Boolean detection events. When the camera-based watchman fires, we record a row that says: a phone was detected, with a confidence score, for a duration, ending at a timestamp. That payload (defined in the WatchmanEvent contract) is the only thing that touches our servers.

Standard account data: your email, focus-session metadata (start, end, duration, mode), rank progression, friend graph, operator preference, and Stripe customer ID for billing.

• No video frames. Not in transit, not at rest, not anywhere.
• No audio. The mic is never accessed.
• No still images, thumbnails, base64 strings, or canvas pixel data.
• No browsing history, app usage outside GOTCHU, or system telemetry.
• No card numbers. Stripe handles all payments.
• No third-party advertising IDs, no ad networks, no behavioral retargeting cookies.

You can verify this directly. Every account has a self-serve privacy receipt at /api/user/privacy that lists data_we_have and data_we_dont_have against the watchman contract. If the contract changes, that endpoint changes with it.

When you start a focus session with watchman enabled, the browser asks for camera permission. If you grant it, your camera feed is processed in your browser using on-device computer vision (MediaPipe + TensorFlow.js). Detection samples at 1 fps: low enough to be cheap on battery, high enough to catch a phone pickup within a second.

When the page is hidden (you switched tabs, locked the screen), detection pauses. When the session ends, the camera track is released. The indicator light goes off.

Granting OR revoking camera permission writes a row to our privacy audit log via recordPrivacyEvent(). That log is the regulatory record.

• Stripe handles payments. They get your card number; we get a token. Their privacy policy is at stripe.com/privacy.
• Supabase is our backend and database host. Row-level policies enforce account isolation.
• ElevenLabs is used to pre-generate operator voice lines during development. We never call them at runtime; audio is baked into the app.
• Resend sends transactional email (sign-up confirmation, password reset). They see your email address and the message body we send.
• Vercel hosts the site and the app. Their infrastructure logs include IP addresses on a rolling 30-day window for abuse prevention.
• Vercel Analytics records anonymous web-vitals and page-view counts. No personal identifiers, no third-party trackers.

Free tier: session and catch history kept for 7 days, then deleted.
Premium / Lifetime: kept for the lifetime of the account.
Privacy audit log:kept indefinitely so you can prove what happened with your camera consent. That's a regulatory record, not personal data.

Wherever you are in the world, you can ask us to:

• Show you everything we have on you (we already do; see the privacy receipt).
• Export your data in a portable format.
• Delete your account and everything attached to it.
• Correct anything that's wrong (mostly: your email, your display name, your friend list).

Email hello@thegotchuapp.com. A real human reads it. We respond within 5 business days.

GOTCHU is not for children under 13. We don't knowingly collect data from anyone under 13; if you're a parent and think your kid signed up, email us and we'll wipe the account.

If we change this policy in a way that affects what we collect or how we use it, we'll email everyone with an account at least 30 days before it takes effect. The old version stays in git history forever.

Email: hello@thegotchuapp.com
Mail: not yet — we don't maintain a postal address for privacy correspondence. Email is the only channel.