privacy policy

effective March 30, 2026 · v1.4

who we are

dull is operated by Kaspar Noor, a sole proprietor based in Estonia (Mäe 3, Kiili, Harjumaa, Estonia). Kaspar Noor is the data controller for the purposes of applicable data protection laws. you can reach us at [email protected].

the short version

dull is an app that loads social media websites in a web view and applies filters to make them less sticky — hiding short-form feeds, removing algorithmic content, enabling grayscale mode, adding friction gates before opening apps, enforcing daily time limits and scheduled quiet hours, and letting you lock settings behind a PIN. everything runs on your device. here's what it doesn't do:

no server-side tracking or analytics SDKs

no Google Analytics, no Facebook SDK, no crash reporters. your browsing history, the content you view, and your detailed usage statistics (time spent per platform, session history) are all stored locally on your device and never transmitted anywhere. the only usage signals we send externally are a small set of anonymous, aggregate attributes sent to RevenueCat for subscription management — described in detail in the third-party services section below.

no data collection

we don't collect, store, or transmit your browsing data. your web sessions stay on your device.

no accounts

dull doesn't have user accounts. there's nothing to sign up for and no profile to create.

local storage only

your preferences (which platforms you've enabled, appearance settings, friction gate configuration, grayscale settings, time limit settings, scheduled quiet hours, commitment delay state) and any usage statistics are stored locally on your device using UserDefaults. if you set a PIN lock, a SHA-256 hash of your PIN — not the PIN itself — is stored in the iOS Keychain on your device. nothing in UserDefaults or the Keychain ever leaves your phone.

cookies stay on-device

when you log into Instagram or YouTube through dull, those platforms set cookies in the web view. these cookies are stored locally on your device. we can't see them and don't access them.

third-party services

RevenueCat (subscription management)

RevenueCat manages subscription status and processes transaction data from Apple. the legal basis for this processing is performance of a contract and legitimate interest — we need RevenueCat to provide and manage your subscription, and to understand whether the app is working for subscribers. RevenueCat may receive:

  • an anonymous app user ID (generated by RevenueCat, not linked to your identity)
  • transaction and purchase data from Apple
  • device type, OS version, and app version
  • where you heard about dull (if you choose to tell us during or after sign-up)
  • which platforms you selected during onboarding
  • anonymous usage signals for subscription management: whether you have ever opened a platform browser, total number of browse sessions, number of days you have used the app, which platforms you have opened, and which optional features are enabled (e.g. grayscale mode, time limits, quiet hours, opening challenge)

none of this is linked to your name, email, or Apple ID. it is used solely to manage your subscription, identify whether the app is delivering value during your trial, and improve the product. RevenueCat retains transaction data in accordance with their own data retention policies. see RevenueCat's privacy policy for full details.

Apple Ads attribution

dull uses Apple's AdServices framework to measure whether app installs came from an Apple Ads campaign. on first launch, the app requests an anonymous attribution token from Apple. this token does not contain your Apple ID, device identifier, or any personal information — it is a privacy-safe, aggregated signal provided by Apple. the token is forwarded to RevenueCat so we can understand which search terms lead to subscriptions. no tracking prompt is required because AdServices does not use the IDFA or track you across apps. see Apple's AdServices documentation for details.

Apple

when you purchase a subscription, Apple processes your payment and may collect data as described in Apple's privacy policy. we do not receive your payment details from Apple.

the longer version

dull functions as a specialized browser. when you tap a platform, it loads that platform's mobile website inside a WKWebView and applies filters — injecting CSS/JavaScript to hide short-form content feeds and algorithmic content. grayscale mode, friction gates (challenges shown before opening an app), daily time limits, scheduled quiet hours, commitment delay (a 24-hour cooldown before loosening filters), and PIN lock (which protects settings behind a hashed PIN stored in the iOS Keychain) are all applied locally. all of this happens entirely on your device.

we have no servers that process your data. we have no database of users. we don't know who you are, what you look at, or when you use the app.

if you delete the app, everything goes with it — preferences, cookies, all of it.

pre-launch waitlist

prior to launch, we collected email addresses from people who signed up to be notified when dull became available. the app is now live on the App Store. waitlist emails were used only to send a single launch notification. if you signed up and would like your email removed from our records, contact us at [email protected].

children's privacy

dull is intended for users aged 13 and older. we do not knowingly collect personal information from children under 13. if you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at [email protected] and we will take steps to delete such information.

your rights

since we collect virtually no personal data, most data rights don't apply in practice. however, depending on where you live, you may have the following rights:

EU/EEA residents (GDPR)

you have the right to access, rectify, erase, restrict processing, and port your personal data. you also have the right to object to processing. since we don't collect personal data beyond waitlist emails (if applicable), these rights primarily apply to your waitlist email. to exercise any of these rights, contact us at [email protected]. we will respond to your request within 30 days.

you also have the right to lodge a complaint with a supervisory authority. the relevant authority for dull is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), aki.ee.

California residents (CCPA)

you have the right to know what personal information we collect, to request deletion of your personal information, and to opt out of the sale of your personal information. we do not sell your personal information to anyone. to exercise any of these rights, contact us at [email protected]. we will respond to your request within 30 days.

data we do not collect

for clarity, dull does not collect any of the following:

changes to this policy

we may update this policy. when we do, we will revise the effective date and version number at the top of this page. if we make material changes, we'll notify you in the app or on our website. your continued use of dull after any changes constitutes acceptance of the updated policy.

questions? [email protected]