eNeighbor Privacy Policy

Last updated: March 21, 2026

This Privacy Policy describes how Curlew Labs LLC (“Curlew Labs,” “we,” “our,” or “us”) handles information in connection with the eNeighbor mobile application (the “App”).

Information we collect

The App detects when a paired device is first used each morning. Specifically, we collect:

• Device activity signals — a timestamped record indicating that the device has been used, along with your timezone offset so we can determine local morning time for notification scheduling. We do not collect the content of any activity, which apps were used, or any other behavioral detail.
• Daily check records — a record of whether a check-in was detected each day, used to track whether a notification should be sent and to display status to the paired contact.
• Account information — an email address, display name, and optional phone number used to create an account and pair devices. We also record which authentication provider you used to sign in (Google or Apple), and the timestamps when your account was created, last modified, and when you completed onboarding.
• Notification preferences — your preferred check-in time and related notification scheduling settings, stored so the App can send alerts at the right time.
• FCM device token — a token issued by Google Firebase Cloud Messaging that allows us to deliver push notifications to your device. This token is stored on our servers and updated automatically when it changes.
• Pairing relationships — the association between a monitored device and a contact device, established explicitly by both users. This includes the invitation code used to initiate the pairing, the timestamp when the invitation was accepted, and a record of which version of this Privacy Policy was in effect when consent was given.

We do not collect location data, contacts, messages, photos, or any other personal content from your device.

How we use your information

We use the information described above solely to operate the App — specifically, to determine whether a device has been used by mid-morning and, if not, to send a notification to the designated contact. We do not use your information for advertising or profiling. We collect limited technical diagnostics as described under “Crash and error reporting” below.

Legal basis for processing

We process your personal data under the following legal bases as defined by the EU General Data Protection Regulation (GDPR):

• Contract performance (Art. 6(1)(b)) — processing your account information and device activity signals is necessary to provide the App’s core service to you.
• Legitimate interests (Art. 6(1)(f)) — we process limited technical diagnostics (crash reports) to maintain and improve the App. Our legitimate interest is ensuring service reliability, which does not override your fundamental rights given the minimal and non-sensitive nature of this data.
• Consent (Art. 6(1)(a)) — when an elder user agrees to be paired with a contact, both parties consent to the sharing of daily activity status between them. You may withdraw this consent at any time by removing the pairing in the App or by contacting us.

Information sharing

We do not sell, rent, or share your personal information with third parties, except as follows:

• Between paired users — activity status is shared between a monitored device and its designated contact, as the core function of the App.
• Service providers — we may use third-party services (such as Google Firebase for authentication, push notifications, and crash reporting, and Cloudflare for cloud hosting) to operate the App. These providers process data only on our behalf and are contractually prohibited from using it for any other purpose.
• Legal requirements — we may disclose information if required to do so by law or in response to valid legal process.

Data retention

We retain your data for the following periods:

• Heartbeat signals (device activity records) — 90 days, then automatically deleted.
• Daily check records (whether a check-in was detected each day) — 30 days, then automatically deleted.
• Account information, notification preferences, pairing relationships, and invitation records — retained for as long as you maintain an account. After an account deletion request, all associated data is deleted within 30 days.
• Device tokens for push notifications — retained as long as your account is active. Tokens are updated automatically when your device issues a new one, and deleted when your account is deleted.
• Crash reports — retained by Google Firebase Crashlytics per their standard retention policy (90 days).

You may request deletion of your account and all associated data at any time (see “Your rights” below).

Children's privacy

The App is intended for adults. We do not knowingly collect information from children. Under the U.S. Children's Online Privacy Protection Act (COPPA), we do not knowingly collect information from anyone under the age of 13. Under GDPR Article 8, we do not knowingly collect information from anyone under the age of 16 in the European Union without verifiable parental consent. If we become aware that we have collected information from a child below the applicable age threshold, we will delete it promptly.

Security

We take reasonable technical and organizational measures to protect your information. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Crash and error reporting

The App automatically collects diagnostic information when errors occur, including error details, device model, operating system version, and an anonymous account identifier. This data is processed by Google Firebase Crashlytics and is used solely to identify and fix bugs. No personal content, messages, or activity details are included in crash reports.

International data transfers

Your data is processed by service providers located outside the European Economic Area (EEA):

• Google Firebase (United States) — authentication, push notifications, and crash reporting.
• Cloudflare (global edge network) — cloud hosting and API delivery.

Where your data is transferred outside the EEA, these providers maintain appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission. We maintain Data Processing Agreements (DPAs) with each provider.

Automated decision-making

The App does not engage in automated decision-making or profiling as defined by GDPR Art. 22. The only automated process is detecting whether a device has been used in the morning and sending a notification if it has not — this does not produce legal or similarly significant effects.

Your rights

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with applicable data protection laws, you have the following rights regarding your personal data:

• Access (Art. 15) — request a copy of the personal data we hold about you.
• Rectification (Art. 16) — request correction of inaccurate personal data.
• Erasure (Art. 17) — request deletion of your personal data (“right to be forgotten”).
• Restriction of processing (Art. 18) — request that we limit how we use your data.
• Data portability (Art. 20) — receive your data in a structured, machine-readable format.
• Object (Art. 21) — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at support@curlewlabs.com. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your data has been processed unlawfully. A list of EEA supervisory authorities is available at edpb.europa.eu.

Changes to this policy

We may update this Privacy Policy as the App evolves. When we do, we will update the “Last updated” date at the top of this page. We encourage you to review this page periodically.

Data controller

The data controller responsible for your personal data is:

Curlew Labs LLC
300 Lenora St. #936
Seattle, WA 98121
Email: support@curlewlabs.com

If you have questions about this Privacy Policy or how we handle your information, please contact us at the email address above.