Privacy Policy
SafePhrase helps families and trusted circles confirm each other’s identity using a rotating phrase, to help stop impersonation scams. We built it to protect people, and that includes protecting your data. This policy explains what we collect, why, and the choices you have.
1. Who we are
SafePhrase (“SafePhrase”, “we”, “us”) is operated by Luke Green, a sole trader based in the United Kingdom, trading as SafePhrase. For the purposes of UK data protection law (the UK GDPR and the Data Protection Act 2018), Luke Green is the data controller for personal data processed through the app.
Contact for privacy matters: privacy@safephrase.me.
2. What we collect and why
| Data | Why we process it | Lawful basis (UK GDPR) |
|---|---|---|
| Account details — your email address and name from Apple or Google sign-in, your chosen display name, and an optional profile image. | To create and secure your account and let other people in your circles recognise you. | Performance of our contract with you. |
| Circle data — the circles you create or join, your role (admin or member), your verification status, and an activity log of events within your circles. | To provide the core verification service and show your circles their current status. | Performance of our contract; our legitimate interest in operating a secure service. |
| Your circle seed — a random secret generated on your device when a circle is created. It is stored in your device’s secure storage and, encrypted at rest, on our backend so your devices can compute phrases. | To let each member’s device calculate the same rotating phrase, including offline. | Performance of our contract. |
| Notification token — a push token issued by Apple/Expo. | To send reminders and circle alerts you’ve asked for. | Consent (you can disable notifications at any time). |
| Subscription status — whether you have an active Plus or Pro subscription. | To unlock paid features. Payment is taken by Apple; we never see your card details. | Performance of our contract. |
| Technical and diagnostic data — basic device and app information and error logs. | To keep the app working and secure, and to fix problems. | Our legitimate interest in maintaining a reliable, secure service. |
3. We do not sell or share your data
We do not sell your personal data. We do not share it with third parties for their own advertising or marketing. We do not build advertising profiles about you.
We share data only with the service providers that operate parts of the app on our behalf (“processors”), and only so they can perform that function under contract:
| Provider | Purpose |
|---|---|
| Supabase | Database, authentication and backend hosting. |
| Apple | Sign in with Apple, push notifications, and subscription billing. |
| Google | Google sign-in (if you choose it). |
| RevenueCat | Managing subscription entitlements. |
| Expo | Delivering push notifications. |
We may also disclose data if required by law, to protect the safety of our users, or in connection with a sale or transfer of the business (in which case this policy will continue to apply, or you will be told of any change).
4. Aggregated and de-identified use (“circle composition”)
To understand how SafePhrase is used, to improve it, and to develop related or ancillary features in future, we may analyse information about how circles are structured — for example, typical circle sizes, membership patterns and verification rates. We do this using de-identified, aggregated information that does not identify you, your contacts, or the contents of your circles.
If we ever wanted to use circle-composition information in a way that could identify a specific person, or to offer you an optional related service based on it, we would tell you first and obtain your consent where the law requires it. We will never sell this information.
5. Where your data is held
Our providers may process data outside the UK, including in the United States. Where data leaves the UK, we rely on appropriate safeguards (such as the UK International Data Transfer Agreement / Addendum or equivalent contractual protections) to keep it protected to UK standards.
6. How long we keep it
We keep your personal data for as long as your account is active. If you delete your account, we delete or anonymise your personal data within a reasonable period, except where we must retain limited information to comply with the law or resolve disputes. When you leave or are removed from a circle, the seed for that circle is removed from your device.
7. Your rights
Under UK data protection law you have the right to access your data; to have it corrected or erased; to restrict or object to certain processing; to data portability; and to withdraw consent at any time (without affecting earlier processing). To exercise any of these, email privacy@safephrase.me.
You also have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk, though we’d appreciate the chance to help first.
8. Children
SafePhrase is a family-safety tool that may be used by younger family members within a circle. We do not knowingly create accounts for children under 13. If a child under 13 is to use the app, their account should be set up and managed by a parent or guardian. If you believe a child has provided us personal data without appropriate consent, contact us and we will remove it.
9. Security
We use industry-standard measures to protect your data, including encryption in transit, storage of secrets in your device’s secure storage, and access controls on our backend. No system is perfectly secure, but we take protecting your data seriously.
10. Changes to this policy
We may update this policy from time to time. If we make material changes we will update the date above and, where appropriate, notify you in the app.