1. Overview
oneTap ("oneTap," "we," "us," or "our") operates the oneTap mobile application and the website at theonetap.app (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our Service.
We take privacy seriously. oneTap connects to sensitive data sources — your email, calendar, health metrics, and financial accounts — solely to generate your personalized morning brief. We do not sell your data, use it for advertising, or share it with third parties for their own purposes.
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: When you create an account, we collect your email address and password (stored as a salted bcrypt hash — we never store your plaintext password).
- Subscription information: We collect payment information through our payment processor (Apple In-App Purchase). We do not store your credit card number or payment details on our servers.
- Preferences and settings: The integrations you enable, your notification preferences, and your brief configuration.
- Support communications: If you contact us for help, we retain those communications to resolve your issue and improve the Service.
2.2 Information Collected Automatically
- Device information: Device type, operating system version, and app version — used for debugging and compatibility.
- Usage analytics: Which integrations you use, how often you complete your brief, and aggregate feature usage. This data is anonymized and never linked to your identity for external reporting.
- Crash reports: Anonymized crash logs to help us fix bugs.
- Log data: Server-side logs including timestamps of API requests. Logs are retained for 30 days and automatically deleted.
2.3 Information from Third-Party Integrations
When you connect an integration, we access only the specific data scopes necessary to build your brief. See Section 3 for integration-specific details.
3. Third-Party Integrations
oneTap is an aggregation service. The following describes exactly what we access and why for each integration. You can revoke any integration at any time from within the app or directly from the third-party platform.
Gmail (Google)
What we access: Unread email count, flagged/starred email subjects, and sender names for emails received in the last 24 hours.
What we do not access: Email body content, attachments, sent mail, or any email older than 24 hours.
OAuth scope used: gmail.readonly — read-only access, we cannot send, delete, or modify emails.
Data handling: Email metadata is fetched in real-time at brief generation and is not stored on our servers beyond your brief session cache (TTL: 4 hours).
Revocation: Remove access at myaccount.google.com/permissions.
Google Calendar
What we access: Event titles, start/end times, and location for today's calendar events.
What we do not access: Event descriptions, attendee lists, private calendar events marked as private, or historical events.
OAuth scope used: calendar.readonly — read-only access.
Data handling: Calendar data is fetched at brief generation and cached for up to 4 hours. We do not store your calendar data persistently.
Revocation: Remove access at myaccount.google.com/permissions.
Apple Health (HealthKit)
What we access: Sleep analysis data (time in bed, time asleep, sleep stages) for the most recent sleep session.
What we do not access: Heart rate, step count, nutrition, menstrual health, or any HealthKit data category not explicitly listed above.
Data handling: HealthKit data is read on-device at brief generation. Sleep summaries are processed locally and only a computed summary (e.g., "Recovery 82 — go easy") is transmitted to our servers. Raw HealthKit records never leave your device.
Storage: The computed summary is cached server-side for up to 4 hours and then deleted.
Note: In accordance with Apple's HealthKit guidelines, we do not use HealthKit data for advertising, sell it to data brokers, or share it with third parties for any purpose other than providing the Service.
WHOOP
What we access: Recovery score, strain score, and sleep performance percentage for the current day.
What we do not access: Heart rate variability raw streams, detailed workout data, or historical data beyond 24 hours.
OAuth scope used: Read-only access via WHOOP's official API.
Data handling: WHOOP data is fetched at brief generation, processed into a summary, and cached for up to 4 hours. Raw WHOOP data is not persisted beyond the cache window.
Financial Data (Plaid)
What we access: Account balances and recent transaction totals (spending in the last 24 hours). We access this through Plaid, a licensed financial data aggregator.
What we do not access: Individual transaction details, merchant names, account numbers, routing numbers, or login credentials for your bank. Plaid handles authentication — we never see your banking username or password.
Data handling: Balance and spending summaries are fetched at brief generation and cached for up to 4 hours. We do not store your Plaid access token in plaintext — it is encrypted at rest using AES-256.
Plaid's role: Plaid acts as a subprocessor. Their privacy policy is available at plaid.com/legal/privacy-policy.
Revocation: You can disconnect your financial accounts at any time from within the app. This permanently deletes your Plaid access token from our servers.
News Digest
What we access: We query a curated set of public news APIs based on your topic preferences. No personal data is shared with news providers beyond standard API usage.
Data handling: News content is fetched fresh for each brief and not stored beyond the brief session.
4. How We Use Your Data
We use the information we collect to:
- Generate your personalized morning brief
- Authenticate you and manage your account
- Process your subscription through Apple In-App Purchase
- Send transactional notifications (e.g., brief ready, subscription renewal)
- Debug crashes and improve app stability
- Respond to support requests
- Detect and prevent fraud or abuse
- Comply with legal obligations
We do not use your data to:
- Serve advertisements
- Build advertising profiles
- Train machine learning models on your personal data
- Sell or license your data to any third party
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:
5.1 Subprocessors
We use a limited set of trusted third-party service providers to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Apple (In-App Purchase) | Subscription billing | Transaction receipts only |
| Plaid | Financial data aggregation | OAuth tokens, balance/spend summaries |
| Google (OAuth) | Gmail & Calendar access | OAuth tokens |
| WHOOP (OAuth) | Recovery data access | OAuth tokens |
| Supabase | Database & authentication | Account data, brief preferences |
| Sentry (or equivalent) | Crash reporting | Anonymized crash logs |
All subprocessors are bound by data processing agreements and are prohibited from using your data for their own purposes.
5.2 Legal Requirements
We may disclose your information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect our rights, prevent fraud, or protect the safety of any person.
5.3 Business Transfers
If oneTap is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a materially different privacy policy.
6. Data Storage and Security
We take security seriously and implement controls consistent with industry best practices:
- Encryption in transit: All data transmitted between the app and our servers uses TLS 1.2 or higher.
- Encryption at rest: Sensitive data (OAuth tokens, financial tokens) is encrypted at rest using AES-256.
- Password hashing: Passwords are hashed using bcrypt with a per-user salt. We never store or log plaintext passwords.
- Access controls: Database access is restricted to authenticated backend services. No employee has routine access to user data. Access to production systems requires multi-factor authentication.
- Principle of least privilege: Internal systems and team members are granted only the minimum access required for their role.
- Vulnerability management: We conduct regular dependency audits and monitor for known vulnerabilities in our infrastructure.
- Breach response: In the event of a data breach affecting your personal information, we will notify you within 72 hours where required by law.
Your data is stored on servers located in the United States. If you are outside the United States, your information will be transferred to and processed in the United States.
7. Data Retention
We retain your data only as long as necessary:
| Data Type | Retention Period |
|---|---|
| Account information (email, hashed password) | Until account deletion |
| Brief preferences and settings | Until account deletion |
| Brief session cache (integration summaries) | 4 hours, then auto-deleted |
| OAuth tokens (Google, WHOOP) | Until you disconnect the integration or delete your account |
| Plaid access token (encrypted) | Until you disconnect financials or delete your account |
| Server access logs | 30 days, then auto-deleted |
| Crash reports | 90 days |
| Support communications | 2 years from last interaction |
| Subscription/billing records | 7 years (legal/tax requirement) |
When you delete your account, we delete or anonymize all personal data within 30 days, except where retention is required by law (e.g., billing records).
8. Your Rights and Choices
You have the following rights with respect to your personal data:
- Access: You can request a copy of the personal data we hold about you.
- Correction: You can update your account email and preferences directly within the app.
- Deletion: You can delete your account from Settings → Account → Delete Account. This permanently and irreversibly deletes your data within 30 days.
- Portability: You can request an export of your data (brief preferences and account info) by contacting us at privacy@theonetap.app.
- Disconnect integrations: You can disconnect any third-party integration at any time from Settings → Integrations. Disconnecting removes our access tokens immediately.
- Opt out of analytics: You can disable usage analytics from Settings → Privacy.
- Push notifications: You can manage notification permissions through your iOS Settings.
To exercise any of these rights, contact us at privacy@theonetap.app. We will respond within 30 days.
9. Health Data — Special Protections
We treat health and fitness data with the highest level of care. This section supplements our general privacy practices for health-related integrations (Apple Health, WHOOP).
- We access health data only to generate your morning brief.
- We do not sell health data, use it for advertising, share it with insurers, employers, or data brokers, or use it for any purpose unrelated to the Service.
- Raw HealthKit records are processed on your device. Only computed summaries leave your device.
- Health data is never used to train machine learning models.
- You can revoke health data access at any time from iOS Settings → Privacy & Security → Health.
- oneTap complies with Apple's HealthKit and MindKit guidelines and any applicable health data regulations.
10. Financial Data — Special Protections
Financial data accessed through Plaid is treated with heightened security and access controls.
- We access financial data read-only. We cannot initiate transactions, transfers, or payments of any kind.
- We do not store account numbers, routing numbers, or bank login credentials. Plaid handles all credential management.
- Financial summaries (balance, daily spend total) are cached for a maximum of 4 hours and then deleted.
- Your Plaid access token is stored encrypted with AES-256 and is accessible only to the authenticated API process that fetches your brief.
- We do not sell, share, or monetize financial data in any way.
- You can permanently disconnect and delete your financial data linkage from Settings → Integrations → Finances → Disconnect.
11. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected personal information from a child under 13, we will delete it promptly. If you believe we may have information about a child under 13, please contact us at privacy@theonetap.app.
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt Out of Sale: We do not sell personal information. No opt-out is required.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise California rights, contact us at privacy@theonetap.app with "California Privacy Request" in the subject line. We will verify your identity before processing your request.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you through the app and update the "Last updated" date at the top of this page. We will also provide at least 30 days' notice before any material changes take effect, giving you time to review the changes and, if necessary, delete your account.
Continued use of the Service after changes take effect constitutes your acceptance of the revised policy.
14. Contact Us
If you have questions about this Privacy Policy or how we handle your data, please contact us:
We aim to respond to all privacy inquiries within 5 business days.