Privacy Policy
https://adhd-buddy.nl/privacy. Enter this URL in the Google Play Console under
App content → Privacy policy.
1. Who We Are
ADHD Buddy ("we", "our", "us") is operated by [Your Company Name / Legal Entity], registered at [Your Address], The Netherlands. We build tools to support people with ADHD and autism in managing daily tasks, routines, focus, health, and emotional regulation.
Contact: privacy@adhd-buddy.nl
2. What This Policy Covers
This policy applies to the ADHD Buddy mobile application available on the Google Play Store and any associated backend services hosted at api.adhd-buddy.nl. It explains:
- What personal data we collect and why
- How data is stored and protected
- Who data is shared with
- Your rights and how to exercise them
- Specific rules for children under 16
3. Data We Collect
3.1 Account Data
| Data | Purpose | Required |
|---|---|---|
| Email address | Account creation, login, password reset | Yes |
| Name (display name) | Personalisation | Yes |
| Age group (child / teen / adult / senior) | Adapting UI and parental consent flow | Yes |
| Password (hashed, never stored in plain text) | Authentication | Yes |
3.2 App Usage Data (User-Generated)
| Data | Purpose |
|---|---|
| Tasks (title, priority, due date, completion status) | Core feature |
| Calendar events (title, date/time, category) | Core feature |
| Routines and routine steps | Core feature |
| Focus session logs (duration, interruptions) | Productivity tracking |
| Notes and documents | User content |
| Health reminders (medications, appointments) | Lifestyle support |
| Health logs (sleep, nutrition, exercise entries) | Lifestyle tracking |
| Mindfulness session history | Wellbeing support |
| Stress level logs | Emotional regulation support |
3.3 Caregiver Relationship Data
| Data | Purpose |
|---|---|
| Caregiver email address | Sending invitation link |
| Feature visibility preferences per caregiver | Access control |
| Caregiver access audit log (who viewed, when) | Transparency to user |
3.4 Technical Data
| Data | Purpose |
|---|---|
| JWT access token (stored in device secure storage) | Authentication sessions |
| Refresh token (stored in device secure storage) | Session renewal |
| Device-level offline data (SQLite via Drift) | Offline-first functionality |
| Sync metadata (entity versions, device ID) | Conflict resolution during sync |
| Debug API base URL override (dev builds only, stored in device secure storage) | Developer configuration |
3.5 Data We Do NOT Collect
- Location data
- Device contacts
- Camera or microphone data
- Advertising identifiers (IDFA / GAID)
- Biometric data
- Financial information
4. Legal Basis for Processing (GDPR)
| Data Category | Legal Basis |
|---|---|
| Account data | Contract (Art. 6(1)(b)) – necessary to provide the service |
| App usage data | Contract (Art. 6(1)(b)) |
| Health and lifestyle logs | Explicit consent (Art. 9(2)(a)) – health data is a special category |
| Caregiver access | Consent (Art. 6(1)(a)) – user explicitly enables per-feature |
| Children's data (under 16) | Parental consent (Art. 8 GDPR / COPPA) |
| Audit logs | Legitimate interest (Art. 6(1)(f)) – security and transparency |
5. Children's Privacy
5.1 Age Groups and Controls
ADHD Buddy serves users across age groups. We apply additional protections based on age:
Children (under 13)
- Parental/guardian consent is required before account creation
- Parent or guardian must complete consent during the signup flow
- Caregiver access is ON by default and cannot be disabled by the child
- Data is limited to core task and routine features only
- COPPA-compliant data handling applies
Teens (13–17)
- Parental consent is required
- Users control which features are visible to caregivers (opt-in per feature)
- At age 18, caregiver access is automatically revoked unless the adult re-enables it
Adults (18+)
- Full autonomy over all data and caregiver access
- Caregiver visibility is OFF by default for all features
5.2 Parental Rights
Parents and guardians of children under 16 may at any time:
- Review the data collected about their child
- Request correction or deletion of their child's data
- Withdraw consent, which will result in account deletion
- Contact us at privacy@adhd-buddy.nl
6. How Data Is Stored and Protected
6.1 Local Storage
- App data is stored locally on your device using SQLite (via Drift)
- Tokens are stored in your device's secure storage (Android Keystore / iOS Keychain)
- Local data remains on your device even while offline
6.2 Server Storage
- Data is synced to our backend server hosted in the EU
- Passwords are hashed using bcrypt and never stored in plain text
- All API communication uses HTTPS/TLS
- JWT tokens expire; refresh tokens are rotated on use
6.3 Security Measures
- Role-based access control at API level
- Caregiver accounts have read-only access; they cannot create, edit, or delete your data
- All caregiver access is logged and visible to the primary user
- We conduct regular security reviews against OWASP Top 10
7. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data.
We may share data in limited circumstances:
| Recipient | Reason | Data Shared |
|---|---|---|
| Hosting provider (EU-based) | Server infrastructure | Encrypted data at rest |
| Caregiver (invited by you) | You explicitly grant access | Only features you enable |
| Legal authorities | Legal obligation | Minimum required by law |
We do not use third-party advertising SDKs. We do not share data with analytics companies, data brokers, or advertisers.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and usage data | Retained for the lifetime of your account |
| Health logs and notes | Retained until you delete them or delete your account |
| Caregiver audit logs | Retained for 12 months, then automatically deleted |
| Deleted account data | Permanently deleted within 30 days of account deletion request |
| Backups | Purged within 60 days of deletion request |
9. Your Rights (GDPR)
You have the following rights regarding your personal data:
| Right | How to Exercise |
|---|---|
| Access – see all data we hold about you | Email privacy@adhd-buddy.nl or use in-app export (Settings → Export my data) |
| Rectification – correct inaccurate data | Update in-app via Settings → Profile |
| Erasure – delete your account and all data | Settings → Account → Delete Account, or email us |
| Portability – receive your data in machine-readable format | Email privacy@adhd-buddy.nl |
| Objection – object to processing based on legitimate interest | Email us |
| Withdraw consent – for health data or caregiver access | In-app toggles, or email us |
| Lodge a complaint – with a supervisory authority | Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl |
We respond to all rights requests within 30 days.
10. Sensitive Data – Health and Wellbeing
ADHD Buddy may collect health-related information such as:
- Medication reminders and adherence logs
- Sleep, nutrition, and exercise entries
- Stress levels and emotional state logs
This data is classified as special category data under GDPR Article 9. We only process it with your explicit consent, which you provide when you first use these features. You can withdraw this consent at any time by deleting your health data and disabling the relevant features.
11. Caregiver Access
Caregiver features work as follows:
- You invite caregivers by sending them a link – they cannot add themselves
- You control which features (tasks, routines, calendar, notes, focus sessions) each caregiver can see
- Caregivers have read-only access – they cannot modify your data
- You can see when a caregiver viewed your data (audit log)
- You can revoke caregiver access at any time from Settings → Caregiver Access
- Caregivers are not notified when you revoke their access
12. Data Transfers Outside the EU
Our primary servers are located in the EU. If any data processing occurs outside the EU (e.g., via infrastructure providers), we ensure appropriate safeguards are in place such as EU Standard Contractual Clauses (SCCs).
13. Changes to This Policy
We will notify you of material changes to this policy via:
- An in-app notification
- Email to your registered address (for significant changes)
The updated policy will display the new "Last updated" date at the top. Continued use of the app after changes constitutes acceptance.
14. Contact
For any privacy-related questions or to exercise your rights:
- Email: privacy@adhd-buddy.nl
- Postal: [Your Company Name], [Address], The Netherlands
- Data Protection Officer (if applicable): [DPO name/contact]