Privacy Policy

Doom Inc. is a Delaware corporation operating the Doom App. You can reach us at vitaliy@fylyk.com.

The categories below describe everything we collect. We do not collect data we don't need.

2.1 Account information

When you sign in we receive identifiers from your chosen provider:

• Sign in with Apple — a stable Apple user identifier, your email (real or relay), and optionally your full name on first sign-in.
• Sign in with Google — your Google user ID, email and profile name.
• Email magic link — your email address only. We never see or store your password.

Your locale and IANA timezone are also recorded so reminders fire at the right local time.

2.2 On-device usage data

Doom uses Apple's Screen Time and DeviceActivity APIs to detect when you open apps you've explicitly added to your shield list. Apple processes this data on-device — Doom never receives the content of your screens, your messages, your browsing history, or apps you didn't add to the shield list.

The shield list, focus schedules, your ledger of pending tolls, streak data and per-app open counts are stored on your device. They are not transmitted to Doom unless you explicitly enable cross-device sync.

2.3 Subscription & purchase data

If you subscribe to Doom Premium, the purchase is processed by Apple. We receive an anonymised receipt and entitlement status via RevenueCat so we can unlock features. We never see your payment card.

2.4 Push notifications

With your permission, the App registers an Expo push token associated with your account. We use it only to deliver notifications you have opted into (focus reminders, streak updates, DoomInvest status, weekly summaries).

2.5 DoomInvest data (only if you opt in)

DoomInvest is an opt-in layer that connects your Doom account to a brokerage account in your name with Alpaca Securities LLC. When you enable it:

• You complete identity verification ("KYC") directly with Alpaca. Doom does not store your government ID, SSN or tax forms; Alpaca does.
• You link a funding bank account via Plaid. Plaid issues a tokenised reference; we never see your online banking credentials.
• Doom receives the minimum data needed to display your account state: account status, cash balance, positions, recent orders.

In the current "Bring Your Own Broker" implementation, Alpaca API credentials you provide are stored only in your iPhone's Secure Enclave via expo-secure-store. They are never transmitted to Doom servers.

2.6 Diagnostics & analytics

We use the following diagnostic tools:

• Sentry for crash reports. Stack traces are automatically scrubbed of API keys, tokens, secrets, tax IDs and SSNs before being transmitted.
• PostHog for product analytics — event names (e.g. focus.started), screen views, and your user identifier and provider. We do not send screen content, messages, or per-app usage counts to PostHog.
• Supabase as our application database for your account, profile, preferences and (if enabled) cross-device sync.

• To run the App: authentication, focus sessions, shield rendering, ledger math.
• To provide DoomInvest if you opted in: relay instructions to Alpaca, display positions, settle daily ledgers.
• To send notifications you've turned on.
• To detect and fix crashes and bugs.
• To understand which features are used so we can improve them.
• To enforce our Terms and prevent abuse.

We do not sell or rent your personal information. We do not use your data to train third-party advertising models, and we do not run third-party advertising in the App.

Where the GDPR or UK GDPR applies, our legal bases are: performance of contract (running the App and DoomInvest), consent (notifications, optional analytics), legitimate interests (crash diagnostics, fraud prevention), and compliance with legal obligations (financial recordkeeping for DoomInvest).

We share information only with the processors below, each bound by a written contract:

• Supabase, Inc. — database & authentication.
• RevenueCat, Inc. — App Store subscription receipts.
• Functional Software, Inc. (Sentry) — crash diagnostics.
• PostHog, Inc. — product analytics.
• Expo (650 Industries) — push notification delivery.
• Apple Inc. — App Store purchases, Sign in with Apple, push delivery, Screen Time APIs.
• Google LLC — Sign in with Google.
• Alpaca Securities LLC — brokerage execution & custody (DoomInvest only).
• Plaid Inc. — bank verification & ACH connectivity (DoomInvest only).
• RIA partner — our investment advisory partner, only if you enable advisory features. Their identity will be disclosed inside the App when the relevant feature ships.

We may disclose information when required by law, to protect rights or safety, or in connection with a merger or acquisition (in which case the acquirer inherits this Policy).

Account data is kept while your account is active. If you delete your account we erase your profile, focus history and ledger within 30 days, except records we must keep to satisfy legal obligations (e.g. financial recordkeeping under SEC and FINRA rules for DoomInvest transactions, which can be up to seven years).

Crash and analytics events are retained for a maximum of 12 months.

Sessions use PKCE; data in transit is encrypted with TLS 1.2+; Supabase databases are encrypted at rest. API keys, OAuth tokens and any credentials you provide are stored in iOS Keychain via expo-secure-store. No security is absolute — please use a strong, unique passcode on your device and notify us promptly if you suspect unauthorised access.

Depending on where you live, you may have the right to access, correct, port, delete or restrict processing of your information, and to object to certain processing. You also have the right to lodge a complaint with your local data protection authority.

Email vitaliy@fylyk.com from the address associated with your account to exercise any of these rights — we respond within 30 days.

California residents: we do not "sell" or "share" personal information as those terms are defined under the CCPA / CPRA. We do not process sensitive personal information for purposes that would trigger the right to limit. You retain all access, deletion and correction rights described above.

Doom is not directed to children under 13, and DoomInvest is restricted to users 18 or older. We do not knowingly collect data from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.

Our processors are mostly based in the United States. Where applicable we rely on the EU Standard Contractual Clauses and equivalent UK addenda to lawfully transfer personal information outside the EEA / UK.

Doom uses Apple frameworks subject to additional Apple guidelines:

• Family Controls / Screen Time / DeviceActivity — used solely to detect and shield apps you select. Data stays on-device and is not used for advertising, retargeting, or sold to third parties, in compliance with Apple's Family Controls Distribution policy.
• Sign in with Apple — we only request your name and email; we honour Apple's relay-email forwarding.
• App Tracking Transparency — Doom does not track you across apps or websites owned by other companies, and therefore does not show the ATT prompt.

We will revise this policy from time to time. Material changes will be announced in-app at least 14 days before they take effect. Continued use of the Services after a change means you accept the revised policy.

Doom Inc. · Attn: Privacy · vitaliy@fylyk.com