← Back to Manifestry

Privacy Policy

Last updated: June 8, 2026

1. Introduction

Manifestry ("we," "our," or "us") is an iOS manifestation and journaling app. This Privacy Policy explains what data we collect, what we don't, and how the things you create inside the app, your intentions, manifest sessions, and journal entries, flow between your device and our backend (Firebase).

Manifestry is built by one developer. We don't sell ads, we don't track you across other apps, and we don't sell your data. Your journal is personal, and we treat it that way.

2. How Your Data Flows

• Device ↔ Firebase (your private space): Your account, intentions, manifest session records, and journal entries are stored in Google Firebase under your user ID, governed by security rules that scope your data to your own account.
• Device ↔ Apple (sign-in): You sign in with Apple. Apple authenticates you and returns a token to Firebase Auth. We never see your Apple password, and Apple may relay a private email address on your behalf.
• Device ↔ RevenueCat ↔ Apple: When you subscribe, the purchase is processed by Apple. RevenueCat sits between the app and Apple to report whether your subscription is active. It receives an anonymous user ID we generate and the receipt data Apple returns. We never see your Apple ID or payment method.
• Device ↔ PostHog (product analytics):The app sends anonymous behavioral events (e.g. "session completed," "paywall shown") keyed to your user ID so we can understand which parts of the app work. The content of your intentions, sessions, and journal entries is never sent to PostHog. Session recording / replay is disabled.

3. Information We Collect

Account information

• Email address (Apple may relay a private address)
• A Firebase Authentication user ID (UID)
• A profile photo, only if you choose to add one

Content you create

• Your intentions
• Your manifest session records (when you ran a session and related metadata)
• Your journal entries
• Streak and progress information derived from your activity

This content is stored only under your account in Firestore. No one but you can read it.

Subscription state

• Whether your subscription entitlement is active and its expiry, as reported by RevenueCat / Apple

Product analytics (PostHog, anonymous events)

• Event names and coarse metadata (which screens you used, whether a session was completed) keyed to your user ID
• Crash and error reports without the content that triggered them

What we do NOT collect

• No advertising identifier (no IDFA-based tracking)
• No contacts, calendar, or microphone access
• No third-party ad networks, ad SDKs, or retargeting trackers
• No cross-app or cross-site tracking of any kind
• No content of your intentions, sessions, or journal entries sent to analytics
• No session recording or screen replay

4. Camera, Photos & Location

Manifestry requests access to your camera and photo library only so you can set a profile photo, and only when you choose one. If you opt into reminders, the app may request location while in use to help time notifications relevantly; this is optional, used only for that purpose, and you can decline and still use the app.

5. Notifications

With your permission, Manifestry sends reminders to help you keep your practice. Notifications are opt-in and can be turned off at any time from the app or your iOS settings.

6. Tracking & Advertising

Manifestry does nottrack you across other companies' apps or websites, and does not use Apple's IDFA. The app does not present an App Tracking Transparency prompt because no cross-app tracking occurs.

7. Third-Party Services

• Google Firebase (Authentication, Firestore): hosts your account and journal data.
• Apple: Sign in with Apple, App Store distribution, and subscription billing.
• RevenueCat: reports your subscription status. Receives an anonymous identifier and Apple receipt data. Processes data in the United States.
• PostHog: product analytics and error monitoring. Anonymous events only, no journal content. Session recording disabled.

8. Data Retention & Deletion

Your intentions, sessions, and journal entries live in your account so you can look back at them. You can delete individual entries in the app, and you can delete your entire account from settings, which removes your content and your authentication record. This is irreversible.

9. Legal Basis for Processing (GDPR)

• Contractual necessity (Art. 6(1)(b)): account creation and storing the content you create, necessary to provide the app.
• Legitimate interest (Art. 6(1)(f)): basic operation and abuse prevention.
• Consent (Art. 6(1)(a)): optional notifications and location for reminder timing, which you can withdraw.

10. International Data Transfers

Firebase, RevenueCat, and PostHog process data in the United States. If you use Manifestry from outside the U.S., your data is transferred there. These providers offer Standard Contractual Clauses for cross-border transfers.

11. Your Rights

• EEA/UK (GDPR): access, portability, restriction, objection, and the right to complain to your data protection authority.
• California (CCPA/CPRA): the right to know, delete, and opt out of "sale" or "sharing." We do not sell or share your personal information.

12. Children's Privacy

Manifestry is not directed to children under 13 (or 16 in the EEA). We do not knowingly collect data from children. If you believe a child has signed up, contact us and we will delete the account.

13. Security

Authentication tokens are stored securely in the device keychain (Expo Secure Store). All traffic uses HTTPS, and Firestore security rules restrict your data to your own account. No system is perfectly secure, but Manifestry stores only what's needed to run your practice.

14. Changes to This Policy

We may update this Privacy Policy. Material changes will be announced on this page and, if significant, in the app.

15. Contact

Questions or requests, write to support@moetalaat.com.