Identity of Data Controller
This Privacy Policy is issued by the Goldfish development team ("Goldfish," "we," "us," or "our"), currently operating as an unincorporated student project. Goldfish is the data controller for all personal information collected through the Service.
Upon formation of a legal entity, this Policy will be updated to reflect the entity's legal name, state of incorporation, and registered contact information. Existing users will be notified of any such transition via their registered email address.
For all privacy-related inquiries, contact us at get.goldfish.focus@gmail.com.
Scope and Application
This Privacy Policy applies to all personal information collected through the Goldfish iOS application and any related services, websites, or communications (collectively, the "Service"). It governs information collected from all users, including users located in the United States and, to the extent applicable, users located internationally.
This Policy is incorporated by reference into Goldfish's Terms of Service. By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the data practices described herein.
This Policy does not apply to third-party services linked to or integrated with the Service. Those services are governed by their own privacy policies.
Information We Collect
3.1 Information You Provide Directly
| Category | Examples | Required? |
|---|---|---|
| Identity & Account | Name, email address, profile photo | Required |
| Session Content | Timelapse videos, session titles, captions, annotations, duration | Core features |
| Communications | Support requests, feedback, messages to Goldfish | As needed |
| Optional Profile Data | Academic major, GPA range, graduation year, career aspirations, post-graduation plans, dream job, internship history, extracurricular activities | Optional — see §3.2 |
3.2 Optional Profile Data — Special Notice
Optional Profile Data is collected for purposes that include potential future commercial data partnerships. You are not required to submit this information to use Goldfish's core features. However, if you choose to submit Optional Profile Data, you acknowledge that it may be retained and — subject to the conditions in Section 5.3 — eventually shared with third-party commercial partners.
Do not submit Optional Profile Data you are not willing to have retained and potentially commercialized.
3.3 Information Collected Automatically
| Category | Details |
|---|---|
| Behavioral & Usage | Features used, content viewed, sessions recorded, follows, reactions, time-on-app, study habit patterns from longitudinal activity |
| Device & Technical | Device model, OS version, unique device identifiers, Apple IDFA, IP address, network type |
| Location Data | Approximate or precise geolocation when app is active and permissions are granted. Revocable anytime in device settings. |
| Diagnostics | Crash logs, error reports, app performance metrics |
3.4 Information From Third Parties
We may receive limited technical information from Apple in connection with App Store distribution. We do not currently purchase personal data about you from third-party data brokers or aggregators.
How We Use Your Information
We use your personal information for the following purposes:
- Service operation: Creating and maintaining your account, operating the social feed, enabling timelapse recording, and providing community features
- Analytics and personalization: Generating your personal study statistics, habit analytics, and productivity insights; personalizing your content feed
- Product development: Conducting internal research, testing new features, and improving the Service based on usage patterns
- Communications: Sending service notifications, security alerts, product updates, and — with your consent — marketing and third-party partner communications
- Safety and integrity: Detecting and preventing fraud, abuse, unauthorized access, and Terms of Service violations
- Legal compliance: Complying with applicable laws, regulations, and legal process
- Future data partnerships: Pursuing the commercial data partnership program described in Section 5.3 once launched, in accordance with the conditions and notice requirements set forth therein
Data Sharing & Future Monetization
5.1 What We Do Not Do Currently
We do not currently sell, rent, license, or otherwise transfer your individually identifiable personal data to third-party advertisers or commercial partners. We share data with third-party service providers — including Supabase and analytics, email delivery, and infrastructure vendors — solely as necessary for them to provide services to us, under confidentiality and data processing obligations.
5.2 Service Provider Sharing
- Supabase, Inc.: Backend database and infrastructure. Your data is stored on Supabase's US-based servers.
- Analytics providers: To help us understand app usage and improve the Service
- Email delivery providers: To send transactional and marketing communications
- Crash reporting providers: To identify and fix technical issues
5.3 Future Commercial Data Partnership Program
Goldfish intends to establish a commercial data partnership program in the future. Under that program, personal data — including Optional Profile Data such as academic major, GPA range, graduation year, career aspirations, post-graduation plans, and behavioral analytics — may be licensed, sold, or otherwise transferred to third-party commercial partners ("Data Partners").
By using the Service, you provide advance informed consent to this future data commercialization, subject to the following conditions:
- Notice: We will provide no less than 30 days' written notice to your registered email before the program becomes operational
- Opt-out window: During that 30-day period, you may update, restrict, or delete your Optional Profile Data, or delete your account entirely, before any monetization occurs
- Scope: We retain full discretion to determine the categories of Data Partners and the nature of data shared. The identity and categories of Data Partners will be described in the activation notice
- Minor exclusion: Optional Profile Data submitted by users under 18 will not be included in any commercial data partnership without verified parental consent, obtained separately at program launch
5.4 Aggregate and De-identified Data
Aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you individually may be shared with third parties at any time — including before the data monetization program launches — without advance notice.
5.5 Legal Disclosures
We may disclose your personal data to law enforcement, government agencies, or regulators when required by applicable law, subpoena, or court order; or when necessary to prevent fraud, protect safety, or enforce our Terms of Service.
5.6 Business Transfers
In connection with any merger, acquisition, asset sale, financing, or reorganization, your personal data may be transferred to the acquiring or successor entity. You will be notified via your registered email, and if the acquiring entity intends to use your data inconsistently with this Policy, you will have the opportunity to delete your account before the transfer takes effect.
Data Storage & Security
6.1 Infrastructure
Goldfish uses Supabase, Inc. as its primary backend database and infrastructure provider. Your personal data — including account information, session content, and Optional Profile Data — is stored and processed on Supabase's servers located in the United States. Supabase's privacy practices are available at supabase.com/privacy.
6.2 Security Measures
We implement commercially reasonable administrative, technical, and physical safeguards to protect your data from unauthorized access, alteration, disclosure, or destruction — including encryption in transit, access controls, and periodic security reviews. No method of electronic storage or transmission is completely secure, and we expressly disclaim any guarantee of absolute data security.
6.3 Breach Notification
In the event of a data breach that triggers applicable legal notification obligations, we will notify affected users in the manner and timeframe required by applicable law, via their registered email address.
Data Retention & Deletion
We retain your personal data for as long as your account is active, or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.
You may request deletion of your account and associated personal data at any time by contacting us at get.goldfish.focus@gmail.com or through the account deletion feature in the app.
Children & Minor Users
8.1 Minimum Age
The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from users under 13. If we obtain actual knowledge that a user is under 13, we will immediately suspend their account, cease data collection, and delete previously collected data to the extent technically feasible. Contact us at get.goldfish.focus@gmail.com if you believe a child under 13 has registered.
8.2 Users Ages 13–17
Users between 13 and 17 may only use the Service with verifiable parental or legal guardian consent. By permitting a minor to use Goldfish, the consenting parent or guardian accepts this Privacy Policy and our Terms of Service in full on the minor's behalf, including the forward-looking data monetization disclosure in Section 5.3.
8.3 Minor Data Monetization Exclusion
Optional Profile Data submitted by a user under 18 at the time of submission will not be included in any commercial data partnership or sold to third-party Data Partners without separate, affirmative, verifiable parental consent obtained at or before program activation. Aggregate and de-identified data from minor users may be used as described in Section 5.4 without parental consent.
8.4 Parental Rights
Parents and guardians may at any time: review personal information collected from their child; request correction of inaccurate information; request deletion of their child's account and associated data; or refuse further collection (subject to account termination). Contact us at get.goldfish.focus@gmail.com.
Your Rights
Depending on your jurisdiction, you may have the following rights. Contact get.goldfish.focus@gmail.com to exercise any of them. We will not discriminate against you for doing so.
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Correction | Request that we correct inaccurate or incomplete personal data |
| Deletion | Request deletion of your account and associated data, subject to retention obligations |
| Restriction | Request that we limit processing of your data in certain circumstances |
| Portability | Request a machine-readable copy of personal data you have provided to us |
| Objection | Object to processing of your data for direct marketing purposes at any time |
| Opt-out | Opt out of the future data partnership program during the 30-day notice window in Section 5.3, or by contacting us at any time |
| Withdraw consent | Withdraw previously given consent where processing is consent-based; withdrawal does not affect prior processing |
Cookies & Tracking Technologies
10.1 Mobile Tracking
As a mobile application, Goldfish does not use browser cookies. We use functionally analogous tracking technologies including:
- Apple IDFA: Used for analytics and future advertising measurement. Limit ad tracking via iOS Settings → Privacy & Security → Tracking.
- Supabase session tokens: Used to authenticate your account and maintain session state
- Analytics SDKs: Third-party tools that collect usage data as described in Section 3.3
10.2 App Tracking Transparency
In compliance with Apple's App Tracking Transparency framework, Goldfish will request your permission before accessing your IDFA for cross-app tracking. You may change this preference at any time in iOS Settings.
Third-Party Services
The Service may integrate with or link to third-party platforms that operate under their own privacy policies, which we do not control. Key third-party services currently in use:
- Supabase: supabase.com/privacy
- Apple: apple.com/privacy
International Users
Goldfish is operated in the United States. By using the Service, you consent to the collection, transfer, storage, and processing of your personal data in the United States, regardless of your country of residence.
If you are located in the European Economic Area or United Kingdom, please be aware that we transfer data internationally and that your use of the Service constitutes consent to such transfer. We do not currently maintain specific GDPR compliance infrastructure; if Goldfish expands to serve European users at scale, this Policy will be updated accordingly.
Policy Updates
We may update this Privacy Policy from time to time. For non-material changes, we will update the effective date and post the revised version at this URL. For material changes — including any changes to data monetization practices, data sharing arrangements, or your rights — we will provide at least 14 days' advance notice via your registered email address before the changes take effect.
Your continued use of the Service after the effective date constitutes acceptance of the changes. If you do not accept a material change, your remedy is to stop using the Service and delete your account.
Contact & Data Requests
For all privacy-related inquiries, data access or deletion requests, parental consent matters, or questions about this Policy:
Email: get.goldfish.focus@gmail.com
Mailing Address: 500 College Avenue, Swarthmore PA 19081
Attn: Legal — Goldfish / Tristan Choi
We aim to respond to all privacy requests within 30 days.
This Privacy Policy is governed by the laws of the Commonwealth of Pennsylvania, consistent with Goldfish's Terms of Service.