps you chose to limit |
2.5 Payment & Financial Data
| Data | When Collected | Purpose |
|---|---|---|
| Stripe Payment Intent ID | When you stake money on a challenge | Process payments and refunds |
| Transaction amounts and currency | Payment processing | Record keeping, refund processing |
| Payment status and timestamps | Payment processing | Transaction lifecycle management |
| Subscription status | If you subscribe to Pro | Feature access, billing |
2.6 Challenge & Activity Data
| Data | When Collected | Purpose |
|---|---|---|
| Challenge type, duration, and stake amount | Challenge creation | Core app functionality |
| Challenge completion/failure status | Throughout challenge | Determine refund or forfeiture |
| Check-in timestamps | Each check-in | Verify daily compliance |
| XP, achievements, league rank | Ongoing | Gamification and leaderboards |
| Friends list and friend challenges | When you add friends | Social features |
2.7 Device Information
| Data | When Collected | Purpose |
|---|---|---|
| Device fingerprint (SHA-256 hash) | Account creation | Prevent multi-account abuse |
| Push notification token | When you enable notifications | Send challenge reminders and deadline warnings |
| Platform (iOS/Android) | App launch | Platform-specific functionality |
We store a one-way hash of your device identifier — we cannot reverse this to identify your specific device.
2.8 Analytics Data
| Data | When Collected | Purpose |
|---|---|---|
| App usage events (screens viewed, features used) | During app use (release builds only) | Improve the app, fix bugs, understand user behavior |
| Session recordings (text and images masked) | During app use (release builds only) | Debug issues, improve user experience |
Analytics are collected via PostHog. All session recordings have text and image masking enabled — we cannot read your personal content in recordings.
3. Why We Process Your Data (Legal Basis)
Under the General Data Protection Regulation (GDPR), we process your data based on the following legal grounds:
| Legal Basis | Data | Explanation |
|---|---|---|
| Contract performance (Art. 6(1)(b)) | Account info, payment data, challenge data, check-in verification data | Necessary to provide the Lockin service |
| Explicit consent (Art. 9(2)(a)) | Location data, health/fitness data, screen time data | Sensitive data categories. We request your explicit permission before accessing them, and you can revoke permission at any time |
| Legitimate interest (Art. 6(1)(f)) | Analytics, device fingerprint, crash reports | Improving app quality, preventing fraud, ensuring platform security |
| Legal obligation (Art. 6(1)(c)) | Transaction records, tax-relevant data | Financial record-keeping requirements under Latvian and EU law |
4. Who We Share Your Data With
We share your data only with the service providers necessary to operate Lockin. We do not sell your data to anyone.
4.1 Sub-Processors
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, server functions | Account data, challenge data, payment records | US/EU |
| Stripe | Payment processing | Payment details, email, transaction amounts | US/EU |
| Firebase (Google) | Authentication, push notifications, crash reporting | Auth tokens, email, push tokens, crash logs | US/EU |
| PostHog | Product analytics, session replay | Usage events, masked session recordings | EU |
| RevenueCat | Subscription management | User ID, purchase history, subscription status | US |
| Google Maps | Map display, address lookup | GPS coordinates (location challenges only) | US |
| Google AdMob | Advertising (free-tier users) | Device identifiers, ad interaction data | US |
All sub-processors are bound by Data Processing Agreements (DPAs) that require them to process your data only as instructed and to maintain appropriate security measures.
4.2 International Data Transfers
Your data may be transferred to and processed in the United States by our sub-processors. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, EU-US Data Privacy Framework certifications.
4.3 Leaderboard Visibility
Your username, XP, league rank, and avatar are visible to other Lockin users on the weekly leaderboard. Your real name, email, location, health data, financial data, and challenge details are never visible to other users (except friends you've added, who can see shared challenge progress).
5. Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Until you delete your account | Service operation |
| Challenge and completion data | Until you delete your account | Historical records, dispute resolution |
| Payment and transaction records | 7 years after transaction | Latvian tax and financial reporting obligations |
| Step count cache (local) | 7-day rolling window (auto-deleted) | Challenge verification |
| Screen time data (local) | Session-based (cleared on app exit) | Challenge verification |
| Location check-in data | Until you delete your account | Challenge verification records |
| Analytics events | 1 year | Product improvement |
| Session recordings | 30 days | Debugging |
When you delete your account, we delete or anonymize all personal data within 30 days, except where retention is required by law (e.g., financial records).
6. Your Rights
Under GDPR, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of all personal data we hold about you |
| Rectification | Correct inaccurate personal data |
| Erasure | Request deletion of your personal data |
| Restriction | Request we stop processing your data while we resolve a dispute |
| Portability | Receive your data in a machine-readable format |
| Objection | Object to processing based on legitimate interest |
| Withdraw consent | Revoke consent for location, health, or screen time data at any time via your device settings |
| Lodge a complaint | File a complaint with a data protection authority |
To exercise any right: Email support@lockinapp.org with the subject "Privacy Request." We will respond within 30 days.
Withdrawing permissions: You can revoke location, health/fitness, and screen time permissions at any time through your device settings. This will prevent you from using those specific challenge types but will not affect the rest of the app.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of all data in transit (TLS/HTTPS)
- Encryption of sensitive local data at rest
- Row-Level Security ensuring you can only access your own data
- Identity verification on all server-side operations
- One-way hashing of device identifiers
- Text and image masking in analytics session recordings
No system is 100% secure. If we discover a data breach that affects your personal data, we will notify you and the relevant data protection authority within 72 hours as required by GDPR.
8. Children's Privacy
Lockin is not intended for anyone under the age of 18. We do not knowingly collect personal data from children. The app involves real financial transactions, which require users to be of legal age.
If we learn that we have collected data from a user under 18, we will delete that data promptly. If you believe a minor is using Lockin, please contact us at support@lockinapp.org.
9. Cookies and Tracking Technologies
The Lockin mobile app does not use cookies. However:
- PostHog uses a device-local identifier for analytics session tracking
- Google AdMob may use your device's advertising identifier to serve relevant ads. You can opt out of personalized ads in your device's privacy settings
- Firebase may use instance identifiers for push notification delivery and crash reporting
10. Advertising
Free-tier users see ads served by Google AdMob. AdMob may collect device identifiers, IP address, advertising ID, and app interaction data.
You can opt out of personalized advertising:
- Android: Settings → Google → Ads → Opt out of Ads Personalization
- iOS: Settings → Privacy → Apple Advertising → Personalized Ads → Off
Pro subscribers do not see ads.
11. Third-Party Links
Lockin may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the app, updating the "Last Updated" date, and sending a notification for significant changes.
Your continued use of Lockin after a policy update constitutes acceptance of the updated terms.
13. Contact Us
For any privacy-related questions, concerns, or requests:
"Lockin" SIA
Registration Nr. 40203724495
Latvia, European Union
Email: support@lockinapp.org
We aim to respond to all privacy inquiries within 30 days.
14. Supervisory Authority
If you are unsatisfied with our handling of your personal data, you have the right to lodge a complaint with:
Datu valsts inspekcija (Data State Inspectorate)
Latvia's national data protection authority
Website: www.dvi.gov.lv
Email: pasts@dvi.gov.lv
You may also contact the data protection authority in your country of residence.