Privacy Policy
Last updated: 14 June 2026
1. Who we are
Phew (“Phew”, “we”, “us”, “our”) is published by Creative Code Logic Ltd.
If you have any questions about this policy or want to exercise your privacy rights, contact us at admin@creativecodelogic.com.
2. Who this policy covers
This policy applies to anyone who uses the Phew mobile app on Android or iOS, visits any related web page, or otherwise interacts with our service.
Phew is not directed at children under 16. If you are under 16, you may not create an account or use the app. If you believe a child under 16 has registered, please contact us at the email above and we will delete the account.
3. What data we collect — and why
We collect only what we need to run the service. Here is the complete list.
3.1 Account & identity
| Data | Why we collect it |
|---|---|
| Email address | Your login identity; we send transactional emails to it. |
| Password | Stored only as a salted bcrypt hash — we never store or can see your plaintext password. |
| Display name (optional) | Shown to your linked partner inside the app. |
| Timezone | So your reminders fire at the right local time, not ours. |
| Email verification status; one-time verification and reset codes | To confirm your email and let you securely reset your password. Codes are hashed and expire quickly. |
3.2 Relationship / pairing
We store the pairing link between your account and your partner’s, and any invite tokens used to establish that link. This is the core of the shared-moments feature.
3.3 Your moments
When you create a moment (an event you want to remember), we store:
- Title
- Date, and optional time and event timezone
- Optional personal note
- Importance level
- Confirmation status between you and your partner
3.4 Notifications
We store your notification preferences (push on/off, which email categories you want), your reminder timing and cadence settings (what time of day reminders arrive and how far ahead of an event), and, if you enable push notifications, a device push token provided by your phone’s operating system. We use that token only to send you reminders via the platform push services described in Section 5.
3.5 Security & operational data
We process standard security and technical data needed to protect the service — for example, failed-login counters and temporary account lockouts that prevent brute-force attacks, and IP addresses used for rate-limiting and abuse prevention. We and our infrastructure providers (see Section 5) also retain limited server logs for security and operational purposes. We keep only what is necessary for these purposes.
4. How we use your data
We use your data to:
- Provide the service — store your moments, link you with a partner, and send reminders and notifications.
- Authenticate you and keep your account secure — handle login, password reset, rate-limiting, and account lockout.
- Send transactional emails — including email verification, password-reset links, and security alerts. We will send reminder or partner-activity emails only if you opt in to those categories.
We do not use your moments or personal data for advertising, profiling, or any purpose beyond running the service described above. We do not sell your data.
We do not currently use any third-party advertising or analytics SDKs. If that ever changes, we will update this policy before the change takes effect.
4.1 Legal basis for processing (EU / UK users)
If you are in the EU or UK, we rely on the following legal bases under the GDPR:
- Performance of a contract — to provide the core service: storing your moments, linking you with a partner, and sending the reminders you ask for.
- Legitimate interests — to keep the service secure and prevent abuse (for example, rate-limiting and brute-force protection).
- Consent — to send the optional reminder and partner-activity emails, which you can withdraw at any time in Settings.
- Legal obligation — where we must process or disclose data to comply with the law.
5. Who we share data with
We do not sell or share your data with third parties for their own purposes. We work with a small number of service providers / sub-processors who process data on our behalf solely to operate Phew:
| Provider type | What they do |
|---|---|
| Cloud hosting & managed database | Our app servers run on a cloud platform; your data is stored in a managed PostgreSQL database on the same infrastructure. |
| Transactional email provider | Sends verification, reset, and notification emails on our behalf. |
| Push notification services | Expo Push and the underlying OS push services (Google Firebase Cloud Messaging on Android; Apple Push Notification service on iOS) deliver push reminders to your device. Your device push token is passed to these services for this purpose only. |
| Background job / queue service | A managed Redis-based queue handles scheduling and sending reminders at the right time. |
Each provider processes data under their own security and privacy terms and is engaged only for the purpose described above. These providers may be located outside your country, which means your data may be transferred internationally. Where such transfers occur, we rely on the providers’ own legal transfer mechanisms (such as standard contractual clauses or equivalent safeguards).
We may also disclose data if required by law, court order, or to protect our legal rights.
6. Your rights
Depending on where you live, you have rights over your personal data. We have built the following controls directly into the app — no need to email us first.
6.1 Export your data (access / portability)
Go to Settings → Your data → Export my data. You will receive a complete JSON file of everything we hold about your account.
6.2 Delete your account (right to erasure)
Go to Settings → Your data → Delete account. Here is exactly what happens:
- Immediate deactivation. Your account is blocked from login, all active sessions are revoked, and your pairing link is severed.
- 30-day grace period. Your data is retained for 30 days. This protects you if the deletion was accidental or carried out by someone with access to your device. During this window you can contact us to restore your account.
- Permanent erasure. After 30 days, an automated process permanently and irreversibly deletes all your account data.
What happens to shared moments? Moments you created are removed when your account is deleted. Moments your former partner created remain in their account — those revert from shared to private and belong entirely to them. We think this is the fairest outcome: each person keeps what they made.
6.3 Edit your data (right to rectification)
You can update your display name, profile settings, and any moment at any time inside the app.
6.4 Other rights
If you want to exercise any other right — such as restriction of processing or objection to processing — email us at admin@creativecodelogic.com. We will respond within 30 days.
If you are in the EU or UK, you also have the right to lodge a complaint with your local data-protection supervisory authority (for example, the Information Commissioner’s Office in the UK) — though we’d appreciate the chance to resolve your concern directly first.
7. Data retention & security
- Passwords are stored as bcrypt hashes. We cannot recover your plaintext password.
- Verification and reset codes are hashed and expire within minutes.
- Access tokens are short-lived. Refresh tokens are revocable and are revoked automatically on logout, password reset, and account deletion.
- Data in transit is encrypted via HTTPS/TLS.
- Deleted accounts are purged after the 30-day grace period described above.
No method of electronic storage or transmission is 100% secure. We apply industry-standard protections, but we cannot guarantee absolute security.
8. Changes to this policy
If we make material changes, we will notify you by email or by a prominent notice in the app before the changes take effect. The “Last updated” date at the top of this page will always reflect the current version.
Continuing to use Phew after changes take effect means you accept the updated policy.
9. Contact us
Creative Code Logic Ltd
Email: admin@creativecodelogic.com
For privacy-related requests (access, deletion, complaints), please include “Privacy Request” in the subject line.
Governing law: England & Wales