Privacy Policy

Effective date: 18 April 2026 Last updated: 18 April 2026

This Privacy Policy explains how Unfold ("Unfold", "we", "us", or "our") collects, uses, shares, and protects your personal data when you use our mobile application and related services (together, the "Service").

We've written this policy in plain language. We've tried to be specific about what we collect, why, and who we share it with — because you're trusting us with information about what you're avoiding, and that trust matters more to us than any marketing message.

1. Who we are (Data Controller)

The person responsible for your personal data is: Ruslan Rustemov, sole proprietor, A. Hlinku 63/109, 921 01 Piešťany, Slovakia IČO: 54844274
Email: support@unfoldfocus.com Website: unfoldfocus.com
For all questions about this policy, your data, or to exercise any of your privacy rights, contact us at the email above. We respond to privacy requests within 30 days.

2. Summary — the short version

We collect only what’s needed to run the app. Task text you type, the time and energy state you select, the sessions you complete, and — if you sign in — your email address.
Your task text is sent to OpenAI to generate your action plan. OpenAI processes it, does not use it to train their models, and discards it shortly after. We explain this in detail in Section 5.
We do not sell your data. Ever. To anyone.
We do not use your data for advertising. There are no ads in Unfold.
You can use Unfold anonymously without creating an account. If you do create one, it’s to sync your sessions across devices.
You can delete your account and all your data at any time from within the app (Settings → Delete account) or by emailing us.
We are based in the EU and comply with the GDPR. If you are in the EU, UK, California, or elsewhere, you have specific rights, explained in Section 11.

3. What data we collect

3.1 Data you provide directly

When you use Unfold, you directly provide us with the following information:

Task text — what you want to work on. Collected every time you start a session. Required to generate your action plan.
Time selection — 10, 15, or 25 minutes. Collected at intake. Shapes session length.
Energy state — Low energy, Pressured by deadline, Distracted, or Procrastinating. Collected at intake. Shapes how the AI breaks down steps.
Session outcome selection — only when the original task is too vague or too broad and we ask a coaching question. Scopes the plan to your goal.
Rescue selections — your choices in the „I’m stuck“ helper during active sessions. Used to adjust step difficulty in real time.
Email address — only collected if you create an account. Used for account identification and sync.
Feedback text — only collected if you use Send Feedback in Settings. Helps us improve the app.

3.2 Data collected automatically

As you use Unfold, some information is generated or collected automatically:

Session history — task name, duration, steps completed, and completion status. Generated as you use the app, shown to you in History, and synced across devices if you are signed in.
App version, device type, and OS version — collected from device metadata. Used for troubleshooting and compatibility.
Crash logs and diagnostic data — collected through Firebase Crashlytics. Used for fixing bugs.
Aggregated usage events — such as „session started“ or „paywall shown“. Collected through Firebase Analytics. Used to understand how features perform. These events are never tied to your task text.
Subscription status — provided by Apple App Store or Google Play. Used to enforce the 3-sessions-per-week free limit and to unlock premium access.

3.3 Data we do NOT collect

We want to be explicit about what we don’t touch, because a lot of apps in this space do:

We do not access your contacts, calendar, photos, microphone, or camera.
We do not track your location.
We do not use advertising identifiers (IDFA / GAID) for advertising.
We do not collect your real name, unless you choose to include it in the task text or send it via feedback.
We do not read data from other apps on your device.
We do not build behavioural profiles for advertising.
We do not sell or rent your data to any third party.

3.4 Data collected before you sign in

If you use Unfold without creating an account, we still store your sessions — but only on your device. Your task text is still sent to OpenAI for plan generation (see Section 5), but your session history stays local. If you later sign up, your local history is migrated to your account.

4. Why we process your data (Legal basis under GDPR)

Under the GDPR, we need a legal basis for every type of processing we do. Here is ours:

Generating your action plan from your task text — based on contract performance. We cannot provide the Service without this.
Storing your session history on your device — based on contract performance.
Syncing your sessions across devices for signed-in users — based on contract performance.
Account creation and authentication — based on contract performance.
Processing subscription payments — based on contract performance and on legal obligation (tax records).
Enforcing the 3 free sessions per week limit — based on our legitimate interest in sustaining the service.
Crash reports and diagnostic data — based on our legitimate interest in keeping the app stable.
Aggregated analytics on feature usage — based on our legitimate interest in improving the product.
Sending a reminder notification — based on your consent, which you can withdraw at any time in Settings.
Responding to your support and feedback messages — based on our legitimate interest.
Complying with legal requests — based on legal obligation.

You have the right to object to processing based on legitimate interest. See Section 11.

5. How your task text is processed by OpenAI

This is the section most users care about, so we are giving it a dedicated explanation.

What happens to your task text

When you type what you want to work on — for example, „prepare for job interview“, „write difficult email“, or „clean the room“ — that text is sent to OpenAI over a secure connection. OpenAI’s models process your text and return a structured action plan (session goal, micro-steps, success condition). We then display that plan to you.

What OpenAI does with it

We use OpenAI through their API, not the ChatGPT consumer product. Under OpenAI’s API terms:

Your task text is not used to train OpenAI’s models.
OpenAI may temporarily retain your text for up to 30 days for the sole purpose of abuse monitoring, then deletes it.
OpenAI employees do not read your text, except in the case of a suspected Terms of Service violation.

You can read OpenAI’s full enterprise privacy commitments at openai.com/enterprise-privacy.

What we do with it

We send OpenAI only what is needed to generate the plan — your task text, the time you selected, and your energy state. We do not send your email address, name, account ID, or any directly identifying information alongside the task text. From OpenAI’s perspective, the request is effectively anonymous.

We store the generated plan (the steps, not the raw request) in your session history so you can see what you worked on. If you signed in, this history is stored on our backend (Supabase, see Section 6). If you’re anonymous, it stays on your device.

A note of honesty

Please do not enter information in the task field that you would not be comfortable sending to a US-based AI provider. The app is designed for work tasks and everyday avoidance — not for highly sensitive personal information. If your task involves sensitive data (medical details, financial account numbers, other people’s private information), we recommend describing the task in general terms rather than including the specifics.

6. Where your data is stored

Different types of data are stored in different places:

Task text in transit, during plan generation — sent to OpenAI in the USA; discarded after no more than 30 days.
Account data (email, authentication tokens) — stored at Supabase, in the EU region (Frankfurt, Germany), hosted on AWS.
Session history for signed-in users — stored at Supabase, in the EU region (Frankfurt, Germany).
Session history for anonymous users — stored on your device only.
Crash and diagnostic logs — stored at Firebase (Google LLC), in the EU and USA.
Subscription and payment data — handled by Apple App Store (Apple Inc.) and Google Play (Google LLC). We never see your payment card details.

We chose the EU region for our backend specifically to keep personal data inside the European Economic Area wherever possible.

International data transfers

Some of our service providers — OpenAI, Firebase, Apple, Google — are based in the United States. When your data is transferred outside the EEA, we rely on the following legal safeguards under GDPR Chapter V:

Standard Contractual Clauses (SCCs) approved by the European Commission, or
EU–U.S. Data Privacy Framework certifications where applicable. Google and Apple are certified under the Framework; OpenAI operates under SCCs.

You can request a copy of the relevant safeguards by emailing us.

7. Who we share your data with

We share data only with the specific processors listed below, each for a specific purpose. We do not share your data with any third party for their own marketing, advertising, or analytics purposes.

OpenAI, L.L.C. (USA) receives your task text, the time you selected, and your energy state, for the purpose of generating your action plan. Their privacy policy is at openai.com/policies/privacy-policy.
Supabase Inc. (USA, with EU hosting) receives your account data and session history, but only if you are signed in. Used for backend storage and sync. Their privacy policy is at supabase.com/privacy.
Google LLC — Firebase (USA and EU) receives crash logs, aggregated events, and device metadata, for stability and product analytics. Their privacy policy is at firebase.google.com/support/privacy.
Apple Inc. receives your subscription status and Sign in with Apple tokens, for payments and authentication. Their privacy policy is at apple.com/legal/privacy.
Google LLC — Play Store receives your subscription status and Sign in with Google tokens, for payments and authentication. Their privacy policy is at policies.google.com/privacy.

Legal disclosures

We may disclose your data if we are required to do so by Slovak law, EU law, or a valid court order. If that happens and we are not legally prohibited from notifying you, we will.

Business transfers

If Unfold is ever sold, merged, or transferred to another entity, your data may be transferred as part of that transaction. We will notify you by email (if you have an account) or in-app before any such transfer, and the new entity will be bound by this Privacy Policy or a policy at least as protective.

8. How long we keep your data

We keep your data only as long as needed for the purposes described in this policy:

Task text at OpenAI — up to 30 days, then deleted by OpenAI.
Session history for anonymous users — until you uninstall the app or clear app data.
Session history for signed-in users — until you delete your account.
Account data (email, auth tokens) — until you delete your account.
Crash logs — up to 90 days.
Aggregated analytics — up to 14 months (Firebase default).
Support emails — up to 3 years after the last exchange.
Subscription and payment records — up to 10 years (Slovak tax law obligation).
Deleted account data — purged from active systems within 30 days; may persist in encrypted backups for up to 90 days before full deletion.

9. How we keep your data secure

We take security seriously. Our technical and organisational measures include:

Encryption in transit — all data is transmitted over HTTPS and TLS.
Encryption at rest — Supabase databases and backups are encrypted.
Authentication — passwords are never stored in plain text; we use Sign in with Apple, Google, or email magic-links.
Access control — only Ruslan Rustemov has administrative access to production systems. No employees, contractors, or third parties have access to your personal data.
Data minimisation — we collect only what we need, so there is less that could ever be exposed.

No system is 100% secure. If a data breach affects your personal data and presents a risk to your rights, we will notify you and the Slovak Data Protection Authority (Úrad na ochranu osobných údajov SR) within 72 hours, as required by GDPR Article 33.

10. Children

Unfold is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16.

If you are a parent or guardian and believe your child under 16 has provided us with personal data, please contact us at support@unfoldfocus.com and we will delete it immediately.

In jurisdictions where the minimum age for data processing consent is higher than 16 (for example, some US states under COPPA apply a limit of 13), the higher local minimum applies.

11. Your privacy rights

Depending on where you live, you have specific rights over your personal data. You can exercise any of these by emailing us at support@unfoldfocus.com. We will respond within 30 days and will not charge you for exercising your rights (unless requests are manifestly unfounded or excessive).

11.1 Rights under GDPR (EU, EEA, UK residents)

Right of access — get a copy of the personal data we hold about you.
Right to rectification — correct inaccurate or incomplete data.
Right to erasure („right to be forgotten“) — delete your data. You can also do this yourself via Settings → Delete account.
Right to restrict processing — pause our processing while a dispute is resolved.
Right to data portability — receive your data in a machine-readable format (JSON).
Right to object — object to processing based on legitimate interest, including analytics.
Right to withdraw consent — where processing is based on consent (for example, notifications), withdraw it any time.
Right to lodge a complaint with a supervisory authority. For Slovakia: Úrad na ochranu osobných údajov SR (dataprotection.gov.sk). You can also complain to the authority in your EU country of residence.

11.2 Rights under CCPA / CPRA (California residents)

If you are a California resident, you have the right to:

Know what personal information we collect, use, and disclose.
Delete your personal information.
Correct inaccurate personal information.
Opt out of the „sale“ or „sharing“ of personal information. We do not sell or share your personal information as those terms are defined under the CCPA.
Limit the use of sensitive personal information.
Be free from discrimination for exercising your rights.

11.3 Rights under other US state laws

Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other US states with comprehensive privacy laws have rights similar to those above. Contact us to exercise them.

12. Cookies and similar technologies

The Unfold mobile app does not use cookies.

Our website (unfoldfocus.com) uses only essential cookies needed for the site to function. We do not use marketing, tracking, or advertising cookies on our website. If this changes, we will update this policy and, where required, ask for your consent.

13. Do Not Track and Global Privacy Control

We do not track you across other websites or apps, so there is nothing to opt out of. We honour Global Privacy Control (GPC) signals where applicable.

14. Changes to this policy

We may update this Privacy Policy from time to time — for example, if we add a new feature, change a service provider, or adjust to new legal requirements.

When we make material changes, we will:

Update the „Last updated“ date at the top of this policy.
Notify you by email (if you have an account) at least 14 days before the change takes effect.
Show an in-app notice on your next session start.

Continuing to use Unfold after the effective date of an update means you accept the updated policy. If you don’t agree with a change, you can delete your account and stop using the Service.

15. Contact us

Any question, concern, or privacy request — please get in touch. We read every message personally.

Email: support@unfoldfocus.com

Terms and Conditions