Privacy Policy
DRAFT — pending legal counsel review. This document is an engineering-accurate draft prepared for legal review. Bracketed
[PLACEHOLDER: …]tokens must be filled in before publication. It is not yet legal advice or a final published policy.
Effective date: [PLACEHOLDER: effective date] Provider: [PLACEHOLDER: legal entity] ("Drip Meter", "we", "us", "our") Contact: support@dripmeter.me
The short version
Drip Meter is a subscription tracker built so that your personal data stays with you.
- What you type stays with you. Every subscription, amount, currency, budget, note, payment-method label, and trial date you enter lives on your device. If you choose to back up, it goes to your own iCloud Drive or Google Drive account — never to a Drip Meter server. We have no Drip Meter account system and no Drip Meter database that holds your personal data.
- Diagnostics are optional and off by default. Crash reporting and aggregate analytics are each opt-in. If you never turn them on, no diagnostic data leaves your device for those services.
- We never sell your data and never use it for advertising or cross-app tracking.
The rest of this policy is the complete, precise account of the limited operational data the app does handle.
What we never do
- We never send the subscription data you enter to a Drip Meter server — we operate no such server.
- We never broker bank credentials, card numbers, or transaction data.
- We never read your email, calendar, contacts, or messages.
- We never sell your personal data, and we never use or share any data — operational or otherwise — for advertising or cross-app tracking.
The only third parties that receive any operational data are the processors listed below, under written data-processing agreements, for the limited purposes described.
The data we handle
This is the complete list of data the app transmits off your device or makes available to a third-party service. Data the app keeps strictly on your device (your local database, derived totals, and scheduled local reminders) never leaves it and is not covered here.
1. Content-delivery requests (always on)
To fetch the curated service catalog and currency-exchange rates that make the app useful,
the app makes unauthenticated requests to cdn.dripmeter.me, served by Cloudflare.
- What is sent: standard web request metadata — your IP address, your device's User-Agent, the time, and the requested path. No cookies, no query parameters, and no Drip Meter identifier. (Under the GDPR, an IP address is personal data even when it is not linked to an account.)
- When: on app launch (at most once per hour) and when catalog or rate content changes.
- Where it lives: at Cloudflare's edge, not with Drip Meter. On the plan we use, Cloudflare's access logs are not made available to us — we never receive this data. Cloudflare retains it on its own infrastructure under its published policies for routing and abuse-prevention.
- Your control: there is no in-app toggle, because these requests are how the app stays useful. You can block network access at the device or network level.
- Legal basis (GDPR): our legitimate interest in operating the service.
2. Cloud backup (your choice)
If you turn on backup, the app copies your data file to your own cloud account.
- What is sent: the backup file (your subscription data, budgets, settings, and a currency-rate cache snapshot).
- Where it lives: your own iCloud Drive (iOS) or Google Drive app folder (Android). The transfer is between your device and your cloud account. The file is never sent to Drip Meter. We hold no credentials to either cloud and keep no copy of the file.
- When: after you change data (briefly debounced), when the app goes to the background, and once daily as a safety net.
- Your control: Settings → Backup → off stops further uploads. Settings → "Delete cloud backup" removes the existing file from your cloud account. Uninstalling the app alone does not reliably remove the cloud-stored file — delete it via Settings before uninstall, or via your cloud provider afterwards.
- Legal basis (GDPR): Drip Meter as operator does not receive, store, or access this data; the app initiates the transfer to your own cloud account through platform APIs after you explicitly opt in during onboarding, and you can revoke it at any time in Settings. [PLACEHOLDER: counsel to confirm the precise characterization and lawful basis of the client-side transfer step.]
3. Crash reports (opt-in, off by default)
If you turn on crash reporting, the app sends crash diagnostics to Sentry.
- What is sent: stack traces, app version, operating-system version, device model, and sanitized breadcrumbs we control.
- What is never included: subscription names, amounts, currencies, notes, payment-method labels, budgets, or any string you typed. Personally identifying data is disabled in the crash SDK and pinned by an automated test.
- When: only on a crash, and only while crash reporting is enabled in Settings.
- Where it lives: Sentry, EU region. The EU data region is fixed and built into the app; there is no setting that can move it elsewhere.
- Retention: Sentry's standard retention — 90 days by default.
- Identifier: crash reporting uses its own app-generated, per-install pseudonymous identifier, generated the first time you opt in. It is not derived from any operating-system or device identifier, and it is separate from the analytics identifier below.
- Your control: Settings → Crash reports → off. Your current crash-reports install ID is shown in Settings (tap to copy). Settings → "Reset crash-reports ID" generates a new ID, after which prior reports become orphaned and expire on Sentry's standard 90-day retention. For deletion sooner than that, email support@dripmeter.me with the install ID(s) you want deleted, and we will delete them manually from Sentry. We deliberately do not delete from the app itself, because doing so would require embedding a privileged Sentry token in the app — a security risk. Settings also links a "What crash reports collect" page listing exactly these fields.
- Legal basis (GDPR): your explicit opt-in consent.
4. Aggregate analytics (opt-in, off by default)
If you turn on analytics, the app sends a small set of fixed-schema usage events to PostHog.
- What is sent: named events from a closed, code-defined list (for example: app launched, onboarding completed, a subscription was added, and the paywall/purchase funnel events). Each event carries only fixed, enumerated properties — for example a subscription's billing cycle bucketed to monthly/yearly/weekly/other and its currency code. Free-form payloads are forbidden, and an automated guard rejects any event whose property names look like personal data.
- What is never included: subscription contents, amounts, currency values, names, notes, budgets, or any field you typed. Session recording is disabled at three independent layers. Automatic SDK events (app-opened, screen views, surveys) are disabled.
- When: only when analytics is enabled in Settings.
- Where it lives: PostHog Cloud EU. The EU host is built into the app as a constant; there is no setting that can move it elsewhere.
- Retention: PostHog's configured retention.
- Identifier: an app-generated, per-install pseudonymous identifier, generated the first time you opt in. It is not derived from, and not joined with, any operating-system or device identifier (no IDFA, no Android Advertising ID). It is independent of the crash-reports identifier; resetting one does not affect the other.
- Your control: Settings → Analytics → off. Your current analytics install ID is shown in Settings (tap to copy). Settings → "Reset analytics ID" generates a new ID, after which prior events become orphaned and expire on PostHog's configured retention. For deletion sooner than that, email support@dripmeter.me with the install ID(s) you want deleted, and we will delete them manually from PostHog. As with crash reports, we do not delete from the app to avoid embedding a privileged key. Settings also links a "What analytics collect" page, generated from the code itself, that lists every event the app can send.
- Legal basis (GDPR): your explicit opt-in consent.
Deleting your data
| Data | How to delete it |
|---|---|
| Your subscription data (on this device) | Settings → "Delete all my data" erases this device's subscriptions, budgets, and settings, clears both telemetry install IDs, and restarts onboarding. Your cloud backup is intentionally left intact so an accidental wipe is recoverable. |
| Your subscription data (in the cloud) | Settings → "Delete cloud backup" removes the file from your iCloud/Drive, then delete the app. Or delete the file via your cloud provider. Uninstalling alone does not reliably remove it. |
| Crash reports | Settings → "Reset crash-reports ID" rotates the install ID (future reports orphaned, expiring on Sentry's 90-day retention). For sooner deletion, email support@dripmeter.me with the install ID(s). |
| Analytics events | Settings → "Reset analytics ID" rotates the install ID (future events orphaned, expiring on PostHog's retention). For sooner deletion, email support@dripmeter.me with the install ID(s). |
| Content-delivery logs | Nothing to delete on our side — we never receive Cloudflare's access logs. Cloudflare's retention follows Cloudflare's own policies. |
"Delete all my data" is a local wipe, not a global account deletion — Drip Meter holds no account to delete. It does not delete vendor-side crash or analytics records; those follow the reset-and-email path above.
How this maps to the store privacy labels
The App Store "App Privacy" and Google Play "Data Safety" labels summarize the same facts described above. With both optional features turned on (the worst case), the labels reflect:
- Diagnostics — crash data (via Sentry, EU): not linked to your identity, not used for tracking.
- Usage data — product interaction (the analytics events via PostHog Cloud EU): not linked to your identity, not used for tracking.
- Identifiers — an app-generated per-install identifier (one per opt-in feature): not an operating-system or device identifier, not linked to your identity, not used for tracking.
We do not use any data to track you across apps or websites, and we do not share data with data brokers. If both optional features are off, no data goes to the crash or analytics processors; the content-delivery requests in section 1 still occur. The exact category names on each store's form are finalized when the store privacy questionnaires are filed at submission.
Your rights
Depending on where you live, you may have rights to access, correct, delete, or port your personal data, and to object to or restrict its processing. Because the data you enter never reaches us, most of these rights you exercise directly on your device and your own cloud account. For the opt-in diagnostics we process (crash reports and analytics), contact support@dripmeter.me with your install ID(s). [PLACEHOLDER: counsel to confirm the full rights enumeration and any supervisory-authority complaint language for the chosen jurisdiction.]
Roles under data-protection law
Our role differs by data category:
| Category | Our role | Other parties |
|---|---|---|
| Your subscription data | Not a controller — we never receive it. The app initiates the transfer to your own cloud via platform APIs. | You have a direct relationship with Apple / Google for your iCloud / Drive account. |
| Content-delivery logs | Controller | Cloudflare is our processor. |
| Crash reports (opt-in) | Controller | Sentry is our processor. |
| Analytics events (opt-in) | Controller | PostHog is our processor. |
We maintain data-processing agreements with each processor. [PLACEHOLDER: counsel to confirm these role classifications for the chosen jurisdiction.]
Children
Drip Meter is not directed to children. [PLACEHOLDER: counsel to confirm age threshold and any required children's-privacy language for the chosen jurisdiction.]
Changes to this policy
We may update this policy as the app evolves. Material changes will be reflected by an updated effective date, and the current version is always available in the app (Settings → About → Privacy policy) and at https://dripmeter.me/privacy.
Contact
Questions or requests: support@dripmeter.me.