Privacy Policy

Last updated: 2026-05-01

This is what data Lock the F*ck In collects when you visit lockthefuckin.app or use our software, why we collect it, how long we keep it, and the choices you have. This policy reflects GDPR, UK GDPR, CCPA/CPRA, and equivalent data-protection laws applicable where you live. We collect what we need to run the service. Nothing else.

1. Who we are

Lock the F*ck In ("LTFI", "we", "us") publishes the Lock the F*ck In iOS application and this website. For any privacy question, including the rights described in section 7, write to [email protected] and a person will reply.

2. What we collect

Site visit data

When you load this site, our hosting provider records standard server logs: IP address, user agent, requested URL, response status, and timestamp. Kept for up to 30 days for security and reliability.

Waitlist data

If you join the waitlist, we collect your email address and the timestamp. That is it. No name, no country, no anything else.

Product analytics

We use a privacy-respecting analytics provider to count anonymous visits and page interactions. No personal profile is built. This is loaded only after you consent on the cookie banner. If you decline, no analytics is loaded.

App data

The Lock the F*ck In iOS app, when released, runs entirely on your device. Focus session data, schedules, and Family Controls usage stay on your iPhone. Screen Time information does not leave the device.

Support email

If you write to us, we keep the email and our reply for as long as needed to resolve the issue and for a reasonable period after.

3. Why we collect it (legal bases under GDPR and equivalent laws)

  • Site logs and security: legitimate interest in operating a safe service (Art. 6(1)(f)).
  • Waitlist: your consent (Art. 6(1)(a)), withdrawable at any time by replying "unsubscribe" or emailing us.
  • Analytics: your consent where required (Art. 6(1)(a)). Legitimate interest where consent is not required by local law (Art. 6(1)(f)).
  • Support: pre-contractual and contractual performance (Art. 6(1)(b)) and legitimate interest in helping you (Art. 6(1)(f)).

4. Cookies

Short version: this site uses a small set of cookies. Strictly necessary ones run by default. Analytics is loaded only after you consent on the banner. The full list with providers, purposes, and retention is in our Cookie Policy.

5. Subprocessors

We share data only with vendors who help us run the service. Each is bound by a written data processing agreement.

  • Railway (hosting). Server logs, request data. Region: US/EU. Retention: 30 days.
  • Cloudflare (CDN, security, basic edge analytics). IP and request metadata. Retention: 30 days.
  • Google Fonts (font delivery). Loaded self-hosted where possible. Otherwise Google receives the IP and User-Agent on font fetch. We are migrating to fully self-hosted fonts.
  • Resend (transactional email). Email address and message content for waitlist confirmations and support replies.
  • Google Analytics (product analytics, consent-gated). Anonymous event data. Loaded only after you accept on the cookie banner.
  • Amplitude (product analytics, planned, EU residency). Anonymous event data, EU data center. Loaded only after consent. Will replace or supplement Google Analytics.
  • Apple (App Store distribution, planned). App downloads, in-app purchase processing, App Store reviews. Apple's privacy terms govern that relationship.

We update this list when subprocessors change. The "Last updated" date at the top reflects the most recent change.

6. International transfers

Where personal data leaves your country of residence, we apply the safeguards required by GDPR and equivalent laws. For US-based subprocessors, we rely on Standard Contractual Clauses approved by the European Commission and, where applicable, the EU-US Data Privacy Framework. UK transfers rely on the UK International Data Transfer Addendum.

7. Your rights

If you are in the EU, UK, EEA, or Switzerland, you have the right to access, rectify, erase, restrict, or object to our processing of your personal data, the right to data portability, and the right to withdraw consent at any time without affecting the lawfulness of prior processing. You also have the right to lodge a complaint with your local supervisory authority.

If you are in California, you have the right to know what personal information we collect, the right to delete, the right to correct, the right to limit use of sensitive personal information, and the right to opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. You also have the right not to be discriminated against for exercising these rights.

To exercise any right, email [email protected] from the address you used, or describe your request in enough detail for us to verify it. We respond within 30 days for GDPR requests and 45 days for CCPA requests, with one extension where allowed.

8. How long we keep things

  • Server logs: 30 days.
  • Waitlist email: until you unsubscribe or until 24 months after launch, whichever is sooner.
  • Support emails: 24 months after the last interaction.
  • Analytics data: anonymized at ingestion. Aggregate retained up to 14 months.
  • App-side data on your iPhone: until you delete the app or wipe the data from inside the app.

9. Children

This service is not directed to children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided information, email us and we will delete it.

10. Security

Data in transit is encrypted with TLS. Production secrets are stored in environment variables, never in code. Access to production systems is limited and protected by hardware-key two-factor authentication.

11. Changes

We update this policy when our practices change. The "Last updated" date at the top reflects the latest change. Material changes are announced on the homepage at least 14 days before they take effect.

12. Contact

[email protected]