Privacy Policy — 3act

Privacy Policy

Effective Date: December 23, 2024  ·  Last Updated: December 23, 2024

1. Introduction

This Privacy Policy explains how SFG Consulting Limited, trading as "3act" ("we", "us", "our", "3act", or the "Company"), collects, uses, stores, shares, and protects your personal information when you use the 3act mobile application (the "App") and any related services (collectively, the "Service").

By downloading, installing, accessing, or using the App, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree to this Privacy Policy, please do not use the Service.

Company Name: SFG Consulting Limited

Company Number: 16111570

Registered Address: 42 Goulds Close, Bletchley, Milton Keynes, England, MK1 1EQ

Contact Email: [email protected]

Data Controller: Sean Thomas Hammond

2. Summary of Key Points

At a Glance

3act is designed with privacy in mind. Most of your habit, metric, journal, and photo data is stored locally on your device and never leaves it unless you explicitly choose to use features that require server storage (such as Crews, account sync, or Backup & Restore). We do not sell your personal data to third parties.

  • Local-first architecture: Your core tracking data (habits, actions, metrics, journals, photos) is stored on your device.
  • Optional cloud features: If you create an account, certain data is synced to our servers to enable social features (Crews), cross-device identity, and optional backups.
  • No data selling: We do not sell, rent, or trade your personal information to third parties for marketing purposes.
  • Your control: You can export, delete, or manage your data at any time through the App's settings.
  • Third-party services: We use select third-party services (Supabase, Apple, RevenueCat) to operate the App.

3. Information We Collect

3.1 Information You Provide Directly

Account Information: If you choose to create an account, we collect:

  • Email address (if you sign in with email, or if provided by your identity provider)
  • Display name and username
  • Profile avatar/photo (if you upload one)
  • Unique user identifier

App Content: The following data is created by you and stored primarily on your device:

  • Cycles (habits) and their completion status
  • Actions (tasks) and their completion status
  • Tracking metrics and historical entries (e.g., weight, steps, custom metrics)
  • Daily logs, scores, and streaks
  • Journal entries and reflections
  • Photos attached to daily logs
  • XP, levels, and gamification data

Social/Crew Data: If you use social features, we collect:

  • Crew memberships and roles
  • Posts, comments, and reactions you create
  • Images you upload to crew feeds
  • Accountability partner connections

Backup Data: If you use the Backup & Restore feature, we collect:

  • A complete snapshot of your app data
  • Associated photo files
  • Backup metadata (date, size, version)

Communications: If you contact us for support, we collect:

  • Your email address and name
  • The content of your communications
  • Any attachments you send

3.2 Information Collected Automatically

Device Information:

  • Device type and model
  • Operating system version
  • App version
  • Unique device identifiers (for crash reporting and diagnostics only)
  • Timezone and locale settings

Usage Data:

  • App launch and session data
  • Feature usage patterns (anonymized)
  • Crash reports and error logs
  • Performance metrics

Subscription Data:

  • Subscription status and tier
  • Purchase history (processed by Apple and RevenueCat)
  • Entitlement verification data

3.3 Information from Third-Party Sources

Apple HealthKit (Optional): With your explicit permission, we may read:

  • Step count
  • Sleep analysis
  • Active energy/calories
  • Workout duration and type
  • Body weight
  • Other health metrics you authorize

Important: Apple Health Data

Apple HealthKit data is used solely to reduce manual data entry in the App. We do not store HealthKit data on our servers, share it with third parties, or use it for advertising purposes. HealthKit data remains on your device unless you explicitly choose to include it in a manual backup. You can revoke HealthKit access at any time through iOS Settings → Health → Data Access & Devices → 3act.

Sign-In Providers: If you sign in with Apple or Google, we receive:

  • Your name (if provided)
  • Email address (if provided/authorized)
  • Unique identifier from the provider

4. How We Use Your Information

We use the information we collect for the following purposes:

| Purpose | Legal Basis (GDPR/UK GDPR) |
|---|---|
| Provide and operate the Service (tracking, streaks, XP, etc.) | Contract performance |
| Enable account creation, authentication, and sync | Contract performance |
| Enable social features (Crews, posts, reactions) | Contract performance |
| Process and manage subscriptions | Contract performance |
| Provide Backup & Restore functionality | Contract performance |
| Respond to support requests | Legitimate interest |
| Improve and optimize the App | Legitimate interest |
| Fix bugs and ensure security | Legitimate interest |
| Prevent fraud and abuse | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Send service-related notifications | Contract performance / Legitimate interest |

We do not use your data for:

  • Selling to third parties
  • Targeted advertising or ad networks
  • Building advertising profiles
  • Sharing with data brokers

5. Where Your Data Is Stored

5.1 On-Device Storage

The majority of your data is stored locally on your device using Apple's secure storage frameworks. This includes:

  • All habits, actions, metrics, and their history
  • Daily logs and journal entries
  • Photos attached to daily logs
  • XP, level, and streak data
  • App preferences and settings

This data does not leave your device unless you: (a) create an account and use social features, (b) use Backup & Restore, or (c) use Data Export.

5.2 Cloud Storage (Supabase)

If you create an account, the following is stored on our servers (hosted by Supabase):

  • Account profile (user ID, email, display name, avatar URL)
  • Crew membership and roles
  • Activity feed posts, reactions, and comments
  • Uploaded images (crew posts, avatars)
  • Backup files (if you use Backup & Restore)
  • Push notification tokens

Supabase infrastructure is hosted on secure cloud providers with data centers in multiple regions. Data may be transferred to and stored in countries outside your jurisdiction, including the United States and European Union.

5.3 Third-Party Services

  • Apple: Subscription purchase data, App Store account information
  • RevenueCat: Subscription status, entitlement verification, anonymous usage analytics
  • Apple Push Notification Service: Device tokens for push notifications

6. How We Share Your Information

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

6.1 With Your Consent or Direction

  • Crew members: When you join a Crew or add an Accountability Partner, those users can see your profile, posts, streaks, levels, and activity you choose to share.
  • Public sharing: If you choose to share content externally (e.g., sharing a milestone to social media), that content becomes public.

6.2 Service Providers

We share data with third-party service providers who help us operate the Service:

  • Supabase: Database hosting, authentication, file storage
  • Apple: App distribution, subscription processing, push notifications
  • RevenueCat: Subscription management and analytics

These providers are bound by contractual obligations to protect your data and use it only for the purposes we specify.

6.3 Legal Requirements

We may disclose your information if required by law, legal process, or government request, or if we believe disclosure is necessary to:

  • Comply with applicable laws or legal processes
  • Protect the rights, property, or safety of 3act, our users, or the public
  • Detect, prevent, or address fraud, security, or technical issues
  • Enforce our Terms of Service

6.4 Business Transfers

If 3act is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

7. Data Retention

7.1 On-Device Data

Data stored on your device remains until you:

  • Delete it within the App
  • Delete the App from your device
  • Reset your device

7.2 Server-Side Data

Account and server-side data is retained until you delete your account, at which point we will:

  • Delete your profile information
  • Delete your posts, comments, and reactions
  • Delete uploaded images and backup files
  • Remove you from all Crews

Some data may be retained for a limited period after deletion for the following purposes:

  • Legal compliance: We may retain certain data as required by applicable laws (e.g., financial records for tax purposes)
  • Fraud prevention: We may retain data to prevent abuse or repeat policy violations
  • Backup cycles: Deleted data may persist in system backups for up to 30 days before being permanently removed

Important Notice

When you delete your account, we cannot recover your data. Please use the Data Export feature before deleting your account if you wish to retain a copy of your information.

8. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

8.1 Access and Portability

You can access and export your data at any time:

  • In-App Export: Settings → Data Export (generates a JSON file with all your data)
  • Request: Email [email protected] for a copy of server-side data

8.2 Correction

You can update your profile information (name, avatar, email) in the App's Profile settings. For other corrections, contact us at [email protected].

8.3 Deletion

You can delete your data in several ways:

  • Individual items: Delete specific habits, metrics, logs, or photos within the App
  • Full account deletion: Settings → Account → Delete Account (permanently removes all server-side data)
  • Request: Email [email protected] to request deletion

8.4 Restriction and Objection

You may request that we restrict processing of your data or object to certain processing activities by contacting [email protected].

8.5 Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time:

  • Apple Health: iOS Settings → Health → Data Access & Devices → 3act
  • Push Notifications: iOS Settings → Notifications → 3act
  • Marketing: Unsubscribe links in emails or contact us

8.6 Complaint

If you believe we have violated your privacy rights, you may lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

8.7 Response Time

We will respond to all legitimate requests within 30 days. In complex cases, we may extend this period by an additional 60 days, in which case we will notify you.

9. Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

9.1 Right to Know

You have the right to request disclosure of:

  • Categories of personal information we collect
  • Sources of personal information
  • Business purposes for collection
  • Categories of third parties with whom we share information
  • Specific pieces of personal information we hold about you

9.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions.

9.3 Right to Correct

You have the right to request correction of inaccurate personal information.

9.4 Right to Opt-Out of Sale/Sharing

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

9.5 Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights.

9.6 Authorized Agents

You may designate an authorized agent to make requests on your behalf. We may require verification of your identity and authorization.

9.7 Categories of Information

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers (name, email, user ID)
  • Commercial information (subscription status)
  • Internet or network activity (usage data, device information)
  • Geolocation data (timezone only, not precise location)
  • Inferences (app preferences)

To exercise your California rights, contact us at [email protected] with "California Privacy Request" in the subject line.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • Encryption: Data transmitted between your device and our servers is encrypted using TLS/SSL. Sensitive data at rest is encrypted.
  • Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.
  • Secure Infrastructure: Our servers are hosted by reputable cloud providers with industry-standard security certifications.
  • Regular Updates: We regularly update our systems and dependencies to address security vulnerabilities.
  • Secure Authentication: We use secure authentication methods including OAuth 2.0 and Sign in with Apple.
  • Photo Privacy: GPS metadata is stripped from photos before upload to protect your location privacy.

No Guarantee of Security

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data. You acknowledge and accept this inherent risk when using the Service. Please avoid storing highly sensitive personal information (such as financial details, passwords, or government identifiers) in journals, photos, or other App content.

11. Data Loss and Recovery

Important Disclaimer

You acknowledge and agree that:

  • Local data is your responsibility: Data stored on your device may be lost if you delete the App, reset your device, lose your device, or experience device failure. We are not responsible for data loss resulting from these circumstances.
  • Backups are optional: The Backup & Restore feature is provided as a convenience. We do not guarantee the availability, integrity, or successful restoration of backup data.
  • No automatic sync: Unless you use server-side features (account, Crews, Backup), your data exists only on your device.
  • Account deletion is permanent: When you delete your account, all associated server-side data is permanently deleted and cannot be recovered.
  • Service interruptions: We may experience technical issues, maintenance periods, or service interruptions that temporarily prevent access to server-side features or backups.

Recommendations:

  • Regularly use the Backup & Restore feature if you want cloud copies of your data
  • Use the Data Export feature to create local copies of your data
  • Enable iCloud backup on your device for additional protection

To the maximum extent permitted by law, we disclaim all liability for data loss, corruption, or inability to recover data, regardless of the cause.

12. Children's Privacy

3act is not intended for children under the age of 13 (or the minimum age required by applicable law in your jurisdiction, such as 16 in certain EU member states).

We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected].

13. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States and countries in the European Economic Area.

When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses approved by the European Commission or UK ICO
  • Data processing agreements with our service providers
  • Compliance with applicable data protection frameworks

By using the Service, you consent to the transfer of your information to countries that may have different data protection laws than your jurisdiction.

14. Third-Party Links and Services

The App may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access.

We are not responsible for the privacy practices, content, or security of third-party websites or services.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Notify you through the App or via email (if you have an account)
  • Where required by law, obtain your consent to material changes

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically.

16. Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. The App does not currently respond to DNT signals, as there is no industry-wide standard for handling such signals in mobile applications.

However, as stated throughout this policy, we do not engage in cross-site tracking or targeted advertising.

17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: [email protected]

Company: SFG Consulting Limited

Company Number: 16111570

Address: 42 Goulds Close, Bletchley, Milton Keynes, England, MK1 1EQ

Data Controller: Sean Thomas Hammond

For data protection inquiries or to exercise your rights, please include "Privacy Request" in your email subject line. We aim to respond to all requests within 30 days.

18. Definitions

  • "Personal Information" or "Personal Data": Any information that identifies, relates to, or could reasonably be linked to you or your household.
  • "Processing": Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • "Service": The 3act mobile application and any related services provided by SFG Consulting Limited.
  • "Device": The mobile phone, tablet, or other device on which you install and use the App.
  • "Crew": A group feature within the App that allows users to share progress and activity with other users.