Effective Date: February 27, 2026
Last Updated: February 27, 2026
1. INTRODUCTION
This Privacy Policy explains how POCKET IMPLEMENTATION S.R.L., a Romanian limited liability company ("Company," "we," "us," "our"), acting as the Data Controller, collects, uses, stores, shares, and protects your information when you use the Teafinity mobile application, including its iOS widget and watchOS companion app (collectively, the "App").
We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable privacy regulations.
The App does not require account creation. Most data remains stored locally on your device.
For questions or concerns, contact us at: contact@pocketimplementation.com
2. INFORMATION WE COLLECT
2.1 Data Stored Locally on Your Device (Not Transmitted to Us)
The following data is stored ONLY on your device and is NOT transmitted to our servers:
Your tea preferences and profile (tea experience level, caffeine preference, flavor preferences, time preference, health goals)
Favorite teas collection (tea IDs, names, and timestamps)
Brewing history and timer data (tea names, brew times, completion timestamps)
App settings and preferences (theme mode, sort preferences)
Recently viewed tea information
Onboarding completion status
This data is stored in your device's local storage (SharedPreferences on Android, NSUserDefaults on iOS). Deleting the App removes this data. On iOS, some data may persist in the device keychain across app reinstallation.
2.2 Attribution and Advertising Data
We use the Kochava SDK (a third-party attribution analytics platform) to understand how users discover and install the App. The following data may be collected:
On iOS:
Identifier for Advertisers (IDFA) — collected ONLY if you grant permission via Apple's App Tracking Transparency (ATT) prompt. If you deny permission, IDFA is not collected.
Identifier for Vendors (IDFV) — a device identifier scoped to our apps. No permission required.
Kochava install identifier — a unique identifier for attribution purposes.
SKAdNetwork (SKAN) conversion events — Subscribe, StartTrial, and RegistrationComplete events are processed on-device using Apple's privacy-preserving attribution framework. Only aggregated, anonymized conversion data is shared with participating ad networks. No personal data leaves your device via SKAN.
Campaign and network attribution data — the advertising network and campaign that referred you to the App, retrieved from Kochava servers.
On Android:
Google Advertising ID (ADID/GAID) — collected via the AD_ID permission on Android 13+. You can reset or opt out in your device settings.
Kochava device identifier — a unique identifier for attribution purposes.
Campaign and network attribution data — same as iOS.
Attribution data (including Kochava device ID, media source, and campaign name) is forwarded to RevenueCat (our subscription management platform) as subscriber attributes to enable revenue attribution to marketing channels.
The App registers 18 SKAdNetwork participant identifiers (including Google, Meta, TikTok, Snap, AppLovin, Unity, ironSource, Chartboost, Vungle, Moloco, Liftoff, Mintegral, AdColony, and Yahoo) to support privacy-preserving attribution from advertising networks.
2.3 Analytics and Crash Reporting Data
Firebase Analytics: We collect usage data through Google Firebase Analytics to understand how the App is used and to improve its features and performance. This includes:
Screen views and navigation events (which screens you visit and transitions between them)
Tea interaction events (which teas you view, brew, favorite, or unfavorite, including tea identifiers, names, and types)
Brewing events (tea name, target brew time, actual brew time, timer completion status)
Search and filter events (search queries, result counts, category selections, filter types and values)
Subscription events (paywall views, subscription starts and cancellations, plan types)
First-time engagement milestones (first tea favorited, first brew completed, first tea recognized)
Feature discovery events
Firebase Analytics also sets the following user properties: your self-reported attribution source (see Section 2.8).
Firebase Crashlytics: We collect crash and error reporting data to identify and fix bugs, including:
Exception logs with technical stack traces
Custom diagnostic key-value pairs for debugging
An anonymous user identifier for correlating crash reports
Device information (device model, OS version)
Log messages recorded before a crash
While individual analytics events do not include your name or email, the combination of device identifiers, event timestamps, and behavioral patterns may constitute personal data under GDPR and other privacy laws.
2.4 Subscription and Payment Data
We use RevenueCat, a third-party subscription management and revenue analytics platform, to manage in-app subscriptions. RevenueCat is NOT merely a payment processor — it processes and stores subscription-related data for analytics and entitlement management.
Data sent to RevenueCat includes:
An anonymous user ID (automatically generated, not linked to your name or email)
Device identifiers collected via platform APIs (IDFV on iOS, ADID on Android if available)
IP address flag (enables RevenueCat to collect your IP address server-side for geo-location)
Device version flag (enables RevenueCat to collect device model server-side)
Media source (the advertising network or self-reported channel that referred you)
Campaign name (the advertising campaign that referred you)
Subscription status, plan type, expiration dates, and entitlement information
Actual payment transactions (credit card processing, billing) are handled exclusively by Apple App Store or Google Play Store. We do not directly process, store, or have access to your payment card details.
2.5 Tea Recognition Data
When you use the tea recognition feature (Premium):
The image you capture or select is transmitted to our servers over an encrypted connection
Images are processed by third-party AI providers (including OpenAI) to identify tea types
Images and analysis results are retained in server logs for up to 48 hours for processing and quality improvement
Images may be reviewed by our team to improve recognition accuracy
After 48 hours, all image data is automatically deleted from our servers
2.6 Tea Request Data
When you request a tea to be added to our database:
The tea name and brand you provide are collected
The tea image you provide is uploaded to our servers
Any additional notes or information URL you provide are collected
This information is reviewed by our team for addition to the database
Request data is retained until the tea is added or the request is declined (typically 7-14 days)
2.7 Server Communication Data
When the App communicates with our servers, the following data is transmitted automatically:
Your IP address (collected automatically by server infrastructure)
A User-Agent header containing: app name, app version, operating system name and version, device manufacturer, and device model
Request timestamps
An API authentication key
Your device's timezone identifier (used for seasonal event detection)
Server logs containing this data are retained for 48 hours, then automatically deleted.
2.8 Self-Reported Attribution Data
During onboarding, you are asked "Where did you hear about us?" and may select from options including social media platforms, app stores, friends/family, TV, or other. This self-reported attribution source is:
Sent to RevenueCat as a subscriber attribute (media source) to enable revenue attribution
Recorded as a Firebase Analytics user property for acquisition channel analysis
Tracked via Firebase Analytics events (source selected, source changed)
This data is collected to help us understand which channels are most effective in reaching new users.
2.9 Widget and watchOS Data Sharing
On iOS, the main app shares limited data with the home screen widget and watchOS companion app via a shared App Group container (group.com.pocketimplementation.tea). This shared data includes timer state and tea information for display purposes. This data remains entirely on your device and connected Apple devices and is not transmitted to our servers.
3. LEGAL BASIS FOR PROCESSING (GDPR Article 6)
For users in the European Economic Area (EEA) and other jurisdictions that require a legal basis for processing personal data, we rely on the following:
Consent (Article 6(1)(a)):
Collection of IDFA via App Tracking Transparency (you can deny or revoke at any time)
Push notification delivery (you can disable at any time in device settings)
Processing of images for tea recognition (you choose to use this feature)
Self-reported attribution data (you voluntarily provide this during onboarding)
Contractual Necessity (Article 6(1)(b)):
Subscription management and payment processing via RevenueCat and Apple/Google
Delivery of Premium features you have purchased (tea recognition, full tea library)
Verification of subscription entitlements
Legitimate Interest (Article 6(1)(f)):
Analytics for app improvement, feature development, and bug fixing (Firebase Analytics)
Crash reporting for app stability and reliability (Firebase Crashlytics)
Server logs for security, abuse prevention, and operational monitoring
Attribution tracking for understanding user acquisition channels and measuring marketing effectiveness (Kochava)
SKAdNetwork conversion events for privacy-preserving attribution measurement
We have conducted a legitimate interest assessment and determined that these processing activities are proportionate and do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interest (see Section 10).
We do NOT rely on "consent by continued use." Each processing activity has a specific legal basis as described above.
4. HOW WE USE YOUR INFORMATION
We use collected information to:
Provide and operate the App and its features
Process and deliver tea recognition results
Manage subscriptions and verify Premium entitlements
Process and review tea addition requests submitted by users
Measure advertising campaign effectiveness and understand user acquisition channels
Attribute app installs to marketing channels for advertising optimization
Improve app performance, features, and user experience through analytics
Identify and fix bugs, crashes, and technical issues
Analyze usage patterns to prioritize feature development
RevenueCat Inc. — Subscription management and revenue analytics
Data shared: Anonymous user ID, device identifiers (IDFV, ADID/IDFA), Kochava device ID, IP address, device version, media source, campaign name, subscription status
18 registered ad networks (Google, Meta, TikTok, Snap, AppLovin, Unity, ironSource, Chartboost, Vungle, Moloco, Liftoff, Mintegral, AdColony, Yahoo, and others)
Data shared: Only aggregated, on-device conversion data processed by Apple's SKAdNetwork framework. No personal data is transmitted to these networks by us.
We do not sell, rent, or trade your personal information to third parties. Data is shared only as described above for the specified purposes.
We may also disclose information if required by law, regulation, legal process, or governmental request, or to protect our rights, property, safety, or the rights, property, or safety of others.
6. ADVERTISING AND TRACKING TECHNOLOGIES
6.1 App Tracking Transparency (iOS)
On iOS, we request your permission to track via Apple's App Tracking Transparency (ATT) framework before collecting your Identifier for Advertisers (IDFA). The ATT prompt is displayed during onboarding. If you deny permission, your IDFA is not collected and cross-app tracking does not occur. Your Identifier for Vendors (IDFV) may still be collected regardless of your ATT choice. You can change your ATT choice at any time in iOS Settings > Privacy & Security > Tracking.
6.2 Google Advertising ID (Android)
On Android, the App declares the AD_ID permission to access your Google Advertising ID for attribution purposes. You can reset your Advertising ID or opt out of personalized advertising in Android Settings > Privacy > Ads (or Google Settings > Ads, depending on your device).
6.3 SKAdNetwork (Apple)
The App uses Apple's SKAdNetwork, a privacy-preserving attribution framework. Conversion events (Subscribe, StartTrial, RegistrationComplete) are processed entirely on your device by the operating system. Only aggregated, anonymized data is shared with participating ad networks by Apple. No personal data is transmitted to ad networks through SKAdNetwork.
6.4 How to Opt Out of Tracking
iOS: Go to Settings > Privacy & Security > Tracking > disable tracking for Teafinity, or deny the ATT prompt when it appears.
Android: Go to Settings > Privacy > Ads > opt out of Ads Personalization, or reset your Advertising ID.
Firebase Analytics: You can limit analytics data collection by restricting app background activity or using your device's privacy settings.
Note: Opting out may not retroactively delete data already collected. It prevents future collection only.
7. DATA RETENTION
Local device data: Retained on your device until you delete the App. On iOS, some keychain data may persist across app reinstallation.
Tea recognition images and results: 48 hours, then automatically deleted from our servers.
Server logs (IP, User-Agent, timestamps): 48 hours, then automatically deleted.
Tea request submissions: Until processed or declined (typically 7-14 days).
Analytics data: Per Google Firebase retention policies (default 14 months, configurable).
Crash reports: Per Google Firebase Crashlytics retention policies (90 days).
Subscription data: Per RevenueCat and Apple/Google retention policies.
Attribution data: Per Kochava retention policies.
RevenueCat subscriber attributes: Per RevenueCat retention policies.
8. DATA SECURITY
We implement appropriate technical and organizational measures to protect your data, including:
Encrypted transmission (HTTPS/TLS) for all data in transit between the App and our servers
Secure server infrastructure with access controls and monitoring
API key authentication for all API endpoints
Limited data retention periods with automatic deletion
Restricted access to personal data on a need-to-know basis
However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and are not responsible for unauthorized access resulting from factors beyond our reasonable control. You are responsible for maintaining the security of your device.
9. INTERNATIONAL DATA TRANSFERS
Your data may be processed in:
Romania (our headquarters and primary data processing location)
United States (OpenAI for AI processing, Google/Firebase for analytics and crash reporting, RevenueCat for subscription management, Kochava for attribution)
Other countries where our service providers operate data centers
For transfers of personal data from the European Economic Area (EEA) to countries that have not received an adequacy decision from the European Commission, we rely on appropriate safeguards including:
Standard Contractual Clauses (SCCs) as adopted by the European Commission
Adequacy decisions where applicable
Service provider certifications and compliance frameworks
We do not rely solely on your consent for international data transfers. We ensure appropriate safeguards are in place as required by GDPR Chapter V.
10. YOUR RIGHTS UNDER GDPR (EEA Residents)
If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation:
Right of Access (Article 15): You may request a copy of the personal data we hold about you.
Right to Rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
Right to Erasure (Article 17): You may request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Right to Restriction of Processing (Article 18): You may request that we restrict the processing of your personal data in certain circumstances.
Right to Data Portability (Article 20): You may request to receive your personal data in a structured, commonly used, machine-readable format.
Right to Object (Article 21): You may object to processing based on legitimate interest at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority. For Romania: Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP), B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, cod postal 010336, Bucuresti, Romania. Website: https://www.dataprotection.ro
Automated Decision-Making: We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significantly affects you. Tea recommendations are based on preferences you explicitly provide during onboarding and can be changed at any time.
How to Exercise Your Rights: Send your request to contact@pocketimplementation.com. Since the App does not require account creation, you must provide sufficient information to verify your identity and locate your data (such as device identifiers, approximate dates of use, or other identifying information). We will respond within 30 days, which may be extended by up to 60 days for complex requests (we will inform you of any extension).
11. YOUR RIGHTS UNDER CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
Right to Know: You may request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
Right to Opt-Out of Sale or Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising as defined by the CPRA.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. Exercising your rights will not result in different pricing, quality, or service levels.
Right to Correct: You may request correction of inaccurate personal information.
Categories of Personal Information Collected (per CCPA):
Identifiers: Device identifiers (IDFA, IDFV, ADID, Kochava device ID), IP address, anonymous user ID
Internet or Electronic Network Activity: App usage data (screen views, feature usage, search queries), browsing history within the App, crash reports
Commercial Information: Subscription status, purchase history, plan type
Geolocation Data: Country-level location derived from IP address, timezone identifier
Categories of Sources:
Directly from you (onboarding selections, tea requests, images for recognition)
Automatically from your device (analytics events, device identifiers, crash data)
From third parties (Kochava attribution data linking your install to an advertising campaign)
How to Exercise Your Rights: Send your request to contact@pocketimplementation.com. We will verify your identity before processing your request.
12. CHILDREN'S PRIVACY
The App is not directed to children. We do not knowingly collect personal information from children under 16 years of age in the European Economic Area, or under 13 years of age in other jurisdictions (including the United States under COPPA).
If we discover that we have inadvertently collected personal information from a child below the applicable age, we will promptly take steps to delete such information.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at contact@pocketimplementation.com so we can take appropriate action.
13. DO NOT TRACK SIGNALS
We do not currently respond to "Do Not Track" (DNT) browser signals or similar mechanisms, as there is no industry-standard technology for honoring DNT on mobile applications. You can control tracking via the platform-specific mechanisms described in Section 6.4.
14. CHANGES TO THIS POLICY
We may update this Privacy Policy periodically to reflect changes in our practices, technologies, legal requirements, or other factors. Changes will be indicated by updating the "Last Updated" date at the top of this policy.
For significant changes that materially affect your rights or our data practices, we will make reasonable efforts to notify you through the App or other appropriate means.
Your continued use of the App after changes to this Privacy Policy constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.
15. CONTACT INFORMATION
For privacy questions, data subject requests, concerns, or complaints, contact:
We aim to respond to all legitimate requests within 30 days. If your request is particularly complex, we may require an additional 60 days, in which case we will notify you.