Who we are
Oathkeep is made by Worth Spreading, a sole proprietorship (eenmanszaak) registered in the Netherlands KVK number — arriving 10 July. We are the data controller. Questions or requests: support@worthspreading.com.
What Oathkeep is
A private space where you keep notes about people you care about, and where an AI helps you draft messages to them in your own voice. Nothing in this policy changes that basic shape: your data exists to serve you; we don’t sell it, rent it, or use it for advertising.
The data we process, and why
1. Your account
A Firebase user ID is created the moment you open the app (anonymously — no sign-up needed). If you later sign in with Apple, Google, or an email link, we store that email/name so your data can follow you across devices. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
2. Your profile
What you choose to tell Oathkeep about yourself: name, where you live, home and work life, what’s going on, interests, upcoming plans, an optional photo, your personal promise (“oath”), the languages you speak. Basis: contract.
3. Notes about your people
This deserves its own paragraph, because it’s data about people other than you — names, how you know each other, what’s happening in their lives, birthdays and other dates, topics you’d rather handle gently, optional photos. You are sharing it with us so we can help you be a better friend to them; we act as processor-like custodian of your notebook. Please only record what you’d be comfortable with that person knowing you noted, and if someone asks you to remove what you’ve written about them, delete their profile — it’s gone from our servers with it.
We never contact the people in your notebook, never build profiles of them, and never use their data for anything except generating your drafts. Basis: our legitimate interest in operating the notebook feature you asked for (Art. 6(1)(f)), pursued strictly on your instructions.
4. Your messages (style sample)
When you confirm you sent a message, its text may be kept (up to 24, on your account, clearable in Settings → “Learn my writing voice”) so drafts sound like you. It’s used only as private examples in your own drafting requests — never shared, never used to train shared models. Basis: contract; the toggle is yours.
5. Voice input
When you talk to Oathkeep, the transcription is done by your phone’s operating system, not by us — and we explicitly request on-device recognition wherever your phone supports it, so in that mode the audio never leaves your device. On devices without on-device speech support, the operating system’s own speech service (Google’s on Android, Apple’s on iOS) may send the audio to its servers to transcribe it, under that provider’s privacy policy — standard OS behaviour that applies to any app using the system recognizer, and one we’ve configured Oathkeep to avoid whenever the device allows. Oathkeep itself never records, stores, receives, or uploads audio — ever. Only the resulting text reaches us, and it’s treated like a typed note.
6. AI processing
When you generate a draft or have a note sorted into profile fields, the relevant text (the note; the recipient’s profile fields; your profile context; a few of your recent messages as style examples) is sent to our server and processed by Google’s Gemini API to produce the result. This is per-request processing on our instructions — the content is not used by us to profile you. We use Google’s paid API tier, whose terms mean your content is not used to train Google’s models.
7. Usage statistics & crash reports
We collect anonymous, content-free events (e.g. “a draft was generated”, “onboarding finished”) via Google Analytics for Firebase, and crash reports via Crashlytics, to keep Oathkeep fast and reliable. No advertising identifiers are collected (they are explicitly disabled), no ad networks are involved, and events never contain names, notes, drafts, or emails. How long this lives: user- and event-level analytics data is automatically deleted after at most 14 months; crash reports (stack traces and their associated device identifiers) are kept by Crashlytics for 90 days, after which Google begins removing them from live and backup systems. Fully aggregated, non-identifiable statistics (e.g. “how many drafts were generated last month”) may persist beyond those windows — they contain nothing traceable to you. Basis: our legitimate interest in a working product (Art. 6(1)(f)); we will move analytics behind consent if required in your region. You can object at any time (email us).
8. Purchases
Subscriptions are bought from Apple or Google and managed by RevenueCat for us (your user ID, email if signed in, and purchase state). We never see your card. Basis: contract.
Where your data lives
Your account data is stored in Google Firebase (Firestore/Storage), US multi-region (nam5); our functions run in us-central1. Transfers outside the EEA rely on the European Commission’s Standard Contractual Clauses as implemented in Google’s and RevenueCat’s data-processing terms, plus the EU-US Data Privacy Framework where the vendor is certified.
Our processors
Google Ireland/Google LLC (Firebase: authentication, database, storage, functions, analytics, crash reporting; Gemini API for AI processing) · RevenueCat, Inc. (US — subscriptions) · Apple / Google additionally act as independent controllers for sign-in and store billing you initiate with them.
Retention
Everything lives until you delete it or delete your account: notes and profiles until you remove them; the style sample is capped at your last 24 messages and clearable. Anonymous analytics events auto-delete after at most 14 months and crash reports after 90 days (see §7 above). We add no hidden copies and no marketing lists.
Deletion
Settings → Delete account erases your Firestore data (profiles, people, notes, style sample), your uploaded photos, your RevenueCat customer record, and your sign-in itself — server-side, immediately, no grace copy. No access to the app anymore? Request deletion at worthspreading.com/oathkeep/support#delete or email support@worthspreading.com from your account address. Honest footnote: files cached on your own device (e.g. locally stored photos, device preferences, a stale home-screen widget until it refreshes) are yours to clear by deleting the app; and telemetry already sent as anonymous events cannot be re-identified to erase.
Your rights (GDPR)
Access, rectification, erasure, portability, restriction, objection, and withdrawal of consent — write to support@worthspreading.com and we’ll act within a month. The app itself gives you the fast paths: full JSON export (Settings, and offered before deletion) and full deletion in-app. You can complain to the Dutch DPA, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
Children
Oathkeep is not directed at children and is not for users under 16.
Changes
We’ll announce material changes in the app and on this page before they take effect, with the date above updated.