Privacy Policy
Last updated: July 11, 2026 · Effective: July 11, 2026 · Terms of Use
Anchor is a calm space to talk things through. It is built privacy-first, and we will be precise about what that means rather than hide behind slogans. Some things never leave your phone: for nearly all languages, your raw voice is transcribed on your device and the audio never leaves it (there is one narrow exception for languages Apple's on-device transcriber does not support, see "Your voice" below), along with the on-device signals that color the screen. But to actually help you, Anchor is a connected app: your messages are sent to Google Gemini to write each reply, and a distilled memory of what helps you, including your mood over time, is stored in your own private cloud space so Anchor can remember you between sessions. There are no ads, no advertising identifier (IDFA) is ever read or linked, your data is never sold or used to train Google's models, and you can erase everything any time. This page explains, plainly, exactly what we collect, what leaves your device, why, who processes it for us, how long it lives, and the rights you have under laws like the GDPR (EU/UK), the CCPA/CPRA (California), the DPDP Act (India), and similar regimes.
The short version
- What stays on your phone. For nearly all languages, your raw voice: it is transcribed on your device and the audio never leaves it. (One exception: a small set of languages Apple's on-device transcriber does not support, there, your spoken words are sent, encrypted, to Google Cloud Speech-to-Text just to be turned into text, then discarded. You can always type instead.) Also local-only: your name, your chosen language and crisis region, and your breathing and grounding sessions.
- What goes to the cloud. Your messages go to Google Gemini to write replies. A distilled memory of what helps you, including your mood over time and the patterns Anchor notices, is stored in your own private cloud space (Google Firestore, locked to your identity) so it can remember you across sessions. Raw conversations are deleted within about a day unless you choose to keep them.
- Google Gemini sees your words only to write a reply, to remember what helps you, and occasionally to sense whether a chat helped (so it knows when to ask for a rating). Never for ads, profiling, or training Google's models. You consent the first time and can revoke any time.
- No accounts required, no ads, no cross-app tracking, no IDFA. Sign in with Apple is optional and only used to back up your private memory across devices.
- Inviting a friend (Give Anchor). If you create a gift code to give someone a free month, we keep an anonymous record of the code and, if it is redeemed, a link between the two accounts, only to deliver the free access and any thank-you credits and to prevent abuse. No names, emails, phone numbers, or contacts are collected, and no payment is involved.
- Anonymous analytics runs by default outside the EU/EEA/UK (disclosed here, with an off switch always available in Settings › Privacy & Data); inside the EU/EEA/UK it is OFF by default and strictly opt-in via an unticked choice at onboarding or in Settings. It covers which screens you visit and what you tap, never the content of anything you write, plus a masked screen recording that is paused on every screen that can show your words (the conversation, vent, crisis, memory, and the onboarding interview screens that display your typed answers). In the EU/EEA/UK, events fired before you choose are held only on your device and are sent only if you opt in; if you don't, they are erased and never left your phone. Crash and performance diagnostics default ON in release and are opt-out from Settings; both carry only diagnostic codes and timings, never your words.
- "Help improve Anchor" is a separate opt-in, OFF by default. Only if you turn it on may our team read your conversations to find and fix problems and make Anchor better. We keep those conversations for 30 days, then delete them. This is never used to train AI models, never sold, never for ads, and you can turn it off any time.
- You're in control. "Forget everything" wipes your memory on your device and in the cloud, instantly. You can delete your account and all cloud data any time from Settings → Account.
Who we are (the data controller)
Anchor is made by SnapSprint AI Private Limited ("we", "us", "Anchor"), an Indian private limited company with its registered office at 712 Mahagun Mastero, Sector 50, Noida 201301, Uttar Pradesh, India. For any privacy question, data-access, correction, deletion, or portability request, or to reach our Data Protection contact, email privacy@snapsprint.org.
You are talking to an AI
Anchor's conversation, Vent, and check-in features are powered by an artificial intelligence system (Google Gemini). You are not speaking with a human. This disclosure is required under EU AI Act Article 52 and similar transparency obligations in other jurisdictions. The AI may produce responses that feel personal or empathetic, but they are generated by a machine learning model, not by a person. If you are uncertain whether you are speaking with a human or AI at any point, assume it is AI.
How we use Google Gemini
Anchor's conversations are powered by Google's Gemini model through Firebase AI Logic on the Vertex AI backend. Google acts as our data processor. We use Google's AI services for four things:
1. To reply to you
When you send a message, your recent conversation, a short summary of what has previously helped you (your "memory brief"), and your first name (if you gave one) are sent to Gemini so it can respond. This is required for the AI to work, treat anything you type or say as shared with Google for processing. Apple's App Store guideline 5.1.2(i) requires us to ask for your consent before this happens, the first time and revocably from Settings.
2. To remember what helps, so it serves you better
So that Anchor can remember what helps you, your conversation turns are processed by our own secure backend (a Google Cloud Function in our Firebase project anchor-app-2026), which uses Gemini to distill a short, private summary: the people who matter to you, recurring themes, what tends to help versus what to avoid, a few stable facts, and a light sense of your mood over time. Alongside it, the backend maintains an evolving picture of your emotional patterns, for example what tends to set you off and what steadies you, so support can meet you where you are. Together, that is what lets Anchor pick up where you left off and tailor support to you, instead of starting from zero every time. This distilled memory and pattern picture persist in your private cloud space even when raw conversations are transient (see below), until you erase them.
This happens server-side, periodically as you talk and when a conversation ends, so it works reliably even if you close the app. To make that possible, your conversation turns are written to your own private, access-controlled space in our Firestore database, where the backend reads them to distill the summary. Google acts as our data processor for both the Gemini call and the database, under the agreements linked below.
What happens to those raw turns depends on a separate choice you make. By default ("Remember our conversations" OFF), they are transient: the backend distills them and then deletes the raw turns within about a day (a 24-hour safety window), and we keep only the distilled summary. If you turn "Remember our conversations" ON (a distinct, explicit opt-in in Settings), we retain your conversations so you can read and search them, and so Anchor can recall specific past moments and understand you better over time. Retained conversations are kept until you delete them, you can delete any single conversation, all of your history, or everything Anchor has learned, at any time from Settings, and you can export a full copy of your data any time from Settings › Account › Export my data. You can turn this off whenever you like.
3. To sense whether a conversation helped
Occasionally, after a conversation, Anchor sends your recent turns to Gemini once more to gauge whether you seem to feel steadier or more settled than when you started. We use this only to decide whether it is a good moment to ask if Anchor helped (a brief, optional rating prompt). This is an inference about your emotional state, which is treated as sensitive (special category) data under the GDPR and similar laws. We rely on your explicit consent (the same AI consent you give before any message is sent to Gemini) to make this inference, and you can withdraw it at any time by turning off AI replies in Settings. The result is not stored, profiled, or shared; it only gates whether the rating card appears.
We do not use Gemini, or anything you share, to serve ads, build an advertising profile, or track you across apps. Per Google's terms for Firebase AI Logic and Vertex AI, your data is not used to train Google's foundation models. Google processes it under its own terms and the Google Cloud Data Processing Addendum (our controller-processor agreement with Google, as required by GDPR Article 28). See also Google's Privacy Policy and the Firebase Privacy & Security information.
4. To read replies aloud, if you ask it to (off by default)
If you turn on "Speak replies" in Settings › Privacy & Data, Anchor voices its replies aloud. To do this, only the text of Anchor's own reply is sent through our secure backend to Google's Cloud Text-to-Speech and Vertex AI (Gemini) speech services to synthesize the audio. We never send your words or any recording of your voice to the speech service, and no audio of you is ever captured for this. The reply text is processed transiently to generate the sound; the resulting audio is streamed to your device and not stored, and none of it is used for ads or to train Google's models. Google acts as our processor under the same Data Processing Addendum referenced above. This feature is off until you enable it and can be switched off at any time in Settings.
Legal bases for processing (GDPR)
For users in the EU/EEA/UK, we process personal data on the following legal bases:
- Consent (Art. 6(1)(a)): Sending your messages to Google Gemini for AI replies and memory distillation. You consent the first time and can withdraw at any time from Settings.
- Explicit consent (Art. 9(2)(a)): Because your conversations and mood touch on your mental and emotional wellbeing, any inference Anchor makes about how you feel (for memory and to sense whether a conversation helped) involves special category data. We process it only on your explicit consent, given through the AI consent prompt, and only to provide the support features you asked for. We never use it for any other purpose.
- Explicit consent (Art. 9(2)(a)) for product improvement: Separately and only if you turn on "Help improve Anchor", you give explicit consent for our authorised team to keep (for 30 days) and read your conversations to debug and improve the app. This is independent of the consent above, off by default, and withdrawable any time in Settings.
- Contract performance (Art. 6(1)(b)): Storing your distilled memory in Firestore so that paid features (long-term memory, cross-device sync) work as promised.
- Legitimate interests (Art. 6(1)(f)): Crash diagnostics and performance monitoring (our interest: keeping the app stable and safe). You can opt out at any time. Note: for EU/EEA/UK users, product analytics (PostHog and Firebase Analytics) are consent-based, not legitimate interests: off by default, active only if you tick the unticked analytics choice at onboarding or turn it on in Settings, and withdrawable any time. Events fired before you choose are held only on your device and are sent only on your opt-in; otherwise they are erased without ever leaving your phone.
- Legal obligation (Art. 6(1)(c)): Retaining transaction records as required by applicable tax and financial law.
Where we rely on legitimate interests, we have assessed that those interests are not overridden by your privacy rights. You may request a copy of that assessment by emailing privacy@snapsprint.org.
Sensitive (special category) data
Anchor is about feelings, so some of what you share, and the inferences Anchor draws from it (your mood, emotional tone, whether a conversation helped), is treated as special category data concerning your mental health under GDPR Article 9 and equivalent protections under the DPDP Act and other laws. We process this data only with your explicit consent, only on your device or via Google as our processor to deliver the features you use, and never to target ads or share it with anyone for their own purposes. The only "profile" Anchor builds is the memory described on this page, including the emotional patterns it notices, and you can see and erase it yourself, in Settings. Turning off AI replies in Settings stops all such processing, and "Forget everything" erases what was kept.
Automated processing and crisis detection (GDPR Art. 22)
Anchor's crisis detection analyses your words in real time to decide whether to surface a helpline card. It works in two layers: an on-device keyword check that runs entirely on your phone, and, when AI is enabled, a brief AI safety check that sends your recent words to Gemini (the same processor and consent as your replies) purely to assess risk, so the helpline can also appear for indirect phrasing the on-device check would miss. This is automated processing that may produce an effect on you (showing or not showing emergency resources). It does not constitute a "solely automated decision producing legal or similarly significant effects" under GDPR Art. 22 because: (a) no legal or equivalent decision about you is made; (b) the detection only adds a resource, it never removes or restricts access; and (c) the risk assessment is not stored, profiled, or reported externally. You can always dismiss the helpline card. If you have concerns about this feature, contact us.
What stays on your device
- Your name, if you choose to give one, is stored in local app settings. It only leaves your device as part of a message's context (above). It is optional; you can stay anonymous.
- Your voice. For every language Apple's on-device Speech framework supports (the overwhelming majority of Anchor's languages), your voice is transcribed entirely on your device: audio is not stored and never leaves your phone; only the resulting text becomes your message. The one exception: if your chosen language is not supported by Apple's on-device transcriber (for example, some regional languages such as Assamese or Odia), Anchor records your spoken utterance and sends it, encrypted, through our secure backend to Google Cloud Speech-to-Text (Google acting as our data processor) solely to convert it to text. The audio is processed transiently for that transcription and is not retained by us; it is never used for ads, profiling, or to train models. If you would rather no audio ever leave your device, you can type instead, the mic is always optional.
- Breathing and grounding sessions, and gentle nudges are not transmitted on their own. Your mood check-ins are recorded on your device, but your mood over time becomes part of the distilled memory that syncs to your private cloud space (see "What Anchor remembers" below).
- Emotional tone and crisis-word detection run entirely on your device to color the screen and surface a helpline when needed. These checks are never logged or sent anywhere.
- Your chosen language and crisis region are stored locally only.
What Anchor remembers (your memory)
To support you across sessions, Anchor keeps a private memory, a distilled, structured summary (not raw transcripts): people in your life and how those relationships feel, recurring threads, what helps and what to avoid, a few stable facts, your mood timeline, an evolving picture of your emotional patterns (what tends to set you off and what steadies you), and a brief recap of recent talks.
This memory is stored encrypted on your device and, so it can sync, in your own private cloud space in Google Firestore (the Firebase project anchor-app-2026, operated and billed by us). Access is locked to an anonymous per-install identity (anonymous Firebase Authentication) or, if you opt in, your Sign in with Apple identity. The only systems that can read or write it are your own device(s) and Anchor's own secure backend acting on your behalf (to distill your memory, as described above); no other user, and no advertiser, can ever access it.
To build this memory, individual conversation turns are written to your private space in Firestore so our backend can distill them (see "How we use Google Gemini" above). By default these raw turns are transient (distilled, then deleted within about a day) and only the structured summary persists. If you opt in to "Remember our conversations", your full conversations are retained (readable and searchable by you, and used to recall past moments and deepen Anchor's understanding) until you delete them. Either way, you can read and delete your data at any time from Settings, and export a full copy from Settings › Account.
Inviting friends and gift codes (Give Anchor)
Anchor lets you give another adult a free month by creating a one-time gift code to share with them however you choose (for example by message or in person). To run this feature and prevent abuse, we keep a small record in your private cloud space (Google Firestore, the same anchor-app-2026 project): the codes you create and their status (created, redeemed, expired), and, when someone redeems your code or you redeem someone else's, a link between the two accounts so we can deliver the free access, add any thank-you credits, and guard against fraud. This record uses the same anonymous per-install identities described above, not names, email addresses, or phone numbers. You share the code yourself through your own device and the app you choose: we do not send messages on your behalf and we do not access your contacts. Gift access is a self-managed 30-day entitlement in our system, not an Apple subscription: no payment information is involved and nothing auto-renews. We never sell this data or use it for advertising, and erasing your account from Settings removes your gift records. The rules of the gifting program are in the Terms.
Helping us improve Anchor (optional, OFF by default)
Anchor only gets better if we can see where it falls short, when a reply lands wrong, when memory misfires, when something confuses or upsets you. To do that responsibly, we ask for your separate, explicit permission with the Settings › Privacy & Data › "Help improve Anchor" toggle. It is off by default, and it is distinct from both your AI consent and the "Remember our conversations" setting.
If, and only if, you turn it on:
- A small, authorised group of the Anchor team may read your conversations (the messages you send and Anchor's replies) to find and fix problems and improve the app.
- Those conversations are kept on a rolling 30-day window, measured per message from when you send it: each message is automatically deleted 30 days after it was sent, regardless of when you last opened the app. (If you also turn on "Remember our conversations", your own readable History is kept until you delete it, as described above.)
- Access is restricted to authorised staff, requires a stated reason, and every access is logged in an internal audit trail.
- We use this only to debug and improve Anchor. It is never used to train AI models, never sold, never shared for advertising, and never used to profile you.
- You can turn it off any time; turning it off stops any new conversations from being kept for review, and you can delete what was already kept from Settings at any moment.
Because your conversations concern your mental and emotional wellbeing, this is special category data and we process it under your explicit consent (GDPR Art. 9(2)(a) and equivalents). If you never turn this on, no member of our team can read your conversations: by default raw turns are deleted within about a day of being distilled, as described above.
Sign in with Apple (optional)
Anchor works fully without signing in. If you choose Settings › Account › Sign in with Apple, your anonymous memory is linked to your Apple ID so it survives reinstalls and follows you across your devices. We receive only a stable opaque identifier and, optionally, your name (whatever Apple gives us, you can also choose to share a relay email address that hides your real one). We never sell or share this identifier with third parties.
If you later choose Delete account & data, we revoke your Apple authorization and permanently delete the linked memory.
Apple Health (opt-in, off by default)
If you turn on Settings › Save mood to Apple Health, Anchor writes your check-ins to Apple's State of Mind and breathing sessions to Mindful Sessions, on your device. Anchor only writes to Health, we never read your Health data. The toggle is off until you enable it; iOS prompts you for permission the first time, and you can revoke it any time in the iOS Settings app.
Diagnostics and anonymous analytics
To keep the app stable and improve where it falls short, Anchor uses the services below. None of these ever send the content of your messages, your name, or anything you check in about. All are controllable from Settings › Privacy & Data:
PostHog (on by default outside the EU/EEA/UK; opt-in and OFF by default within it)
When anonymous analytics is enabled, Anchor sends product-usage events to PostHog, Inc., a US-based product analytics platform (PostHog Privacy Policy). PostHog acts as our data processor. Outside the EU/EEA/UK, analytics is enabled from first launch under this policy and can be turned off any time in Settings › Privacy & Data. Within the EU/EEA/UK it is off until you tick the unticked analytics choice at onboarding (or turn it on in Settings); events fired before that choice are held only on your device and are either sent on your opt-in or erased without ever leaving your phone.
What PostHog collects when analytics is on:
- Usage events, which screens you visited, whether exercises started or completed, whether a suggestion was accepted, whether the crisis card was shown. Events carry only a small set of non-content parameters (e.g. "breathing technique: box", "subscription tier: free"). String values are capped at 64 characters; any value over that limit is dropped before leaving your device to prevent content from leaking.
- Rage-click detection, when analytics is on, PostHog flags moments where you tap a UI element repeatedly (only tap coordinates and element metadata, never content), so we can find frustrating screens.
- Session recording (a masked screen recording), runs with analytics, when analytics is on, Anchor sends PostHog a masked recording of the app's screens to help us find where the app is confusing. Everything you type and all images are masked, and recording is paused on any screen that can show your words or saved personal content (the conversation, vent, crisis, the memory, people, and history screens, and the onboarding interview screens that display your typed answers), so your messages, your saved memory, and any crisis content are never captured. It follows the same regional default as analytics above and can be turned off any time in Settings. Because this is a mental-health app, we never record the screens that can show sensitive things you have written.
- An anonymous stable identifier, PostHog receives the same anonymous Firebase UID your memory is stored under (a random string, not your name or email) so events from the same install can be grouped. If you sign in with Apple, PostHog upgrades this to a stable person profile keyed on that same Firebase UID. No email address, real name, or Apple ID is sent.
- Super-properties, attached to every event: app version, device language, subscription tier, and whether AI consent was given. None of these identify you personally.
PostHog is a US-based service. Event data is sent to PostHog's US infrastructure (us.i.posthog.com). For EU/UK users, Google's Standard Contractual Clauses and PostHog's EU data transfer mechanisms apply. Turning off anonymous analytics in Settings stops all PostHog data collection immediately.
Firebase Analytics (same regional default as PostHog above)
Anonymous usage counts sent to Google Firebase Analytics, mirroring the PostHog events above (same zero-content parameters). The IDFA is never collected or linked, so iOS does not show an App Tracking Transparency prompt. We declare NSPrivacyTracking = false in our app's PrivacyInfo.xcprivacy.
Firebase Crashlytics (opt-out, ON in release)
Crash stack traces, an anonymous session id, device model, OS version, and locale. We strip your own error messages to a short non-PII code before recording, so the underlying text never appears in a crash report.
Firebase Performance Monitoring (opt-out, ON in release)
App-start time and a few render traces (e.g. "how long did the conversation reply take"). No user content. No network payload bodies.
Rating prompt (when analytics is on)
If you respond to the occasional "did Anchor help?" prompt, we log the star count and, if you write optional feedback, only its length (a character count), never the words you wrote. The feedback text itself stays on your device unless you choose to email it to us.
In-app feedback (only when you send it)
If you deliberately send us feedback from inside the app, that feedback (what you wrote, plus basic context like app version and category) is stored in our own Firestore database so we can act on it. To alert the team, an automated notification containing only a metadata summary, the category, severity, sentiment, and a one-line summary, never the full text of your feedback and never any conversation content, is sent to two internal tools we use for triage: a private Google Sheet (Google LLC, as our processor) and a private Discord channel (Discord Inc.). The full feedback stays in Firestore, visible only to authorised staff, and you can ask us to delete it at any time.
Google acts as our data processor for Firebase services under the Firebase Data Processing & Security Terms. PostHog acts as our data processor under its own DPA. We do not sell or share this data with anyone, and it is never used for advertising.
App Check (abuse prevention)
Anchor uses Firebase App Check (Apple's App Attest on real devices) to keep automated tools from abusing the AI or memory backends. App Check produces short-lived, app-attestation tokens. It does not collect personal data and is never used for tracking or analytics.
Subscriptions (in-app purchases)
Anchor's paid tiers are processed by Apple's App Store. We receive only the receipt and transaction information needed to entitle your device to the right tier; we never receive your payment card details or Apple ID password. Your entitlement is observed on-device via StoreKit 2; we keep a private usage counter (conversations and voice minutes remaining) locally. See the Terms for subscription details, billing cycles, trials, and Apple's renewal terms.
Security, and if something goes wrong
Everything Anchor sends leaves your device over encrypted connections (TLS), and your cloud data is encrypted at rest in Google Cloud. Access to your private space in Firestore is locked to your own identity by security rules; our backend runs in our own Firebase project; team access to opt-in review data is restricted to authorised staff and logged (see "Helping us improve Anchor" above); and Firebase App Check attestation keeps automated tools away from the AI and memory backends. No system is perfectly secure, so we also make this commitment: if a security incident affects your personal data in a way the law treats as a breach, we will notify you and the relevant authorities as required by the laws that apply to you, including the GDPR (without undue delay, and within 72 hours to supervisory authorities), the FTC's Health Breach Notification Rule for US users of consumer health apps, and India's DPDP Act breach-notification rules.
Consumer health data (Washington & Nevada)
This section is our Consumer Health Data Privacy Policy for residents of Washington (My Health My Data Act) and Nevada (SB 370). Because Anchor is a wellbeing app, some of what it handles is "consumer health data" under those laws:
- Categories we collect: the messages you choose to send about your emotional state and relationships; your mood check-ins and mood over time; the distilled memory summary (patterns, what helps you); transient inferences about your wellbeing (whether a conversation helped, whether crisis resources should be shown).
- Sources: you (what you type or say in the app), and inferences generated from that content by the AI processing you consented to. We do not buy, collect, or receive health data about you from anyone else.
- Why we collect it: solely to provide the features you use, AI replies, memory across sessions, calming exercises, the crisis card, and, only if you separately opt in, to debug and improve the app.
- Who it is shared with: only service providers (processors) acting on our instructions: Google LLC (Gemini AI replies and distillation, Firestore storage, Cloud Speech-to-Text for unsupported-language voice input, Cloud Text-to-Speech for spoken replies); PostHog, Inc. (opt-in product analytics, receives usage events and masked recordings only, never your message content); and Apple Inc. (optional Sign in with Apple, optional write-only Apple Health saving, and App Store purchases). We share consumer health data with no affiliates and no advertisers, and we do not sell it, ever.
- Your rights: you can access what we hold, withdraw consent, and delete your data (in-app via "Forget everything" and account deletion, or by emailing privacy@snapsprint.org). We will never discriminate against you for exercising these rights. Washington residents who believe we have violated the My Health My Data Act may complain to the Washington Attorney General.
What we DO NOT do
- No tracking. Anchor declares
NSPrivacyTracking = false, uses no advertising identifiers (IDFA), and runs no tracking pixels. - No advertising SDKs. No Facebook, no Mixpanel, no AppsFlyer, no Adjust, no Branch, no third-party attribution. PostHog is a product analytics tool (used to understand how we can improve Anchor), not an advertising or tracking network, and we never share your PostHog data with any advertiser.
- No selling or sharing of personal information for cross-context behavioral advertising, ever (this is your CCPA/CPRA right, and it is our default).
- No biometric or facial recognition.
- No background location, no microphone access except when you tap to listen.
- No recording of your conversations. The optional masked session recording (above) is paused entirely on the conversation, vent, and crisis screens, so your messages and any crisis content are never recorded. Everywhere it does run, text you type and images are masked, and it only runs if you opt in.
Where data lives, and for how long
Our backend Firebase project (anchor-app-2026) hosts Firestore in the multi-region nam5 location (primarily the United States). Crashlytics and Analytics aggregates live in Google's global infrastructure under Firebase. The retention table below applies unless you delete sooner from in-app controls.
| What | Where | How long |
|---|---|---|
| Your distilled memory (people, themes, emotional patterns, what helps) | Firestore (per anonymous uid) | Until you erase it, or 24 months after the last activity (we auto-purge inactive accounts) |
| Gift codes and invite links (codes you created, their status, and the account link when one is redeemed) | Firestore (per uid, our backend) | Kept while your account is active to run the gifting program and prevent abuse; deleted when you delete your account |
| Local cache of your memory + name + settings | Your device only | Until you delete the app or erase from Settings |
| Conversation turns, "Remember" OFF (default) | Firestore (per uid, our backend) | Transient. Distilled, then deleted within about a day (24-hour backstop). |
| Retained conversations, "Remember" ON (opt-in) | Firestore (per uid, our backend) | Kept until you delete them (single conversation, all history, or everything). Disclosed inactivity purge after 24 months of no use. |
| Conversations kept for team review, "Help improve Anchor" ON (opt-in) | Firestore (per uid, our backend), readable by authorised staff (audited) | Rolling 30 days, then automatically deleted. Stops being kept as soon as you turn the setting off; deletable sooner from Settings. |
| Conversation messages sent to Gemini | Google (Firebase AI Logic / Vertex AI), called by the app and by our backend | Not retained by Google for training; per the Google Cloud DPA, Vertex AI does not store prompts or responses beyond serving the request. Google's standard infrastructure logs (not content) may be retained up to 30 days per Google's platform terms. |
| Anonymous analytics events (if you opted in) | PostHog (US) + Firebase Analytics | PostHog: 1 year by default (configurable). Firebase Analytics: 14 months (platform default). |
| Feedback you deliberately send us | Firestore (our backend); metadata-only alert to Google Sheets + Discord | Until resolved, at most 12 months; deletable on request any time |
| Crash reports (if not opted out) | Firebase Crashlytics | 90 days for the symbolicated trace |
| Performance traces (if not opted out) | Firebase Performance | 90 days for the trace; aggregates 60 days |
International transfers
Because Google's Firebase services and PostHog are operated globally, your data may be processed outside your country of residence, typically in the United States. The processors we use and the safeguards in place are:
- Google Firebase (Analytics, Crashlytics, Performance, Firestore, AI Logic), data processed under the Firebase Data Processing & Security Terms and Google Standard Contractual Clauses for EU/UK transfers.
- PostHog, Inc. (product analytics + masked session recording, opt-in; recording paused on the conversation, vent, and crisis screens), data processed in the United States under PostHog's Data Processing Agreement and Standard Contractual Clauses for EU/UK transfers. PostHog is SOC 2 Type II certified.
India users: Your distilled memory is stored in Google Firestore in the United States (nam5 region), and if you opt into analytics, your usage events are sent to PostHog in the United States. By using Anchor and consenting to AI features, you consent to this cross-border transfer of your personal data to the United States, as permitted under the Digital Personal Data Protection Act 2023. You may withdraw this consent at any time by turning off AI replies and erasing your memory from Settings, after which no further data will be transferred.
Your rights
Depending on where you live, you may have rights to access, correct, port, delete, or restrict our processing of your personal data, and to object to certain processing. Most of these you can exercise directly in the app:
- Withdraw AI consent any time, turn off "AI replies via Google Gemini" in Settings. Withdrawal does not affect the lawfulness of processing that occurred before you withdrew.
- Erase your memory, "Forget everything Anchor remembers" wipes the device and cloud copies instantly.
- Delete your account & data from Settings › Account (when you signed in with Apple), removes both your auth identity and your memory.
- Opt out of analytics from Settings › Anonymous usage analytics (it is off by default anyway).
- Turn off "Help improve Anchor" from Settings › Privacy & Data to stop our team keeping or reading your conversations (it is off by default anyway).
- Opt out of crash diagnostics from Settings › Crash diagnostics.
- Opt out of performance metrics from Settings › Performance metrics.
- Access or portability, export a full copy of the data we hold for you (your memory, conversations, and profile) any time, instantly, from Settings › Account › Export my data. You can also email privacy@snapsprint.org and we will respond within 30 days.
- Do Not Sell or Share (CCPA/CPRA), we do not, and never will, sell or share personal information for cross-context behavioral advertising.
- Delete the app to remove everything stored locally.
- For any request not above (including under GDPR, CCPA/CPRA, or the DPDP Act), email privacy@snapsprint.org and we will respond within 30 days.
If you are in the EU/UK and you believe we have not addressed your concern, you may lodge a complaint with your local supervisory authority. EU residents may also contact our representative; please email us for details if needed.
Age requirement (18+) and children
Anchor is for adults (18 and older). The in-app consent you give before any AI features work includes confirming that you are 18 or older, and our Terms of Use require the same. Anchor is not directed at children, and we do not knowingly collect personal data from anyone under 18. If you are a parent or guardian and believe someone under 18 has used the app or submitted personal data, please contact us at privacy@snapsprint.org and we will promptly delete the associated data from our systems.
Crisis & medical disclaimer
Anchor is a supportive companion, not therapy, medical advice, or a crisis service, and it is not a substitute for professional care. If you are in immediate danger, call your local emergency number. For crisis support, the in-app helpline card connects you to findahelpline.com, a professionally maintained directory of free, confidential crisis lines in over 175 countries, matched to your region. Crisis support is always free, never gated by consent, subscription, or usage limits.
Our website (getanchor.fit)
Our marketing site at getanchor.fit uses no third-party advertising trackers and no tracking pixels. Where product analytics is used on this site, it runs in a privacy-conscious mode and is never linked to what you share inside the app. Firebase Hosting retains standard server-side access logs (IP address, browser, request path, timestamp) for up to 30 days as part of Google's infrastructure operations; these are not used for advertising or shared with us. The only other third-party requests the page makes are for standard web fonts; per those providers' policies, font requests are logged as standard web traffic but are not associated with a Google account and are not used for ad personalization.
Business transfers
If SnapSprint AI Private Limited is involved in a merger, acquisition, asset sale, restructuring, or insolvency proceeding, your personal data may be transferred as part of that transaction. If such a transfer occurs, we will post a notice on our website and, where required by law, notify you directly before your data is transferred and becomes subject to a different privacy policy. You may have the right to object to such a transfer under applicable law.
Your rights (expanded)
In addition to the self-service controls listed above, the following rights apply depending on your jurisdiction:
- GDPR (EU/EEA/UK): You have the right to access, rectify, erase, restrict, and port your personal data, to object to processing based on legitimate interests, and to withdraw consent at any time without affecting the lawfulness of prior processing. If you believe we have not handled your data lawfully, you may lodge a complaint with your national data protection authority (find yours at edpb.europa.eu). For direct requests or complaints, email privacy@snapsprint.org. EU representative (GDPR Art. 27): We are in the process of formally appointing an EU representative; this page will be updated with their contact details once confirmed. In the interim, direct your request to privacy@snapsprint.org and we will handle it within the applicable statutory deadline.
- CCPA/CPRA (California): You have the right to know what personal information we collect and how it is used, the right to delete, the right to correct, the right to opt out of sale or sharing (we do not sell or share), and the right to non-discrimination for exercising these rights. We do not sell personal information and have not done so in the preceding 12 months.
- DPDP Act (India): You have the right to access, correct, and erase your personal data; the right to grievance redressal; and the right to nominate a representative (someone who may exercise your data rights on your behalf in the event of your death or incapacity). Our grievance contact is privacy@snapsprint.org; we respond within 30 days or any shorter period the DPDP Rules prescribe. If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India, established under the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025.
- Other jurisdictions: If you reside in a jurisdiction with applicable data protection laws not listed above, you retain any rights granted to you under those laws. Email us at privacy@snapsprint.org to exercise them.
We will respond to all verifiable data rights requests within 30 days (or sooner if required by applicable law). We may need to verify your identity before processing certain requests.
Changes
If this policy changes, we will update the date above and, for meaningful changes, surface a notice in the app before the change takes effect.