Reck Advisory Cybersecurity & Intelligence
Exposr Me

Privacy Policy

Effective Date: February 15, 2026 · Last Updated: February 15, 2026

Reck Advisory LLC ("we," "our," or "us") operates the Exposr Me mobile application ("App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App. By using Exposr Me, you consent to the practices described in this policy. If you do not agree with this policy, please do not use the App.

1. Information We Collect

1.1 Information You Provide Directly

  • Email Address: Required for account creation, authentication, and breach monitoring. This is the primary identifier used to check your exposure against known data breaches.
  • Display Name: Optional. May be provided during Sign in with Apple if you choose to share it.
  • Password: If you choose email/password authentication rather than Sign in with Apple, your credentials are handled exclusively by Firebase Authentication. We do not store, access, or process your password directly.

1.2 Information Collected Automatically

  • Anonymous Device Token: Generated by Firebase Cloud Messaging solely for delivering push notifications. This token cannot be used to identify you personally.
  • Subscription Status: Managed entirely by Apple through StoreKit 2. We receive only a confirmation of your subscription tier — no payment details, billing address, or financial information.

1.3 Information We Do NOT Collect

We want to be explicit about what we never collect, access, or store:

  • Precise or approximate location data
  • Contacts, address book, or call logs
  • Photos, camera, or media library
  • Browsing history or web activity
  • Device identifiers used for tracking (IDFA)
  • Advertising identifiers or analytics profiles
  • Health, fitness, or biometric data
  • Financial or payment information (handled by Apple)

2. How We Use Your Information

We use the limited information we collect strictly for the following purposes:

  • Breach Monitoring: To check your email address against the Have I Been Pwned (HIBP) breach database using k-anonymity (only a partial SHA-1 hash prefix is transmitted — your full email is never sent to HIBP).
  • Privacy Scoring: To calculate and display a privacy risk score based on your breach exposure, stored locally on your device.
  • Notifications: To send breach alerts when new exposures are detected, only with your explicit opt-in permission via iOS notification prompts.
  • Account Management: To authenticate your identity, manage your session, and validate your subscription status.

We do not use your information for advertising, profiling, behavioral analysis, or any purpose beyond the core functionality described above.

3. Device-First Architecture

Exposr Me is built on a device-first privacy architecture. This means:

  • All scan results, breach records, remediation history, and privacy scores are stored exclusively on your device.
  • Local data is encrypted at rest using AES-256-GCM via Apple's CryptoKit framework.
  • Encryption keys are stored in the iOS Keychain with hardware-backed protection (Secure Enclave where available) and are never synced to iCloud or transmitted off-device.
  • Your email address is never sent in plaintext to any third-party service. Breach lookups use the k-anonymity model, transmitting only the first 5 characters of a SHA-1 hash.
  • No server-side database of user scan results, breach histories, or privacy scores exists. If you delete the App, your local data is gone.

4. Third-Party Services

We integrate with a limited number of third-party services, each with a specific and narrow purpose:

Service | Purpose | Data Shared | Privacy Policy
Firebase Authentication | Account creation and sign-in | Email address (for authentication only) | firebase.google.com/support/privacy
Firebase Cloud Messaging | Push notifications | Anonymous device token | firebase.google.com/support/privacy
Have I Been Pwned API | Breach database lookups | Partial SHA-1 hash prefix (k-anonymity — your full email is never transmitted) | haveibeenpwned.com/Privacy
Apple StoreKit 2 | Subscription management | None (managed entirely by Apple) | apple.com/legal/privacy

We do not integrate any advertising SDKs, analytics trackers, crash reporting tools that collect personal data, or social media SDKs. We do not share, sell, rent, or trade your personal information to any third party for marketing, advertising, or any commercial purpose.

5. Data Retention

  • Local Data: Scan results, breach records, and privacy scores are retained on your device until you delete them within the App or uninstall the App.
  • Firebase Account: Your authentication record (email address) is retained in Firebase until you delete your account through the App.
  • Push Notification Token: Retained only while your account is active. Revoked upon account deletion.

We do not retain any user data on our own servers. There is no server-side user database beyond Firebase Authentication.

6. Data Deletion

You can delete all of your data at any time by navigating to Settings > Delete Account within the App. This action is immediate and irreversible, and it will:

  • Permanently delete your Firebase Authentication account
  • Erase all locally stored scan results, breach records, and privacy scores
  • Remove all encryption keys from the iOS Keychain
  • Revoke your push notification device token
  • Terminate your active session

After deletion, you may re-register with the same or a different email address. No residual data from your previous account will be accessible.

You may also request account deletion by emailing privacy@reckadvisory.com. We will process deletion requests within 48 hours.

7. Data Security

We implement the following security measures to protect your information:

  • Encryption at Rest: AES-256-GCM encryption for all locally stored data via Apple CryptoKit
  • Keychain Protection: Encryption keys stored in iOS Keychain with hardware-backed Secure Enclave protection
  • Certificate Pinning: All API communications use certificate pinning to prevent man-in-the-middle attacks
  • Transport Security: All network communications use TLS 1.2 or higher
  • Screenshot Protection: Task switcher screenshot protection prevents sensitive data from appearing in the app switcher
  • Rate Limiting: Authentication attempts are rate-limited to prevent brute-force attacks
  • No Logging: We do not log user queries, scan results, or personal data on any server

8. Children's Privacy

Exposr Me is not directed at children under the age of 13 (or the applicable age in your jurisdiction). We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take immediate steps to delete that information. If you believe a child under 13 has provided us with personal information, please contact us at privacy@reckadvisory.com.

9. Your Rights

9.1 For All Users

Regardless of your location, you have the right to:

  • Access your personal data (use Settings > Export My Data)
  • Delete your personal data (use Settings > Delete Account)
  • Withdraw consent for push notifications (via iOS Settings)

9.2 European Economic Area (GDPR)

If you are in the EEA, you additionally have the right to:

  • Rectification: Correct inaccurate personal data
  • Portability: Receive your data in a structured, machine-readable format (use Settings > Export My Data)
  • Restriction: Request restriction of processing
  • Object: Object to processing of your personal data
  • Lodge a complaint with your local data protection authority

Our legal basis for processing your email address is contractual necessity (it is required to provide the breach monitoring service you have requested). Our legal basis for push notifications is consent.

9.3 California (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information is collected and how it is used
  • Delete your personal information
  • Opt out of the sale or sharing of personal information
  • Non-discrimination for exercising your rights

We do not sell or share your personal information as defined under the CCPA/CPRA. We have not sold or shared personal information in the preceding 12 months.

10. International Data Transfers

Firebase Authentication is operated by Google LLC, which may process data in the United States. By using the App, you acknowledge that your authentication data (email address) may be transferred to and processed in the United States, where data protection laws may differ from those in your country. Google maintains Standard Contractual Clauses and other safeguards for international transfers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Notify you via an in-app notification within the App
  • For significant changes affecting your rights, provide at least 30 days' notice before the changes take effect

Your continued use of the App after the effective date of changes constitutes acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern, please contact us:

  • Privacy Inquiries: privacy@reckadvisory.com
  • General Support: support@reckadvisory.com
  • Web: reckadvisory.com/support

We aim to respond to all privacy-related inquiries within 48 hours.

Reck Advisory LLC · Exposr Me · © 2026 All rights reserved.
