1. Who we are (Data Controller / Data Fiduciary)
For the purposes of the UK GDPR, we are the data controller of your personal data. For the purposes of India’s DPDP Act, we are the data fiduciary. Because we operate as a sole proprietorship, the proprietor named below is personally the controller / fiduciary.
- Proprietor (legal name): Mohammad Yaqub Abdul Hafiz
- Trading as: Hash Solution
- Business structure: Sole proprietorship registered in India
- Udyam Registration No.:
UDYAM-MH-17-0144454(Ministry of Micro, Small & Medium Enterprises, Government of India) - Registered business address: Flat 301, A Wing, Vinayak Complex, Building No. 4, DJ Nagar, Boisar, Maharashtra 401501, India
- Contact / privacy queries: yaqub1307@outlook.com
For all privacy-related requests, including the exercise of your rights described in Section 9, please email us at the address above with the subject line “Privacy Request”. Under India’s DPDP Act, the proprietor acts as our Grievance Officer and can be reached at the same email address.
2. Summary — what we do and don’t do with your data
What we do:
- Store your profile and wellbeing entries locally on your device (in the iOS Keychain and encrypted app-sandboxed storage).
- Read free/busy times from your device calendar so that reminders never land during meetings.
- Schedule local notifications on your device to nudge breaks, hydration, movement and rest.
- Charge you through Apple’s in-app purchase system if you subscribe.
What we do not do:
- We do not operate accounts, logins, email lists or user IDs.
- We do not upload your health, stress, calendar or lifestyle data to any server — ours or anyone else’s.
- We do not run third-party analytics, advertising SDKs, attribution SDKs or crash reporters.
- We do not sell or share your personal data with any third party.
- We do not transfer your App data across borders — because there is no server-side data to transfer.
3. Personal data we process
The categories of personal data below are entered by you or generated by the App on your device. Except where explicitly noted, all data listed here is stored only on your device and is never transmitted to Unburn or any third party.
3.1 Profile data (stored in the iOS Keychain via expo-secure-store)
- Display name (defaults to “You” if you do not enter one).
- Sleep goal, typical bedtime, wake time and sleep-quality rating.
- Meals per day, water intake goal, caffeine cups, skipped meals per week.
- Typical work hours per day, meetings per day, commute minutes, work mode (remote, hybrid, office).
- Daily movement minutes goal, sitting hours, step goal.
- Quiet-hours window, do-not-disturb toggle, per-reminder-type on/off flags, daily reminder cap, minimum gap between reminders.
- Whether you have connected your device calendar.
3.2 Wellbeing entries and computed scores (stored in encrypted local storage)
- Self check-ins: water intake, steps, sleep hours, meals, subjective stress rating (1–5), meetings, breaks, walks, stretches, screen-off periods and screen-time totals — each with a timestamp and optional note.
- PSS-4 and PSS-10 questionnaire responses (the Cohen Perceived Stress Scale). We store your numeric answers (0–4 per question) so we can compute a total score and show your progress over time.
- Computed stress index (0–100), burnout risk score (0–100) and contributing factor breakdown. These are computed on your device from the data above.
- Daily burnout-score history so you can see trends.
For performance, the App automatically retains only the most recent 500 wellbeing entries and 200 scheduled reminders on your device.
3.3 Calendar data
With your explicit iOS permission, the App reads events from your device calendar for the next 48 hours so it can time reminders around your commitments.
- We store event start and end times, the calendar-native event ID and a “busy / focus / personal” classification in encrypted local storage on your device.
- We read the event title from the operating system while the App is running so it can be shown to you in-context, but we never persist event titles to storage and we never transmit them anywhere.
- We do not read attendees, locations, notes, attachments or any other event details.
3.4 Notifications
The App schedules notifications locally on your device using Apple’s system APIs. We do not use push notifications. As a result:
- We do not request or store an Apple Push Notification (APNs) token.
- We do not send your device a message from any server — every notification is scheduled and delivered by iOS itself.
3.5 Subscription and payment data
If you subscribe, payment is processed by Apple through your App Store account under Apple’s Media Services Terms and Apple’s privacy policy. We receive from Apple only the information we need to unlock your subscription entitlement — for example, an anonymous purchase receipt or entitlement identifier. We do not receive or store your card number, billing address or Apple ID.
3.6 Website data
Our marketing website is a static site. It does not set analytics cookies, does not embed advertising trackers, and does not host any contact form or newsletter signup. Standard, non-identifying server logs may be kept by our hosting provider for the sole purposes of security and service reliability; see our Cookies notice for details.
4. Special category data (health data)
Wellbeing entries such as sleep hours, stress ratings and PSS questionnaire responses are special category data concerning health under UK GDPR Article 9 and sensitive personal data under India’s DPDP Act. Because this data is sensitive, we process it only where you have given us your explicit consent to do so by choosing to enter it in the App (UK GDPR Article 9(2)(a); DPDP Act Section 6).
You can withdraw your consent at any time by deleting your data (Settings → Delete all data) or by uninstalling the App. Withdrawal does not affect any processing that occurred before the withdrawal.
Unburn is a consumer wellbeing tool, not a medical device. See our Wellbeing disclaimer for what this means in practice.
5. Purposes and lawful bases for processing
| What we process | Why | Lawful basis (UK GDPR / DPDP Act) |
|---|---|---|
| Profile preferences, wellbeing entries, computed scores | To provide the wellbeing features of the App on your device | UK GDPR Art. 6(1)(b) — performance of a contract; and for health data, Art. 9(2)(a) — explicit consent. DPDP Act §4/§6 — consent for a specified purpose. |
| Calendar free/busy times | To time reminders around your meetings and focus blocks | UK GDPR Art. 6(1)(a) — consent (via the iOS calendar permission prompt) |
| Local notifications | To deliver reminders you have configured | UK GDPR Art. 6(1)(a) — consent (via the iOS notification permission prompt) |
| Subscription entitlement | To unlock paid features you have purchased | UK GDPR Art. 6(1)(b) — performance of the subscription contract |
| Server logs (marketing website) | To keep the site online, secure and free from abuse | UK GDPR Art. 6(1)(f) — legitimate interest in service security |
6. Who we share your data with
No one, in the vast majority of cases. Because the App does not send your wellbeing, calendar, profile or reminder data off your device, there is nothing for us to share.
The limited exceptions are:
- Apple, Inc. — if you purchase a subscription, Apple processes the transaction and provides us with a purchase receipt or entitlement identifier. Apple acts as an independent controller for that transaction under its own privacy policy.
- Our website hosting provider — receives standard server-log data (IP address, page requested, timestamp, user agent) when you visit our website, solely for security and reliability. This data is not linked to any App data.
- Law enforcement, courts or regulators — we will disclose personal data only if required to do so by a valid legal request in India or the UK. Given the on-device architecture, we typically have no personal data to disclose.
7. International transfers
Our operating entity is based in India. However, because your App data remains on your device and is never uploaded to any Unburn server, no international transfer of your App data takes place. The UK GDPR restrictions on international transfers (Chapter V) therefore do not apply to your App data because there is no transfer to restrict.
Should we in future introduce any server-side feature (for example, an optional cloud backup), we will update this policy in advance and put in place an appropriate transfer safeguard, such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.
In relation to the marketing website, our hosting provider’s standard server logs may be held in data centres located outside the UK. Where this is the case, the provider operates under its own data-protection safeguards for such transfers.
8. How long we keep your data
- On your device: your data remains on your device until you delete it or uninstall the App. The App caps wellbeing entries at 500 and reminders at 200 for performance; older items are pruned automatically.
- Purchase receipts: where we hold a subscription entitlement identifier, we retain it for the duration of your subscription and for up to 8 years after the last transaction, in line with Indian and UK tax and accounting requirements.
- Server logs: retained by our hosting provider for a maximum of 30 days.
9. Your rights
You have the following rights over your personal data under the UK GDPR and India’s DPDP Act. Where those regimes overlap, we honour whichever gives you the stronger right.
9.1 Rights you can exercise directly in the App
- Right to rectify (UK GDPR Art. 16; DPDP §12(2)): you can edit any profile field, log entry or preference in the App at any time.
- Right to erasure / right to delete (UK GDPR Art. 17; DPDP §12(3)): use Settings → Delete all data to wipe everything from local storage and the iOS Keychain immediately and irreversibly. Uninstalling the App also removes all data on your device.
- Right to withdraw consent (UK GDPR Art. 7(3); DPDP §6(4)): revoke calendar or notification permissions from iOS Settings, or delete all data as above. Withdrawal does not affect processing already carried out.
9.2 Rights inherent to the on-device design
- Right of access (UK GDPR Art. 15): because every item of personal data we process is already stored on your device and visible to you in the App, you have full, ongoing access to it at all times.
- Right to data portability (UK GDPR Art. 20): we do not hold your wellbeing, calendar, profile or reminder data on any server, so there is nothing for us to port on your behalf. Your data is inherently portable because it resides on your device under your control. If, in future, we introduce any server-side feature that holds portable data, we will implement a portability mechanism at that time.
9.3 Other rights and how to exercise them
- Right to object (UK GDPR Art. 21) and right to restrict processing (Art. 18): you can object to or restrict any specific processing by disabling calendar/notification permissions in iOS Settings, deleting affected data in-App, or emailing us at yaqub1307@outlook.com.
- Right to lodge a complaint: if you believe we have not handled your data properly, you have the right to complain to the UK Information Commissioner’s Office (ICO): 0303 123 1113 or ico.org.uk. If you are in India, you may complain to the Data Protection Board of India once it is operational under the DPDP Act.
- Right to nominate (DPDP §14): Indian users may nominate another individual to exercise their DPDP rights in the event of death or incapacity. To register a nomination, email us at the address above.
Because we do not run user accounts, we may not be able to identify a specific individual from our records alone (see UK GDPR Art. 11). In practice this means we have no personal data to return in response to a subject access request — because we do not hold it. Your device is the sole holder of your Unburn data.
10. Security
- Your profile is stored in the iOS Keychain using the
WHEN_UNLOCKED_THIS_DEVICE_ONLYprotection class, which restricts access to when your device is unlocked and prevents the data from being copied to another device via iCloud Backup. - Other wellbeing data is stored in the App’s sandboxed local storage, which is protected by iOS Data Protection at rest.
- Because there is no server, there is no cloud database that could be breached.
- The marketing website is served over HTTPS.
11. Children
The Service is not intended for use by children under 13. If you are under 13, please do not use Unburn. Under India’s DPDP Act, processing of a child’s personal data (defined as an individual under 18) requires verifiable parental consent — because the App does not collect data centrally and does not create user accounts, we do not knowingly process any such data. If you are a parent or guardian and become aware that a child has used the App, deleting the App from that child’s device will remove all Unburn data associated with it.
12. Automated decision-making
Unburn does not carry out any automated decision-making that produces legal or similarly significant effects on you. The App produces wellbeing scores and reminder suggestions, but these are informational only and are computed entirely on your device.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will change the “Effective” date at the top and, where the change is material, notify you inside the App. Your continued use of the Service after the change takes effect constitutes your acceptance of the updated policy.
14. Contact
For any question about this policy or about how we handle your data — including if you are exercising a right under UK GDPR or the DPDP Act — please email yaqub1307@outlook.com.