CleanMy Privacy Policy
Effective date: to be set at publication.
Published at: https://cleanmy.life/privacy.
This document is the source of truth for the public privacy policy page. The
apps/web/app/privacy/page.tsx Next.js route renders this content. Changes to
this file are deployed to production via the standard web deploy pipeline.
The same content informs the App Privacy nutrition label at
../02-app-store-connect-listing/02-app-privacy-nutrition-label.md
and the on-device PrivacyInfo.xcprivacy manifest. If you change one, audit the
other two before deploying.
Privacy Policy
CleanMy is built and operated by Devon Saliga, sole proprietor ("we," "us," "our"). This policy describes the limited categories of personal information we collect when you use CleanMy on iOS or visit cleanmy.life, how we use it, who we share it with, and how to revoke consent.
The short version (everything in 60 seconds)
- We collect the photos you take inside CleanMy, your Sign in with Apple email (if you sign in), an internal user ID, your in-app purchase history, and anonymous analytics events.
- In family mode we also store a child's first name, which the parent types in
during setup. It is kept locally on the device for personalizing the
experience (the cleaning checklist greeting, the parent dashboard, the
iMessage send-to-family copy). When the parent later reviews and publishes
one of the child's cleans to the public feed, the post is created under
the parent's account and labeled with the parent's chosen display name (or
a system-assigned user handle like
user_a4b3c2d1if the parent has not set one). The child's first name is never used as the post label and the child is not identified on the public feed in any way. - We never send to our servers: your location, your contacts, your device's advertising identifier, or any record of which apps you use or for how long. When you set up the family configuration, CleanMy asks you to add phone numbers for the adults the kid should be able to message at the end of a clean. Those phone numbers are stored only in the device's local settings, used only to address an iMessage when the kid taps "Send to Mom" / "Send to Dad," and are never transmitted to CleanMy's servers.
- To turn your before-photo into a cleaning checklist and to verify your after-photo, we use Google Cloud's Vertex AI service. Vertex AI's published terms commit Google to not using customer content (our requests, including your photos) to train Google's models or any partner-model provider's models (see cloud.google.com/terms/service-terms). The model we run today is Gemini 3.5 Flash.
- To improve the product we send anonymous crash reports to Sentry and anonymous product-interaction events to PostHog. In kid mode these run with extra restrictions: no email is sent to PostHog (the kid account doesn't have one anyway); Sentry screen recordings and screenshot attachments are disabled; and a redaction filter scrubs emails, account IDs, and post URLs from every event before transmission. We never use this data for advertising and we never sell it.
- We do not sell your data. CleanMy today is a paid product (in-app credit packs) and we do not show advertisements to anyone in any configuration. In the future, if we offer a free tier of the AI-powered cleaning loop, we reserve the right to make that free tier ad-supported to cover the per-clean AI cost. Whatever we do on the adult product, children's data is never used to serve ads and ads are never shown to a child using the kid surface of CleanMy.
- Children using CleanMy authenticate anonymously; we collect no email from children, and we never ask a child to type their own name. The only name we store about a child is the first name the parent provides during setup.
- You can delete your account in-app at Settings → Account → Delete account. The deletion runs server-side immediately; ON DELETE CASCADE in our database removes every record tied to your account as part of the same transaction. We commit to it being complete within 24 hours at the outside.
- Questions:
support@cleanmy.life.
What we collect
Photos you take in CleanMy
When you start a cleaning session, you capture one before-photo and one after-photo via the device camera. We upload both photos to our backend (Supabase Storage) so our AI vendor (Google Cloud's Vertex AI service) can generate cleaning tasks and verify completion. Before upload, the image is re-encoded as a fresh JPEG on your device, which strips EXIF metadata (including any GPS coordinates the camera would otherwise embed) as a side effect of the re-encode. Photos are retained against your user record so you can view your own history; you can delete any photo from inside the app or by deleting your account.
Vertex AI's published terms commit Google to not using customer content (our requests, including your photos) to train Google's models or any partner-model provider's models (see cloud.google.com/terms/service-terms). The model we run today is Gemini 3.5 Flash (Google). Vertex AI's catalog also includes other multimodal models we may evaluate or move to as the product evolves: Google's own Gemini 3.1 Pro, Gemini 3.1 Flash-Lite, and Gemini 3 Pro Image; Anthropic's Claude (Opus 4.7, Opus 4.6, Sonnet 4.6, Haiku 4.5); and Mistral's Small 3.1 and OCR 2505. The specific model we run at any time is an implementation detail and may change without notice; whichever model we use, all traffic goes through Vertex AI under the same no-training contractual commitment.
Automated content-safety screening
Every photo is screened by our AI before it is saved or published, to block content that should not be captured, stored, or shared: nudity or sexual content, a real person in the shot, graphic violence, weapons, drug paraphernalia, and anything that may sexualize a minor. A flagged photo is removed from your account and held in restricted storage for our review.
We reserve the right to add industry-standard image-hash matching services (for example Microsoft PhotoDNA) to detect known illegal images, and we report apparent child sexual abuse material to the National Center for Missing and Exploited Children (NCMEC) and to law enforcement as required by law. Any such hash-matching service compares mathematical hashes, never the photos themselves, against known-illegal-content databases. We will note here when a hash-matching service is enabled.
Child's first name (family mode only)
If you set CleanMy up in family mode, the setup flow asks you (the parent) to type your child's first name. This name is used locally on the device for personalization — the cleaning checklist greeting ("Hudson's room"), labels in the parent dashboard, the iMessage send-to-family copy. It is stored in iOS UserDefaults on the device that did the setup.
The first name is transmitted to our servers as part of one specific record: when the child sends a completed clean to the parent for review, the internal "pending review" row that goes to the parent's inbox is labeled with the first name (so the parent can tell which child the clean came from). That row is never visible on the public feed — it is gated to the paired parent's account by database-level access controls and is permanently held in a "pending" state until the parent takes action on it.
If the parent then chooses to publish the clean to the public feed, our server
creates a separate public post owned by the parent. That public post's
displayed label is the parent's chosen public name. If the parent has not set
a public name, the post appears under a system-assigned user handle (for
example, user_a4b3c2d1) derived from a one-way hash of the parent's
account ID; the handle is stable across the parent's posts but does not
reveal their account ID, email, or any other personal information. The
child's first name is never used as the public post label. (If the parent
chooses to mention their child by name in the free-text caption they write
themselves at publish time, that is the parent's own speech and is outside
our control; we do not pre-populate the caption with anything.)
We do not ask the child to type their own name. We never combine the child's first name with a server-side last name, an email address, a phone number, a home address, geolocation, or any other personal identifier we would assemble into a personal profile.
Sign in with Apple email (adult and parent only)
If you choose adult mode or parent mode in CleanMy, we authenticate you via Apple's
Sign in with Apple. Apple gives us either your real email or an Apple-relay address
(<random>@privaterelay.appleid.com) depending on your selection. We use this email
only to:
- identify your account on the server,
- send PIN reset emails (if you've enabled the reset path),
- send notifications you've opted into (V1.5+),
- contact you if you write to support.
We never share your email with third parties. You can revoke the Apple Sign-In at any time from iOS Settings → [Your Name] → Sign in with Apple → CleanMy → Stop using Apple ID. Revoking signs you out and locks your account against further use until you re-authenticate or delete it.
Pre-provisioned tester/reviewer email sign-in
CleanMy also accepts an email + password sign-in path for a small set of accounts we provision on our backend for App Store reviewers and internal testers. There is no signup form in the app. These accounts cannot be created by anyone other than us, and they are not advertised to or expected of real users. The email is collected and stored in Supabase Auth; the password is bcrypt-hashed at rest by Supabase, is never sent in plaintext to our application code, never logged, and never shared with any third party. Once signed in, a tester account is handled identically to a Sign-in-with-Apple account (same data, same retention, same delete-account pathway). Real users should continue to use Sign in with Apple.
Internal user ID
Each device that opens CleanMy is assigned a Supabase user UUID. For kids and solo users this UUID is the only identifier we have; it is not derived from any hardware identifier and cannot be cross-referenced with other apps you use. For adult and parent users, the UUID is paired with the Apple Sign-In identity.
Subscription and in-app purchase records
When you subscribe to CleanMy Plus (or buy add-on cleans) from inside CleanMy, Apple's StoreKit handles the transaction; we never see your payment card. Apple sends us a receipt confirming the purchase, which our server validates and turns into your monthly clean allotment, a single pool shared across your family. We keep the transaction record for seven years for tax and audit purposes.
Anonymous analytics events
To improve the product we send product-interaction events (clean started, clean completed, shield applied, etc.) to PostHog via their privacy-preserving SDK. Events from the kid surface are never linked to any identity (no email is sent to PostHog in kid mode, and the kid account doesn't have one anyway). Events from adult and parent surfaces are linked to your Supabase user ID but not to your real name or email. We use these events to:
- understand which parts of the app are working (most-used surfaces, conversion funnel),
- diagnose bugs (when a flow breaks for a class of users),
- detect abuse (when usage patterns indicate fraud against the credit system).
We never use analytics for advertising. PostHog is configured with cross-app tracking disabled.
Crash diagnostics
To improve the product we send anonymous crash reports to Sentry. A redaction filter scrubs emails, account IDs, and post URLs from every event before transmission. In kid mode, Sentry screen recordings and screenshot attachments are disabled as an extra layer; only the scrubbed crash payload reaches Sentry. Crash reports help us fix bugs faster.
Camera and microphone
We use the camera only to capture cleaning photos. We do not record video or audio. Apple's permission system asks you to authorize camera access on first use; you can revoke it at any time from iOS Settings → CleanMy → Camera.
What we do NOT collect
To be explicit (because the absence is the point):
- We do not access your location.
- We do not read your address book or contacts. The contact picker in the share flow is an iOS system control; only the recipient you tap is known to us, and only for the duration of the share.
- We do not read your calendar.
- We do not read your photo library outside the cleaning session you actively initiated.
- We do not use the device's advertising identifier (IDFA). We do not use the IDFV beyond Apple's default in-app scope.
- We do not observe which apps you have opened or for how long. CleanMy uses Apple's Family Controls APIs (ManagedSettings + DeviceActivity) to apply and schedule shields on the apps you (or your parent) chose to gate; we never use the DeviceActivityReport API and never collect usage data.
- We do not collect biometric data, health data, fingerprints, or face data beyond Apple's standard FaceID prompt (which Apple handles entirely and never reveals to us).
- We do not track you across other apps or websites.
Children's privacy (COPPA)
CleanMy can be used by children in the family configuration. We design the child-facing experience to minimize personal-information collection:
- Children sign in anonymously to Supabase. We do not ask the child for an email, age, address, phone number, or any other personal identifier. We never ask a child to type their own name into the app.
- The only name we hold about a child is the first name the parent types in during setup. It is stored in iOS UserDefaults on the device and is used for on-device personalization. It is transmitted to our servers as part of the internal "pending review" record that goes from a child's device to the paired parent's inbox; it is never used as the label on the public feed (see "Child's first name" above for the full description).
- The child-facing surface contains no fields where a child could enter personal information.
- The child surface contains no public feed, no in-app purchase, no chat, no comments. No public surface is reachable from the kid-mode build.
- The cleaning photos a child captures are of physical spaces, not faces. Today, any kid-created photo can only become public via an explicit parent review and publish action — kid devices cannot post directly. Automated server-side face detection on every published photo is on our V1.5 roadmap; until it ships, the parent review step is the sole defense against a face appearing in a background or mirror.
- The parent's Sign in with Apple identity serves as our base verifiable parental consent record under the COPPA Rule (16 CFR §312.5(b)); CleanMy does not rely on Apple Family Sharing. A child's clean can never publish on its own. A database rule forces every child-captured post into pending review. For every individual publish of a child's clean, the parent must review and approve it on the parent's own Sign in with Apple verified session; our server records that approving parent's verified identity and makes the parent the publisher of record, producing an auditable per-act consent record.
- A parent can request deletion of all data we hold about their child at any
time by emailing
support@cleanmy.lifeor by signing into the parent's device and choosing Settings → Account → Delete account (which cascade-deletes any paired kid accounts).
For the longer COPPA-specific disclosure, see
coppa-disclosure.md.
Who we share with
| Third party | What we share | Why | Where they are |
|---|---|---|---|
| Supabase Inc. | All backend data (photos, user IDs, IAP ledger, etc.) | Backend hosting | United States |
| Google LLC (Vertex AI service) | Cleaning photos for task generation + verification. We run Gemini 3.5 Flash today; Vertex AI's catalog includes other multimodal models (Google Gemini 3.1 Pro / Flash-Lite / Pro Image, Anthropic Claude 4.x, Mistral Small 3.1 + OCR 2505) we may evaluate. Vertex AI's terms commit Google to not using customer content to train Google's or any partner-model provider's models. | AI vendor | United States |
| Sentry | Crash reports (scrubbed of PII) | Diagnostics | United States |
| PostHog | Anonymous product-interaction events | Analytics | United States (we use US PostHog Cloud) |
| Apple (StoreKit, App Store Connect) | IAP receipts; Sign in with Apple identity for adult/parent | Payments + authentication | United States |
| Industry image-hash database providers (e.g. Microsoft PhotoDNA, when integrated in V1.5) | Perceptual hashes of published photos only (never the photos themselves) | Moderation: hash matching against known-objectionable-content databases | United States |
We do not sell, rent, or trade your personal information to data brokers, marketers, or anyone else.
How long we retain data
- Photos: until you delete the photo from your history or delete your account.
- IAP receipts: seven years (US tax recordkeeping requirement).
- Crash diagnostics: 90 days (Sentry default retention).
- Anonymous analytics: 12 months in PostHog, then aggregated.
- Account record: deleted within 24 hours of your delete request.
How to revoke consent or delete your data
You can delete your CleanMy account in-app at Settings → Account → Delete account. This triggers a server-side cascade that removes:
- Your user record.
- All photos you've uploaded.
- All cleaning sessions in your history.
- Your subscription and purchase ledger entries (the historical transaction record is retained as a financial document; the linkage to your account is removed).
- Your published feed posts (if any).
- Your moderation-related records.
The cascade runs server-side immediately as part of the same transaction; we
commit to it being complete within 24 hours at the outside. Email
support@cleanmy.life if you don't see confirmation by then.
Your rights under GDPR (EU residents)
EU residents have the right to:
- access the personal information we hold,
- correct inaccurate information,
- delete the information (right to erasure),
- restrict or object to processing,
- data portability (we export your data in JSON on request).
To exercise these rights, email support@cleanmy.life. We respond within 30 days.
Your rights under CCPA (California residents)
California residents have similar rights: access, deletion, opt-out of "sale"
(we don't sell), opt-out of "sharing" for cross-context behavioral advertising
(we don't share for that purpose). Email support@cleanmy.life.
Security
- All network traffic is HTTPS.
- Photos are stored in Supabase Storage with row-level security enforcing per-user access.
- The PIN is stored in iOS Keychain with
kSecAttrAccessibleWhenUnlockedThisDeviceOnly. - We do not hold any user secrets server-side that aren't already protected by Apple's Sign in with Apple infrastructure.
Changes to this policy
When we change this policy, we post the new version here and bump the "Effective date" at the top. If the change is material (we would collect new categories of data, share with new third parties, etc.) we will surface the change in-app and via email to Sign-in-with-Apple-verified accounts.
Contact
| Inquiry type | |
|---|---|
| General privacy questions | support@cleanmy.life |
| Abuse / harassment reports | abuse@cleanmy.life |
| Legal / DMCA / takedown | dmca@cleanmy.life |
| GDPR / CCPA requests | support@cleanmy.life |
Postal: Devon Saliga, 555 West 53rd St., New York, NY 10019.