Privacy Policy

North Tumbleweed LLC — Effective April 4, 2026

1. Overview

North Tumbleweed LLC ("we", "us", "our") develops and publishes mobile applications for iOS. This Privacy Policy explains what information we collect, how we use it, and what rights you have regarding your data across all of our applications.

By using any of our apps, you agree to the practices described in this policy. If you do not agree, please do not use our apps.

2. Our Apps

This policy covers the following applications:

App	Description
PushLock	App blocker with pushup detection using Screen Time / FamilyControls
I Am Locked In	AI-powered discipline coach with pushup challenges
Stamped	Travel postcard journal with photo and location features
Forge	Stoic audiobook player
RizzAI	AI dating coach with screenshot analysis
InstantAI	AI chat assistant
Chiseled	Face analysis and glow-up tracker with camera-based scoring

3. Data We Collect

3.1 Data You Provide

Stamped Photos you take or select, captions, and notes for postcards
RizzAI Screenshots you import from your photo library for conversation analysis
InstantAI Text prompts and messages you enter into the chat
I Am Locked In Text prompts and messages you send to the AI coach
Chiseled Photos you take for face analysis scoring

3.2 Data Collected Automatically

PushLock App usage selections via Apple FamilyControls (managed entirely by Apple's Screen Time framework, opaque to us)
Stamped GPS coordinates when you create a postcard (only with your permission)
InstantAI Clipboard content when you tap "paste" in the chat interface (read only on explicit action, never stored)
Chiseled Face analysis scores and progress history stored locally on your device
All Apps Basic subscription status via RevenueCat (anonymous user identifiers)

3.3 Data We Do NOT Collect

  We do not collect your name, email address, phone number, or any personal identity information. None of our apps require account creation (except InstantAI, which offers optional sign-in). We do not use analytics SDKs, advertising trackers, or fingerprinting technologies.

4. Camera Usage

The following apps request camera access:

PushLock I Am Locked In Pushup detection — The camera is used to detect body pose during pushup exercises. All image processing happens entirely on-device using Apple's Vision framework. Camera frames are analyzed in real-time and immediately discarded. No images or video are ever uploaded, stored, or transmitted.
Stamped Photo capture — The camera is used to take photos for your postcards. Photos you choose to keep are stored locally and, if you opt in, uploaded to our cloud storage for backup.
Chiseled Face analysis — The camera is used to capture photos of your face for scoring and progress tracking. All image processing and analysis happens entirely on-device. Photos are stored locally in your app data. No face images are ever uploaded, stored on our servers, or transmitted to third parties.

  For PushLock, I Am Locked In, and Chiseled, camera data never leaves your device. We cannot access, view, or retrieve any camera imagery.

5. Location Data

Stamped Stamped requests location permission to tag postcards with the GPS coordinates of where they were created. This enhances your travel journal by placing postcards on a map.

Location is captured only at the moment you create a postcard
Location data is stored locally on your device in SwiftData
If you upload a postcard to cloud backup, the associated coordinates are included
You can deny location permission and still use the app — postcards will simply have no location tag

No other app collects or accesses location data.

6. Clipboard Access

InstantAI InstantAI may read your clipboard when you explicitly tap to paste content into the chat input. This is a standard paste action initiated by you.

Clipboard content is used only to populate the text input field
We do not read the clipboard in the background or without your action
Clipboard content is not stored, logged, or transmitted separately from your chat message

7. Local Storage (SwiftData)

All of our apps use Apple's SwiftData framework to store data locally on your device. This includes:

Your preferences and settings
Chat histories (InstantAI, I Am Locked In)
Postcard drafts and metadata (Stamped)
Audiobook progress and bookmarks (Forge)
Conversation analyses (RizzAI)
Pushup counts and blocking preferences (PushLock)
Face analysis scores, progress history, and photos (Chiseled)

  SwiftData stores everything on your device. This data is not accessible to us. When you delete an app, all local SwiftData is removed by iOS.

8. How We Use Your Data

We use data strictly to provide app functionality:

Purpose	Data Used
Pushup detection	On-device camera frames (PushLock, I Am Locked In)
AI coaching and chat	Your messages sent to AI providers (I Am Locked In, RizzAI, InstantAI)
Photo uploads	Photos you choose to upload (Stamped)
Audio playback	Audiobook streaming from cloud (Forge)
Face analysis	On-device camera frames and stored photos (Chiseled)
Subscription management	Anonymous purchase tokens via RevenueCat (all apps)
Location tagging	GPS coordinates at postcard creation (Stamped)

We do not sell your data. We do not use your data for advertising. We do not build user profiles.

9. Third-Party Services

Our apps integrate with the following third-party services. Each has its own privacy policy governing data it receives:

9.1 RevenueCat (All Apps)

We use RevenueCat to manage subscriptions and in-app purchases. RevenueCat receives anonymous identifiers and purchase data from Apple. It does not receive your name, email, or other personal information from us.

RevenueCat Privacy Policy

9.2 Anthropic / Claude API (I Am Locked In, RizzAI)

Your messages and imported screenshots (text extracted via on-device OCR) are sent to Anthropic's Claude API through our backend proxy for AI responses. Anthropic processes this data according to their usage policies. We do not store your messages on our servers beyond the duration needed to relay the request.

Anthropic Privacy Policy

9.3 AI Inference Providers (InstantAI)

Your chat messages are sent to one or more AI inference providers through our backend proxy. These providers process your input to generate responses. We do not store your messages on our servers beyond the duration needed to relay the request.

9.4 Cloudflare R2 (Stamped, Forge)

Stamped uses Cloudflare R2 for optional cloud photo backup. Forge streams audiobook content from Cloudflare R2. Cloudflare acts as a storage and delivery provider.

Cloudflare Privacy Policy

9.5 Apple FamilyControls / Screen Time API (PushLock)

PushLock uses Apple's FamilyControls framework to block selected apps. The selection of which apps to block is managed entirely by Apple's Screen Time system. We do not have access to the names or identifiers of the apps you choose to block — Apple provides this data in an opaque, encrypted format.

Apple Privacy Policy

9.6 Supabase (InstantAI)

InstantAI uses Supabase for optional user authentication and data storage. If you create an account, your email address and authentication tokens are managed by Supabase. Your chat data may be synced through Supabase for cross-device access.

Supabase Privacy Policy

10. Data Retention and Deletion

Local Data

All locally stored data (SwiftData) persists on your device until you either delete it within the app or uninstall the app. Uninstalling removes all local data.

Cloud Data (Stamped)

Photos uploaded to Cloudflare R2 are retained until you delete them within the app. You may request full deletion of cloud-stored data by contacting us.

AI Conversations

Messages sent to AI providers are processed in transit. Our backend proxy does not persist your messages. Refer to each provider's retention policy for their data handling practices.

Account Data (InstantAI)

If you created an account in InstantAI, you can delete your account and all associated data from within the app's settings. You may also request account deletion by contacting us.

Subscription Data

RevenueCat retains anonymous subscription records as needed to manage your purchase. You can request deletion through RevenueCat or by contacting us.

11. Children's Privacy

Our apps are intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it promptly.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights:

Right of Access — Request a copy of the personal data we hold about you
Right to Rectification — Request correction of inaccurate data
Right to Erasure — Request deletion of your personal data
Right to Restriction — Request that we limit processing of your data
Right to Data Portability — Request your data in a structured, machine-readable format
Right to Object — Object to processing based on legitimate interests
Right to Withdraw Consent — Withdraw previously given consent at any time

Because most data stays on your device, exercising these rights is often as simple as deleting the app. For cloud-stored data or subscription records, contact us and we will respond within 30 days.

Legal basis for processing: We process data based on (a) your consent (camera, location, photo library permissions), (b) contract performance (providing app features you use), and (c) legitimate interest (subscription management).

13. Your Rights Under CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:

Right to Know — You may request the categories and specific pieces of personal information we have collected
Right to Delete — You may request deletion of personal information we have collected
Right to Opt-Out of Sale — We do not sell personal information. There is nothing to opt out of.
Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights

To exercise these rights, contact us at the email address below. We will verify your identity and respond within 45 days.

14. Security

We implement reasonable security measures to protect data in transit and at rest:

All network communication uses HTTPS/TLS encryption
Our backend proxy does not log or persist user messages
Cloud storage (Cloudflare R2) uses server-side encryption
On-device data benefits from iOS hardware encryption and the device passcode

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Effective" date at the top of this page. We encourage you to review this policy periodically. Continued use of our apps after changes constitutes acceptance of the updated policy.

For material changes, we will make reasonable efforts to notify you within the affected app.

16. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:

North Tumbleweed LLC
Email: support@northtumbleweed.com
Web: northtumbleweed.com