Privacy Policy

Effective date: April 27, 2026

ShiftPath ("ShiftPath", "we", "us") is an iOS application that helps people stop gambling. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have over your data. By using ShiftPath, you agree to this Policy.

If you do not agree with any part of this Policy, please do not use ShiftPath.

1. Who we are

ShiftPath is operated as an independent project. The app is published on the Apple App Store. The data controller for the personal information described below is ShiftPath.

Contact: support@shiftpath.app

2. Age requirement

ShiftPath is intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us information, contact us and we will delete it.

3. What we collect

3.1 Information you provide

• Profile: first name, the type of gambling you are working to quit, your typical daily spend, your primary trigger, and your preferred coach tone. You enter this during onboarding.
• Streak data: the date you started, your current streak, your best streak, your relapse history, and your daily check-ins.
• Journal entries: anything you write in the in-app journal, including reflections and "Unsent Bet" entries (urge, trigger, attempted bet amount).
• AI Coach messages: the messages you send to the AI Coach during a panic, reflection, or check-in session.
• Notification preferences: the times of day and days of the week you choose for check-in and high-risk reminders.

3.2 Information collected automatically

• Account identifier: an anonymous Firebase Authentication user ID created on first launch. We do not require a username, email, password, or any third-party login.
• Push token: an Apple Push Notification Service (APNs) / Firebase Cloud Messaging (FCM) token, used only to deliver milestone and reminder notifications.
• Subscription state: a flag indicating whether you have an active premium subscription, sourced from RevenueCat.
• Diagnostics: crash reports and non-fatal error logs (Firebase Crashlytics).
• Usage analytics: anonymous events such as which screens you view and which features you use (PostHog). Analytics are pseudonymous and do not include the contents of journal entries or AI messages.
• Rate-limit counters: the number of free-tier AI Coach sessions you have used today (UTC), so we can enforce daily limits.

3.3 What we do not collect

• We do not collect your real name beyond what you choose to enter as your first name.
• We do not collect your contact list, photos, location, microphone, or camera.
• We do not collect health data from Apple HealthKit.
• We do not store full transcripts of AI Coach conversations. We store only a one-to-two-sentence summary of each session for your history.
• We do not sell your personal information.
• We do not use your data to train AI models.

4. How the AI Coach handles your messages

This section is important and specific to ShiftPath, so please read it carefully.

• When you send a message to the AI Coach, the message is sent over an encrypted connection to a server we operate.
• The server forwards your message to Anthropic (the provider of the Claude language model that powers the Coach). Anthropic processes the message to generate a reply and streams the reply back through our server to your device.
• Per Anthropic's API terms, your messages are not used to train Anthropic's models.
• We do not store your AI Coach messages or replies on our servers. Only a short summary of each completed session is stored on your device and synced to our database for your own history.
• Our server scans every message you send for crisis-related phrases (for example, mentions of self-harm or suicide). If detected, the server will short-circuit the AI reply and respond with crisis-line information (988 in the United States, or the Crisis Text Line). This scan happens on our infrastructure and is not visible to Anthropic.

If you do not want your messages processed by Anthropic, do not use the AI Coach feature. You can use ShiftPath's streak tracker, journal, and milestone features without it.

5. How we use your data

• To run the app: track your streak, calculate money saved, deliver notifications, unlock milestones, and provide the AI Coach.
• To sync your data across devices you sign into with the same account.
• To enforce free-tier limits and verify your subscription status.
• To diagnose crashes and improve stability.
• To understand which features are used (in aggregate, never linked to journal contents or messages).
• To respond to support and privacy requests you send us.

6. Service providers we share data with

We share the minimum data necessary with the following processors:

• Google Firebase (Authentication, Firestore database, Cloud Functions, Cloud Messaging, Crashlytics) — hosts your synced profile, streak, journal entries, milestones, push token, and crash logs. Firebase Privacy.
• Anthropic, PBC — processes AI Coach messages to generate replies. Anthropic Privacy.
• RevenueCat — manages and verifies your subscription. RevenueCat Privacy.
• PostHog — pseudonymous product analytics. PostHog Privacy.
• Apple, Inc. — App Store distribution, in-app purchase processing, push notification delivery, optional Sign in with Apple. Apple Privacy.

We do not sell or rent your personal information to anyone.

7. Where your data is stored

Most data lives on your device. Cloud-synced data is stored in Firebase, hosted on Google Cloud (primary region: us-central1). Some processors (such as Anthropic, RevenueCat, and PostHog) may process data in the United States or other countries. By using the app, you consent to this transfer. We rely on Standard Contractual Clauses or equivalent mechanisms where required.

8. How long we keep your data

• Data on your device: until you delete the app or your account.
• Cloud-synced data: until you delete your account.
• AI Coach messages in transit: not retained by us; processed in real time and discarded.
• Rate-limit counters: rolling 30 days then automatically deleted.
• Crash logs: up to 90 days.
• Subscription receipts: as required by Apple and applicable law.

9. Your rights

Regardless of where you live, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data (most fields are editable in-app under Settings).
• Delete your account and all associated data (Settings → Account → Delete Account, or email us). Deletion removes your profile, streak record, journal entries, milestones, rate-limit records, and authentication record.
• Export a copy of your data. Email us and we will send a JSON export within 30 days.
• Object to processing or restrict it.
• Withdraw consent at any time; this does not affect prior processing.
• Lodge a complaint with your local data protection authority.

If you are in the European Economic Area, the United Kingdom, or Switzerland, the GDPR / UK GDPR applies. If you are in California, the CCPA / CPRA applies and you have the right not to be discriminated against for exercising these rights. We do not "sell" or "share" personal information as those terms are defined under the CCPA.

10. Security

All network traffic uses HTTPS / TLS. Cloud data is access-controlled by Firebase Authentication and Firestore Security Rules: only your account can read or write your data. The Anthropic API key never reaches your device. Subscription verification happens server-side.

No system is perfectly secure. If we become aware of a breach affecting your data we will notify you and the relevant authorities as required by law.

11. Crisis resources

ShiftPath is not a medical service, a therapy service, or a substitute for professional help. If you are in crisis, please reach out:

• United States: 988 (Suicide & Crisis Lifeline) or text HOME to 741741 (Crisis Text Line).
• For gambling-specific support: 1-800-GAMBLER (United States).
• Outside the United States: please refer to your local emergency or crisis service.

12. Changes to this Policy

We may update this Policy. Material changes will be announced in-app at least 14 days before they take effect. The "Effective date" at the top of this document indicates the latest revision.

13. Contact us

Questions, requests, or complaints about this Policy or your data:

support@shiftpath.app

© 2026 ShiftPath. All rights reserved.