Privacy Policy

1.Introduction

This Privacy Policy explains how Anomalia (“Anomalia”, “we”, “us”, “our”) collects, uses, discloses, and retains information when you use the Anomalia mobile application (the “Service”).

Anomalia is operated by an individual entrepreneur based in Spain. We are the data controller for the personal information described in this policy.

We have written this policy in plain language because we believe you should be able to understand what happens to your data without a law degree. If anything is unclear, email us at hello@anomalia.app and we will explain.

By installing or using Anomalia, you confirm that you have read and understood this policy.

2.What data we collect

We collect the minimum information needed to deliver the Service. We group it by purpose below.

2.1 Account data

• Email address — provided by Google when you sign in with Google. We use it to identify your account and contact you about service issues (for example, a security notice or a subscription problem).
• Google profile name and avatar — only if you grant Google permission to share them. We display your name and avatar inside the app so your reading history is personalised to you.
• User identifier — a random internal ID generated by our systems, used to link your reading history, subscription, and analytics records without exposing your email.

2.2 Reading data

• Mysteries you have read — a list of mystery IDs and the timestamps at which you opened them, so we can mark them as read in your archive and show your reading streak.
• Streak counter — the number of consecutive days you have read a mystery, reset at midnight in your device’s local time zone.
• Reading time — approximate time spent on each mystery, used to power the streak count and to improve content quality. We do not record what you scrolled to or what you tapped within a mystery.

2.3 Subscription data

• Subscription status — whether you have an active subscription, the plan (monthly or annual), the renewal date, and the trial end date.
• Subscription source — always “Google Play” for v1 (iOS is not supported).
• RevenueCat anonymous user identifier — a random ID issued by RevenueCat to link your subscription to your Anomalia account. We never see your payment card number; payment processing is handled entirely by Google Play.

2.4 Analytics (anonymous)

• Event data — anonymous counters such as “user opened the paywall” or “user viewed the today screen”. We do not attach your email, name, or user identifier to these events in PostHog.
• Aggregated device class — OS family, OS version, app version, device model family. We use this to debug and to decide which Android versions to support.
• PostHog is hosted in the European Union. See Section 9.

2.5 Crash reports

• Stack traces and diagnostic context — technical information about app errors, including the action you took, the screen you were on (as a route name, not content), and the device class listed above.
• We strip email addresses, names, and personal identifiers from crash payloads before they leave your device.
• Sentry is hosted in the United States. See Section 9.

2.6 Push notifications

• Firebase Cloud Messaging (FCM) token — a random token issued by Google that allows us to send you a notification at 9:00 in your local time zone each morning.
• Notification interaction — whether you tapped the morning notification, used only to measure if the feature is working.
• You can disable notifications at any time in your device settings. Disabling does not delete the FCM token immediately; it is refreshed on next app launch.

2.7 Device identifier

• Firebase Installation ID — a per-install random identifier that lets us send you push notifications and count installations. This is not a device serial number, not an advertising ID, and not linked to you personally.

2.8 Waitlist (landing page)

• Email address — if you voluntarily enter your email in the waitlist form on anomalia.app, we store it solely to notify you when Anomalia launches. We do not use it for marketing, newsletters, or any other purpose unless you separately opt in after launch.
• The waitlist form is processed by Formspree (see Section 5). We do not collect your IP address, name, or any other information through the waitlist.

3.What we do not collect

We believe in data minimisation. The Anomalia app does not request, access, store, or transmit any of the following:

• Location (GPS, IP-based geolocation, or coarse location)
• Contacts or address book
• Photos, videos, or camera access
• Microphone or any audio recording
• Advertising identifiers (Google Advertising ID, IDFA, or any equivalent)
• Health or biometric data
• Financial data (we never see your payment card; Google Play handles it)
• Government identifiers (passport, national ID, social security number)
• Browsing history outside the app
• Calendar, SMS, call logs, or device sensor data

Specifically, we do not sell or share your personal information with third parties for cross-context behavioural advertising, as those terms are defined under the California Consumer Privacy Act (CCPA) and its amendments.

4.How we use your data

We use the information described in Section 2 for the following purposes only:

1. To provide the Service — authenticate you, deliver the daily mystery, mark mysteries as read, compute your streak, and unlock the archive for paying subscribers.
2. To process your subscription — verify subscription status through RevenueCat, and prevent abuse of the free trial.
3. To send the daily notification — only if you have notifications enabled.
4. To improve the Service — diagnose crashes via Sentry and understand feature usage via PostHog.
5. To respond to you — if you email us with a support question, account request, or feedback.
6. To comply with the law — keep records required by tax and accounting law, respond to lawful requests from authorities.

We do not use your data for automated decision-making that produces legal effects concerning you. We do not profile you for advertising. We do not train AI models on your personal data.

Legal bases under the GDPR (for users in the European Economic Area and United Kingdom)

Where the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) applies, we process your personal data on the following legal bases (Article 6 GDPR):

• Contract performance (Art. 6(1)(b)) — to deliver the Service you signed up for and to manage your subscription.
• Legitimate interests (Art. 6(1)(f)) — to maintain stable, secure infrastructure (analytics and crash reporting), prevent abuse, and improve the product, balanced against your rights and freedoms.
• Consent (Art. 6(1)(a)) — to send you push notifications. You can withdraw consent at any time by disabling notifications in your device settings.
• Legal obligation (Art. 6(1)(c)) — to retain records required by tax and accounting law.

5.Third-party services

To run Anomalia, we rely on a small number of trusted sub-processors. Each one receives only the data it needs to do its job, and is bound by its own privacy policy and, where applicable, a data processing agreement with us.

5.1 Firebase / Google Cloud

Purpose: account authentication, data hosting (Firestore database, Cloud Functions), push notifications (FCM), and file storage.

Data shared: email and profile (for sign-in), reading data, subscription metadata, FCM token.

Hosting region: nam5 (United States). See Section 9 for the transfer mechanism.

Privacy policy: policies.google.com/privacy

5.2 RevenueCat

Purpose: subscription management and purchase validation.

Data shared: an anonymous RevenueCat user ID linked to our internal user ID, the subscription product ID, purchase receipts, and renewal status.

Privacy policy: revenuecat.com/privacy

5.3 PostHog (EU Cloud)

Purpose: product analytics (anonymous event counts).

Data shared: event names, screen route names, OS version, app version, and a PostHog-distinct random ID. We do not send email, name, IP address (we strip the last octet), or user identifier.

Hosting region: European Union (PostHog EU).

Privacy policy: posthog.com/privacy

5.4 Sentry

Purpose: crash reporting and performance monitoring.

Data shared: stack trace, route name, OS version, app version, device model. We strip email, name, and personal identifiers before sending.

Hosting region: United States.

Privacy policy: sentry.io/privacy

5.5 Unsplash

Purpose: serving editorial images that accompany each mystery.

Data shared: standard HTTPS request metadata (your IP address, user agent) when your device loads an image. We do not send your account information to Unsplash.

Privacy policy: unsplash.com/privacy

5.6 LLM provider (OpenAI)

Purpose: generating the daily mystery text. A second LLM pass verifies the output before publication.

Data shared: only the date and the desired category (for example, “2026-06-04” + “historical oddity”). We do not send your email, account ID, reading history, IP address, or any other personal data to the LLM provider.

Privacy policy: openai.com/policies/privacy-policy

We may change LLM provider (for example, to Anthropic) to improve quality. We will update this section when we do, and the data we send will remain the same: no personal data.

5.7 Formspree

Purpose: processing the waitlist sign-up form on anomalia.app.

Data shared: only the email address you enter in the waitlist form. Formspree also receives your IP address as part of the standard HTTPS request, which they log for abuse prevention.

Hosting region: United States.

Privacy policy: formspree.io/legal/privacy-policy

5.8 Google Analytics

Purpose: measuring aggregate traffic to anomalia.app so we can understand which content resonates and improve the site.

Data shared: page URLs, referrer, device class, browser, country (derived from truncated IP), and the events described in Section 5.9 below. We do not send your email, account ID, or any other identifier that links analytics to your Anomalia account.

Cookies set: _ga and _ga_* (Google Analytics 4), used to distinguish unique users and sessions. The _ga cookie expires after 2 years of inactivity; the session cookie expires when you close your browser.

IP anonymisation: we send anonymize_ip: true, so Google truncates the last octet of your IP address before storage. We do not have access to your full IP address in analytics.

Legal basis (GDPR): legitimate interest (Art. 6(1)(f)) — measuring site performance in a way that does not identify you, balanced against your privacy. You can opt out by enabling your browser’s Do Not Track signal, by blocking third-party cookies, or by using a privacy-focused browser extension such as Privacy Badger.

Hosting region: Google Analytics 4 processes data in the European Union when the user’s IP is geolocated there, and in the United States otherwise. See Section 9 for the transfer mechanism.

Data retention: 14 months, then automatically deleted by Google.

Privacy policy: policies.google.com/privacy · Opt-out browser add-on

5.9 Custom events we measure

In addition to standard page views, we measure a small number of anonymous interactions to understand how visitors use the site. None of these events include your email, account ID, or any personal identifier.

• language_change — when you switch the site language. Parameter: the new language code (e.g. es).
• waitlist_submit — when you successfully join the waitlist. Parameter: which form was used (hero or final) and your selected language.
• cta_click — when you click a primary call-to-action button. Parameter: a truncated label of the button and its target URL.
• pricing_view — when the pricing section becomes visible in your viewport (counts as a single event per visit).
• outbound_click — when you click a link to a third-party site (e.g. Google Play, social profiles) or a mailto: link. Parameter: the destination URL and a truncated link text.

These events are aggregated and retained for 14 months. You can opt out of all Google Analytics measurement as described in Section 5.8 above.

6.Data retention

We keep your data only as long as we need it for the purposes described above, and then we delete or anonymise it.

• Account data (email, profile, user identifier) — until you delete your account, plus a 30-day grace period in case of accidental deletion. After the grace period, your account record is hard-deleted from our production database. Backups are rotated within 90 days.
• Reading data and streak — until you delete your account.
• Subscription records — 7 years from the last transaction, as required by Spanish accounting law (Ley 58/2003, General Tributaria).
• Analytics events (PostHog) — 24 months, then automatically deleted by PostHog.
• Crash reports (Sentry) — 90 days, then automatically deleted by Sentry.
• Push notification tokens — deleted when you delete your account or disable notifications permanently.
• Support emails — 24 months from the last interaction, unless you ask us to delete them sooner.
• Waitlist emails — until 30 days after the public launch of Anomalia, at which point the waitlist is deleted. You may also email hello@anomalia.app at any time to request immediate deletion.

7.Your rights

You have a number of rights over your personal data. We honour all of them, regardless of where you live.

7.1 If you are in the EEA, UK, or Switzerland (GDPR)

You have the right to:

• Access (Art. 15) — request a copy of the personal data we hold about you.
• Rectification (Art. 16) — correct inaccurate or incomplete data.
• Erasure (Art. 17) — the “right to be forgotten”. The easiest way is the in-app “Delete account” button in Settings.
• Restriction (Art. 18) — ask us to pause processing while we investigate a concern.
• Data portability (Art. 20) — receive your reading history in a machine-readable format (JSON or CSV).
• Object (Art. 21) — object to processing based on legitimate interests, on grounds relating to your particular situation.
• Withdraw consent (Art. 7(3)) — at any time, where processing is based on consent (for example, push notifications).
• Lodge a complaint (Art. 77) — with the data protection authority in your country. A list is available at edpb.europa.eu. In Spain, the authority is the Agencia Española de Protección de Datos (aepd.es).

7.2 If you are in California (CCPA / CPRA)

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code § 1798.100 et seq.), you have the right to:

• Know what personal information we have collected about you, the categories of sources, the business or commercial purpose, and the categories of third parties with whom we share it.
• Delete personal information we have collected from you, subject to the exceptions in Cal. Civ. Code § 1798.105(d).
• Correct inaccurate personal information.
• Limit the use of sensitive personal information — not applicable, because we do not collect sensitive personal information (as defined in § 1798.140(ae)).
• Non-discrimination for exercising your CCPA rights (§ 1798.125).

We do not sell or share your personal information for cross-context behavioural advertising. Therefore, there is no need to provide a “Do Not Sell or Share My Personal Information” link, though you may still contact us to confirm this.

7.3 If you are elsewhere

Most jurisdictions grant similar rights (access, deletion, correction, portability). We extend the same standards globally. If your local law grants additional rights (for example, the right to set post-mortem instructions), we will honour them to the extent required.

7.4 How to exercise your rights

You can exercise most rights yourself directly inside the app, in Settings → Privacy. For anything else, email hello@anomalia.app from the email address linked to your account, so we can verify the request.

We will acknowledge your request within 7 days and complete it within 30 days (45 days for complex CCPA requests, with notice). There is no fee for exercising your rights, except where requests are manifestly unfounded or excessive (Art. 12(5) GDPR).

8.Children’s privacy

Anomalia is rated for users aged 13 and over. The Google Play listing carries an “Everyone” (10+) content rating and we have declared a target audience of 13+ in the Play Console data safety form.

We do not knowingly collect personal information from children under 13. The Children’s Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506), the EU General Data Protection Regulation (which sets the consent age at 13–16 depending on the Member State), and equivalent laws in other jurisdictions all prohibit this, and we agree.

If you are a parent or guardian and believe your child has created an Anomalia account, email hello@anomalia.app with proof of relationship. We will delete the account and all associated data within 7 days.

Age verification is performed at sign-in. Google sign-in does not allow account creation by children under the applicable age in their country. As a backup, we will delete any account we discover belongs to a user under 13.

9.International transfers

Anomalia is operated from Spain. When you use the Service, your data may be transferred to and processed in:

• The European Union — PostHog analytics.
• The United States — Firebase / Google Cloud (Firestore, Cloud Functions, FCM), Sentry crash reports, Formspree (waitlist processing), and Unsplash image delivery.

For transfers from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on the following safeguards (Chapter V GDPR):

• European Commission Adequacy Decision for the EU–US Data Privacy Framework (and the UK Extension and Swiss–US Data Privacy Framework), where the recipient is self-certified. Firebase / Google Cloud and Sentry are self-certified.
• Standard Contractual Clauses (Commission Decision 2021/914) for any recipient that is not self-certified.
• Where required, we conduct a transfer impact assessment (TIA) per the Schrems II judgment.

You can request a copy of the safeguards that apply to your data by emailing hello@anomalia.app.

10.Security measures

We take reasonable steps to protect your data, including:

• HTTPS / TLS 1.2+ for all data in transit.
• Encryption at rest on all managed storage (Firestore, Storage, backup disks).
• Firestore security rules that deny all reads and writes by default, with allow rules limited to the authenticated user’s own data.
• App Check (Play Integrity) on the Android client to prevent API abuse from non-genuine installs.
• Secrets stored in Google Secret Manager, never in source control.
• Principle of least privilege for any human access to production data.
• Data breach notification: in the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within the timelines required by Article 33–34 GDPR (72 hours to the authority, without undue delay to you).

No system is perfectly secure. We cannot guarantee absolute security. If you discover a vulnerability, please email hello@anomalia.app with the subject line starting with “Security:”; we will respond within 7 days.

11.Changes to this policy

We may update this policy from time to time. When we do, we will:

1. Update the “Effective date” at the top of this page.
2. For material changes (for example, a new category of data collected, a new third-party processor, or a change in retention period), show an in-app notice the next time you open Anomalia and, where required by law, ask for renewed consent.
3. Keep a previous-versions archive available at anomalia.app/privacy/archive (coming soon).

Material changes will never apply retroactively. Continued use of the Service after the effective date of a change constitutes acceptance of the updated policy, except where additional consent is required by law.

12.Contact us

The fastest and most reliable way to reach us is by email. We aim to respond within 7 days.

Email: hello@anomalia.app
Postal address: provided on request, in accordance with GDPR Article 13(1)(a).
Operator: Anomalia (individual entrepreneur, Spain).
EU representative: not applicable (operator is established in the EU).

For any privacy request, please include the email address linked to your Anomalia account so we can verify the request before acting on it.

13.Effective date

This Privacy Policy is effective as of 5 June 2026.

Glossary

Personal data

Any information that identifies, or can reasonably be used to identify, a living person. In Anomalia, this is essentially your email, your reading history, and your subscription record.

Processing

Anything we do with personal data: collecting, storing, reading, sending, deleting. The GDPR uses this term broadly.

Data controller

The person or organisation that decides why and how personal data is processed. For Anomalia, that is the operator identified in Section 12.

Data processor

A third party that processes personal data on the controller’s behalf. Firebase, RevenueCat, PostHog, and Sentry are our data processors.

Service

The Anomalia mobile application and its associated backend.

Streak

The number of consecutive calendar days, in your device’s local time zone, on which you have read at least one mystery.