Privacy Policy
Last updated: May 17, 2026 Version: 2026-05-17
1. Who Is Responsible for Your Data
SmartFeed is operated by SC Smart Continuous Development SRL, a company registered in Romania (EU). We act as the "data controller" under the General Data Protection Regulation (GDPR).
- Company: SC Smart Continuous Development SRL
- Address: Cluj-Napoca, Romania
- Privacy contact: feedback@smartfeed.live
- Country of operation: Romania / European Union
Under Article 37 GDPR, we are not legally required to appoint a Data Protection Officer (DPO) given our scale of processing. For all privacy-related queries — including any of the rights described in Section 11 — please write to feedback@smartfeed.live with "Privacy" in the subject line.
2. What Data We Collect
Information You Provide
- Account information: When you sign in with Apple or Google, we receive a unique provider identifier and an email address. If you sign in with Apple and choose "Hide My Email", we receive only the relay address Apple generates for SmartFeed.
- Terms of Service acceptance record: We record the date you accepted these Terms and the version you accepted, so that we can demonstrate your acceptance if required and prompt you for re-acceptance when material changes are made.
- Preferences: Your selected language, country, topics, news source preferences (favorited or blocked), content vibe, news balance, temperature unit, theme, and notification settings.
- Saved content: Articles you save, subjects you track, and podcast episodes you bookmark.
- Conversations: When you ask questions about an article via the in-app AI chat, your message and the model's response are processed by Google Gemini (see Section 4) and may be cached on our servers for up to 30 days to provide consistent answers across users asking similar questions.
- Feedback: Any messages you send through the in-app feedback form. Your email address is included so we can respond. Feedback is transmitted via Resend (see Section 7) to our internal inbox.
Information Collected Automatically
- Usage events (telemetry): When you read or listen to articles, we record events such as "article opened", "article completed", "audio played", and "time block completed". We use these events solely to compute your personal statistics in the "Your Focus" screen, which is part of your SmartFeed subscription. Because Your Focus depends on these events to be useful, telemetry cannot be disabled while you are subscribed. To stop all data collection, delete your account in Profile → Account → Delete Account; everything is permanently removed within 7 days.
- Coarse device location (optional): If you grant location permission, your approximate coordinates (latitude/longitude) are used to fetch a local weather forecast displayed alongside your daily brief. The coordinates are sent only to the Norwegian Meteorological Institute (MET.no) through our backend, are never linked to your account, and are not retained beyond the in-flight request. You can decline the permission and instead pick a city manually, or turn it off at any time in your device's system settings.
- Push notification token: If you grant permission for notifications, we store a device-specific token issued by Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM). The token is used only to deliver notifications you have enabled.
- Device and technical data: Device model, operating system version, app version. IP address (server logs only, retained per Section 13).
- Crash and error reports: Sentry collects crash reports and error metadata to help us fix bugs. These reports do not include the contents of articles you read, conversations you have, or any payment data.
- Search queries: When you search for podcasts or news sources, your search term is sent to our backend, which proxies the lookup to the iTunes Search API. Your device's IP address is not sent to Apple — only our backend's. The search term itself is processed by Apple but not retained by us beyond a short cache window.
- Web analytics on smartfeed.live: Vercel Analytics, which is anonymized, cookieless, and limited to aggregated page-view data on the marketing site.
Payment Information
SmartFeed subscriptions are sold and billed by Apple (App Store) and Google (Google Play) under their own terms. SmartFeed never sees, stores, or has access to your credit card numbers, banking details, or payment method.
We use RevenueCat to manage subscription state across both stores. RevenueCat receives a per-store anonymous user identifier and your subscription status (active, trial, expired, and so on). It does not see payment details.
3. Why We Collect Data (Legal Basis)
Under GDPR, we must have a legal basis for processing each type of data:
| Data | Purpose | Legal Basis |
|---|---|---|
| Email and account identifier | Create and secure your account | Contract performance (Art. 6(1)(b)) |
| Terms of Service acceptance record | Demonstrate contractual consent | Legal obligation (Art. 6(1)(c)) |
| Preferences | Deliver personalised news content | Contract performance |
| Saved articles, subjects, episodes | Sync your library across devices | Contract performance |
| Subscription status | Verify entitlement to premium features | Contract performance |
| Conversations (AI chat) | Provide AI-powered article Q&A | Contract performance |
| Usage events (telemetry) | Compute "Your Focus" statistics | Contract performance (Art. 6(1)(b)) |
| Coarse device location | Local weather forecast | Consent (Art. 6(1)(a)) |
| Device / technical data | Ensure the app works correctly and securely | Legitimate interest |
| Search queries | Find podcasts and news sources you request | Contract performance |
| Push notification token | Deliver notifications you have enabled | Consent (Art. 6(1)(a)) |
| Feedback submissions | Respond to your messages | Legitimate interest |
You can withdraw any consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
4. AI Processing — What We Send and What We Don't
SmartFeed uses Google Gemini (AI summarisation, translation, analysis, and conversational responses) and Google Cloud Text-to-Speech (audio narration) to provide its core features. Transparency about what is sent to these services matters.
What we SEND to Google's AI services:
- Article title, full text, source name, publication date, and category metadata (for summarisation, classification, and translation)
- The article text and your selected language (for audio narration via Cloud TTS)
- Your chat questions and the article context they relate to (for the in-app AI chat)
What we DO NOT send:
- Your account email or name
- Your Apple ID, Google account ID, or Supabase user ID
- Your device IP address (calls to Google are made server-to-server from our backend; your IP never reaches Google for AI processing)
- Your saved library, your tracked subjects, your subscription status, or your "Your Focus" telemetry
- Any other personally identifying information not strictly necessary for the requested AI operation
Under our agreement with Google for paid API access, Google does not use SmartFeed-routed prompts or responses to train its general AI models. Generated outputs may be cached on our own servers for up to 30 days, keyed to the content and a normalised question (for chat), so subsequent users asking the same question get a fast, consistent answer.
5. Automated Decision-Making
We use AI to select, prioritise, summarise, translate, and narrate news content. These are content-presentation choices: they decide which articles appear in your daily brief and how each is summarised, translated, or read aloud.
We do not make automated decisions that produce legal effects on you or similarly significantly affect you within the meaning of Article 22 GDPR. SmartFeed does not score, rank, screen, or evaluate you for any benefit, service, employment, financial, legal, governmental, or similarly material outcome.
6. Data Storage
Your account data, preferences, saved library, tracked subjects, and acceptance records are stored using Supabase, with our primary database hosted in the European Union (Ireland, AWS eu-west-1). Caching for performance is provided by Upstash Redis, also hosted in the EU. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
On your device, your authentication tokens are stored securely using the platform's native secure storage (Apple Keychain on iOS, Android Keystore on Android). Application state and preferences are stored in encrypted MMKV-backed storage.
7. Third-Party Services (Data Processors)
We use the following third-party services. Each processes user data only as necessary for its stated purpose, under a Data Processing Agreement (DPA) compliant with GDPR Article 28.
| Service | Purpose | Location |
|---|---|---|
| Supabase | Authentication and primary database | EU (Ireland) |
| Apple — Sign in with Apple | Account authentication on iOS | Per Apple terms |
| Google — Sign in with Google | Account authentication on Android | Per Google terms |
| Apple App Store | iOS subscription billing | Per Apple terms |
| Google Play | Android subscription billing | Per Google terms |
| RevenueCat | Subscription state management across stores | US (SCCs) |
| Google Cloud — Gemini API | AI summaries, translations, analysis, chat responses | US (SCCs) |
| Google Cloud — Text-to-Speech | Audio narration | US (SCCs) |
| Apple Push Notification service (APNs) | Push notification delivery on iOS | Per Apple terms |
| Firebase Cloud Messaging (FCM) | Push notification delivery on Android | US (SCCs) |
| Expo Push Service | Push notification relay to APNs and FCM | US (SCCs) |
| iTunes Search API | Podcast and news source search | Per Apple terms |
| Vercel | API hosting and landing page | US (SCCs, EU edge deployment) |
| Upstash Redis | Performance caching, chat cache, rate limiting | EU |
| Sentry | Error tracking and crash reporting | US (SCCs) |
| Resend | Routing of feedback-form submissions to our admin inbox | US (SCCs) |
Additional product-analytics or observability services may be added in the future. Any addition will be disclosed in this Policy in advance of activation, and the "Last updated" date and Version string will reflect the change.
8. International Data Transfers
Some of our third-party service providers may process data outside the European Economic Area (EEA), primarily in the United States. These transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into each processor's DPA
- EU–US Data Privacy Framework (DPF) for providers that are certified participants
We do not transfer your personal data to any jurisdiction lacking an adequate level of protection under EU law without these safeguards in place.
9. Data Sharing and Selling
We do not sell your personal information. We do not share it with advertisers, data brokers, or any third party other than the data processors named in Section 7, and only for the purposes stated there.
10. Tracking and Advertising
- SmartFeed does not track you across other companies' apps or websites. Because we do not perform such tracking, the Apple App Tracking Transparency (ATT) prompt will not appear in SmartFeed.
- SmartFeed contains no third-party advertising. Your data is not used for advertising targeting on or off the app.
11. Your Rights Under GDPR (EU Residents)
If you are in the European Union or European Economic Area, you have the following rights:
- Right to access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Ask us to correct inaccurate data.
- Right to erasure (Art. 17): Request deletion of all your data. You can do this directly from Profile → Account → Delete Account in the app. Personal data is deleted within 7 days.
- Right to data portability (Art. 20): Request your data in a machine-readable format (JSON). Contact us at feedback@smartfeed.live.
- Right to restrict processing (Art. 18): Ask us to limit how we use your data.
- Right to object (Art. 21): Object to processing we carry out on the basis of legitimate interest. This currently applies to device and technical data and to handling feedback you send us. To exercise this right, write to feedback@smartfeed.live with "Privacy" in the subject line. Note that usage events for Your Focus are processed on the basis of contract performance (Section 3), not legitimate interest — to stop those, delete your account.
- Right to withdraw consent (Art. 7(3)): If you consented to notifications, you can withdraw that consent at any time in your device's system settings or in the SmartFeed app. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Response timing: We will respond to any request without undue delay and at the latest within one month of receipt, as required by Article 12(3) GDPR. We may extend this by up to two further months for complex or numerous requests, and will inform you of any such extension and the reasons within the first month.
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. In Romania, this is the National Supervisory Authority for Personal Data Processing (ANSPDCP) at www.dataprotection.ro. EU residents outside Romania may instead complain to the supervisory authority in their own member state, in particular in the member state of their habitual residence, place of work, or place of the alleged infringement.
12. Your Rights Under California Law
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with the following rights:
- Right to know what personal information we collect, use, and disclose
- Right to delete your personal information — you can do this from Profile → Account → Delete Account
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing of personal information. We do not sell or share your personal information for cross-context behavioural advertising, so there is nothing to opt out of
- Right to non-discrimination for exercising any of these rights
To exercise any of these rights, contact us at feedback@smartfeed.live with "California Privacy Request" in the subject line. We may need to verify your identity before fulfilling the request.
Residents of Virginia, Colorado, Connecticut, Utah, Texas, and other US states with comprehensive consumer privacy laws have substantially similar rights. The same contact channel applies.
13. Data Retention
| Data | Retention |
|---|---|
| Active account data, preferences, saved library, tracked subjects | Until you delete your account |
| Deleted accounts | Permanently removed from our systems within 7 days |
| AI chat answer cache | Up to 30 days from last access, then evicted automatically |
| Usage events (raw) | 90 days rolling |
| Weekly aggregated focus snapshots | Indefinite; deletable on request |
| Server logs containing IP addresses (Vercel) | 1 day, per Vercel's standard runtime-log retention for our Pro plan |
| Crash reports (Sentry) | Per Sentry's standard retention policy for our subscription tier |
| Feedback emails (Resend) | Per Resend's standard email-log retention policy |
| Subscription records held by Apple or Google | Per Apple's and Google's own retention policies |
If you delete your account, all of the above categories that we control are permanently removed from our systems within 7 days, except where we are required by law (for example, tax or accounting records) to retain certain information for longer.
14. Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
- Authentication via Sign in with Apple or Sign in with Google (we never store passwords)
- Refresh tokens stored in the device's native secure storage (Apple Keychain / Android Keystore)
- Row-level security policies on our database
- Service-role key separation for server-side operations
- Regular review of dependencies and security advisories
Personal data breach notification: In the unlikely event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority (ANSPDCP) without undue delay and where feasible within 72 hours of becoming aware of it, as required by Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, as required by Article 34 GDPR.
15. Children's Privacy
SmartFeed is not intended for users under 16 years of age. You must be at least 16 to use the Service (see Section 3 of our Terms of Service). We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will delete that data without undue delay.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Each version is identified by the "Version" string near the top of this page. The "Last updated" date will always reflect the most recent revision.
If we make material changes affecting how we collect, use, or share your personal data, we will provide reasonable advance notice via an in-app notification or email (where we have your address) so that you can review the changes.
Continued use of the Service after the effective date of the revision constitutes your acknowledgement of the updated Policy.
17. Contact Us
If you have questions about this Privacy Policy or want to exercise any of your data rights, please contact us:
- Email: feedback@smartfeed.live
- Company: SC Smart Continuous Development SRL
- Address: Cluj-Napoca, Romania
SmartFeed is operated by SC Smart Continuous Development SRL, registered in Romania, European Union.