Burrow Privacy Policy

Effective date: April 11, 2026

The short version

1. Who We Are

Burrow is developed and operated by TJ Goldblatt, a solo developer based in the United States. No corporation or LLC behind the app — just me.

Privacy contact: hi@burrowapp.net

Email with questions about this policy, your data, or to exercise your rights (access, deletion, portability). I aim to respond within 30 days.

2. What You Give Us When You Sign In

Burrow supports two sign-in methods: Sign in with Apple and Sign in with Google.

Sign in with Apple Apple shares your display name and an email address. If you choose "Hide My Email," we receive a private relay address — we honor that and never see your real address. We use this to create your account and display your name to household members.

Sign in with Google Google shares your display name and email address via OAuth. We use this to authenticate you and display your name.

In both cases, we store:

We do not use your email address for marketing.

3. What You Create Inside Burrow

When you use Burrow, you create content stored in our database:

All of this is stored in Supabase (US region, peeqvdqswqwjuxkvnsrz.supabase.co).

Shared household visibility. Everything above is visible to every member of your shared household — current members and anyone who joins later. If you write notes on a chore, every household member can read them. Completion history shows each member's name, what they did, and when. If you share a household with someone, assume they can see everything in it.

Household membership is the privacy boundary. Data in one household is never visible to members of a different household.

4. Household Sharing and Invitations

How invitations work. Burrow uses short-lived, randomly generated invite links. When a household owner taps "Invite," a URL is copied to their clipboard — something like https://burrowapp.net/invite/<code>. The owner shares that URL however they choose (iMessage, email, AirDrop, etc.). Burrow does not send emails, SMS messages, or access your contacts. The invite code expires.

What happens when someone joins. Once someone accepts an invite, they gain full visibility into all household data: rooms, chores, notes, completion history, and other members' display names. There is no partial or read-only membership.

Removing members. Household owners can remove any member at any time. Removed members lose access immediately. Their past completion history remains in the household record.

5. Analytics, Crash Reports, and Session Replay

PostHog — product analytics and session replay PostHog (US, us.i.posthog.com) collects analytics events when you use the app: a chore was created, a household was joined, the history tab was viewed. Event properties use internal identifiers (UUIDs) and enumerated values — not free-text content like chore titles or notes.

PostHog also records session replays. Text inputs and images are masked — we never see what you type or any personal content on screen. Session replays help us diagnose UI bugs and confusing flows.

Event data is retained for 90 days. Session replays are retained for 30 days.

Sentry — error and crash reporting Sentry (US, sentry.io) captures crash reports and error logs. Text fields are masked — we do not see the content of chore titles, notes, or any user-generated text. Sentry also captures performance traces to identify slow operations (linked to Supabase backend calls). Error and crash data is retained for 90 days.

MetricKit — system performance metrics Apple's MetricKit collects system-level performance data: CPU usage, memory, battery impact, launch time, hang rate. These metrics are forwarded to PostHog. MetricKit data is aggregated and anonymized by Apple before we receive it.

We do not sell analytics data, use it for advertising, or share it with anyone other than PostHog and Sentry.

6. Backend and Infrastructure

Supabase is our backend database and API (US region). All data is encrypted in transit via HTTPS/TLS. Supabase enforces row-level security — a database-level policy ensuring you can only access data from households you belong to. No other user can read your household data through our API.

iCloud Key-Value Store stores a single key: com.burrow.onboardingCompletedDate, an ISO-8601 date string. This detects whether you've completed onboarding when you install the app on a new device. It contains no user-generated content and syncs through your iCloud account per Apple's iCloud privacy policy.

Local storage (UserDefaults) stores a small amount of data on your device only — it never leaves your device. This includes your signup date, which sign-in method you used, your local onboarding completion date, and notification preferences.

7. Notifications

Burrow uses local notifications only — reminders scheduled and delivered on your device for chores you've set up. No push notification tokens are generated or sent to any server.

You can revoke notification permission at any time in iOS Settings → Burrow → Notifications.

8. What We Don't Collect

Burrow does not collect:

A note about Calendar. Burrow declares a calendar usage description in its app configuration to satisfy Apple's App Review process. Burrow's recurrence scheduling uses date math internally. Burrow does not request calendar access, does not read your calendar events, and does not write to Calendar.app. The calendar permission is never invoked at runtime.

9. Your Rights

Access. Email hi@burrowapp.net to request a copy of your personal data. We'll respond within 30 days.

Correction. Update your display name directly in the app. To correct your email address, email us.

Deletion. Delete your account in the app via Settings → [your name] → Delete Account. This immediately removes your account and triggers deletion of your data from our servers within 30 days. If you no longer have access to the app, email hi@burrowapp.net with the subject "Account Deletion Request."

Portability. Email hi@burrowapp.net to request an export of your data in a readable format within 30 days.

Analytics opt-out. Burrow doesn't offer an in-app toggle yet. Email hi@burrowapp.net and we'll flag your account to stop collecting new analytics events tied to your user ID. Historical events already ingested may persist in anonymized or aggregated form per PostHog's and Sentry's retention policies.

We do not sell your personal information. This applies to California residents under CCPA and to all Burrow users.

EU and UK residents (GDPR). You have additional rights under the General Data Protection Regulation: the right to object to processing, restrict processing, and lodge a complaint with your local data protection authority. Email hi@burrowapp.net with the subject "GDPR Data Subject Request."

10. Children

Burrow is intended for users aged 13 and older. EU and UK residents must be 16 or older to use Burrow without parental consent (per GDPR Article 8).

Burrow is not directed at children. We do not knowingly collect personal information from children under 13 (or under 16 in the EU/UK). If you believe a child has created an account, email hi@burrowapp.net and we will delete it.

11. Data Retention

After you delete your account, your data is removed from Supabase within 30 days. Analytics data in PostHog and Sentry may persist in anonymized form per their respective policies.

12. Sub-processors

Burrow shares data with these services to operate:

No other services receive your data. No advertising networks, data brokers, or analytics resellers.

13. Changes to This Policy

For material changes, we'll notify you in the app before they take effect. The effective date at the top updates with each revision.

Full version history: burrowapp.net/privacy/changelog

14. Contact

Email: hi@burrowapp.net

For EU data subject requests, use the subject line: "GDPR Data Subject Request"

For account deletion requests, use the subject line: "Account Deletion Request"

We respond to all privacy requests within 30 days.

Burrow uses Apple's Standard EULA: apple.com/legal/internet-services/itunes/dev/stdeula