● ONETAP Terms

LEGAL

Privacy Policy

Effective date: May 29, 2026  ·  Last updated: May 29, 2026

oneTap is built on a simple promise: your data is used to power your brief, nothing else. This policy explains exactly what we collect, how we use it, and the choices you have.

CONTENTS

  1. Overview
  2. Information We Collect
  3. Third-Party Integrations
  4. How We Use Your Data
  5. Data Sharing
  6. Data Storage & Security
  7. Data Retention
  8. Your Rights
  9. Health Data
  10. Financial Data
  11. Children's Privacy
  12. California Privacy Rights
  13. Changes to This Policy
  14. Contact Us

1. Overview

oneTap ("oneTap," "we," "us," or "our") operates the oneTap mobile application and the website at theonetap.app (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our Service.

We take privacy seriously. oneTap connects to sensitive data sources — your email, calendar, health metrics, and financial accounts — solely to generate your personalized morning brief. We do not sell your data, use it for advertising, or share it with third parties for their own purposes.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide Directly

  • Account information: When you create an account, we collect your email address and password (stored as a salted bcrypt hash — we never store your plaintext password).
  • Subscription information: We collect payment information through our payment processor (Apple In-App Purchase). We do not store your credit card number or payment details on our servers.
  • Preferences and settings: The integrations you enable, your notification preferences, and your brief configuration.
  • Support communications: If you contact us for help, we retain those communications to resolve your issue and improve the Service.

2.2 Information Collected Automatically

  • Device information: Device type, operating system version, and app version — used for debugging and compatibility.
  • Usage analytics: Which integrations you use, how often you complete your brief, and aggregate feature usage. This data is anonymized and never linked to your identity for external reporting.
  • Crash reports: Anonymized crash logs to help us fix bugs.
  • Log data: Server-side logs including timestamps of API requests. Logs are retained for 30 days and automatically deleted.

2.3 Information from Third-Party Integrations

When you connect an integration, we access only the specific data scopes necessary to build your brief. See Section 3 for integration-specific details.

3. Third-Party Integrations

oneTap is an aggregation service. The following describes exactly what we access and why for each integration. You can revoke any integration at any time from within the app or directly from the third-party platform.

FREE

Gmail (Google)

What we access: Unread email count, flagged/starred email subjects, and sender names for emails received in the last 24 hours.

What we do not access: Email body content, attachments, sent mail, or any email older than 24 hours.

OAuth scope used: gmail.readonly — read-only access, we cannot send, delete, or modify emails.

Data handling: Email metadata is fetched in real-time at brief generation and is not stored on our servers beyond your brief session cache (TTL: 4 hours).

Revocation: Remove access at myaccount.google.com/permissions.

FREE

Google Calendar

What we access: Event titles, start/end times, and location for today's calendar events.

What we do not access: Event descriptions, attendee lists, private calendar events marked as private, or historical events.

OAuth scope used: calendar.readonly — read-only access.

Data handling: Calendar data is fetched at brief generation and cached for up to 4 hours. We do not store your calendar data persistently.

Revocation: Remove access at myaccount.google.com/permissions.

FREE

Apple Health (HealthKit)

What we access: Sleep analysis data (time in bed, time asleep, sleep stages) for the most recent sleep session.

What we do not access: Heart rate, step count, nutrition, menstrual health, or any HealthKit data category not explicitly listed above.

Data handling: HealthKit data is read on-device at brief generation. Sleep summaries are processed locally and only a computed summary (e.g., "Recovery 82 — go easy") is transmitted to our servers. Raw HealthKit records never leave your device.

Storage: The computed summary is cached server-side for up to 4 hours and then deleted.

Note: In accordance with Apple's HealthKit guidelines, we do not use HealthKit data for advertising, sell it to data brokers, or share it with third parties for any purpose other than providing the Service.

PRO

WHOOP

What we access: Recovery score, strain score, and sleep performance percentage for the current day.

What we do not access: Heart rate variability raw streams, detailed workout data, or historical data beyond 24 hours.

OAuth scope used: Read-only access via WHOOP's official API.

Data handling: WHOOP data is fetched at brief generation, processed into a summary, and cached for up to 4 hours. Raw WHOOP data is not persisted beyond the cache window.

PRO

Financial Data (Plaid)

What we access: Account balances and recent transaction totals (spending in the last 24 hours). We access this through Plaid, a licensed financial data aggregator.

What we do not access: Individual transaction details, merchant names, account numbers, routing numbers, or login credentials for your bank. Plaid handles authentication — we never see your banking username or password.

Data handling: Balance and spending summaries are fetched at brief generation and cached for up to 4 hours. We do not store your Plaid access token in plaintext — it is encrypted at rest using AES-256.

Plaid's role: Plaid acts as a subprocessor. Their privacy policy is available at plaid.com/legal/privacy-policy.

Revocation: You can disconnect your financial accounts at any time from within the app. This permanently deletes your Plaid access token from our servers.

PRO

News Digest

What we access: We query a curated set of public news APIs based on your topic preferences. No personal data is shared with news providers beyond standard API usage.

Data handling: News content is fetched fresh for each brief and not stored beyond the brief session.

4. How We Use Your Data

We use the information we collect to:

  • Generate your personalized morning brief
  • Authenticate you and manage your account
  • Process your subscription through Apple In-App Purchase
  • Send transactional notifications (e.g., brief ready, subscription renewal)
  • Debug crashes and improve app stability
  • Respond to support requests
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

We do not use your data to:

  • Serve advertisements
  • Build advertising profiles
  • Train machine learning models on your personal data
  • Sell or license your data to any third party

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

5.1 Subprocessors

We use a limited set of trusted third-party service providers to operate the Service:

ProviderPurposeData Shared
Apple (In-App Purchase)Subscription billingTransaction receipts only
PlaidFinancial data aggregationOAuth tokens, balance/spend summaries
Google (OAuth)Gmail & Calendar accessOAuth tokens
WHOOP (OAuth)Recovery data accessOAuth tokens
SupabaseDatabase & authenticationAccount data, brief preferences
Sentry (or equivalent)Crash reportingAnonymized crash logs

All subprocessors are bound by data processing agreements and are prohibited from using your data for their own purposes.

5.2 Legal Requirements

We may disclose your information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect our rights, prevent fraud, or protect the safety of any person.

5.3 Business Transfers

If oneTap is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a materially different privacy policy.

6. Data Storage and Security

We take security seriously and implement controls consistent with industry best practices:

  • Encryption in transit: All data transmitted between the app and our servers uses TLS 1.2 or higher.
  • Encryption at rest: Sensitive data (OAuth tokens, financial tokens) is encrypted at rest using AES-256.
  • Password hashing: Passwords are hashed using bcrypt with a per-user salt. We never store or log plaintext passwords.
  • Access controls: Database access is restricted to authenticated backend services. No employee has routine access to user data. Access to production systems requires multi-factor authentication.
  • Principle of least privilege: Internal systems and team members are granted only the minimum access required for their role.
  • Vulnerability management: We conduct regular dependency audits and monitor for known vulnerabilities in our infrastructure.
  • Breach response: In the event of a data breach affecting your personal information, we will notify you within 72 hours where required by law.

Your data is stored on servers located in the United States. If you are outside the United States, your information will be transferred to and processed in the United States.

7. Data Retention

We retain your data only as long as necessary:

Data TypeRetention Period
Account information (email, hashed password)Until account deletion
Brief preferences and settingsUntil account deletion
Brief session cache (integration summaries)4 hours, then auto-deleted
OAuth tokens (Google, WHOOP)Until you disconnect the integration or delete your account
Plaid access token (encrypted)Until you disconnect financials or delete your account
Server access logs30 days, then auto-deleted
Crash reports90 days
Support communications2 years from last interaction
Subscription/billing records7 years (legal/tax requirement)

When you delete your account, we delete or anonymize all personal data within 30 days, except where retention is required by law (e.g., billing records).

8. Your Rights and Choices

You have the following rights with respect to your personal data:

  • Access: You can request a copy of the personal data we hold about you.
  • Correction: You can update your account email and preferences directly within the app.
  • Deletion: You can delete your account from Settings → Account → Delete Account. This permanently and irreversibly deletes your data within 30 days.
  • Portability: You can request an export of your data (brief preferences and account info) by contacting us at privacy@theonetap.app.
  • Disconnect integrations: You can disconnect any third-party integration at any time from Settings → Integrations. Disconnecting removes our access tokens immediately.
  • Opt out of analytics: You can disable usage analytics from Settings → Privacy.
  • Push notifications: You can manage notification permissions through your iOS Settings.

To exercise any of these rights, contact us at privacy@theonetap.app. We will respond within 30 days.

9. Health Data — Special Protections

We treat health and fitness data with the highest level of care. This section supplements our general privacy practices for health-related integrations (Apple Health, WHOOP).

  • We access health data only to generate your morning brief.
  • We do not sell health data, use it for advertising, share it with insurers, employers, or data brokers, or use it for any purpose unrelated to the Service.
  • Raw HealthKit records are processed on your device. Only computed summaries leave your device.
  • Health data is never used to train machine learning models.
  • You can revoke health data access at any time from iOS Settings → Privacy & Security → Health.
  • oneTap complies with Apple's HealthKit and MindKit guidelines and any applicable health data regulations.

10. Financial Data — Special Protections

Financial data accessed through Plaid is treated with heightened security and access controls.

  • We access financial data read-only. We cannot initiate transactions, transfers, or payments of any kind.
  • We do not store account numbers, routing numbers, or bank login credentials. Plaid handles all credential management.
  • Financial summaries (balance, daily spend total) are cached for a maximum of 4 hours and then deleted.
  • Your Plaid access token is stored encrypted with AES-256 and is accessible only to the authenticated API process that fetches your brief.
  • We do not sell, share, or monetize financial data in any way.
  • You can permanently disconnect and delete your financial data linkage from Settings → Integrations → Finances → Disconnect.

11. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected personal information from a child under 13, we will delete it promptly. If you believe we may have information about a child under 13, please contact us at privacy@theonetap.app.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt Out of Sale: We do not sell personal information. No opt-out is required.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise California rights, contact us at privacy@theonetap.app with "California Privacy Request" in the subject line. We will verify your identity before processing your request.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app and update the "Last updated" date at the top of this page. We will also provide at least 30 days' notice before any material changes take effect, giving you time to review the changes and, if necessary, delete your account.

Continued use of the Service after changes take effect constitutes your acceptance of the revised policy.

14. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

oneTap

Privacy inquiries: privacy@theonetap.app

General: hello@theonetap.app

Website: theonetap.app

We aim to respond to all privacy inquiries within 5 business days.

● ONETAP
Privacy Terms Contact