Privacy Policy
Last updated: May 26, 2026 · Effective: May 26, 2026
Anchor is a calm space to talk things through. It is built privacy-first: most of what happens stays on your device, there are no ads, no advertising identifier (IDFA) is ever read or linked, and you can erase everything any time. This page explains, plainly, exactly what we collect, what leaves your device, why, who processes it for us, how long it lives, and the rights you have under laws like the GDPR (EU/UK), the CCPA/CPRA (California), the DPDP Act (India), and similar regimes.
The short version
- On-device first. Your name, speech-to-text, mood, breathing and grounding sessions stay on your phone unless explicitly noted below.
- Google Gemini sees your words only to write a reply and to remember what helps you. Never for ads, profiling, or training Google's models. You consent the first time and can revoke any time.
- No accounts required, no ads, no cross-app tracking, no IDFA. Sign in with Apple is optional and only used to back up your private memory across devices.
- Anonymous analytics is opt-in and OFF by default. Crash and performance diagnostics default ON in release and are opt-out from Settings; both carry only diagnostic codes and timings, never your words.
- You're in control. "Forget everything" wipes your memory on your device and in the cloud, instantly. You can delete your account and all cloud data any time from Settings → Account.
Who we are (the data controller)
Anchor is made by SnapSprint AI Private Limited ("we", "us", "Anchor"), an Indian private limited company. For any privacy question, data-access, correction, deletion, or portability request, or to reach our Data Protection contact, email shared@questly.life.
How we use Google Gemini
Anchor's conversations are powered by Google's Gemini model (currently gemini-3.5-flash with thinking disabled for speed) through Firebase AI Logic on the Vertex AI backend. Google acts as our data processor. We use Gemini for exactly two things:
1. To reply to you
When you send a message, your recent conversation, a short summary of what has previously helped you (your "memory brief"), and your first name (if you gave one) are sent to Gemini so it can respond. This is required for the AI to work, treat anything you type or say as shared with Google for processing. Apple's App Store guideline 5.1.2(i) requires us to ask for your consent before this happens, the first time and revocably from Settings.
2. To remember what helps, so it serves you better
At the end of a conversation, your recent messages are sent to Gemini once more so Anchor can distill a short, private summary: the people who matter to you, recurring themes, what tends to help versus what to avoid, a few stable facts, and a light sense of your mood over time. That summary is what lets Anchor pick up where you left off and tailor support to you, instead of starting from zero every time.
We do not use Gemini, or anything you share, to serve ads, build an advertising profile, or track you across apps. Per Google's terms for Firebase AI Logic and Vertex AI, your data is not used to train Google's foundation models. Google processes it under its own terms, see Google's Privacy Policy and the Firebase Privacy & Security information.
What stays on your device
- Your name, if you choose to give one, is stored in local app settings. It only leaves your device as part of a message's context (above). It is optional; you can stay anonymous.
- Your voice is transcribed on your device by Apple's Speech framework. We never record, store, or upload audio. Only the resulting text becomes your message.
- Mood check-ins, breathing and grounding sessions, and gentle nudges are not transmitted on their own.
- Emotional tone and crisis-word detection run entirely on your device to color the screen and surface a helpline when needed. These checks are never logged or sent anywhere.
- Your chosen language and crisis region are stored locally only.
What Anchor remembers (your memory)
To support you across sessions, Anchor keeps a private memory, a distilled, structured summary (not raw transcripts): people in your life and how those relationships feel, recurring threads, what helps and what to avoid, a few stable facts, your mood timeline, and a brief recap of recent talks.
This memory is stored encrypted on your device and, so it can sync, in your own private cloud space in Google Firestore (the Firebase project anchor-app-2026, operated and billed by us). Access is locked to an anonymous per-install identity (anonymous Firebase Authentication) or, if you opt in, your Sign in with Apple identity. Only your device(s) can read or write it. Full conversation transcripts are not stored in the cloud.
Sign in with Apple (optional)
Anchor works fully without signing in. If you choose Settings › Account › Sign in with Apple, your anonymous memory is linked to your Apple ID so it survives reinstalls and follows you across your devices. We receive only a stable opaque identifier and, optionally, your name (whatever Apple gives us, you can also choose to share a relay email address that hides your real one). We never sell or share this identifier with third parties.
If you later choose Delete account & data, we revoke your Apple authorization and permanently delete the linked memory.
Apple Health (opt-in, off by default)
If you turn on Settings › Save mood to Apple Health, Anchor writes your check-ins to Apple's State of Mind and breathing sessions to Mindful Sessions, on your device. Anchor only writes to Health, we never read your Health data. The toggle is off until you enable it; iOS prompts you for permission the first time, and you can revoke it any time in the iOS Settings app.
Diagnostics and anonymous analytics
To keep the app stable and improve where it falls short, Anchor uses three Firebase services with careful, opt-in defaults. None of these ever send the content of your messages, your name, or anything you check in about. All three are controllable from Settings › Privacy & Data:
- Firebase Analytics (opt-in, OFF by default). Anonymous usage events: which screens you visited, whether a breathing exercise completed, whether a check-in went up after an exercise (bucketed: low/mid/high, never the raw number). String parameters longer than 32 characters are dropped at the source so content can't leak. The IDFA is never collected or linked, so iOS does not show an App Tracking Transparency prompt. We declare
NSPrivacyTracking = falsein our app'sPrivacyInfo.xcprivacy. - Firebase Crashlytics (opt-out, ON in release). Crash stack traces, an anonymous session id, device model, OS version, and locale. We strip your own error messages to a short non-PII code before recording, so the underlying text never appears in a crash report.
- Firebase Performance Monitoring (opt-out, ON in release). App-start time and a few render traces (e.g. "how long did the conversation reply take"). No user content. No network payload bodies.
Google acts as our data processor for these services and processes the data under the Firebase Data Processing & Security Terms. We do not sell or share this data with anyone, and it is never used for advertising.
App Check (abuse prevention)
Anchor uses Firebase App Check (Apple's App Attest on real devices) to keep automated tools from abusing the AI or memory backends. App Check produces short-lived, app-attestation tokens. It does not collect personal data and is never used for tracking or analytics.
Subscriptions (in-app purchases)
Anchor's Plus and Pro tiers are processed by Apple's App Store. We receive only the receipt and transaction information needed to entitle your device to the right tier; we never receive your payment card details or Apple ID password. Your Plus or Pro entitlement is observed on-device via StoreKit 2; we keep a private usage counter (messages remaining this month/day) locally. See the Terms for subscription details, billing cycles, trials, and Apple's renewal terms.
What we DO NOT do
- No tracking. Anchor declares
NSPrivacyTracking = false, uses no advertising identifiers (IDFA), and runs no tracking pixels. - No advertising SDKs. No Facebook, no Mixpanel, no AppsFlyer, no Adjust, no Branch, no third-party attribution.
- No selling or sharing of personal information for cross-context behavioral advertising, ever (this is your CCPA/CPRA right, and it is our default).
- No biometric or facial recognition.
- No background location, no microphone access except when you tap to listen.
Where data lives, and for how long
Our backend Firebase project (anchor-app-2026) hosts Firestore in the multi-region nam5 location (primarily the United States). Crashlytics and Analytics aggregates live in Google's global infrastructure under Firebase. The retention table below applies unless you delete sooner from in-app controls.
| What | Where | How long |
|---|---|---|
| Your distilled memory (people, themes, what helps) | Firestore (per anonymous uid) | Until you erase it, or 24 months after the last activity (we auto-purge inactive accounts) |
| Local cache of your memory + name + settings | Your device only | Until you delete the app or erase from Settings |
| Conversation messages sent to Gemini | Google (Firebase AI Logic / Vertex AI) | Per Google's terms, not retained for training; processed and discarded after the response |
| Anonymous analytics events (if you opted in) | Firebase Analytics | 14 months from the event (the platform default we use) |
| Crash reports (if not opted out) | Firebase Crashlytics | 90 days for the symbolicated trace |
| Performance traces (if not opted out) | Firebase Performance | 90 days for the trace; aggregates 60 days |
International transfers
Because Google's Firebase services are operated globally, your data may be processed outside your country of residence (typically the United States and the European Union). Where required, we rely on Google's Standard Contractual Clauses and the Firebase Data Processing & Security Terms.
Your rights
Depending on where you live, you may have rights to access, correct, port, delete, or restrict our processing of your personal data, and to object to certain processing. Most of these you can exercise directly in the app:
- Withdraw AI consent any time, turn off "AI replies via Google Gemini" in Settings.
- Erase your memory, "Forget everything Anchor remembers" wipes the device and cloud copies instantly.
- Delete your account & data from Settings › Account (when you signed in with Apple), removes both your auth identity and your memory.
- Opt out of analytics from Settings › Anonymous usage analytics (it is off by default anyway).
- Opt out of crash diagnostics from Settings › Crash diagnostics.
- Opt out of performance metrics from Settings › Performance metrics.
- Access or portability, ask in writing and we will provide a copy of the memory we hold for you.
- Do Not Sell or Share (CCPA/CPRA), we do not, and never will, sell or share personal information for cross-context behavioral advertising.
- Delete the app to remove everything stored locally.
- For any request not above (including under GDPR, CCPA/CPRA, or the DPDP Act), email shared@questly.life and we will respond within 30 days.
If you are in the EU/UK and you believe we have not addressed your concern, you may lodge a complaint with your local supervisory authority. EU residents may also contact our representative; please email us for details if needed.
Children
Anchor is not directed at children under 13, and we do not knowingly collect data from them. The app is rated 17+ on the App Store. If you are a parent or guardian and believe a child has used the app, contact us and we will delete the associated data.
Crisis & medical disclaimer
Anchor is a supportive companion, not therapy, medical advice, or a crisis service, and it is not a substitute for professional care. If you are in danger or crisis, use the in-app helpline card or contact your local emergency number. The card supports many regions (US 988, UK Samaritans 116 123 / SHOUT 85258, Ireland 116 123 / 50808, Australia Lifeline 13 11 14, NZ 1737, India iCall 9152987821 / 112, Canada 988, and others). Crisis support is always free, never gated by consent, subscription, or usage limits.
Our website (getanchor.fit)
Our marketing site at getanchor.fit is a static page hosted on Firebase Hosting. It uses no cookies, no analytics scripts, and no tracking pixels. The only third-party request the page makes is to Google Fonts for the display typeface; per Google's policies, font requests are logged on Google's servers as standard web traffic (browser, IP) but are not associated with a Google account and are not used for ad personalization.
Changes
If this policy changes, we will update the date above and, for meaningful changes, surface a notice in the app before the change takes effect.