Legal
Privacy Policy
Effective date: February 7, 2026
Carbon ("we," "us," or "our") is developed and operated by Shawn Schwartz, an independent developer. This Privacy Policy describes how we collect, use, store, and protect your information when you use the Carbon mobile application, widgets, web application, and related services (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect the information necessary to authenticate you:
- Email and password — if you sign up with email/password authentication.
- Apple ID token — if you sign in with Apple. We receive only the identity token and, if you choose to share it, your email address. We do not receive your Apple ID password.
Authentication is handled by Supabase, our backend infrastructure provider. We do not store raw passwords; Supabase handles password hashing using industry-standard methods (bcrypt).
1.2 Task and Card Data
The core purpose of Carbon is to store and organize your tasks. When you use the Service, we store:
- Task content (the text you enter)
- Task metadata: signal state, sort order, due dates, due times, tags, delegate names, and notes
- Card data: card type (Today, Next, Someday), associated date, title, dot tracking state, and archive status
This data is associated with your user account and is stored on Supabase's servers to enable cross-device syncing.
1.3 Device Permissions
Carbon may request access to the following device capabilities. Each permission is requested only when needed, and you can deny or revoke them at any time through your device settings:
| Permission | Purpose | Required? |
|---|---|---|
| Microphone | Voice task capture | No |
| Speech Recognition | Converting spoken words to task text | No |
| Notifications | Reminders for tasks with due dates and times | No |
Voice data: When you use voice capture, audio is processed on-device using Apple's Speech Recognition framework. We do not transmit, store, or have access to your audio recordings. Only the resulting transcribed text is stored as task content.
1.4 Purchase Information
When you purchase Carbon, the transaction is processed entirely by Apple through the App Store. We do not collect or store your payment information (credit card numbers, billing address, etc.). We receive only a purchase receipt from Apple to verify your purchase.
1.5 Information We Do NOT Collect
- We do not use analytics or tracking SDKs
- We do not collect device identifiers (IDFA, IDFV) for advertising
- We do not collect location data
- We do not collect contacts, photos, or other personal files
- We do not collect browsing history or app usage telemetry
- We do not use cookies for tracking on our website (the website is static HTML with no tracking scripts)
2. How We Use Your Information
We use the information we collect exclusively for the following purposes:
- Providing the Service — storing your tasks, syncing across devices, and delivering notifications
- Authentication — verifying your identity when you sign in
- Purchase verification — confirming your purchase via Apple's StoreKit
We do not use your data for advertising, profiling, marketing emails, or any purpose unrelated to the core functionality of the Service.
3. Data Storage and Security
3.1 Infrastructure
Your data is stored on servers operated by Supabase, which uses Amazon Web Services (AWS) as its underlying cloud infrastructure. Supabase provides encryption at rest (AES-256) for all database storage and encryption in transit (TLS 1.2+) for all network communication.
3.2 Access Controls
Your task and card data is protected by Supabase Row Level Security (RLS) policies, which ensure that only authenticated requests associated with your user ID can read or modify your data. Other users cannot access your tasks.
3.3 Widget Data
To power Home Screen widgets, a subset of your task data is cached locally on your device using App Groups shared storage. This data never leaves your device and is accessible only to the Carbon app and its widget extension.
4. Third-Party Services
We use the following third-party services:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication, database, real-time sync | Account info, task/card data |
| Apple (StoreKit) | In-app purchase processing | Purchase receipt (no payment info shared with us) |
| Apple (Speech Framework) | On-device speech recognition | Audio processed locally; Apple may process some audio per their privacy policy |
We do not sell, rent, or share your personal data with any other third parties.
5. Data Retention
We retain your account data and task data for as long as your account is active. If you delete your account, we will delete all associated data from our servers within 30 days. Backups that may contain your data are retained for up to 30 additional days before being permanently purged.
Locally cached data (widget cache, app data) is removed when you uninstall the application from your device.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — You can view all your task and card data directly within the app at any time.
- Correction — You can edit any task or card data directly within the app.
- Deletion — You can delete individual tasks within the app, or request complete account deletion by contacting us at the email below.
- Data portability — You may request an export of your data by contacting us.
- Withdraw consent — You can revoke device permissions (microphone, speech recognition, notifications) at any time in your device settings.
To exercise any of these rights, contact us at privacy@carbonapp.co. We will respond within 30 days.
7. Children's Privacy
The Service is not directed to children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
8. International Data Transfers
Your data may be processed and stored on servers located in the United States (via Supabase/AWS). If you are accessing the Service from outside the United States, you acknowledge that your data will be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your jurisdiction.
9. California Residents (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Request deletion of your personal information
- Opt out of the sale of your personal information — we do not sell your personal information
- Not be discriminated against for exercising your privacy rights
To exercise these rights, contact us at privacy@carbonapp.co.
10. European Residents (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland:
- Legal basis: We process your data based on contractual necessity (providing the Service you requested) and your consent (for optional features like voice capture and notifications).
- Data controller: Shawn Schwartz is the data controller for the purposes of the GDPR.
- You have the right to access, rectify, erase, restrict processing, and port your data, as well as the right to object to processing and to lodge a complaint with a supervisory authority.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective date" at the top of this page and, where practicable, notify you within the app. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.
12. Contact Us
If you have questions about this Privacy Policy or your personal data, contact us at:
Shawn Schwartz
Email:
privacy@carbonapp.co