# Privacy Policy for TACIT

**Last Updated:** October 22, 2025

**Effective Date:** October 22, 2025

## 1. Overview

TACIT („we,” „our,” „us”) is an iOS app that curates AI news and video courses. This policy explains what information we collect, how we use and protect it, which permissions the app requests, and the choices available to you. By using TACIT, you agree to the practices described here.

## 2. Data We Collect

### 2.1 Information You Provide

– **Account credentials** collected during Google Sign-In or Sign in with Apple: display name, email address, provider identifiers, profile photo URL, and a TACIT user ID stored in Firebase.

– **Profile metadata** managed in Firestore: purchased course IDs, subscription status, role flags (e.g., admin access), member-since timestamps.

– **Support interactions** you initiate (email or GitHub issues): the contact details and content you submit.

– **Marketing choices** such as opting in to promotional emails (disabled by default).

### 2.2 Automatically Collected Information

– **App usage & analytics** captured through Firebase Analytics: feed impressions (e.g., `feed_item_viewed`, `feed_item_swiped`), course/video engagement (e.g., `video_played`, `video_completed`), sign-in and purchase lifecycle events, and anonymized parameters like item IDs, durations, swipe direction, and currency.

– **Crash and diagnostics data** via Firebase Crashlytics: device model, OS version, app version, stack traces, and non-fieldable error metadata (no raw content payloads).

– **Device and performance metrics** such as device type, operating system, locale, preferred language, and network timing supplied by Firebase SDKs.

– **Backend access logs** on our Railway-hosted API when you request feed or course content (timestamp, request path, user ID if authenticated).

### 2.3 Purchase and Subscription Data

– **In-app purchase details** obtained through StoreKit 2: Apple transaction IDs, original transaction IDs, product identifiers, purchase date, price tier, and currency.

– **Entitlement records** persisted in Firestore: course ownership, subscription state, purchase platform (iOS or web), receipt audit trail, and status (active, expired, refunded, pending).

– **Backend validation payloads** sent to Firebase Cloud Functions to confirm purchase authenticity (transaction metadata only; no card numbers or payment credentials).

### 2.4 Data Stored Locally on Your Device

– **Video progress** (current time, duration, completion status, last-watched date) saved in `UserDefaults` by `VideoProgressManager`. This remains on-device unless you delete the app or reset it from Settings.

– **Preference settings** stored via `@AppStorage`: theme, preferred language, video quality, autoplay, download-on-Wi-Fi, notification toggles, analytics/crash opt-outs, haptics, and sound effects.

– **Cached content** for faster browsing: URLCache entries of feed/course assets and in-memory caches maintained by `ContentService`. You can clear cached data through the in-app Settings.

– **Exported user data** generated on demand (`exportUserData`) as a JSON file saved to your device’s Documents directory; we do not receive a copy.

### 2.5 Information from Third Parties

– **Google** supplies basic profile data and authentication tokens when you sign in with Google.

– **Apple** provides full-name/email (if permitted) and identity tokens for Sign in with Apple and transaction receipts for StoreKit purchases.

– **Vimeo** delivers course and feed videos via embedded players; Vimeo may process playback diagnostics per its own privacy policy.

## 3. How We Use Your Information

– **Account & authentication**: create and secure your profile, keep you signed in, and sync purchases across devices.

– **Content delivery**: fetch personalized feed content, unlock purchased courses, track course progress, and manage entitlements.

– **Purchases & billing**: validate StoreKit transactions, restore prior purchases, reconcile web/iOS purchases, and meet accounting requirements.

– **Notifications & reminders**: (if enabled) send daily reminders, course updates, or transactional alerts.

– **Customer support**: respond to questions, troubleshoot issues, and honor your privacy requests.

– **Analytics & product improvement**: understand feature usage, optimize performance, diagnose crashes, and prioritize roadmap decisions.

– **Security & compliance**: detect fraud, enforce access controls, comply with legal obligations, and maintain audit logs.

## 4. Legal Bases (EEA/UK Users)

We rely on (a) contract performance (providing the app and purchased content), (b) legitimate interests (securing the service, preventing fraud, improving features), and (c) your consent (analytics, crash logging, notifications, marketing). You may withdraw consent at any time via in-app settings or by contacting us.

## 5. How We Share Information

| Provider | Purpose | Data Shared | Policy |

| — | — | — | — |

| **Firebase (Google LLC)** – Auth, Firestore, Storage, Analytics, Crashlytics, Cloud Functions | Account management, data storage, telemetry, crash reporting, purchase validation | User IDs, email, profile metadata, purchase records, analytics events, crash reports | https://firebase.google.com/support/privacy |

| **Google Sign-In** | OAuth authentication | Email, display name, profile photo, auth tokens | https://policies.google.com/privacy |

| **Apple (StoreKit & Sign in with Apple)** | Payments, subscription restoration, authentication | Transaction identifiers, product IDs, Apple ID tokens (tied to your Apple account) | https://www.apple.com/legal/privacy/ |

| **Railway-hosted TACIT API** | Content delivery, course catalog, entitlement sync | Authenticated user ID, course progress signals, purchase metadata | https://railway.app/legal/privacy |

| **Vimeo** | Streaming hosted video lessons and feed clips | Embedded player events (e.g., playback state, IP address) | https://vimeo.com/privacy |

| **Customer support channels (Email/GitHub)** | Handling requests, bug reports | Contact details and message content you provide | https://github.com/privacy |

We may also disclose information (1) when required by law or lawful requests, (2) to enforce our terms or protect rights, (3) during corporate transactions (merger, acquisition, asset sale) with appropriate notice, and (4) in aggregated or de-identified form that cannot reasonably identify you. We never sell personal information or share it for third-party advertising.

## 6. Permissions & Platform Access

– **Push notifications (UserNotifications)**: Requested only if you enable reminders or course updates. Declining keeps the app functional; no notification tokens are stored when disabled.

– **Background audio playback**: Enabled so video audio can continue when the device locks; we do not record or transmit audio.

– **Camera and microphone**: The bundle declares `NSCameraUsageDescription` and `NSMicrophoneUsageDescription` with “This app does not use the camera/microphone” text to satisfy App Store metadata. The app does not request runtime access or collect photo/audio data.

– **Network access**: Required to pull news, courses, user entitlements, and to validate purchases.

– **Sign-in providers**: Using Google or Apple is optional, but an account is needed for personalized features and purchases.

## 7. Storage, Retention, and Security

– **Primary storage**: Firebase (Google Cloud, US regions) and Railway-managed infrastructure.

– **Retention**:

– Account profile and course entitlements: while your account is active plus up to 30 days after deletion (to settle purchases).

– Transaction records: up to 7 years for tax and audit compliance.

– Analytics data: aggregated for up to 24 months (anonymized sooner if you opt out).

– Crash reports: 90 days by default.

– Support communications: up to 24 months after resolution.

– Local caches, settings, and video progress: remain on your device until you clear them or uninstall the app.

– **Security measures**: TLS for all network traffic, Firebase Auth tokens scoped per user, Firestore security rules, role-based access on back-office tools, purchase verification via Cloud Functions, least-privilege service accounts, monitoring for unusual activity, and regular dependency updates. Despite safeguards, no system is fully immune to breaches; we will notify affected users of a qualifying incident per applicable law.

## 8. Your Choices and Rights

– **Manage preferences**: In Settings, toggle analytics and crash reporting, manage notifications, choose video quality, and switch themes.

– **Export data**: Use “Export Data” in Settings to create a JSON file of your saved preferences on-device.

– **Clear cache**: Use the Settings option to purge cached feed/course content.

– **Delete account**: Go to Profile → Settings → Delete Account. We sign you out, queue deletion of Firestore data, and retain only legally required purchase records. Contact us if you need help restoring access during the 30-day grace period.

– **Access, correct, restrict**: Email privacy@tacitapp.com to request a copy, correction, suppression, or transfer of your data. We respond within 30 days (45 days for complex CCPA requests).

– **Withdraw consent**: Disable analytics/crash logging at any time in Settings; the app immediately stops sending telemetry and resets Firebase Analytics data.

– **Regional rights**:

-**CCPA/CPRA** (California): right to know, delete, correct, and opt out of sale/share. TACIT does not sell personal information.

-**GDPR/UK GDPR**: rights to access, rectification, erasure, restriction, portability, and objection. You may also lodge a complaint with your local supervisory authority.

## 9. International Data Transfers

Data may be processed in the United States and other jurisdictions where our vendors operate. We rely on standard contractual clauses or equivalent safeguards when transferring data from the EEA/UK/Switzerland to countries without an adequacy decision.

## 10. Children’s Privacy

TACIT is not intended for children under 13, and we do not knowingly collect their personal information. If you believe a child has provided data, contact us so we can delete it.

## 11. Changes to This Policy

We may update this policy to reflect new features, legal requirements, or security practices. Material changes will be announced in-app and/or via email. The “Last Updated” date indicates the latest revision. Continued use of TACIT after changes become effective constitutes acceptance.

## 12. Contact Us

Questions or privacy requests?

– Email: info@tacitproject.hu

## 13. Summary of Your Choices

– Access, update, export, or delete your data from in-app settings or by contacting us.

– Toggle analytics, crash reporting, and notifications at any time.

– Clear cached content and video progress whenever you choose.

– No data is sold or used for targeted advertising.

—

**Thank you for trusting TACIT with your information.**