Skip to content
Exscroll
HomePrivacyTermsContact
View on the App Store

Privacy Policy

How Exscroll handles app, workout, health, account, purchase and support data.

Effective 15 July 2026Version 1.2This global policy describes the current Exscroll build and website.
CameraVideo frames are processed on your device and are neither saved nor uploaded.
Screen TimeYour selected-app tokens and active unlock session remain on your iPhone.
Apple HealthWith permission, step totals and derived fitness progress sync to Firebase.
Your choicesProtected accounts can be deleted in the app; anonymous users can contact us for help.
On this page Who we are Scope Data we handle How we use data Device permissions Service providers Sharing and transfers Retention Security Your rights Children Contact
Table of contents
Who we areScopeData we handleHow we use dataDevice permissionsService providersSharing and transfersRetentionSecurityYour rightsChildrenContact

Who we are

“Exscroll”, “we”, “us” and “our” mean the Exscroll service and the independent developer responsible for the Exscroll App Store listing. Exscroll is an iPhone app that lets people earn intentional access to selected apps through exercise and steps, with an accompanying website and support inbox.

For privacy questions, rights requests or complaints, contact the operator through the Exscroll contact form and choose “Privacy request”. The form is the current public privacy contact channel; it routes directly to the protected Exscroll inbox.

Scope

This policy applies to the Exscroll iOS app, the Exscroll website, the website contact form and the protected contact-admin area. It does not replace the privacy terms of Apple, Google Firebase, RevenueCat or any third-party website you choose to open.

Current privacy postureExscroll has no advertising SDK, behavioural advertising, third-party analytics SDK, cloud AI service, social feed or user file-upload feature in the current build. We do not sell personal data or use HealthKit, camera or Screen Time information for advertising.

Data we handle

CategoryWhat it can includeWhere it is handled
Account and authenticationFirebase user ID; anonymous/protected status; optional email address and verification status; linked provider; account and last-sign-in timestamps. Sign in with Apple may supply an Apple identifier, email and name according to your Apple choices.Firebase Authentication and owner-scoped Firestore records.
Workouts, steps and progressExercise type, verified units or reps, exact Apple Health daily step total, timestamps and local day, earned or spent minutes, journey encounters, streaks, quests, repairs, rest days, trophies and related progress.On device first; selected records sync to owner-scoped Firestore for continuity and restore.
Camera processingLive front-camera frames and temporary pose points/confidence used to count movement. Pose data is not used to identify you.Processed ephemerally on your iPhone using Apple Vision. Raw video is not saved or uploaded. Derived workout results may sync.
Screen Time controlsOpaque Family Controls app/category/web-domain tokens, selection counts, shield state, unlock expiry and session settings.Stored only in Exscroll’s private on-device App Group. Installed-app names and selection tokens are not uploaded to Firebase.
Purchases and entitlementsFirebase user ID used as the RevenueCat App User ID; product, offering, entitlement, purchase/receipt, restore and subscription-status information; device/OS and service-security data handled by the providers.Apple App Store and RevenueCat. Exscroll does not receive your payment-card details.
Local settings and onboardingExercise preferences, intro completion, reminder time/identifier, reward settings, notification choices and local app state. Onboarding may temporarily carry a nickname, age band, selected app types, feelings, screen-time estimates, goals and exercise choices between screens.Primarily on device. Current onboarding answers are not saved as a cloud profile, although resulting app settings and progress may be stored.
Website contact dataName, email, topic, message, consent confirmation, time, support status, a one-way salted network-address hash used to limit spam, and a short-lived one-way email/message fingerprint used to suppress accidental duplicates.Google Firebase / Firestore, submitted through a server-side Netlify Function and available only in the protected admin inbox.
Technical and security dataIP address, user agent, request time, authentication events, service logs and fraud/abuse signals that our infrastructure providers process to deliver and secure their services.Handled by Netlify, Firebase, Apple and RevenueCat under their respective terms.

How we use data

We use data only for the following purposes:

  • provide the app, create an anonymous account, protect an account, sync progress, calculate earned minutes, apply selected-app controls, restore progress and maintain streak, quest, trophy and journey state;
  • verify movement on device, read steps you authorise and convert eligible activity into rewards;
  • offer, validate and restore subscriptions and respond to purchase issues;
  • schedule local reminders and show the settings you choose;
  • reply to support, privacy, partnership and press messages;
  • protect the app and website, prevent spam, diagnose faults, enforce our Terms and comply with law.

Legal grounds and sensitive data

Privacy rules differ around the world. Where applicable law requires a legal ground for processing, the ground depends on the activity and may include: performing our agreement with you to provide requested app and account features; your consent or authorisation for optional device permissions and sensitive-data features; our legitimate interests in security, support, service integrity and fraud prevention; and compliance with legal obligations. You may withdraw a device permission through iOS Settings, although withdrawal does not affect processing that was already lawful.

Step totals and associated fitness activity may be treated as health, fitness, sensitive or consumer-health information in some locations. We use this information only to provide the Exscroll features you request, protect the service and comply with law—never for advertising, data brokerage or unrelated marketing. We will not use it for a materially different purpose without additional notice and any consent or authorisation required by applicable law.

Device permissions and local processing

Camera

Exscroll requests camera access when you choose a camera-verified exercise. Apple Vision processes frames on device to identify body joints and count movement. Exscroll does not record, save, upload or send raw camera video to a cloud AI service. A derived workout event—such as exercise type, rep count, reward and time—may sync to your account.

Apple Health

Exscroll requests read access to the Apple Health step-count category. It does not write to or alter HealthKit. When enabled, the exact eligible daily step total and a derived workout/reward event are saved in Exscroll and can sync to Firebase. Manually entered Health steps are excluded by the current app logic. You can revoke access in Apple Health or iOS privacy settings.

Screen Time / Family Controls

Exscroll uses Apple Family Controls, Managed Settings and Device Activity to shield the apps, categories or web domains you select. Apple provides opaque selection tokens, not a readable list of installed-app names. Those tokens, active shield and unlock state remain in the private on-device App Group and are not uploaded.

Notifications

Exscroll uses local notifications for the routine reminder and unlock state. The current build does not register an Expo remote push token. You can change notification permission in iOS Settings.

Service providers

  • Google Firebase / Google Cloud — anonymous, email/password and Apple-linked authentication; owner-scoped cloud progress and account records; and Firestore storage for website contact messages and their support status. Firebase Authentication can process email, password credentials, IP address and user agent for authentication and abuse prevention. See Firebase privacy and security.
  • Apple — iOS device permissions, Sign in with Apple, HealthKit, Family Controls, notifications, TestFlight, App Store distribution, billing and subscription management. See Apple’s Privacy Policy.
  • RevenueCat — subscription offerings, receipt validation, entitlement status and restore support using the Firebase user ID as the App User ID. See RevenueCat’s Privacy Policy.
  • Netlify — hosting, content delivery, serverless contact-form processing, service logging and protection of this website. Contact messages are stored in Firebase / Firestore rather than Netlify’s static hosting layer. See Netlify’s Privacy Statement.

These providers may act as processors, independent controllers or platform providers depending on the specific data and service. Their own notices describe their processing in more detail.

Sharing and international transfers

We share personal data only with the providers above where needed to operate Exscroll, with professional advisers under confidentiality, with authorities where legally required, or as part of a genuine business reorganisation subject to appropriate safeguards and notice. We do not sell or rent personal data.

Firebase Authentication operates from United States data centres; RevenueCat states that it stores customer data on AWS in the United States; and our website infrastructure may process data internationally. When applicable law restricts international transfers, we and our providers use available lawful mechanisms such as contractual safeguards, adequacy decisions, recognised certifications or data-transfer frameworks.

Retention

  • On-device information remains until you clear the relevant setting, delete app data or uninstall, subject to iOS and App Group behaviour.
  • Firebase account and synced progress remain while your account is active. Protected accounts can use in-app deletion. Anonymous accounts may remain after uninstall because uninstalling does not tell Firebase to delete them; contact us for assistance. Provider backups may take additional time to expire after deletion.
  • Purchase and entitlement records remain under Apple’s and RevenueCat’s retention and legal requirements. Deleting Exscroll or your Exscroll account does not cancel a subscription or delete Apple’s transaction record.
  • Website contact messages are scheduled for deletion after 24 months, or earlier where a valid request applies. Retention cleanup runs whenever the contact or inbox service is used, removing messages past that period, clearing stored one-way IP hashes once they are more than seven days old, and clearing duplicate-prevention fingerprints after 10 minutes.
  • Provider security logs follow each provider’s documented retention periods.

Security

We use encrypted network transport, owner-scoped app records, server-only access to website contact records in Firestore, Firebase authentication, a Firebase-authenticated server check for the single website admin account, Netlify security controls, input validation, spam rate limiting and least-data design. Camera frames and Screen Time selections are deliberately kept off the cloud. No system is perfectly secure, so we cannot promise absolute security.

Do not send health records, passwords, payment-card numbers or other unnecessary sensitive information through the contact form.

Your choices and rights

Your privacy rights depend on where you live and which laws apply. We extend practical access, correction and deletion routes globally, while additional rights may apply in your region. We may need to verify your identity or an authorised agent before fulfilling a request, and we may retain information where law permits or requires it.

  • Change Camera, Health, Screen Time or Notification permission in iOS Settings and Apple Health.
  • Clear or change the selected Screen Time apps from Exscroll.
  • Delete a protected Exscroll account from Settings. This removes the Firebase account and known synced Exscroll progress, subject to provider backup timing; it does not cancel an App Store subscription.
  • Manage or cancel a subscription in Apple’s App Store subscription settings.
  • For an anonymous account, a website message or any wider privacy request, use the contact form and select “Privacy request”. Include only enough detail for us to locate and verify the account.

European Economic Area, United Kingdom and Switzerland

Where the GDPR, UK GDPR or equivalent Swiss law applies, you may have rights to be informed; access, correct or erase personal data; restrict or object to processing; receive portable data; withdraw consent; and complain to the data-protection authority where you live or work. You may also have rights concerning decisions based solely on automated processing. Exscroll’s reward verification does not make legal or similarly significant decisions.

United States

Where a United States state privacy or consumer-health law applies, you may have rights to know, access, correct or delete covered information; obtain a portable copy; limit certain sensitive-data uses; opt out of sale, targeted-advertising sharing or profiling; and appeal a denied request. Exscroll does not sell personal data, share it for cross-context behavioural advertising or use it for targeted advertising, and we will not discriminate against you for exercising an applicable right.

Canada

Where Canadian privacy law applies, you may request access to and correction of personal information, ask questions about our practices, withdraw consent subject to legal or contractual limits, and complain to the privacy regulator with jurisdiction over your location.

Australia, New Zealand and other regions

Where applicable, you may request access to or correction of personal information and complain to the privacy or data-protection regulator in your country or region. Other local laws may provide additional rights. Submit any request through the privacy contact route above and we will respond under the law that applies to the request.

Children

Exscroll is not intended for children under 13. Users aged 13 to 17 should use Exscroll only with permission and appropriate supervision from a parent or guardian, including supervision for exercise and in-app purchases. If local law requires a higher age or verified parental permission, that rule applies.

If you believe a child has provided personal data contrary to this section, contact us so we can investigate and delete it where required. The app’s age-band question is used to tailor onboarding language; it is not currently a verified age-assurance system.

Changes to this policy

We may update this policy when Exscroll’s features, providers or legal obligations change. We will post the updated version here, change the effective date and provide additional notice in the app where a change materially affects how personal data is used.

Contact

Use the Exscroll contact form and choose “Privacy request”. The message will go to the protected Exscroll inbox. Please do not include passwords, payment details or unnecessary health information.

ExscrollMove more. Scroll on purpose.
PrivacyTermsContact
© 2026 Exscroll.Privacy choices should be as intentional as screen time.