Legal
Privacy Policy
Effective July 15, 2026 · Applies to the Catch app on iOS and Android
1. Who we are
Catch ("we", "us") is a self-reflection tool for recognizing automatic thoughts, operated by mikd. For users in the European Economic Area and the UK, Catch is the data controller for the limited data described below. Contact: privacy@mikd.at.
2. Data stored only on your device
The content you create in Catch — caught thoughts, feelings, body sensations, context tags, relief ratings, your constellation and Path progress — is stored exclusively in local storage on your device. It is never transmitted to us or to any third party. We have no technical ability to read, access, or recover it.
Because this content never reaches our systems, it is not "collected" within the meaning of Apple's App Privacy labels or Google Play's Data Safety form, and it is not subject to processing by us under the GDPR.
3. Data we do process
Purchases (when offered). If you purchase Catch Plus through the App Store or Google Play, billing is processed entirely by Apple or Google. We may receive an anonymized purchase token to validate entitlement — never your name, card, or billing address. Apple's and Google's own privacy policies govern payment data.
Optional diagnostics. If you opt in (Settings → Help improve Catch, off by default), we receive anonymous crash reports and aggregate usage events (e.g. "a catch was completed"). These contain no thought content, no identifiers linkable to you, and no device fingerprinting.
Support email. If you email us, we keep the correspondence only as long as needed to help you, then delete it within 12 months.
4. What we never do
We do not sell or share personal data (as defined by the CCPA/CPRA). We do not serve ads. We do not use third-party advertising or cross-app tracking SDKs, so the iOS App Tracking Transparency prompt never appears — there is nothing to ask about. We collect no precise location, contacts, photos, microphone, or health data.
5. Legal bases (GDPR Art. 6)
Where the GDPR applies: subscription validation (when offered) is processed for performance of a contract (Art. 6(1)(b)); opt-in diagnostics on your consent (Art. 6(1)(a)), withdrawable anytime in Settings; support correspondence on our legitimate interest in helping you (Art. 6(1)(f)).
6. Your rights
Under the GDPR, UK GDPR, CCPA/CPRA and similar laws you may request access, correction, deletion, portability, restriction, or object to processing — email privacy@mikd.at. Since your thought content lives only on your device, you already hold direct, complete control of it: export or delete it in Settings → Data at any time, no request needed.
You also have the right to lodge a complaint with your local supervisory authority. We never discriminate against you for exercising any right.
7. Retention and deletion
On-device content persists until you delete it or uninstall the app — uninstalling permanently removes all Catch data from your device. Anonymous diagnostics are retained for a maximum of 14 months. See our Data Deletion page for step-by-step instructions.
8. Security
Your content is protected by your device's system-level encryption (iOS Data Protection / Android File-Based Encryption) and your device passcode or biometrics. The small amount of data we do process is encrypted in transit (TLS 1.3) and at rest.
9. Children
Catch is not directed at children under 13 (or the higher minimum age in your country, e.g. 16 in parts of the EEA). We do not knowingly process data from children. If you believe a child has used Catch, contact us and we will help.
10. International transfers
Because thought content never leaves your device, no international transfer of it occurs. Optional anonymous diagnostics may be processed on infrastructure in the EU and US under Standard Contractual Clauses and the EU–US Data Privacy Framework.
11. Changes to this policy
If we make material changes, we will notify you inside the app before they take effect and update the date above. Earlier versions are available on request.