Effective date: 2026-05-23
Reading Pal is a reading tracker and pomodoro timer app operated by Darren Lin (solo developer, Taiwan). This Policy explains what personal data we collect when you use Reading Pal on Android or iOS, why we collect it, who we share it with, and the rights you can exercise over it.
This Policy applies to the Reading Pal mobile application and the backend API that supports it. It does not apply to third-party services you may link (e.g., Google) — those are governed by their own privacy policies.
| Field | Source | Purpose |
|---|---|---|
| Email address | You (at registration) or Google OAuth | Account identity, login, account-recovery emails |
| Display name | You or Google OAuth | Shown in-app |
| Avatar URL | Google OAuth (if applicable) | Profile picture |
| Password hash (bcrypt) | You (email+password registration only) | Authentication — we never see or store your plaintext password |
| Locale + timezone | Set at registration | UI localisation; correct notification delivery times |

sub), email, email_verified flag, and the raw id_token payload for verification audit. Retained at most until account deletion.

| Field | Purpose |
|---|---|
| Anonymous device ID (UUID generated on-device) | Ties push tokens and sessions to a device without linking to your phone's hardware identifier or IMEI |
| FCM push token (Firebase Cloud Messaging) | Lets us deliver push notifications to your device |
| App version + OS version | Crash diagnostics; compatibility checks |
Each request to our backend logs:
We do not log request bodies in production.
We maintain an audit log for four event types only: deletion_requested, deletion_cancelled, deletion_executed, and export_requested. For each event we record:
These records survive your account deletion and are kept for 6 months after execution to demonstrate that we honored your request. They contain no book notes or reading content. After hard delete, the surviving records contain no PII — only event type, timestamp, and a numeric ID.
When the app crashes or the backend encounters an error, we send a report to Sentry containing:
We explicitly do not send: your email address, display name, IP address, request body, cookies, refresh tokens, or any free-text note content.
Sentry retains these reports for 7 days (free tier default). Sentry data is hosted in the EU region (de.sentry.io). See Section 4 for Sentry's processor details.
| Purpose | Data used |
|---|---|
| Provide the service — sync library across devices, track sessions, compute reading statistics | Sections 2(a), 2(c), 2(h), 2(i) |
| Authentication and account security (token rotation, session invalidation) | Sections 2(a), 2(b), 2(d) |
| Push notifications (strictly opt-in per type — see Section 10) | Section 2(d) FCM token |
| Crash diagnostics and service reliability | Section 2(g) |
| Security — rate-limiting by IP and device, fraud detection on auth flows, defense against credential stuffing | Sections 2(d), 2(e) |
| Demonstrating compliance with deletion / export requests | Section 2(f) |
Planned future use — in-app advertising: Once Reading Pal is publicly launched and stable, we plan to introduce Google AdMob advertising. When we do, this Policy will be updated 30 days in advance. Data shared with AdMob will be limited to the Android Advertising ID and contextual data (e.g., app category). We will not share your account data, email, display name, or reading content with advertisers.
| Provider | Role | Data Shared | Region |
|---|---|---|---|
| Google (OAuth) | Sign in with Google | Standard OpenID Connect claims (sub, email, name, picture) | Global |
| Google Firebase Cloud Messaging (FCM) | Push notification delivery | FCM registration token; push notification title and body | Global |
| Google Play | App distribution and licensing | Standard install metadata (no reading data) | Global |
| Sentry (Functional Software, Inc., US; data hosted EU) | Crash and error monitoring | See Section 2(g) — stack trace, numeric user ID, version, path | EU |
| Apple / APNs | iOS push delivery (only when iOS version launches — currently Android-only) | FCM token equivalent (APNs device token) + push payload | Global |
| (Future) Google AdMob | In-app advertising | Android Advertising ID + contextual data | Global |
We do not sell personal data to any third party, ever.
All your account, library, and reading data is stored in DigitalOcean's Frankfurt (EU) data center (region: FRA1). EU users' data does not leave EU territory.
Sentry crash reports also use Sentry's EU region (de.sentry.io).
Some sub-processors (Google, AdMob) operate globally and may move data between regions for service reliability per their own privacy terms.
You can exercise most rights directly in the app without emailing us.
| Right | How to exercise |
|---|---|
| Access | Settings → Account → "Export my data" — produces a full JSON export, typically within minutes; may take up to 24 hours for large libraries |
| Rectification | Settings → Profile — edit display name and other profile fields directly |
| Erasure (deletion) | Settings → Account → "Delete account" — starts a 30-day grace period. Log back in during those 30 days to cancel. After 30 days, all personal data is permanently deleted from our database (audit log retained 6 more months per Section 2(f)). |
| Portability | Same JSON export as Access |
| Restriction | Email us (Section 12) |
| Object to marketing | Settings → Notifications → "Marketing push" — toggle off (default: off) |
EU / EEA users: you also have the right to lodge a complaint with your national supervisory authority (e.g., your country's data protection authority).
Taiwan users: rights are grounded in the Personal Information Protection Act (個人資料保護法, PIPA).
We will respond to requests within 30 days of receipt.
Reading Pal is not directed at children under 13. We do not knowingly collect personal data from users under 13. If you believe a child has created an account, email us at tn08869679@gmail.com and we will delete the account.
Reading Pal is a mobile app — there are no web cookies. We use these identifiers:
| Identifier | Type | Purpose | Resettable? |
|---|---|---|---|
| Device ID | Anonymous UUID, generated locally on first launch | Sessions, push routing — no link to hardware ID | Yes — uninstalling the app generates a new one |
| FCM token | Assigned by Firebase | Push notification delivery | Yes — Firebase refreshes it periodically; also cleared on logout |
| Android Advertising ID | Google (future, only if AdMob enabled) | Ad targeting | Yes — Settings → Google → Ads → Reset Advertising ID |

| Data category | Retention period |
|---|---|
| Account, library, reading sessions, settings, achievements, points | Active until you delete your account + 30-day grace period, then hard-deleted |
| Audit log (deletion/export event records — no personal reading content) | Event type + timestamp + numeric user ID survive for 6 months after execution; IP, device ID, and user-supplied reason are NULL'd at hard delete |
| Server access logs (IP, request metadata) | 30 days, then automatic rotation |
| Crash reports (Sentry) | 7 days (Sentry free tier default) |
| Refresh token records | Until the token expires or is explicitly revoked |
Marketing push notifications default to OFF. You opt in explicitly: Settings → Notifications → "Marketing push". You can turn them off at any time in the same place.
We do not send marketing emails.
Material changes (new data category, new sub-processor, expanded use of existing data) are announced via an in-app banner 30 days before taking effect. The updated version is dated.
Minor edits (typo fixes, clarifications that don't affect your rights) take effect immediately without prior notice.
Pre-disclosed upcoming changes:
For privacy questions, complaints, or requests we cannot handle in-app:
We aim to respond within 30 days.
| Version | Date | Summary |
|---|---|---|
| 1.0 | 2026-05-23 | Initial release |