privacy policy

your browsing stays on your device

we don't collect, store, or transmit the content you view inside dull. your web sessions — the pages, posts, videos, and accounts you look at — never leave your device. detailed on-device usage statistics (time spent per platform, session history) are also stored locally and never transmitted.

no behavioral tracking or profiling

no Google Analytics, no crash reporters, no behavioral retargeting, no lookalike audiences from in-app behavior, no profile of you. what we do collect is a small set of pseudonymous product-analytics events — which screens you reached, which features you enabled, whether a nudge was shown, whether a platform browser was opened — to understand how the app is used and where it can be improved. for users who install dull after May 7, 2026, we also use the Meta SDK in supported regions (currently outside the EU/EEA and Korea) to send pseudonymous install and "paywall viewed" events so we can measure whether ad spend leads to subscriptions. these events describe app behavior, not browsing behavior, and none of them are linked to your identity or to the content you view inside the app. third-party services details below.

no accounts

dull doesn't have user accounts. there's nothing to sign up for and no profile to create.

local storage only

your preferences (which platforms you've enabled, appearance settings, friction gate configuration, grayscale settings, time limit settings, scheduled quiet hours, commitment delay state) and any usage statistics are stored locally on your device using UserDefaults. if you set a PIN lock, a SHA-256 hash of your PIN — not the PIN itself — is stored in the iOS Keychain on your device. nothing in UserDefaults or the Keychain ever leaves your phone.

cookies stay on-device

when you log into Instagram or YouTube through dull, those platforms set cookies in the web view. these cookies are stored locally on your device. we can't see them and don't access them.

RevenueCat (subscription management)

RevenueCat manages subscription status and processes transaction data from Apple. the legal basis for this processing is performance of a contract and legitimate interest — we need RevenueCat to provide and manage your subscription, and to understand whether the app is working for subscribers. RevenueCat may receive:

• a pseudonymous app user ID (generated by RevenueCat, not linked to your identity)
• transaction and purchase data from Apple
• device type, OS version, and app version
• where you heard about dull (if you choose to tell us during or after sign-up)
• which platforms you selected during onboarding
• pseudonymous usage signals for subscription management: whether you have ever opened a platform browser, total number of browse sessions, number of days you have used the app, which platforms you have opened, and which optional features are enabled (e.g. grayscale mode, time limits, quiet hours, opening challenge)

none of this is linked to your name, email, or Apple ID. it is used solely to manage your subscription, identify whether the app is delivering value during your trial, and improve the product. retention: subscription and transaction data is retained for the period required by applicable accounting and tax law (typically 5 years from the end of the financial year of the transaction); other RevenueCat customer attributes are retained for as long as the subscription is active and for a reasonable wind-down period thereafter, in accordance with RevenueCat's own retention policy. see RevenueCat's privacy policy for full details.

Mixpanel (pseudonymous product analytics)

dull uses Mixpanel to understand where users drop off, which features get adopted, and whether the product is working — so we can improve it. Mixpanel receives:

• a pseudonymous device ID (vendor ID — not linked to your Apple ID, name, or email; resets on app reinstall)
• when the app is opened (whether it's a fresh launch or a return from the background), whether it is the very first time you have ever opened the app, and your current subscription status at the time (active, lapsed, or no subscription — not linked to any identity or payment data)
• which onboarding screens you saw, the aspirations you selected, the pain points you selected (e.g. "I open it for one thing, lose 40 minutes" — these are pre-written multiple-choice options, not free-text input), the screen-time bucket you entered along with the underlying numeric value (in hours), the time limit you set during onboarding (in minutes), which specific platforms you selected, whether you completed onboarding, and a summary of which features (time limits, grayscale, friction gate) were enabled at completion
• paywall events: when the paywall was shown, where it was shown from, whether it was a first-time or reactivation view (i.e. whether you had subscribed before), whether it was dismissed, whether a trial or purchase completed (product ID and whether it was a free trial), whether a restore happened
• where you told us you heard about dull (referral source), if you chose to share that
• which steps of the post-paywall setup flow you reached and whether you completed it
• when a platform browser is opened (which platform — Instagram, YouTube, Facebook, X, Reddit) and how long each session lasts (in seconds)
• when you enable or disable key features in settings (friction gate, time limits, commitment delay, PIN lock, grayscale — including which platform grayscale was toggled for)
• anti-bypass events: when you activate or end a session bypass, when you start a 24-hour commitment delay, when a filter becomes loosened after the delay
• contextual nudge events: when a nudge was shown, tapped, or dismissed (rule ID only)
• time limit events: when a time limit gate appears (platform and whether it was a daily limit or scheduled block), when a bonus-time extension is used
• friction gate events: when a friction gate challenge is shown (platform and challenge type — e.g. wait timer, breathing exercise, math problem), when it is completed (including how many seconds the challenge took), and when it is abandoned without completing
• when you view your weekly usage receipt
• app version and iOS version

we do not pass any browsing data, the content you view, social media activity, on-device usage statistics, or personal information to Mixpanel. events describe whether and when something happened, not what you looked at. we do not call Mixpanel's identify API — all events are attached to the device-level pseudonymous vendor ID described above. your IP address is used transiently by Mixpanel's servers to derive approximate city and country, then discarded — it is not stored or linked to your events. the legal basis for this processing is legitimate interest — understanding product usage is necessary for us to improve dull and sustain the business. you have the right to object to this processing at any time under GDPR Art. 21; email [email protected] and we will stop. retention: Mixpanel retains event-level data for up to 14 months on our project configuration, after which it is anonymized or deleted. see Mixpanel's privacy policy for full details.

Apple Ads attribution

dull uses Apple's AdServices framework to measure whether app installs came from an Apple Ads campaign. on first launch, the app requests an anonymous attribution token from Apple. this token does not contain your Apple ID, device identifier, or any personal information — it is a privacy-safe, aggregated signal provided by Apple. the token is forwarded to RevenueCat so we can understand which search terms lead to subscriptions. no tracking prompt is required because AdServices does not use the IDFA or track you across apps. see Apple's AdServices documentation for details.

ad network measurement (Meta, Google, TikTok)

if dull runs paid advertising campaigns on Meta (Facebook/Instagram), Google, or TikTok, we use the following mechanisms to measure whether those campaigns are effective. the legal basis is legitimate interest — understanding whether our advertising spend leads to subscriptions. we do not run behavioral retargeting, lookalike audiences from in-app behavior, or any tracking that follows you across other apps or websites. the purpose is aggregate ad performance measurement (ROAS). you have the right to object to this processing at any time under GDPR Art. 21.

• SKAdNetwork: Apple's privacy-preserving attribution framework. when you install dull after seeing an ad, Apple may send an aggregated, anonymous signal to the relevant ad network confirming that an install occurred. no personal data, browsing history, or user identifier is included. no ATT prompt is required for this mechanism.
• RevenueCat server-side attribution (Conversions API): when a subscription purchase occurs, RevenueCat may forward a pseudonymous conversion event (that a purchase happened, the subscription tier, and the revenue value) to the ad network's API. this is sent server-to-server — RevenueCat's servers to the ad network's API — using pseudonymous match identifiers (described below).
• Meta SDK (new users only, from May 2026): for users who install dull after May 7, 2026, the Meta SDK (FBSDKCoreKit) is embedded in the app to send install and "paywall viewed" events to Meta. the SDK sends a pseudonymous Meta-generated ID ($fbAnonId), your app version, and the event name. it does not send your browsing data, anything inside the app, or any account information. existing users (installed before May 7, 2026) are grandfathered out. in the EU/EEA and Korea, the Meta SDK is not initialized at all in the current release; no Meta SDK events leave your device in those regions. before we change this, we will ship a separate in-app consent step that meets EU ePrivacy and Korean PIPA standards. retention: Meta retains attribution events under its own retention policy.
• App Tracking Transparency / IDFA (new users only): after a new user completes the post-paywall setup flow, dull shows iOS's standard ATT prompt. this is the system-level "allow tracking?" prompt Apple requires before any app may access the IDFA (a device-level advertising identifier). if you tap allow, dull sends your IDFA to RevenueCat, which uses it to improve match accuracy when forwarding subscription events to the ad network's Conversions API. if you tap "ask app not to track," nothing changes about how the app works — same features, same experience — and only the pseudonymous match identifiers are used. no rewards or restrictions are tied to your choice. dull will never ask again unless you reset the prompt in iOS Settings. note that under EU ePrivacy and Korean PIPA, the ATT prompt alone is not treated as consent for the Meta SDK; in those regions, the Meta SDK is currently not initialized, and we will only enable it after shipping a separate in-app consent step.

match identifiers used for server-side attribution: $fbAnonId (Meta-generated pseudonymous ID), IDFV (Apple vendor ID — different per developer, so it can't follow you across other companies' apps), IP address (used by ad networks transiently for matching, then dropped), and IDFA (only when you tap allow on the ATT prompt). RevenueCat keeps these as customer attributes solely to forward them on subscription events.

Apple

when you purchase a subscription, Apple processes your payment and may collect data as described in Apple's privacy policy. we do not receive your payment details from Apple.

Resend (email delivery)

if you submit your email through one of our forms (e.g. the Android waitlist at getdull.app/android) we use Resend to store the address and send you email from us. Resend receives:

• the email address you submitted
• which form or list you joined (e.g. android-waitlist)
• a coarse referral source if available (UTM parameter, referring page, or "direct") — never a precise URL or anything that would identify you
• the email address as the sole identifier for delivery

we do not pass your IP address, browser fingerprint, or any data from the Dull app itself to Resend. submissions are handled by a server-side endpoint hosted on Cloudflare; the endpoint receives your IP transiently to process the request and apply abuse protection, but does not store it.

by submitting your email you consent to receiving the specific notification you signed up for (e.g. an email when the Android version ships, plus a one-time confirmation). product updates, new feature announcements, and any future marketing emails are sent only if you separately opt in to those — we ask for that as a distinct checkbox on the form, unchecked by default. we do not sell your email address, share it with other companies for their own marketing, or use it for behavioural targeting on third-party platforms.

the legal basis for this processing is consent. you can withdraw consent at any time by clicking the unsubscribe link on any email we send, or by emailing [email protected] — we'll remove your address from all our lists. retention: we keep waitlist and marketing contacts for up to 36 months from your last interaction with our email, or until you unsubscribe, whichever comes first. see Resend's privacy policy for full details.

EU/EEA and UK (GDPR / UK GDPR)

access, rectification, erasure, restriction, portability, objection (including to processing based on legitimate interest, per Art. 21), withdrawal of consent at any time without affecting prior lawful processing, the right not to be subject to automated decision-making (we don't do any — see below), and the right to lodge a complaint with a supervisory authority. the lead authority for dull is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), aki.ee. EU/EEA residents may also bring complaints to their local supervisory authority. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.

automated decision-making: we do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.

source of data: all personal data we hold comes either directly from you (e.g. an email you submitted) or from your device and the third-party services described above (Apple, RevenueCat). we do not buy data, append data from data brokers, or enrich your profile from third-party sources.

United States — state privacy laws

if you live in California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Delaware, New Hampshire, New Jersey, Maryland, or Minnesota, you have some or all of the following rights under your state's privacy law: the right to know what personal information we have, the right to delete it, the right to correct it, the right to portability, the right to opt out of targeted advertising, the right to opt out of any "sale" or "sharing" of personal information, the right to opt out of profiling for decisions with legal or similarly significant effects, and the right to limit the use of sensitive personal information. some state laws are narrower than others — Texas's TDPSA, for example, focuses on the sale of sensitive personal data — so the specific rights that apply depend on your state. we honor verified requests within the time required by your state's law (typically 45 days). we will not discriminate against you for exercising these rights.

California (CCPA/CPRA — additional specifics)

• categories of personal information collected in the past 12 months under Cal. Civ. Code §1798.140(v): identifiers (pseudonymous device IDs, IP address transiently for geolocation, email if submitted), internet/electronic activity (app-event analytics), commercial information (subscription transactions via Apple/RevenueCat), inferences (none drawn for profiling).
• sources: directly from you, your device, Apple, RevenueCat.
• purposes: to provide and support dull, manage subscriptions, measure ad effectiveness, improve the app.
• retention: for the periods listed in each third-party section above, or until you ask us to delete it, whichever is shorter.
• sensitive personal information under §1798.121: we do not collect SPI. you do not need to exercise the right to limit use of SPI.
• do not sell or share my personal information: we do not sell your personal information. we do not engage in cross-context behavioral advertising in the sense the CCPA defines as "sharing" — the ad-network measurement described above is aggregate ROAS measurement, not retargeting or lookalike modeling from your in-app behavior. if you wish to opt out of any future processing that may qualify as a "sale" or "share," email us at [email protected]. we honor Global Privacy Control (GPC) signals on getdull.app as a valid opt-out signal, and we show visible confirmation on the page when a GPC signal is received, in line with CCPA Regs §7025(c)(6) effective January 1, 2026.
• shine the light (Cal. Civ. Code §1798.83): we do not disclose personal information to third parties for their own direct marketing purposes.
• non-discrimination: we do not deny service, charge different prices, or provide a different level of quality to consumers who exercise CCPA rights.

Korea (PIPA)

see the Korean PIPA disclosures section below for the items required by PIPA Art. 30 (CPO, processors, breach procedure, automatic data-collection tools, overseas transfer details).

Japan (APPI)

see the Japan APPI disclosures section below for cross-border transfer and personal-related-information specifics.

Singapore (PDPA)

you have the right to withdraw consent (we will action withdrawal within 10 business days), the right to access your personal data, the right to request correction of your personal data, and the right to lodge a complaint with the Personal Data Protection Commission (PDPC) at pdpc.gov.sg. our Data Protection Officer for PDPA purposes is Kaspar Noor, reachable at [email protected].

Australia (Privacy Act / APPs)

you have rights under APP 12 (access) and APP 13 (correction) of the Australian Privacy Principles. you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. for cross-border disclosures, see the international data transfers section above.