Privacy Policy

Effective Date: March 1, 2026

1. Information We Collect

1.1 Account Information

To use Whazzat, you create an account. We collect and store:

• Email Address: Used to identify your account and for account recovery
• Password: Stored as a secure hash — we never store your plain-text password
• Account Metadata: Account creation date, last sign-in date, and session tokens

You may also sign in using Sign in with Apple. When you do, Apple may provide a real or relay email address at your discretion. We store this address solely to identify your account.

Authentication is handled by Supabase, a secure backend-as-a-service platform. You can review Supabase's privacy policy at https://supabase.com/privacy.

1.2 Dropbox Connection

When you connect your Dropbox account, we collect and store:

• OAuth Access Token: Stored securely on your device and in our database to enable access to your Dropbox files
• Connection Status: Whether your Dropbox account is currently connected

We use the OAuth 2.0 standard to connect to Dropbox. We never receive or store your Dropbox password. You can revoke access at any time through your Dropbox account settings.

1.3 Tags and Labels

Whazzat stores the organizational data you create:

• Photo Tags: Labels and people tags you assign to photos
• File References: Dropbox file identifiers used to associate tags with specific photos (not the photos themselves)

This data is stored in our database so it is available across all your devices.

1.4 Usage Data

We store minimal usage data to provide app features:

• Streak Data: Daily visit dates, used to power the streak feature

1.5 What We Do Not Collect

Whazzat does not collect:

• Your photos or photo content — images are streamed directly from Dropbox to your device
• Location data
• Advertising identifiers or tracking data
• Contact lists
• Analytics or behavioral tracking data

2. How We Use Your Information

2.1 Core App Functionality

• Authenticating you when you sign in to the app
• Connecting to your Dropbox account to browse and display your photos
• Storing and syncing the tags and labels you create across your devices
• Powering the streak feature to track your daily visits

2.2 Account Management

• Sending account-related emails (password reset, email verification) when you request them
• Maintaining the security of your account

3. Information Sharing and Disclosure

3.1 Dropbox

Whazzat communicates with Dropbox on your behalf using your OAuth token to:

• List your photo files and folders
• Retrieve photo thumbnails and full-resolution images for display
• Maintain connection status

We do not share any of your personal information with Dropbox beyond what is required for the OAuth connection. Dropbox's privacy policy is available at https://www.dropbox.com/privacy.

3.2 Infrastructure Providers

We use the following third-party services to operate Whazzat:

• Supabase: Database and authentication infrastructure. Account data and tags are stored on Supabase-hosted servers.
• Cloudflare: Web hosting for our API and website.

These providers operate under their own privacy policies and security standards.

3.3 Legal Requirements

We may disclose information if required by law, regulation, or legal process, or to protect the safety and rights of users and the public.

4. Data Security

4.1 On-Device Security

• Keychain Storage: OAuth tokens and session credentials are stored using iOS Keychain Services
• App Sandbox: All local data is isolated within the app's secure container

4.2 Server-Side Security

• HTTPS/TLS: All communication between the app and our servers uses encrypted connections
• Row-Level Security: Database access is enforced at the row level — you can only access your own data
• Password Hashing: Passwords are hashed using industry-standard algorithms and never stored in plain text
• OAuth 2.0: Industry-standard authentication for Dropbox access

5. Your Rights and Choices

5.1 Account Management

• Delete Account: You can permanently delete your account and all associated data directly within the app via Settings → Delete Account

5.2 Dropbox Access

• Disconnect: You can disconnect your Dropbox account at any time within the app
• Revoke Access: You can also revoke Whazzat's authorization directly in your Dropbox account security settings at dropbox.com/account/connected_apps

5.3 Data Deletion

• Uninstall: Uninstalling the app removes all locally cached data and stored credentials from your device
• Account Deletion: Delete your account and all server-side data (including tags and labels) directly in the app via Settings → Delete Account. You can also contact us at hello@chasingthetwist.com if you need assistance.

6. Data Retention

We retain your account data and tags for as long as your account is active. If you request account deletion, we will delete your data within 30 days, except where retention is required by law.

7. Children's Privacy

Whazzat does not knowingly collect personal information from children under 13. The app requires account creation and is intended for general audiences. If you believe a child under 13 has created an account, please contact us and we will delete the account promptly.

8. International Data Transfers

Your account data and tags are stored on servers operated by Supabase and Cloudflare, which may be located outside your home country. By using Whazzat, you consent to the transfer of your data to these services in accordance with this Privacy Policy and their respective privacy policies.

When you connect Dropbox, your files remain stored within Dropbox's infrastructure. Whazzat does not transfer or copy your photos to our servers.

9. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. We will notify users of material changes through the app or by email. Your continued use of Whazzat after changes become effective constitutes acceptance of the updated policy.

10. Contact Us