Welcome to Pippin. We respect your privacy and are committed to protecting your personal data. This policy explains what information we collect, why we collect it, which third-party services receive it, how long we keep it, and how you can delete it — in plain language, without legalese. If you have any questions, write to us at pippinaiteam@gmail.com.
1. What We Collect and Why
Pippin collects only the data necessary to provide you with an AI-powered scheduling experience. Below is every category of information we collect, the specific data points involved, and the reason each is needed.
| Category | Data collected | Purpose |
|---|---|---|
| Account info | Email address, display name, profile photo (optional) | Authentication and account management |
| Schedule & task data | Class names, assignments, deadlines, priorities, time blocks you create | Core app functionality — generating and displaying your schedule |
| AI prompt data | Tasks and preferences sent to the AI scheduling engine | Generating AI schedule suggestions via OpenRouter |
| Usage data | Monthly AI output token count (a numeric counter only) | Enforcing free-tier limits; no content is stored |
| Purchase history | Subscription status, entitlement level, transaction identifiers | Verifying Pippin Plus access via RevenueCat |
| Device identifiers | Anonymized Supabase user ID, anonymized RevenueCat app user ID | Linking your account and subscription across sessions |
| Diagnostic data | Anonymized crash reports and error logs (no schedule content) | Identifying and fixing bugs; improving stability |
We do not collect location data, contacts, photos, microphone or camera input, advertising identifiers (IDFA), or any health and fitness data.
2. AI Features & Third-Party AI Disclosure
Pippin's scheduling intelligence is powered by large language models accessed through OpenRouter (openrouter.ai), a third-party AI routing service. When you use an AI scheduling feature, Pippin sends your task data and scheduling preferences to a Supabase Edge Function, which forwards the request to OpenRouter. OpenRouter routes the request to an underlying language model (currently Google Gemini) to generate a schedule.
What is sent to OpenRouter: your task names, deadlines, priority levels, and scheduling preferences that you have entered into Pippin. No payment information, no device identifiers, and no data unrelated to your scheduling request is included.
Your data is never used to train generalized language models. OpenRouter processes your request ephemerally and does not retain prompt content after the response is returned. You can review OpenRouter's privacy practices at openrouter.ai/privacy.
Before your data is sent to OpenRouter for the first time, Pippin will present a clear consent prompt within the app describing this data flow. You may withdraw AI consent at any time in Settings → AI Features. Withdrawing consent disables AI scheduling suggestions; all other app features remain fully accessible.
All AI-generated scheduling suggestions are labeled as such within the app so you always know when content was produced by an AI model rather than calculated by Pippin directly.
3. No Sale of Personal Data
Our business model is built entirely on providing you with a premium scheduling tool via Pippin Plus subscriptions — not on monetizing your personal information.
We do not, and will never, sell your personal data, task information, schedules, or usage patterns to any third party. Your schedule is yours alone.
4. Authentication & Security
Pippin offers the following ways to create and access your account:
- Email / Password — your email and a hashed password stored in Supabase Auth. Signup requires email verification. Password resets use an 8-digit one-time code.
- Sign in with Apple — Apple's privacy-preserving login that lets you use a real or anonymous email address. Pippin only receives a name and email from Apple; no other Apple account data is accessed.
- Google OAuth — your Google account name and email are received via ASWebAuthenticationSession. No other Google account data is accessed.
All authentication tokens are stored securely in the iOS Keychain and auto-refresh 60 seconds before expiry. All data in transit between your device and Supabase is protected by TLS 1.2 or higher encryption.
5. Third-Party Services
Pippin integrates with the following third-party services. Each receives only the minimum data necessary for its function. Where applicable, links to their own privacy policies are included.
| Service | Data received | Purpose | Policy |
|---|---|---|---|
| Supabase | Account info, schedule data, token usage counter | Database, authentication, and edge functions | View Policy |
| OpenRouter | AI scheduling prompts (task names, deadlines, preferences) | Routing AI scheduling requests to language models | View Policy |
| RevenueCat | Anonymized app user ID, subscription status, transaction IDs | Managing Pippin Plus subscriptions and entitlements | View Policy |
| Apple App Store | Purchase records and transaction identifiers | Processing subscription payments | View Policy |
Each third-party service listed above is contractually bound to protect your data in a manner consistent with applicable privacy law and with the standards described in this policy.
6. Subscriptions & Billing
Pippin offers an optional Pippin Plus auto-renewable subscription. All payments are processed exclusively through Apple's In-App Purchase system — Pippin never sees, stores, or handles your payment card details.
RevenueCat receives your anonymized app user ID and Apple-issued transaction identifiers in order to verify your subscription status and unlock premium features. RevenueCat does not receive your name, email address, payment details, or schedule data.
Subscriptions auto-renew unless cancelled at least 24 hours before the end of the current billing period. You can manage or cancel your subscription at any time in iOS Settings → [Your Name] → Subscriptions. Cancelling stops future charges; access to Pippin Plus continues until the current period ends.
7. Data Retention
We retain your data only as long as necessary to provide the service:
- Account and schedule data — retained for as long as your account is active. Deleted within 30 days of account deletion.
- AI prompt data — not stored after the response is returned. OpenRouter processes requests ephemerally with no logging of prompt content.
- Token usage counters — reset at the start of each calendar month; deleted within 30 days of account deletion.
- Purchase history — RevenueCat retains anonymized transaction identifiers per their data retention policy. You may request deletion directly from RevenueCat at their account settings.
- Diagnostic crash logs — automatically purged after 90 days.
8. Account Deletion
You have the right to delete your Pippin account and all associated data at any time. Account deletion is available directly within the app — no emails, phone calls, or external forms are required.
To delete your account: open Pippin, go to Settings → Delete Account, confirm your intent, and your account and data will be permanently erased immediately.
When you delete your account, Pippin takes the following actions:
- All schedule, task, and profile data is deleted from Supabase within 30 days.
- Your Supabase authentication record is immediately revoked.
- If you signed in with Apple, your Sign in with Apple authorization token is revoked via Apple's REST API.
- Your anonymized RevenueCat user record is flagged for deletion per RevenueCat's data deletion process.
Important: If you have an active Pippin Plus subscription, deleting your account does not automatically cancel billing. Please cancel your subscription in iOS Settings → Subscriptions before or after deleting your account to avoid future charges.
9. Your Rights
Regardless of where you live, you have the following rights with respect to your personal data:
- Access — you may request a copy of all personal data Pippin holds about you.
- Correction — you may update your account email and display name at any time within the app.
- Deletion — you may delete your account and all associated data in-app (see Section 08).
- Portability — you may request an export of your schedule and task data in a structured format by emailing pippinaiteam@gmail.com.
- Withdrawal of AI consent — you may disable AI data sharing at any time in Settings → AI Features without deleting your account.
To exercise any of the above rights, contact us at pippinaiteam@gmail.com. We will respond within 30 days.
10. Children, Students & Minors
Pippin is designed for students of all levels, including high school students who may be under 18. We take the privacy of younger users seriously.
Pippin is not directed at children under the age of 13 and does not knowingly collect personal information from children under 13. If you are under 13, please do not use Pippin or submit any personal information. If we learn that we have inadvertently collected information from a child under 13 without verified parental consent, we will delete that data immediately. Please contact us at pippinaiteam@gmail.com if you believe this has occurred.
For users between the ages of 13 and 17: Pippin collects only the minimum data required to provide the scheduling service. We do not use your data for advertising, we do not sell your data, and all AI processing is limited to the scheduling tasks you choose to share. Parental guidance regarding data sharing with AI services is encouraged.
11. Analytics and Diagnostics
Pippin collects anonymized, aggregated crash reports and error logs to identify and fix bugs. This diagnostic data is collected using Apple's built-in crash reporting mechanisms and is processed internally — no third-party analytics SDK is integrated into Pippin.
Diagnostic data cannot be linked back to an individual user, does not include the content of your schedules or tasks, and is used solely for improving app stability. This data is automatically purged after 90 days.
Pippin does not use advertising SDKs, cross-app tracking, Apple's advertising identifier (IDFA), or any third-party analytics platform. The App Privacy Nutrition Label in the App Store reflects exactly what is described in this policy.
12. App Store Compliance
This privacy policy is designed to comply with the Apple App Store Review Guidelines, including Guideline 5.1.1 (Privacy — Data Collection and Storage) and Guideline 5.1.2(i) (Third-Party AI Data Sharing). Pippin is built exclusively for iOS 16.0 and later.
The Pippin App Privacy Nutrition Label in the App Store discloses the following data types as collected and linked to you: Contact Info (email, name), User Content (schedule and task data), Identifiers (user ID), and Purchases (subscription status). No data is declared as used for tracking.
13. Changes to This Policy
We may update this privacy policy from time to time to reflect changes to our practices, new features, or legal requirements. When we make a material change, we will update the Effective Date at the top of this page and notify you within the app. The most current version of this policy is always available at the URL where you found it.
Continued use of Pippin after a policy change constitutes your acceptance of the updated terms. If you disagree with any changes, you may delete your account at any time per Section 08.
14. Contact Us
If you have any questions about this Privacy Policy, want to exercise your data rights, or need to report a privacy concern, we'd love to hear from you.
For general privacy questions and data rights requests: pippinaiteam@gmail.com
For support with the app: pippinaiteam@gmail.com
We aim to respond to all privacy-related inquiries within 30 days.