gymrotter Privacy Policy

§1. Summary of key points

The short version. Every point links to the section with full detail.

Daps Dev ("we," "us," or "our") operates gymrotter. gymrotter is an iOS rest-timer for between gym sets. It runs a countdown ring, slams a fullscreen lockout at zero, and uses Apple's FamilyControls / ManagedSettings frameworks to shield the apps you've selected during the rest interval so you can't doom-scroll between sets. You can optionally sign in with Apple, set a username and display name, add other gymrotter users as training partners, and share a barbell certificate after a workout — but the core rest-timer works fully offline without any of that.
What personal information do we process? Account information you provide (where applicable), the username and display name you choose, the friend connections you create, and technical/diagnostic data about your device. We process only what's necessary to deliver the Services.
Do we use AI? No. gymrotter does not send your content to a third-party AI provider.
Do we process sensitive personal information? We try not to. gymrotter is not designed to collect special-category data (race, religion, health, sexual orientation, biometrics, precise geolocation, government IDs, financial-account numbers). If you submit such data inside content you upload, you do so at your own risk.
Do we collect information from third parties? Outside of the sub-processors and platform-provided data described in this Privacy Notice, no.
How do we share your information? Only with the sub-processors that operate the Services on our behalf (listed in Section 6 (Sub-processors)), service providers under contract, or where legally required. We do not sell your personal information and we do not share it for cross-context behavioural advertising.
What about international transfers? gymrotter is operated from the United States. Where we transfer EEA/UK/Swiss data to the U.S., we rely on Standard Contractual Clauses or equivalent transfer mechanisms.
What are your rights? Depending on where you live, you may have rights to access, correct, delete, port, or restrict our processing of your personal information, and to object or withdraw consent. See Section 13 (Your privacy rights) and Section 14 (U.S. state privacy rights).
How do you contact us? Email idelrio@ucsd.edu from the email associated with your gymrotter account (or, for guests, the device used).

§2. Information we collect

We collect only what we need to make the Services work.

Anonymous device session: When you first open gymrotter, we issue an anonymous authentication session so your device has a stable user identifier (a UUID) to attach local state to. The anonymous session is not linked to any real-world identity. If you later choose to sign in (for example with Sign in with Apple), we upgrade that anonymous row to a permanent identity rather than creating a duplicate account.
Account information: When you create an account we collect your email address and a unique account identifier. We do not request your real name or date of birth. If you sign in with Apple, you may choose to share your real email or use Apple's private relay; we receive whichever you choose. We also receive an Apple-issued user identifier so we can recognize your account on future sign-ins. We do not receive your Apple ID password or your real name unless you explicitly share it.
Public profile (username and display name): If you set a username, gymrotter stores it in lowercase so other gymrotter users can look you up case-insensitively. Your display name is the friendly form (e.g. "Ivan") shown next to your activity inside the app. Both fields are visible to other gymrotter users who can already see your account (for example, anyone you have added as a friend, or anyone searching by your exact username). We do not publish your username or display name to the open web.
Friend connections: When you add another gymrotter user as a friend, we store a row in our friends table linking your user ID to theirs. The graph is directed: adding someone does not automatically give them access to your account. Row-Level Security restricts each friend row to (a) the person who created it and (b) the person it points at — no other gymrotter user can see your connections. You can remove a friend at any time from inside the app, which deletes the row.
Device and usage information: We automatically collect technical information about your device (model, operating system, language, time zone, app version), a randomly generated installation identifier, an IP address (used at the moment of the request and not stored long-term), and basic usage events (which screens you visit, when you tap a feature). This helps us debug issues and understand which features are useful.
Diagnostics and crash reports: If gymrotter crashes or hits an error, we may collect a stack trace, the OS version, and the app state at the time of the crash so we can fix the bug. These reports do not include the contents of your photos or text inputs.
Information from people you invite: When you share a gymrotter link with another person, the recipient may interact with the Services without creating an account. We collect only what is necessary to provide the shared experience (a temporary identifier and the choices they make on the shared link). Recipients are not added to any marketing list.
Sensitive personal information: gymrotter is not designed to collect "special category" data under GDPR (Article 9) or "sensitive personal information" under the CPRA — including racial or ethnic origin, religious or philosophical beliefs, genetic or biometric data for unique identification, health data, sex life or sexual orientation, government IDs, precise geolocation (within 1,750 feet), or financial-account numbers. We will not knowingly process such data, and we ask that you not include it in your inputs.

Data we do not collect

For the avoidance of doubt, gymrotter does not collect the following categories of personal information. If a category is on this list it is not declared on our App Store privacy label, it does not appear in our database, and it is not transmitted to any sub-processor.

HealthKit or health data of any kind. gymrotter does not request HealthKit access and never reads heart rate, body weight, workouts, sleep, or any other health field.
Location. No GPS, no Core Location, no IP-based geolocation lookup. The only locale signal we collect is the device locale string (e.g. "en-US") used to choose the right copy.
Financial information. gymrotter is free — there are no payments, no in-app purchases, no subscriptions, and no payment cards or bank-account details collected.
Sensitive personal information (race, ethnicity, religion, sexual orientation, biometrics, government IDs, precise geolocation, or financial-account numbers).
Contacts. We never read your Address Book or phone contacts. The friend graph is built from exact-match usernames that you type in, not from your address book.
Photos, camera, microphone, audio, or video. The app never asks for any of these permissions and has no surface that records or uploads media.
Files or documents from your filesystem.
Search history or browsing history. gymrotter has no in-app browser and no search surface.
Advertising data. No IDFA, no ad networks, no third-party advertising SDKs. The App Tracking Transparency prompt is never requested.
Purchase history. There is nothing to purchase.
Game Center identifiers.
The names of the apps you choose to shield during rest. Apple's FamilyActivitySelection token, the shield state, and every DeviceActivity / ManagedSettings event stay on your device — see the Apple Screen Time section below.
Live Activity / Dynamic Island payloads. ActivityKit state is rendered by iOS on your device and is never transmitted to any server.

§3. How we use your information

We use the information described above to:

Provide, operate, and maintain gymrotter, including delivering the core feature you asked for (analyzing an image, generating a recommendation, splitting a bill, etc.).
Authenticate you, secure your session, and remember your preferences across devices.
Communicate with you about your account, your subscription, security alerts, and customer support requests.
Detect, investigate, and prevent fraudulent, abusive, or unsafe activity, and to enforce our Terms of Service.
Improve the Services — for example, by analyzing aggregate usage to decide which features to prioritize and to fix bugs.
Apply any account-level settings or saved preferences across your devices.
Let other gymrotter users look you up by your exact username so they can add you as a friend, and display your display name next to your in-app activity to the people authorised to see it.
Maintain the friend graph you create inside gymrotter so we can show you the activity of people you have added as friends and surface them in the friends feed. We never message the people you add and we never expose your friend list to anyone outside the relationship.
Comply with our legal obligations, including responding to lawful requests from public authorities.
With your express consent, for any other purpose disclosed at the time we ask for that consent.

§4. Legal bases for processing

If you are in the EEA, UK, Switzerland, Canada, Quebec, Australia, New Zealand, or Brazil, this section explains the legal grounds on which we process your personal information.

Where the GDPR or UK GDPR applies, we rely on the following legal bases under Article 6 GDPR:

Performance of a contract — to provide gymrotter once you have downloaded it and accepted our Terms of Service (Article 6(1)(b)).
Legitimate interests — to keep the Services secure, prevent abuse, debug issues, and improve features in ways you would reasonably expect (Article 6(1)(f)). We balance our interests against your rights and freedoms in each case.
Consent — for any processing where we ask for it (e.g. push notifications, optional analytics in jurisdictions that require opt-in). You can withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal (Article 6(1)(a)).
Legal obligation — to respond to lawful requests, retain financial records, and meet other regulatory duties (Article 6(1)(c)).
Vital interests — in the rare case we process information to protect someone's life or physical safety (Article 6(1)(d)).

Canada (PIPEDA / Quebec Law 25)

If you are in Canada, we process your personal information with your express or implied consent, except where we are permitted or required by law to do so without consent (for example, to investigate fraud, comply with a subpoena, or in an emergency affecting someone's safety). You may withdraw consent at any time by emailing idelrio@ucsd.edu; some withdrawals will mean we can no longer provide the Services to you.

If you are in Quebec under An Act respecting the protection of personal information in the private sector (Law 25), you have additional rights to know whether your information has been disclosed outside Quebec, to be informed about automated decisions made about you, and to data portability where required by law. Our person in charge of the protection of personal information is reachable at idelrio@ucsd.edu.

Australia, New Zealand, Brazil

If you are in Australia, we comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988. If you are in New Zealand, we comply with the Privacy Act 2020. If you are in Brazil, we process your personal data in accordance with the Lei Geral de Proteção de Dados (LGPD) on the bases of consent, contract performance, legitimate interest, regular exercise of rights, and our other legal bases under Article 7 LGPD. Brazilian residents have all rights granted by Article 18 LGPD.

§6. Sub-processors

The third-party services that operate behind gymrotter on our behalf.

We engage the following sub-processors. Each is bound by a written contract that limits the use of your personal information to the purposes described in this Privacy Policy and requires appropriate technical and organizational security measures.

Supabase, Inc. — backend, database, auth, storage: Hosts your account, content, and metadata in PostgreSQL with row-level security. Data centres in the United States. Privacy policy: https://supabase.com/privacy.
Apple Inc. — App Store distribution, Sign in with Apple: Distributes the iOS app and provides crash logs. When you choose Sign in with Apple, Apple shares with us either your real email or an Apple-issued private-relay address, plus a stable Apple user identifier so we can recognise your account on future sign-ins. Apple does not share your Apple ID password and does not share your real name unless you explicitly elect to. United States. Privacy policy: https://www.apple.com/legal/privacy/.
PostHog, Inc. — product analytics: Receives anonymous or pseudonymous usage events so we can understand how the Services are used in aggregate. We disable session replay and IP collection where the SDK supports it. United States / EU. Privacy policy: https://posthog.com/privacy.
Vercel, Inc. — web hosting for https://dapsdev.vercel.app: Hosts the public Daps website (the page you are reading). Receives standard web-server logs (request URL, IP, user-agent) for security and abuse prevention. United States. Privacy policy: https://vercel.com/legal/privacy-policy.
Email service providers: If we email you about your account, the email is delivered via a transactional email provider that processes your address solely to deliver our message and does not use it for any other purpose.

§7. Apple Screen Time (FamilyControls, DeviceActivity, ManagedSettings)

Explicit disclosure of how the Screen Time frameworks are used inside the app. App Review consistently asks about this.

gymrotter uses Apple's FamilyControls, DeviceActivity, and ManagedSettings frameworks (together, "Screen Time") to block other apps on your device for a defined window — for example, while a timer is running. You grant the FamilyControls authorization the first time you turn the feature on; you can revoke it at any time from iOS Settings > Screen Time.

Every Screen Time operation is performed on your device. gymrotter never receives, logs, or transmits (a) which apps you selected, (b) the FamilyActivitySelection token that represents that selection, (c) the shield state, (d) any DeviceActivity event, or (e) any ManagedSettings data. The selection is stored only on your device under a stable native identifier.

If you uninstall gymrotter, iOS automatically clears any active shields it set.

§8. Live Activities (Lock Screen and Dynamic Island)

On iOS 16.1+ devices, gymrotter can show a Live Activity on the Lock Screen and in the Dynamic Island via Apple's ActivityKit framework. The activity is rendered by iOS using on-device data; gymrotter does not transmit Live Activity content, snapshots, or push tokens to any server. The activity ends automatically when its underlying state ends or when you dismiss it.

§9. Cookies and tracking technologies

gymrotter is an iOS application and does not use HTTP cookies for in-app functionality. We use Apple-provided device identifiers (the IDFV — vendor identifier) and randomly generated installation identifiers to keep you signed in and to debug issues; these reset when you reinstall the app.

gymrotter does not include the App Tracking Transparency tracking domain pattern, does not use the IDFA (advertising identifier), and does not call `requestTrackingAuthorization`. We do not engage in cross-app or cross-website tracking, and our App Privacy Manifest declares no third-party "tracking" SDKs as defined by Apple.

Our website at https://dapsdev.vercel.app sets only the minimum cookies necessary to operate the site. We do not run ad networks, retargeting pixels, or third-party analytics that share data with advertising networks. If we ever introduce non-essential cookies, we will surface a consent banner to users in jurisdictions that require opt-in (EEA, UK, Switzerland, Brazil) before they are set.

§10. How long we keep information

We keep information only as long as necessary to deliver the Services, comply with law, or protect our rights — and never longer than the periods listed below.

Inputs you submit are retained only as long as needed to deliver a response.
Text inputs are retained only briefly to produce a response, then discarded.
Account information is retained for as long as your account is active. You can delete your account at any time from inside gymrotter (look for the "Delete account" control on the account screen). Deletion removes your user row and cascades to every row that references your user ID under Row-Level Security — your profile, your friend connections, your install record, and any other rows scoped to you. We delete or de-identify the data within 30 days, except where we are required to keep it for legal, accounting, or fraud-prevention purposes.
Your username and display name are retained for as long as your account is active. They are deleted alongside your account when you tap "Delete account."
Friend connection rows are retained for as long as both endpoints exist. Removing a friend from inside gymrotter deletes the row immediately; deleting either user's account cascades to every row that references that user's ID.
Records of customer support communications are retained for as long as needed to address your request and for a reasonable period afterward (up to 24 months).
Diagnostics, crash reports, and aggregate usage data are retained for up to 12 months for engineering and product purposes.
Records of any free-trial usage are retained for up to 24 months for fraud prevention.
Backup copies on encrypted, isolated storage may persist for up to 60 days after deletion before being permanently overwritten.

§11. Security and breach notification

We use commercially reasonable administrative, technical, and physical safeguards designed to protect your information, including encryption in transit (TLS 1.2+), encryption at rest, scoped database access controls (Row-Level Security and the principle of least privilege), audit logging, multi-factor authentication for our internal tools, and routine review of our infrastructure dependencies.

No method of transmission over the internet, however, is 100% secure, and we cannot guarantee absolute security. You use the Services at your own risk, and we encourage you to use a strong, unique password and to keep your device's operating system up to date.

If we become aware of a security incident affecting your personal information, we will notify you and any required regulator without undue delay and, where feasible, within the timeframes required by applicable law (e.g. 72 hours under GDPR/UK GDPR Article 33). Notification will describe the nature of the incident, the categories of data affected, and the steps we are taking in response.

§12. International data transfers

gymrotter is operated from California, USA. If you access the Services from outside the United States, your information may be transferred to, stored, and processed in the United States or in any other country where our service providers maintain facilities.

Where we transfer personal data of EEA, UK, or Swiss residents to a country that has not been recognised by the European Commission as providing an adequate level of protection, we rely on the European Commission's Standard Contractual Clauses (Module 2 or 3 as applicable), the UK Addendum to the SCCs, and/or the Swiss FDPIC's standard contractual clauses, supplemented by additional technical and organizational measures (encryption, access controls, transparency reporting). A copy of the relevant clauses is available on request to idelrio@ucsd.edu.

For users in Brazil, we transfer personal data outside Brazil only on a basis permitted by Article 33 LGPD.

§13. Your privacy rights

Depending on where you live, you may have rights under privacy laws such as the EU GDPR, UK GDPR, Swiss FADP, Canadian PIPEDA, Quebec Law 25, the Australian Privacy Principles, the New Zealand Privacy Act 2020, and Brazil's LGPD. These rights may include:

The right to access the personal information we hold about you, and to receive a copy.
The right to correct inaccurate or incomplete personal information.
The right to delete your personal information, subject to certain exceptions.
The right to object to or restrict certain processing, including processing based on legitimate interests.
The right to data portability — to receive your information in a structured, commonly used, machine-readable format and to transmit it to another controller.
The right to withdraw consent where we rely on consent as our legal basis (this does not affect the lawfulness of prior processing).
The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (see Section 16 (Automated decision-making and profiling)).
The right to lodge a complaint with a supervisory authority — for example, your EEA Member State data protection authority, the UK Information Commissioner's Office (ICO), the Swiss Federal Data Protection and Information Commissioner (FDPIC), the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, the Office of the Australian Information Commissioner (OAIC), the Office of the Privacy Commissioner of New Zealand, or Brazil's ANPD.

How to exercise your rights

The fastest way to delete your data is to tap "Delete account" inside gymrotter (on the account screen). That removes your user row from our authentication provider and cascades to every row that references your user ID under Row-Level Security, so we no longer have anything to attribute to you. For all other rights — access, correction, portability, restriction, objection, or withdrawal of consent — email idelrio@ucsd.edu from the email address associated with your account. We may need to verify your identity before responding, typically by confirming control of that email or by asking you to confirm a one-time code sent to it.

We will respond within the time required by applicable law (typically 30 days, extendable by another 60 days for complex requests with notice to you), and we will not discriminate against you for exercising your rights. If we decline a request in whole or part, we will explain why and tell you how to appeal.

Authorized agents

Where applicable law allows, you may use an authorized agent to make a privacy request on your behalf. We may ask the agent for written, signed permission from you and may verify your identity directly. We will reject agent requests that are not properly authorized.

§14. U.S. state privacy rights

If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you have specific rights under your state's privacy laws.

The table below describes the categories of personal information that gymrotter has collected over the preceding 12 months under the California Consumer Privacy Act (as amended by the CPRA). The categories track the CCPA's enumerated list. Your state's law may use slightly different category labels, but the substance is the same.

A. Identifiers: Email address (if you have an account), randomly generated user identifier, lowercase username, device identifier (IDFV), IP address used at the moment of a request. Collected: Yes.
B. Customer records (Cal. Civ. Code §1798.80(e)): Name, contact information, financial details. Collected: A self-set display name (the friendly form of your username, e.g. "Ivan") shown next to your in-app activity. We do not collect a legal name, postal address, phone number, or financial-account information.
C. Protected classifications: Age, race, religion, sexual orientation, etc. Collected: No.
D. Commercial information: Subscription tier, purchase history. Collected: No.
E. Biometric information: Fingerprints, voiceprints, faceprints. Collected: No.
F. Internet or network activity: App screens visited, features used, error events. Collected: Yes (in-app only; we do not track you across other apps or websites).
G. Geolocation data: Approximate location derived from IP for security; precise geolocation. Collected: Approximate IP-based only. Precise (GPS) geolocation: No.
H. Audio, electronic, sensory information: Audio recordings, photos and videos. Collected: No.
I. Professional / employment information: Employer, job title, work history. Collected: No.
J. Education information: Student records, grades, transcripts. Collected: No.
K. Inferences: Profiles drawn from the data above to predict your preferences. Collected: We use aggregated, de-identified usage information to improve features; we do not build behavioural profiles about identifiable users.
L. Sensitive personal information: Government IDs, account log-in credentials, precise geolocation, racial/ethnic origin, religious beliefs, mail/email/text contents, genetic/biometric data, health, sex life or sexual orientation. Collected: No. gymrotter does not collect or use sensitive personal information for purposes other than those permitted by Cal. Civ. Code §1798.121(a) (delivering the Service requested).

Sources of personal information

Directly from you, when you create an account, submit content, or contact us.
Automatically from your device, as described in Section 2 (Information we collect).
From other gymrotter users who add you as a friend — the existence of such a connection is visible to both endpoints under Row-Level Security.
From our sub-processors (e.g. subscription state from Apple/RevenueCat) and from people who share a gymrotter link with you.

Sale, sharing, and targeted advertising

We do NOT sell or share your personal information for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, or any similar state law. We do not engage in profiling that produces legal or similarly significant effects about you. We have not sold or shared personal information in the preceding 12 months and have no current plans to do so.

Your rights as a U.S. state resident

Right to know whether we are processing your personal data.
Right to access your personal data and obtain a copy in a portable format.
Right to correct inaccuracies in your personal data.
Right to delete personal data about you, subject to permitted exceptions.
Right to opt out of the sale, sharing, or processing for targeted advertising of personal data (we do not engage in any of these — see above).
Right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (we do not engage in such profiling).
Right to limit use and disclosure of sensitive personal information, where collected (we do not collect SPI for purposes outside §1798.121(a)).
Right to non-discrimination for exercising any of these rights.
Right to obtain the categories of third parties to whom we have disclosed personal data (Connecticut, Delaware, Maryland, Minnesota, Oregon).
Right to question and, where allowed, correct profiling decisions (Connecticut, Minnesota).
Where required by Florida law, right to opt out of the collection of sensitive data and personal data collected through voice/facial-recognition features.

How to exercise U.S. state rights

Email idelrio@ucsd.edu with the subject line "Privacy Request – [your state]" from the email associated with your gymrotter account, or use the in-app account-deletion option. We will verify your identity by confirming control of that email or by sending you a one-time code, and we will respond within the timeframes required by your state's law (typically 45 days, extendable by another 45 days with notice).

Authorized-agent requests must include written, signed permission from the consumer; we may verify directly with you in any case.

Right to appeal

If we decline to take action on your request, you may appeal that decision by replying to our response email or sending a new email to idelrio@ucsd.edu with the subject "Privacy Appeal". We will respond to the appeal within the time required by your state's law (typically 60 days). If your appeal is denied, you may file a complaint with your state attorney general — the Texas, Virginia, and Colorado attorneys general publish complaint pages, and the California Privacy Protection Agency accepts complaints at https://cppa.ca.gov.

California Shine the Light

California Civil Code §1798.83 entitles California residents who have an established business relationship with us to request, once per calendar year and free of charge, information about the personal information (if any) we have shared with third parties for those parties' direct marketing purposes. We do not share personal information for third-party direct marketing.

Notice of Financial Incentive

gymrotter does not offer a financial incentive (such as a price or service difference) in exchange for the collection, retention, sale, or sharing of personal information. If we ever introduce one, we will provide a separate Notice of Financial Incentive that complies with Cal. Civ. Code §1798.125.

§15. Children's privacy

gymrotter is not directed to children under 13 (or under 16 in the European Economic Area, the United Kingdom, Switzerland, Brazil, and any other jurisdiction where that is the applicable digital-consent age), and we do not knowingly collect personal information from children below those ages. The App Store age rating for gymrotter is set accordingly.

If you believe a child has provided us with personal information, please contact us at idelrio@ucsd.edu. We will delete the information, terminate the associated account, and take reasonable steps to prevent further collection. Parents and guardians who would like to review or delete a child's information may also contact us at the same address.

Consistent with the U.S. Children's Online Privacy Protection Act (COPPA), the EU GDPR (Article 8), the UK Age Appropriate Design Code, and the California Age-Appropriate Design Code, we have considered the categories of data we collect, the way we present choices, and the absence of behavioural-advertising and targeting features in light of the possibility that some users may be under the relevant age threshold despite our age-gating.

§16. Automated decision-making and profiling

gymrotter does not produce decisions about you using automated processing.

Where AI features are involved, you can request a copy of the inputs and outputs we have stored about you, ask us to correct an output you believe is wrong, or stop using AI features entirely without losing access to the rest of the Services. To do any of these, contact idelrio@ucsd.edu.

If you are in the EEA, UK, or Quebec, you have the right under Article 22 GDPR (and the equivalent provisions of UK GDPR and Quebec Law 25) not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. We do not engage in any such processing today, and we will give you advance notice and a meaningful opt-out before we ever do.

§17. Do-Not-Track and Global Privacy Control signals

Some browsers transmit a "Do-Not-Track" (DNT) header. Because there is currently no industry-wide consensus on how to interpret DNT, our website does not currently respond to DNT signals.

Where required by law (including the California Privacy Rights Act regulations), we treat the Global Privacy Control (GPC) signal sent by your browser as a valid request to opt out of "sale" or "sharing" of personal information for cross-context behavioural advertising. Because we do not engage in either practice, we have nothing to opt you out of — but we will continue to honour the signal in our future operations.

§18. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Effective date" at the top of this page. For material changes — for example, a new category of personal information, a new sub-processor that handles your content, or a change in legal basis — we will provide notice through the app or by email at least 14 days before the change takes effect, and where required by law we will obtain your consent before applying the change to data already collected.

We encourage you to review this page periodically. Continued use of the Services after the effective date of an update constitutes acceptance of the updated Privacy Policy.

§19. Contact us

Daps Dev is the data controller for personal information described in this Privacy Policy. If you have questions about this Privacy Policy or want to exercise any of your privacy rights, contact us at idelrio@ucsd.edu.

We have not appointed a separate Data Protection Officer; questions formally directed to a DPO will be handled by the same address. EEA and UK residents may also write to the supervisory authority in their country of habitual residence — a list is available on the European Data Protection Board's site (https://edpb.europa.eu) and on the UK ICO's site (https://ico.org.uk).