Privacy Policy
Last updated: March 22, 2026
Your data stays on your device. We don't sell it, share it, or use it for ads.
Data Controller
Deriva is operated by Fauzi Asfour Akoudad ("we", "us"). For any questions about how your data is handled,
contact us at support@tryderiva.com.
What Deriva Collects
Deriva accesses the following data to generate your reviews:
- Calendar events — Event titles and durations (not attendees or locations)
- Health data — Sleep duration and workout count from Apple Health (if you grant permission)
- Your inputs — Priorities, goals, weekly notes, and other text you enter
Legal Basis for Processing
We process your data on the following legal grounds under the GDPR:
- Consent — Calendar and Health data are accessed only after you grant explicit
permission through iOS prompts. You can revoke this consent at any time in iOS Settings.
- Contract performance — We process your data to deliver the core service you signed up
for: generating personalized time reviews based on your priorities.
How Your Data Is Used
- Review generation — Your time data is sent to our secure server, which uses OpenAI to
generate your personalized review
- Local storage — All your data (priorities, reviews, notes) is stored locally on your
device
- No analytics — We don't track how you use the app
- No advertising — We don't use your data for ads
Third-Party Services
- OpenAI — We use OpenAI's API to generate your review narratives. Data sent to OpenAI is
processed according to their privacy policy. We do not send your name, email, or other identifying information.
- RevenueCat — We use RevenueCat to manage subscriptions. RevenueCat processes
transaction data according to their privacy policy.
No personal data beyond purchase tokens is shared.
- Apple — Calendar and HealthKit data are accessed through Apple's
frameworks with your explicit permission.
International Data Transfers
To generate your reviews, anonymised time data is sent to our server and processed by OpenAI, whose servers
are located in the United States. The following safeguards are in place:
- All data is transmitted over HTTPS
- No personally identifiable information (name, email, etc.) is sent
- Data is not stored on our servers or OpenAI's servers after your review is generated
Data Retention
- On your device — Your data (priorities, reviews, notes) is stored locally on your
device until you delete the app
- On our servers — Data sent for review generation is processed in real-time and is not
retained after your review is delivered
Data Security
- Your data is stored locally on your device using Apple's Core Data framework
- Data sent to our server for review generation is transmitted over HTTPS
- We do not store your time data on our servers after generating your review
Your Rights
If you are in the European Economic Area (EEA), you have the following rights under the GDPR:
- Access — Request a copy of the data we hold about you
- Rectification — Request correction of inaccurate data
- Erasure — Request deletion of your data. You can also delete all locally stored data by
uninstalling the app
- Restriction — Request that we limit how we process your data
- Portability — Request your data in a portable format
- Object — Object to the processing of your data
- Withdraw consent — You can revoke calendar or health access at any time
in iOS Settings
To exercise any of these rights, contact us at support@tryderiva.com. We will respond within
30 days.
You also have the right to lodge a complaint with your local data protection supervisory authority if you
believe your data has been processed unlawfully.
Children's Privacy
Deriva is not intended for children under 16. We do not knowingly collect data from children. If you believe
a child has provided us with data, please contact us and we will delete it.
Changes to This Policy
We may update this policy. Significant changes will be communicated through the app. We encourage you to
review this page periodically.