Legal

Privacy Policy

Plain English, no jargon, because privacy matters too much to hide behind it.

Effective date: 3 June 2026  ·  Version 1.1  ·  Controller: Considus  ·  [email protected]

The short version

We believe in clarity. This policy is written in plain English that anyone can understand.

If you use the Catchlight app: we hold none of your data. None. Your notes, reminders, and privacy phrase live on your device and, if you choose, in a cloud folder you own. Considus never sees them.

If you signed up to hear from us: we hold your email address in MailerLite so we can send you updates you asked for. You can unsubscribe at any time.

That’s it. Everything below is the legal detail behind those two sentences.

Section 1

Who we are

Catchlight is published by Considus. References to “we”, “us”, and “our” in this policy mean Considus.

We are the data controller for personal data processed in connection with our marketing communications. We are not a data controller for any data you create inside the Catchlight app, because we never receive it.

For questions or requests, contact us at [email protected].

Section 2

Two entirely separate relationships

Depending on how you interact with Catchlight, different privacy considerations apply. We separate them clearly because they are genuinely different.

2.1 Catchlight app users

Considus holds zero data about you.

Catchlight is designed on a zero-knowledge, offline-first architecture. This is not a marketing claim; it is a structural constraint built into every layer of the app.

  • Your notes, activity types, and reminders are stored only on your device, encrypted at rest using AES-256-GCM with a key derived from your privacy phrase. Considus has no copy of this key.
  • Your privacy phrase (a 12-word mnemonic) is generated on your device during setup and stored in the iOS Keychain, protected by Apple’s hardware security. It is never transmitted anywhere.
  • Your PIN (if set) is processed entirely on-device using PBKDF2-HMAC-SHA256. We receive no hash, no salt, and no record of it.
  • Cloud sync is optional and user-directed. If you enable it, your encrypted data is written to a folder in a cloud storage provider of your choice (such as iCloud Drive). That folder belongs to you and is governed by your agreement with that provider. The data is encrypted before it leaves your device. Considus has no access to that folder.
  • Crash reports and analytics are not collected. The app contains no analytics SDK, no crash reporting service, and no telemetry of any kind.
  • Device identifiers, IP addresses, usage patterns: none of these are collected or transmitted to us.

Because we hold no data, we cannot breach it, sell it, or lose it. That is the point.

What iOS and Apple process

When you download Catchlight from the App Store, Apple processes data in accordance with Apple’s own privacy policy. We have no control over or access to that data. When you use optional features such as Face ID or Touch ID to unlock the app, those are processed locally by iOS on your device; neither Considus nor Apple’s biometrics frameworks receive the biometric data itself.

Local device storage

| Storage | What it holds | Who can access it |
| --- | --- | --- |
| iOS Keychain | Your privacy phrase (encrypted) | You, on this device only |
| SQLite database | Your encrypted notes and reminders | You, on this device only |
| UserDefaults / App Group | UI preferences, cloud folder bookmark | You, on this device only |

The SQLite database is protected with NSFileProtectionCompleteUntilFirstUserAuthentication, meaning it is inaccessible until you have unlocked your device for the first time after a restart.

2.2 Marketing subscribers

If you opted in to receive news and updates from Considus (for example, via the Catchlight website), we hold your email address for the purpose of sending those communications.

  • Legal basis: Consent (UK GDPR Article 6(1)(a)).
  • Data held: Your email address, and any name you voluntarily provided. We do not hold payment information, device identifiers, or any data derived from your app usage.
  • Processor: We use MailerLite to manage and send our email list. MailerLite acts as a data processor on our behalf. MailerLite’s privacy policy is available at mailerlite.com/legal/privacy-policy.
  • How long we keep it: Until you unsubscribe or ask us to delete it. We do not retain subscriber data for longer than necessary.

Section 3

Cookies and the Catchlight website

catchlight.app may use essential cookies necessary for the site to function. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. If we add any non-essential cookies in future, we will update this policy and seek your consent.

Section 4

Children’s privacy

Catchlight is rated 4+ on the App Store. It is suitable for all ages. Because we collect no personal data from app users, no special consideration for children is required in that context. Our marketing email list requires opt-in consent; we do not knowingly collect email addresses from children under 13.

Section 5

Your rights under UK GDPR

As a data subject under UK law, you have the following rights in relation to personal data we hold. This applies to marketing subscribers; app users have no personal data held by us to exercise rights over.

  • Right of access: you may request a copy of the personal data we hold about you.
  • Right to rectification: you may ask us to correct inaccurate data.
  • Right to erasure: you may ask us to delete your data. We will comply promptly unless a legal obligation requires us to retain it.
  • Right to restrict processing: you may ask us to pause processing your data in certain circumstances.
  • Right to data portability: you may request your data in a portable format.
  • Right to object: you may object to processing based on legitimate interests.
  • Right to withdraw consent: where we process data on the basis of consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, or to unsubscribe from marketing emails, contact us at [email protected]. We will respond within one calendar month.

If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.

Section 6

Data transfers

Our marketing email list is managed using MailerLite. MailerLite may store and process data outside the UK. Where data is transferred outside the UK, MailerLite applies appropriate transfer mechanisms in accordance with UK data protection law.

Catchlight app data is never transferred to us, so no international transfer consideration applies to it.

Section 7

Security

For marketing subscriber data, we rely on MailerLite’s security practices and implement appropriate organisational measures on our side, including using a dedicated privacy contact address and limiting access to subscriber data.

For Catchlight app data, security is structural: end-to-end encryption means there is nothing in our possession to secure or breach.

Section 8

Changes to this policy

We may update this policy from time to time. We will post the updated version at the canonical URL provided by the App Store and on the Catchlight website. Material changes that affect marketing subscribers will be communicated by email. Continued use of the app after a non-material update does not require fresh consent, because we hold no app user data to begin with.

The version number and effective date at the top of this document indicate which revision you are reading.

Section 9

Governing law

This policy is governed by the laws of England and Wales. Any disputes arising under it are subject to the exclusive jurisdiction of the courts of England and Wales.

Section 10

Contact

All privacy enquiries, data subject requests, and complaints should be directed to:

Email: [email protected]
Publisher: Considus

We aim to respond to all enquiries within five business days and to fulfil formal data subject requests within one calendar month.

Catchlight is built on the principle that your private thoughts are yours alone. This policy reflects that commitment, not as a legal obligation, but as the natural consequence of how the app is built.