Privacy Policy

ActionPoints mobile application

Last updated / Effective date: 31 May 2026

This Privacy Policy explains how your personal data is collected, used, stored, shared and protected when you use the ActionPoints mobile application (the “App”). It is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and Polish data-protection law. Please read it together with our Terms of Use.

Contents

Who we are (Data Controller)
Scope of this policy
Data we collect — at a glance
Personal data we collect and why
What we do not collect
Artificial intelligence (AI) features
Voice dictation
Legal bases for processing
How we share data — sub-processors & recipients
International data transfers
Data retention
Your privacy rights
Security
Children
Sensitive data & content you enter
Third-party services and links
Changes to this policy
Contact & complaints

1. Who we are (Data Controller)

The App is provided by JDG Ilya Kavalenka, a sole proprietorship (jednoosobowa działalność gospodarcza) registered in Poland (the “Developer”, “we”, “us”, “our”). For the purposes of the GDPR, the Developer is the data controller of the personal data described in this policy.

You can contact us about privacy at any time:

Email: [email protected]
Website: https://actionpoints.app

We have not appointed a Data Protection Officer (DPO), as we are not legally required to do so. Privacy enquiries are handled directly via the email above.

2. Scope of this policy

This policy applies to the ActionPoints App on iOS and Android and to the back-end services that support it. It does not apply to third-party products or services that have their own privacy policies (for example Apple, Google, and Amazon Web Services), even where you reach them through the App. See section 16.

3. Data we collect — at a glance

Category	Examples	Source
Account & identity	Email address; a unique account ID; name and identifier supplied by Apple or Google if you use those sign-in options	You / your sign-in provider
Content you create	Titles of your tasks (“Actions”); the free-text goal descriptions you type or dictate; schedules you set	You
AI inputs & outputs	Goal prompts and Action titles you submit to AI features, and the suggestions the AI returns	You / AI service
Progress & gameplay data	Experience points, levels, streaks, skill points, virtual currency (“Silver”), collectible items (“Jokers”), completion logs and timestamps	Generated by your use of the App
Subscription & purchase data	Store platform, product ID, transaction identifiers, purchase/expiry dates, environment, the store purchase receipt/token, and your premium status	Apple / Google / you
Device & technical data	App language/locale and time-zone-related local date; IP address (received automatically by our servers)	Your device
Diagnostics	Crash reports, error logs, performance traces and related device/OS metadata, plus your account ID, sent to our error-monitoring provider	Your device

4. Personal data we collect and why

4.1 Account & identity data

To create and secure your account we use Amazon Cognito. Depending on how you sign in, we process: your email address, a unique account identifier, and — if you choose “Sign in with Apple” or “Sign in with Google” — the identifier and basic profile information (such as name and email) shared by that provider. Your password (for email sign-up) is managed by Amazon Cognito and is never visible to us. We use this data to authenticate you, keep your account secure, and send essential service messages (such as email verification or password reset).

4.2 Content you create

The App lets you create tasks (“Actions”) and goals. We store the text you enter, including Action titles, the free-text goal descriptions you type or dictate, and any schedules you set. This content is stored so the App can function and sync across your sessions. Your content is private to your account — the App has no social, sharing, public-posting, friend, leaderboard or multiplayer features, and your content is not shown to other users.

4.3 AI inputs & outputs

When you use an AI feature, the relevant text you provide (your goal prompt, or an Action title) and an optional language hint are sent to an AI service to generate suggestions. Both your input and the generated output may be stored in your account. See section 6 for full detail.

4.4 Progress & gameplay data

As you use the App we generate and store gameplay data tied to your account: experience points and levels, streaks, skill points across categories (Health, Mind, Family, Social, Career, Finance, Creativity), virtual currency (“Silver”), collectible perks (“Jokers”), reward outcomes, and logs of completed Actions with timestamps. This is needed to provide the App’s core gamified experience.

4.5 Subscription & purchase data

If you buy a subscription (“ActionPoints Premium”), purchases are processed by the Apple App Store or Google Play. We do not receive or store your full payment-card details. To activate and validate your subscription we store: the store platform, product ID, transaction identifiers, purchase and expiry dates, the purchase environment, the store-issued purchase receipt/token, and your resulting premium status. We use this to grant premium access, validate purchases, prevent fraud, handle renewals/refunds, and meet our accounting and tax obligations.

4.6 Device, technical & diagnostic data

We process your App language/locale and a local date string used for time-zone-correct features (such as daily streaks). When your device connects to our servers and third-party services, those servers automatically receive your IP address and standard connection metadata. To keep the App stable we use the Sentry error-monitoring service, which collects crash reports, error logs, performance traces and device/operating-system metadata, and is associated with your account identifier. Diagnostics are disabled in development builds.

5. What we do not collect

To be clear, we do not:

sell or rent your personal data to anyone;
use advertising networks, ad identifiers (IDFA/GAID), or cross-app/cross-site tracking;
use third-party marketing or product-analytics SDKs (such as Google Analytics, Firebase Analytics, Facebook, Amplitude, Mixpanel or similar);
collect your precise GPS location;
collect push-notification tokens (the App does not send push notifications);
access your photos, camera, contacts or calendars, or your microphone except when you actively start voice dictation (see section 7);
store audio recordings of your voice on our servers.

Note on the photo-library permission. On iOS the App declares a photo-library usage string for technical reasons (a system framework linked by a dependency). The App has no photo or camera feature and does not access, collect or upload your photos.

6. Artificial intelligence (AI) features

The App offers optional AI features — breaking a free-text goal into suggested Actions, and automatically suggesting skills for an Action. These run on Amazon Bedrock (an Amazon Web Services product) using a third-party large-language model (an Anthropic “Claude” model) hosted within AWS. AI requests are processed server-side; your device does not talk to the AI provider directly.

What is sent: the goal text or Action title you submit (subject to length limits), plus an optional two-letter language hint. We do not attach your name or email to the AI request.
Where it is processed: within AWS data centres in the United States. See section 10 on international transfers.
Model training: we do not use your content to train AI models, and Amazon Bedrock does not use inputs or outputs to train its base models or share them with the underlying model provider.
Storage of output: AI suggestions you choose to keep are stored in your account as your content (for example as Actions or goals).
Quality: AI output is generated automatically and may be inaccurate, incomplete, unexpected or unsuitable, and is not professional advice. Please review the AI section of our Terms of Use.

7. Voice dictation

You can optionally dictate Action titles and goal descriptions. When you start dictation, the App requests microphone (and, on iOS, speech-recognition) permission and your speech is converted to text by your device’s operating system. On iOS the App prefers on-device recognition where available and may fall back to Apple’s speech service; on Android, recognition is performed by the speech service installed on your device (typically Google’s). In those cases your audio is processed by Apple or Google under their own privacy policies. We do not receive your audio — only the resulting text, which is then saved as your content. You can use the App fully by typing instead.

8. Legal bases for processing

We rely on the following legal bases under Article 6(1) GDPR:

Performance of a contract (Art. 6(1)(b)): creating and operating your account, storing and syncing your Actions, goals and progress, providing AI features you request, and processing your subscription.
Consent (Art. 6(1)(a)): using your microphone for voice dictation, which you enable through your device’s permission prompt. You can withdraw it at any time in your device settings.
Legitimate interests (Art. 6(1)(f)): securing the service, preventing fraud and abuse, validating purchases, diagnosing crashes and errors to keep the App working, and establishing or defending legal claims. We balance these interests against your rights.
Legal obligation (Art. 6(1)(c)): retaining transaction records for accounting and tax purposes and responding to lawful requests from authorities.

We do not sell your personal data. We share it only with the service providers below, who process it on our behalf or as independent controllers in order to operate the App. Each has its own privacy commitments.

Recipient	Purpose	Data involved	Location
Amazon Web Services (AWS) — Cognito, AppSync/DynamoDB, Lambda	Authentication, secure storage and processing of your account, content, gameplay and purchase data	All categories above except audio	USA (Oregon)
Amazon Web Services (AWS) — Amazon Bedrock (Anthropic Claude model)	Generating AI suggestions you request	Goal prompts / Action titles + language hint	USA
Sentry (Functional Software, Inc.)	Crash and error monitoring to keep the App stable	Error/crash reports, performance traces, device/OS metadata, account ID, IP	USA
Apple	Sign in with Apple, App Store subscriptions & billing, device speech recognition	Identity, purchase and (for dictation) voice data	Per Apple
Google	Google sign-in, Google Play billing, Android speech recognition	Identity, purchase and (for dictation) voice data	Per Google

We may also disclose personal data where strictly necessary to:

comply with a legal obligation, court order or lawful request from a public authority;
enforce our Terms of Use or protect our rights, property or safety, or those of our users or the public;
detect, prevent or address fraud, security or technical issues;
complete a merger, acquisition or sale of assets, in which case we will notify you and this policy will continue to apply.

10. International data transfers

Our infrastructure and sub-processors are located in the United States. This means that when you use the App, your personal data is transferred from Poland/the European Economic Area (EEA) to the United States. Where personal data is transferred outside the EEA, it is protected by appropriate safeguards under the GDPR — primarily the European Commission’s Standard Contractual Clauses and/or the provider’s certification under the EU–U.S. Data Privacy Framework, together with supplementary technical and organisational measures. You may request more information about these safeguards using the contact details in section 18.

11. Data retention

We keep your personal data only for as long as needed for the purposes described in this policy:

Account & content data: kept while your account exists. When you delete your account (see section 12), this data is permanently deleted from our active databases.
Backups: point-in-time recovery backups are retained for a limited rolling period and then automatically overwritten.
Diagnostic logs: server processing logs are retained for a short period (around one month) and then deleted.
Transaction records: after account deletion, purchase records are de-identified (your account link and the raw receipt are removed) and may be retained in that anonymised form for accounting, tax and audit purposes for the period required by law (generally up to five years). Once de-identified they no longer identify you.

12. Your privacy rights

Under the GDPR you have the right to:

Access the personal data we hold about you;
Rectify inaccurate or incomplete data;
Erase your data (“right to be forgotten”);
Restrict or object to certain processing, including processing based on legitimate interests;
Data portability — receive your data in a structured, commonly used, machine-readable format;
Withdraw consent at any time, without affecting prior lawful processing;
Lodge a complaint with a supervisory authority (see section 18).

How to exercise your rights:

Delete your account and data directly in the App: open Settings → Your Account & Privacy → Delete my data and account. This permanently removes your account and associated content from our active systems.
For access, correction, portability or other requests: email [email protected] (the App can pre-fill this for you under Settings → Your Account & Privacy → Request my data). We handle these requests manually and will respond within the time required by law (normally one month).

Exercising your rights is free of charge. We may ask you to verify your identity before acting on a request, to protect your data. Where a sub-processor independently holds data, we will pass on deletion/access requests as required.

13. Security

We take reasonable technical and organisational measures to protect your personal data, including: encryption of data in transit (HTTPS/TLS) and encryption of stored data at rest; per-user authorisation rules so that each account can access only its own data, enforced on the server; disabled anonymous/guest access; server-side validation of purchases; and restricted, least-privilege access to back-end systems. No method of transmission or storage is completely secure, so while we strive to protect your data we cannot guarantee absolute security.

14. Children

The App is not directed to children. You must be at least 16 years old to create an account and use the App. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it.

15. Sensitive data & content you enter

We do not ask for special categories of personal data (such as data about health, religion or political views). However, the goal and Action fields are free text and you may choose to write personal or sensitive information in them (for example a fitness, health, financial or wellbeing goal). If you do, you provide that information on your own initiative and consent to its processing as described here. Please do not enter other people’s personal data, or any sensitive data you are not comfortable storing, into free-text or AI fields.

16. Third-party services and links

The App relies on and may link to services operated by third parties, including Apple, Google and Amazon Web Services. Your use of those services is governed by their own terms and privacy policies, over which we have no control:

Apple: https://www.apple.com/legal/privacy/
Google: https://policies.google.com/privacy
Amazon Web Services: https://aws.amazon.com/privacy/
Sentry: https://sentry.io/privacy/

We are not responsible for the privacy practices or content of these third parties.

17. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to the App, our practices, or legal requirements. When we make material changes we will update the “Last updated” date above and, where appropriate, notify you in the App. Your continued use of the App after an update takes effect means you acknowledge the revised policy.

18. Contact & complaints

If you have any questions, requests or concerns about this policy or your personal data, contact us at [email protected].

If you are in Poland or the EEA and believe your data has been handled unlawfully, you have the right to lodge a complaint with a data-protection supervisory authority. In Poland this is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, “UODO”), https://uodo.gov.pl. We would, however, appreciate the chance to address your concerns directly first.