Privacy Policy

Last updated: May 16, 2026 · Version 2.0

1. Data Controller

Ferro is developed and operated by an individual developer based in Italy. For any questions regarding data protection, you can contact us at: ferroai@gmail.com

This privacy policy is provided in accordance with Art. 13 of EU Regulation 2016/679 (General Data Protection Regulation — GDPR).

2. How Ferro Stores Your Data

Ferro works in two modes. You choose which one by deciding whether to sign in.

2.1 Anonymous mode (no sign-in)

If you never sign in, nothing leaves your device. All timers, preferences, memory, and history live in local storage on your iPhone and are deleted when you uninstall the app. The only exception is the AI text-creation flow described in §2.3.

2.2 Signed-in mode (Sign in with Apple)

If you choose to sign in with Apple, Ferro creates an account that syncs your data across your devices and enables AI-driven personalization. We then collect and store the following on our servers (hosted by Supabase, see §4):

  • Account identifier: a Supabase user UUID derived from your Apple ID. If you choose to share them, your email address and display name from Apple Sign-in are also stored.
  • Preferences: language, theme, voice intensity, comment frequency, personality style, notifications setting.
  • Memory ("what Ferro knows about you"): short string facts you tell Ferro to remember, plus facts inferred from your activity (see §2.5).
  • Timer history: one row per timer you start — type, label, optional natural-language prompt, duration, completion outcome, device locale, app version.
  • Stats: streak, total focused time, lifetime sessions, unlocked themes.

You can sign out at any time — data stays in the cloud but stops syncing to that device. You can delete everything via Profile → Privacy & Legal → Delete my account (see §6).

2.3 AI text processing (both modes)

When you create a timer using voice or natural-language input ("set a 25-minute focus timer"), your text is sent through a secure proxy to a third-party large language model (currently DeepSeek via OpenRouter, see §4) for natural-language understanding. The text is processed in real time, used only to produce the timer, and is not persisted by us or the model provider beyond the duration of the request.

2.4 Subscriptions (both modes)

If you subscribe to Ferro Premium, billing is handled entirely by Apple through the App Store — we never see or store your payment information. Subscription state (active / inactive / expiry) is tracked by RevenueCat (see §4) using an opaque, pseudonymous device identifier.

2.5 AI inference / "Learning" (signed-in mode only, opt-out available)

Once per night, our server analyzes the recent timer history of signed-in users and writes back summaries and inferred patterns ("Francesco usually does focus blocks in the morning"). The summarization is performed by the same third-party LLM described in §2.3.

You can disable this entirely at any time via Profile → Privacy & Legal → Let Ferro infer things about me. When disabled, your timer history is no longer sent to the model and no inferred facts are produced.

2.6 Website (ferroai.app)

  • Contact form submissions: name, email address, and message content — collected only when you voluntarily submit the contact form.
  • No cookies, no analytics: this website uses no cookies, no Google Analytics, no Meta Pixel, no third-party tracking.
  • Fonts: all fonts are self-hosted. No external font requests.

3. Purpose & Legal Basis

| Data | Purpose | Legal Basis |
|---|---|---|
| Contact form data | Respond to your inquiry | Consent — Art. 6(1)(a) GDPR |
| AI text input (timer creation) | Convert natural language into a timer | Performance of contract — Art. 6(1)(b) GDPR |
| Account, preferences, memory, history, stats | Cross-device sync; provide the signed-in experience | Performance of contract — Art. 6(1)(b) GDPR |
| Inferred memory (nightly job) | Personalize Ferro to your patterns | Consent — Art. 6(1)(a) GDPR (opt-out toggle) |
| Product analytics (Mixpanel) | Aggregate metrics to improve the app | Legitimate interest — Art. 6(1)(f) GDPR |
| Subscription state (RevenueCat / Apple) | Verify Premium entitlement | Performance of contract — Art. 6(1)(b) GDPR |

4. Third-Party Processors

We use the following sub-processors. All transfers to the United States are governed by the EU-US Data Privacy Framework or Standard Contractual Clauses where applicable.

| Service | Role | Location |
|---|---|---|
| Supabase Inc. | Account auth, database (memory, timer history, stats) | EU (Ireland) |
| OpenRouter Inc. / model providers (DeepSeek) | LLM inference (timer creation prompts, nightly digest) | USA / Singapore |
| Apple Inc. | Sign in with Apple, App Store billing, on-device TTS | USA / Ireland |
| RevenueCat Inc. | Subscription state tracking | USA |
| Superwall Inc. | Paywall presentation (no PII, only event names) | USA |
| Mixpanel Inc. | Product analytics (aggregated, pseudonymous) | EU (residency-set) |
| Vercel Inc. | Hosting for ferroai.app website only | USA |

We do not sell, rent, or share your personal data with third parties for marketing purposes.

5. Data Retention

  • Anonymous on-device data: kept on your device until you uninstall the app.
  • Signed-in cloud data: retained for as long as your account exists. Deleted within 30 days of account deletion (see §6).
  • Timer creation text (LLM prompts): processed in real time, not stored.
  • Nightly digest LLM calls: model providers do not retain prompt/response data per their data processing agreements.
  • Contact form data: retained as long as necessary to respond, deleted after the conversation ends. Maximum: 12 months.
  • Subscription state: retained for as long as the subscription is active, plus what Apple/RevenueCat require for billing audits.

6. Deleting Your Account

You can permanently delete your Ferro account and all associated data directly from inside the app:

  1. Open Profile → Privacy & Legal.
  2. Tap Delete my account.
  3. Confirm via the Apple system prompt.

This action:

  • Revokes the Sign in with Apple token so Ferro stops appearing in Settings → Apple ID → Apps Using Apple ID on your iPhone.
  • Deletes your row in our database, which cascades to your preferences, memory, timer history, session digests, and inferred patterns (within 30 days).
  • Wipes the local copy of your data on the current device.

Anonymous users (never signed in) have no cloud data to delete — uninstalling the app removes everything.

7. Your Rights

Under the GDPR, you have the right to:

  • Access — get a copy of your data (in-app: Profile → Privacy & Legal → Export my data, returns a JSON file)
  • Rectify — edit or correct your memory and preferences directly from inside the app
  • Erase — see §6, "Deleting Your Account"
  • Restrict processing — disable AI inference via Profile → Privacy & Legal → Let Ferro infer things about me
  • Data portability — the Export action returns your data in JSON
  • Object to processing based on legitimate interest (e.g., Mixpanel analytics) — write to us
  • Withdraw consent at any time without affecting the lawfulness of processing before withdrawal

For requests not actionable from inside the app, contact us at ferroai@gmail.com. We respond within 30 days.

8. Children

Ferro is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

9. Security

All data in transit is encrypted via TLS. Cloud data is protected by Supabase's Row-Level Security policies — every row is gated on your Apple-derived user ID, so even with our database keys, no user can read another user's rows. Production secrets (API keys, signing keys) are stored outside the app binary and rotated when compromised.

10. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Italian Data Protection Authority:

Garante per la protezione dei dati personali

Piazza Venezia 11, 00187 Roma, Italy

Website: www.garanteprivacy.it

Email: garante@gpdp.it

11. Changes to This Policy

We update this privacy policy when the app's data practices change. Any update bumps the version number and the "last updated" date at the top. Material changes — anything that adds a new data category, new third party, or a new purpose — will also trigger an in-app notice the next time you open Ferro.

Version 2.0 (May 16, 2026) — major update: introduces optional cloud sync via Sign in with Apple, the nightly AI inference job (opt-out), in-app account deletion, and discloses Supabase, OpenRouter/DeepSeek, RevenueCat, Superwall, and Mixpanel as sub-processors.