Privacy Policy
To-Be-Determined
Operated by Curiosity Bit LLC
Effective Date: April 5, 2026
Last Updated: April 5, 2026
1. Introduction
Welcome to To-Be-Determined, operated by Curiosity Bit LLC ("Company," "we," "our," or "us"). We are committed to protecting the privacy of you and your family. This Privacy Policy explains what information we collect, how we use and share it, and the choices you have with respect to your data.
To-Be-Determined is a mobile application designed for parents and caregivers to log daily baby care activities, track developmental milestones, and support parental wellness. It is a personal record-keeping and wellness tool — not a medical device, diagnostic tool, or clinical service. It does not provide medical advice, diagnosis, or treatment of any kind.
Because the data you entrust us with is deeply personal — involving your child's daily life and your experience as a parent — we treat it with the utmost care and implement robust security measures to protect it.
Please read this policy carefully. By using To-Be-Determined, you agree to the practices described here.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address — used to create and authenticate your account.
- Password — stored securely via our authentication provider (Supabase); we never store your password in plaintext. Passwords are cryptographically hashed using industry-standard algorithms.
- Display name — the name you choose to associate with your account (e.g., "Mom," "Dad," or your first name).
2.2 Baby Profile Information
When you create a baby profile, you provide:
- Baby's name
- Date of birth
- Sex
2.3 Daily Caregiving Logs
As you use the app, you may log the following everyday caregiving activities. This data is recorded by you for your own personal reference and is not used for any medical, diagnostic, or analytical purpose by us.
Feeding Logs
- Feeding type (breastfeeding, bottle, solids, vitamin drops)
- Duration, quantity, breast side, food items, textures, and reactions
- Timestamps and optional notes
Diaper Logs
- Diaper type, amount, consistency, and color
- Optional photos (for personal reference)
- Timestamps and optional notes
Sleep Logs
- Sleep start and end times, duration
- Timestamps
Pumping Logs
- Pumping start/end times, duration, and quantity
- Timestamps and optional notes
Activity Logs
- Activity type (tummy time, bath, rolling over, etc.) and custom activities
- Optional photos
- Timestamps and optional notes
Growth Logs
- Height, weight, and head circumference
- Measurement units and dates
2.4 Medical Reference Notes
You may optionally log the following information for your own personal record-keeping. This data may constitute health-related information under certain privacy laws and is subject to additional protections described in Section 2.7.
- Doctor visit notes — your personal notes about healthcare appointments
- Vaccine records — records of vaccinations your child has received
- Illness logs — notes about symptoms or illnesses
- Medication records — notes about medications administered
- Dates and optional notes
Important: To-Be-Determined stores these notes exactly as you enter them. We do not interpret, analyse, validate, or act on this information in any way. It is stored solely for your personal reference. We do not use this data to generate medical advice, diagnoses, or recommendations. You should always verify medical information with a licensed healthcare provider.
2.5 Parental Wellness Data
The "You" tab allows you to optionally log:
- Daily mood (a five-level personal wellness check-in)
- Daily wins (self-care activities such as showering, fresh air, asking for help)
This is a personal self-reflection feature. It is not a mental health assessment, diagnostic tool, or clinical screening instrument. This information is private to your account.
2.6 Moments & Photos
You may upload photos to create memory records ("Moments"). Photos are stored securely in cloud storage. First-time developmental milestones (e.g., baby's first roll) may be automatically saved as Moments.
2.7 How We Classify Your Data Under Privacy Laws
To-Be-Determined collects two broad categories of personal data:
| Category | Examples | Classification |
|---|---|---|
| Everyday caregiving logs | Feeding times, sleep duration, diaper counts, activity logs, growth measurements, mood check-ins, daily wins | General personal data. This is routine parenting activity information logged for your convenience. |
| Medical reference notes | Vaccine records, illness logs, medication records, doctor visit notes | May constitute health data or sensitive personal information under certain privacy laws (e.g., GDPR Article 9, CPRA, Virginia VCDPA). Subject to additional protections. |
For medical reference notes that may qualify as health data under applicable law, we rely on your explicit consent as the legal basis for processing, which you provide when you voluntarily enter this information into the app. You may withdraw your consent at any time by deleting the relevant records or your account (see Section 6).
For everyday caregiving logs, we process this data as general personal data under the legal bases described in Section 11.
2.8 Usage and Technical Data
We may automatically collect limited technical information, including:
- Device type and operating system version
- App version
- Crash and error logs (used solely to diagnose and fix bugs)
- App performance metrics (used solely to improve the App)
We do not collect precise location data, track you across other apps, use device fingerprinting for advertising, or collect data from other apps on your device.
3. How We Use Your Information
We use the information collected to:
- Provide core functionality — Store and sync your logs across your devices and with authorized caregivers.
- Enable caregiver collaboration — Allow you to invite trusted caregivers to view or contribute to your baby's logs under role-based access controls.
- Display patterns and summaries — Generate charts and summaries of feeding, sleep, growth, and activity data for your personal reference. These visualizations are simple data displays — they do not constitute medical analysis, diagnosis, or clinical advice.
- Authenticate your identity — Verify your account and protect against unauthorized access.
- Send in-app notifications — Deliver reminders or wellness prompts you have enabled within the app.
- Maintain and improve the app — Diagnose crashes, fix bugs, and improve performance using anonymized technical data.
- Process subscriptions — Manage your premium subscription through Apple's In-App Purchase system.
- Respond to support requests — Process and respond to your support inquiries and data requests.
- Comply with legal obligations — Process data as necessary to comply with applicable laws, regulations, court orders, or governmental requests.
We do NOT:
- Use your personal data for advertising or marketing by third parties.
- Sell, rent, or trade your personal data to any third party for any purpose.
- Use your data to train AI, machine learning models, or algorithms.
- Perform automated decision-making, profiling, or diagnostic analysis on your data.
- Share your data with data brokers, analytics companies, or advertising networks.
4. Sharing Your Information
We share your information only in the following limited circumstances:
4.1 With Caregivers You Invite
You control who has access to your baby's data. When you send a caregiver invitation, the invited person's email address is used to match their account. Accepted caregivers can view and (depending on their role) add or edit records. You can revoke caregiver access at any time.
Caregiver roles and permissions:
- Owner — Full access, including managing caregivers.
- Parent — Can add, edit, and delete all records.
- Caregiver — Can view all records and add their own; cannot delete records.
You are solely responsible for whom you invite and for revoking access when appropriate.
4.2 With Our Service Providers
We use Supabase (a U.S.-based cloud infrastructure provider) to store your data securely in a managed PostgreSQL database and file storage system. Supabase processes data on our behalf and is contractually obligated to protect it in accordance with a Data Processing Agreement (DPA).
Supabase's infrastructure runs on Amazon Web Services (AWS). AWS provides physical security, network isolation, and infrastructure monitoring for the servers that host your data.
We do not share your data with any other third-party service providers for data storage, processing, marketing, or advertising purposes.
4.3 Apple In-App Purchases
Subscription purchases are processed by Apple. We receive only a confirmation of your purchase status (subscription tier and expiration). Apple's privacy policy governs their collection of payment information. We do not receive, process, or store your payment card details.
4.4 Legal Requirements
We may disclose information if required by law, court order, subpoena, or governmental authority, or if we believe in good faith that disclosure is necessary to:
- Comply with a legal obligation.
- Protect the rights, property, or safety of Company, our users, or the public.
- Prevent fraud, security threats, or technical issues.
- Enforce our Terms of Use.
Notice to Users: Where legally permitted, we will endeavor to notify you before disclosing your data in response to a legal request, so you may seek a protective order or other remedy. We will not provide such notice where we are legally prohibited from doing so or where doing so would create a risk of harm.
4.5 Business Transfers
If To-Be-Determined or Curiosity Bit LLC is acquired, merged, or its assets are transferred, your data may be transferred as part of that transaction. We will:
- Notify you of any such change via email and/or in-app notice at least 30 days before the transfer.
- Give you the opportunity to export and delete your data before the transfer is completed.
- Require the acquiring entity to honor the commitments in this Privacy Policy or provide you with notice of any material changes.
5. Data Storage and Security
5.1 Storage Location
Your data is stored on Supabase servers located in the United States, running on Amazon Web Services (AWS) infrastructure. If you are located outside the United States, please be aware that your information will be transferred to and processed in the U.S.
For users located in the European Economic Area (EEA) or the United Kingdom, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the lawful mechanism for transferring personal data to the United States (see Section 11 for more details).
5.2 Security Measures and Data Protection
We implement comprehensive, industry-standard security measures to protect your personal information:
(a) Encryption:
- Encryption in transit — All data transmitted between your device and our servers is encrypted using HTTPS/TLS 1.2 or higher.
- Encryption at rest — All data stored on Supabase/AWS servers is encrypted at rest using AES-256 encryption.
- Key management — Encryption keys are managed by Supabase/AWS key management services and are not directly accessible to Company personnel.
(b) Access Controls:
- Row-level security (RLS) — Database-level access controls ensure you can only access data you are authorized to see. Your baby's records are never accessible to other users who are not explicitly invited by you.
- Role-based access control — Company personnel have access to user data only when strictly necessary to resolve support requests or technical issues, and only with appropriate authorization.
- Signed URLs — Photos and file downloads are accessed via time-limited, signed URLs that expire after one hour and cannot be shared or reused.
- Secure authentication — Passwords are cryptographically hashed and managed by Supabase Auth; we never store, view, or have access to your plaintext password.
(c) Infrastructure Security:
- Supabase hosts data on AWS infrastructure with physical security, network isolation, and continuous infrastructure monitoring.
- Regular security patches are applied to server infrastructure.
- DDoS protection and intrusion detection systems are active.
(d) Monitoring and Audit:
- We log data access events for security audit purposes.
- Suspicious access patterns are monitored and investigated.
- Audit logs are retained for security analysis.
(e) Local Device Security:
- A limited cache is stored on your device to enable offline access. This cache is managed by iOS sandboxing and is not accessible to other apps.
(f) Limitations of Security:
Despite these measures, no method of electronic transmission or storage is 100% secure or impenetrable. We cannot guarantee that your personal information will never be accessed, disclosed, altered, or destroyed by unauthorized parties. Security risks that exist despite our measures include but are not limited to:
- Zero-day exploits or previously unknown vulnerabilities in third-party software or infrastructure
- Advanced cyberattacks, including nation-state level threats
- Insider threats at Company, Supabase, or AWS
- User account compromise resulting from weak passwords, credential reuse, phishing, or device theft
You are responsible for maintaining the security of your account credentials, using a strong unique password, and keeping your device secure. We encourage you to enable any available device-level security features (passcode, biometrics).
5.3 Data Breach Notification and Response
In the event of a personal data breach affecting your information, Company will take the following steps:
(a) Internal Response:
- Notify Company leadership and initiate incident response procedures immediately upon discovery.
- Engage appropriate technical resources to investigate the breach, determine its scope, and contain the incident.
(b) User Notification:
- Notify affected users by email within 72 hours of confirming the breach (or as soon as the investigation permits identification of affected users).
- Notification will include: what data was compromised; when the breach likely occurred; what steps Company is taking to address the breach; and recommended steps you should take to protect yourself.
(c) Regulatory Notification:
- GDPR (EU/UK Users): Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects, as required by GDPR Article 33.
- CCPA (California Users): Notify the California Attorney General if the breach affects more than 500 California residents, as required by California Civil Code § 1798.82.
- Other State Laws: Comply with all applicable state-specific breach notification laws and timelines.
(d) Remediation:
- Promptly patch the vulnerability or address the root cause of the breach.
- Conduct a security review to identify similar vulnerabilities.
- Implement additional security controls as needed to prevent recurrence.
- Where the breach involves financial data or government identification numbers, provide information about credit monitoring resources to affected users.
(e) Transparency:
- Company will provide ongoing updates to affected users about the status of the investigation and remediation efforts as appropriate.
5.4 Data Retention, Deletion, and User Rights
(a) Data Retention During Active Account:
While your account is active, we retain all user-entered data to provide the Service. Data is retained as long as your account remains active and as long as necessary to fulfill the purposes stated in this Privacy Policy.
(b) Account Deletion:
You may delete your account at any time through the App (Settings > Account > Delete Account). Account deletion is permanent and irreversible. Upon deletion:
- All user-entered data (health records, medical notes, photos, personal information) is deleted from production systems within 30 days.
- Backup copies are purged within 90 days.
- Company cannot recover deleted data after this period.
- Company retains only the minimum metadata required for legal compliance (e.g., account creation date for tax and financial reporting purposes) for up to 7 years as required by applicable law.
(c) Individual Record Deletion:
You may delete individual records, baby profiles, or specific data entries at any time within the App. Deleted records are removed from production systems within 30 days and from backups within 90 days.
(d) Data Export and Portability:
You may export your data using the App's "Export Data" feature (Settings > Export Data). Exports include all user-entered data in a portable format. You may also request a data export by emailing privacy@curiositybitllc.com. Export requests are processed within 14 business days at no charge.
Company strongly recommends exporting your data regularly — at minimum once per month — to maintain your own backup copies.
5.5 Data Retention Schedule
| Data Type | Retention Period | Purpose |
|---|---|---|
| User-entered caregiving logs | Until record or account deletion | Service provision |
| Medical reference notes | Until record or account deletion | Service provision |
| Photos and Moments | Until record or account deletion | Service provision |
| Account information (name, email) | Up to 7 years after account deletion | Legal/tax compliance |
| Backup copies | 90 days after deletion | Disaster recovery |
| Audit and access logs | 1 year | Security auditing |
| Crash reports and technical logs | 30 days | Bug fixing and performance |
| Subscription/purchase records | As required by applicable law (up to 7 years) | Financial reporting |
6. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal data:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of the personal data we hold about you. | Use Export Data in App, or email us. |
| Correction | Update or correct inaccurate data. | Edit directly in the App, or contact us. |
| Deletion | Delete specific records, baby profiles, or your entire account. | Delete in App, or email us. |
| Portability | Receive your data in a portable, machine-readable format. | Use Export Data in App. |
| Restriction of Processing | Request that we limit the processing of your data in certain circumstances. | Email us. |
| Right to Object | Object to processing based on legitimate interests. | Email us. |
| Withdrawal of Consent | Withdraw consent for any consent-based processing at any time, including wellness tracking, photo uploads, and medical reference notes. Withdrawal does not affect the lawfulness of prior processing. | Delete relevant records in App, delete account, or email us. |
| Opt-out of notifications | Disable in-app notifications. | Device Settings. |
Response Timeline: We will acknowledge your request within 10 business days and respond substantively within 30 calendar days (or 45 days for complex requests, with written notice of the extension).
Verification: For security purposes, we may need to verify your identity before processing certain requests. We will ask you to confirm information associated with your account.
Appeals: If we deny your request, we will explain the reason. You may appeal by emailing privacy@curiositybitllc.com with "APPEAL" in the subject line. We will review the appeal and respond within 30 calendar days.
To exercise any right not available directly in the app, please contact us at the address below.
7. Children's Privacy
To-Be-Determined is designed for parents and caregivers — adults who track information about infants and young children. The app is not directed at children, and we do not knowingly collect personal information directly from children under the age of 13 (or the applicable age in your jurisdiction).
The data you log about your baby (name, birthdate, daily care logs) is entered by you as the parent or guardian and is subject to your account's privacy settings. You are responsible for ensuring that any caregiver you invite handles this information responsibly.
If you believe a child under 13 has created an account without parental consent, please contact us immediately and we will take steps to investigate and remove the account and associated data within 48 hours of verification.
COPPA Compliance: We comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect, use, or disclose personal information from children under 13 without verifiable parental consent. Parents or guardians who believe their child's information has been collected without consent may contact us to request deletion.
8. Device Permissions
To-Be-Determined requests the following device permissions:
| Permission | Purpose |
|---|---|
| Camera | Taking photos of diaper changes or activities for personal record-keeping. |
| Photo Library | Selecting existing photos to attach to diaper records, activity records, or Moments. |
We do not request access to your contacts, location, microphone, health data (Apple HealthKit), or any other sensitive device capability beyond what is listed above. You may revoke permissions at any time through your device's Settings app. Revoking permissions may limit certain App features but will not affect your stored data.
9. Third-Party Services and Infrastructure
9.1 Service Providers
| Service | Purpose | Data Processed | Privacy Policy |
|---|---|---|---|
| Supabase | Database hosting, authentication, file storage | All user data | supabase.com/privacy |
| Amazon Web Services (AWS) | Underlying cloud infrastructure for Supabase | All user data (encrypted) | aws.amazon.com/privacy |
| Apple App Store / In-App Purchases | App distribution, subscription management, payment processing | Purchase status only | apple.com/legal/privacy |
| Google Cloud Text-to-Speech | Used during development to generate guided meditation audio content embedded in the App | No user data — used only during development for content generation, not during runtime App operation | cloud.google.com/terms |
9.2 Third-Party Data Processing
Supabase processes your data on our behalf as a data processor under a Data Processing Agreement (DPA). Supabase is contractually obligated to:
- Process your data only on our instructions and for the purposes specified in our agreement.
- Implement appropriate technical and organizational security measures.
- Notify us promptly of any data breach affecting your information.
- Delete or return your data upon termination of our agreement.
9.3 Third-Party Risks
We are not responsible for the privacy practices, security measures, or data handling of third-party services. While we select providers with strong security practices, we cannot guarantee their security or continued availability. Third-party services may experience outages, data breaches, or security vulnerabilities that affect your data. We encourage you to review their respective privacy policies.
9.4 No Other Third-Party Sharing
We do not share your data with any other third-party services, data brokers, analytics providers, advertising networks, or social media platforms. We do not use third-party tracking pixels, cookies, or similar technologies for advertising or cross-site tracking.
10. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA):
10.1 Your California Privacy Rights
| Right | Description |
|---|---|
| Right to Know | Request what personal information we collect, the sources, the business purposes for collection, and the categories of third parties with whom we share it. |
| Right to Access | Request a copy of the specific pieces of personal information we have collected about you. |
| Right to Delete | Request deletion of your personal information, subject to certain legal exceptions. |
| Right to Correct | Request correction of inaccurate personal information. |
| Right to Opt-Out of Sale/Sharing | Opt out of the "sale" or "sharing" of your personal information for cross-context behavioral advertising. |
| Right to Limit Use of Sensitive Information | Limit our use of sensitive personal information to purposes necessary to provide the Service. |
| Right to Non-Discrimination | We will not discriminate against you for exercising any CCPA/CPRA rights (no denial of service, different pricing, or reduced quality). |
10.2 We Do Not Sell or Share Your Personal Information
We do not sell your personal information for monetary or other valuable consideration. We do not share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.
10.3 Sensitive Personal Information
We collect and process the following categories of sensitive personal information under CCPA/CPRA:
- Health data (medical reference notes including vaccine records, illness logs, medication records, doctor visit notes)
We use sensitive personal information only for the following purposes, which are necessary to provide the Service:
- Storing your medical reference notes for your personal access within the App.
- Displaying your medical reference data to you and your authorized caregivers.
- Complying with applicable law.
We do not use sensitive personal information for advertising, profiling, marketing, or any secondary purpose beyond providing the Service.
10.4 How to Exercise Your California Privacy Rights
To submit a CCPA/CPRA request:
- Email: privacy@curiositybitllc.com with "CCPA Request" in the subject line.
- In-App: Use the "Export Data" or "Delete Account" features for access and deletion requests.
Verification: We will verify your identity by asking you to confirm the email address and approximate account creation date associated with your account.
Response Timeline: We will acknowledge your request within 10 business days and respond substantively within 45 calendar days. If we need additional time (up to 45 additional days), we will notify you in writing with the reason for the extension.
Authorized Agents: You may designate an authorized agent to submit requests on your behalf. We may require the agent to provide proof of authorization and may contact you directly to confirm.
10.5 Appeals
If we deny your CCPA/CPRA request in whole or in part, we will explain the reason for the denial. You may appeal by emailing privacy@curiositybitllc.com with "CCPA APPEAL" in the subject line. We will review the appeal and respond within 30 calendar days. If the appeal is denied, you may contact the California Attorney General to file a complaint.
10.6 Categories of Personal Information Collected
| Category (per CCPA) | Examples | Collected? | Sold/Shared? |
|---|---|---|---|
| Identifiers | Email, display name | Yes | No |
| Personal information (Cal. Civ. Code § 1798.80) | Name, email | Yes | No |
| Characteristics of protected classifications | Baby's sex, date of birth | Yes | No |
| Internet or network activity | Crash logs, app version | Yes | No |
| Sensory data | Photos uploaded by user | Yes | No |
| Sensitive personal information (health data) | Medical notes, vaccine records, illness logs | Yes | No |
11. EU/UK Users — GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR may apply to you.
Legal Bases for Processing
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation, data storage, and syncing | Contract performance | Art. 6(1)(b) |
| Everyday caregiving logs (feeding, sleep, diapers, activities, growth) | Contract performance | Art. 6(1)(b) |
| Technical data for app maintenance and security | Legitimate interests | Art. 6(1)(f) |
| Optional wellness tracking (mood, daily wins) and photo uploads | Consent | Art. 6(1)(a) |
| Medical reference notes (vaccine records, illness logs, medication records, doctor visit notes) | Explicit consent (may constitute health data) | Art. 6(1)(a) + Art. 9(2)(a) |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c) |
Note on everyday caregiving logs: We treat routine caregiving activity data — such as feeding times, sleep durations, diaper counts, and growth measurements — as general personal data processed under contract performance. This data reflects everyday parenting activities and is not collected or used for any health, medical, or diagnostic purpose. However, medical reference notes (vaccines, illnesses, medications, doctor visits) may constitute health data under GDPR Article 9 and are processed only with your explicit consent.
International Data Transfers
Your data is stored on Supabase servers in the United States. For transfers of personal data from the EEA or the UK to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) (Controller-to-Processor module, adopted June 2021) as the lawful transfer mechanism. For UK users, we also rely on the UK International Data Transfer Addendum (IDTA) to the EU SCCs. We have conducted a transfer impact assessment and implemented supplementary technical safeguards, including encryption in transit (TLS 1.2+) and at rest (AES-256), to protect your data during and after transfer.
Your Additional GDPR Rights
In addition to the rights listed in Section 6, you have the right to:
- Lodge a complaint with your local data protection supervisory authority (e.g., the CNIL in France, the ICO in the UK, the BfDI in Germany). A full list of EEA supervisory authorities is available at edpb.europa.eu.
- Request information about any automated decision-making affecting you. Note: To-Be-Determined does not perform any automated decision-making, profiling, or diagnostic analysis.
- Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
Data Protection Officer
Given the nature and scale of the personal data we process, we have not appointed a Data Protection Officer (DPO) at this time. If this changes, we will update this policy accordingly. For all data protection inquiries, please contact us at the address below.
To exercise your GDPR rights, contact us at the address below.
12. Additional U.S. State Privacy Rights
12.1 Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Other State Privacy Laws
If you are a resident of Virginia, Colorado, Connecticut, Utah, or another state with a comprehensive privacy law, you may have rights similar to those described in Sections 6 and 10, including the right to access, correct, delete, and port your data, and the right to opt out of certain processing.
We do not:
- Sell personal data (as defined by any applicable state privacy law).
- Process personal data for targeted advertising.
- Engage in profiling that produces legal or similarly significant effects.
To exercise your rights under any applicable state privacy law, email privacy@curiositybitllc.com with the subject line "State Privacy Request" and identify your state of residence. We will respond within the timeframe required by your state's law.
If we deny your request, you may appeal by emailing privacy@curiositybitllc.com with "APPEAL" in the subject line.
13. Government Data Requests and Transparency
13.1 Government and Law Enforcement Requests
We may be required to disclose user data in response to valid legal process, including court orders, subpoenas, or national security requests.
13.2 User Notice
Where legally permitted, we will endeavor to notify affected users before disclosing their data in response to government or law enforcement requests, so they may seek legal counsel or a protective order. We will not provide notice where:
- We are legally prohibited from doing so (e.g., by court order or national security letter).
- Providing notice would create a risk of harm to any person.
13.3 Transparency
We are committed to transparency about government data requests. If we receive government requests for user data, we will publish summary information about such requests in our annual transparency report (if applicable, once we receive such requests).
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or app features. When we make material changes — meaning changes that affect how we collect, use, or share your personal data, or that reduce your rights — we will:
- Update the "Last Updated" date at the top of this policy.
- Notify you through an in-app notice or via email at least 15 days before the changes take effect.
Non-material changes (clarifications, formatting, updates to reflect unchanged practices) may be made without advance notice.
Your continued use of To-Be-Determined after any changes constitutes your acceptance of the updated policy. If you do not agree to the updated policy, you should stop using the App and delete your account.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your data, please contact us:
Curiosity Bit LLC — To-Be-Determined Support
General Inquiries: contact@curiositybitllc.com
Privacy Requests: privacy@curiositybitllc.com
Website: www.curiositybitllc.com
We aim to respond to all inquiries within 5 business days.
For privacy-related requests (access, deletion, correction, portability), we will acknowledge your request within 10 business days and provide a substantive response within 30 calendar days.
This Privacy Policy was last updated on April 5, 2026.