Privacy Policy
Last updated: 20 May 2026
This Privacy Policy explains how Eswarden ("we", "us", "Eswarden") handles personal data when you use the Tether mobile app (the "App"). Tether is a paired, two-person app for couples living apart. By its nature it stores content — photos, voice notes, written messages, mood states, location at the city level — that is shared between you and one other person you have voluntarily paired with. Please read this carefully, and please show it to your partner.
1. Who is the data controller
Eswarden is the controller of personal data processed through Tether. You can reach us at privacy@eswarden.com.
2. The short version
- Tether is built for two people who have chosen to pair. We do not have a public feed, public profiles, friend graph, or messaging with strangers.
- The two of you see each other's content (beads, whispers, mood, city, pulses). No one else does. Not us — for content; not advertisers — at all.
- Your city is stored at the city level only (e.g. "Berlin, DE"). We never store your street address, and we never broadcast your precise location.
- If either of you unpairs, your couple data goes into a 90-day archive. After that it is permanently deleted by an automated job.
- Tether is intended for adults (18+).
3. Data we collect
3.1 Account & profile (per partner)
- Sign-in: email + password, or Sign in with Apple, or Sign in with Google. We use Firebase Authentication. We never see or store your Apple / Google password.
- Profile: a display name, an optional avatar image you choose, and your pulse-window preference.
- City (not street): city name, country code, approximate latitude and longitude rounded to city granularity, and timezone. We obtain this from your phone's reverse-geocoding service (Apple / Google) or from a reverse-geocoding API we proxy through our backend. We use it to render the thread between your cities, compute distance, and show shared sunset / moon phase. We never store your precise GPS coordinates.
- Couple ID: after you pair, both partner records reference a shared couple ID.
3.2 Relationship data (shared between you and your partner)
Anything you create inside the couple's shared space is visible to both partners — that is the whole point. This includes:
- Pulses — timestamps, optional intensity, the shared streak count.
- Memory beads — photo, voice note, text, drawing, or milestone. Stored in Firebase Storage, scoped so only the two paired user IDs can read them.
- Whispers & time capsules — text or voice messages that unlock on a date, place, or after the Nth pulse.
- Mood states, Couple's Aura, Whispered Word, Promise Pacts, Question of the Day.
- Repair flow entries (e.g. "I felt ___ because I needed ___"). These are visible only to the two of you; Eswarden does not read this content.
- Reunion plans — anniversary, reunion date, plan-together checklist, hype-mode entries, after-meet retrospective.
- Your Starling — stage, name, customisation, evolution history.
Because the App is paired, your partner will see anything you put into the shared space. Treat the App like sharing a journal with one specific person — because that is what it is.
3.3 Diagnostics & device data
- Firebase Crashlytics — crash reports, OS name & version, device model, App version, stack traces. A randomly-generated installation ID is used.
- Firebase Analytics — coarse usage events such as "pulse_sent" or "paywall_viewed". We never log the content of whispers, beads, repair entries, or any free-text field into analytics events.
- Firebase Cloud Messaging push token — used to send the pushes you enable (partner pulse, partner online, whisper unlocked, etc.).
- OS name/version and App version, read via device_info_plus and package_info_plus.
- Connectivity state, read via connectivity_plus, to handle offline mode.
We do not collect: precise GPS location, IP-based location stored against your account, the IDFA / Android Advertising ID, contacts, calendars, microphone audio (except recordings you knowingly create as a bead or whisper), HealthKit / Google Fit data, or any inference about ethnicity, religion, political opinions, or sexual orientation.
3.4 Subscription & payment data
Tether Premium is sold by Apple or Google through their App Store / Play billing systems. We never see your full card number. We use RevenueCat to verify entitlement and receive subscription state (active / cancelled / expired, product ID, renewal date, will-renew flag). One subscription covers the whole couple: if either of you has an active entitlement, both partners have Premium. The couple's Premium state is stored in our backend so both of you can see what is unlocked.
3.5 Optional third-party services
If you choose to use them:
- Reverse-geocoding provider — turns coordinates into "Berlin, DE". The API key lives on our backend; the provider sees an anonymised coordinate, not your account.
- Weather provider — for premium Same Sky weather. The provider sees a city-level coordinate.
- Printful — only if you order a physical Year Poster. Printful will receive the shipping address you give them and the artwork file. Printful is then the controller of the data you give them.
4. How we use your data
- To run the App — render the thread, deliver pulses, store beads, time-release whispers, grow your Starling.
- To deliver the push notifications you enable.
- To verify subscription entitlement.
- To diagnose crashes and bugs.
- To measure feature usage in aggregate.
- To enforce these terms — for example, responding to a report of abuse.
We do not use your data for advertising or profiling. We do not sell or rent data. We do not feed your content into third-party machine-learning training pipelines, and we do not read whispers, beads, voice notes, or repair-flow entries.
5. Legal bases (GDPR / UK GDPR)
- Performance of a contract — Art. 6(1)(b), for the core App.
- Consent — Art. 6(1)(a), for optional features such as location for Same Sky, push notifications, and Printful order processing.
- Legitimate interests — Art. 6(1)(f), for crash logs, abuse prevention, and aggregate analytics that don't include content.
- Legal obligation — Art. 6(1)(c), for tax and accounting where applicable.
6. Sub-processors we use
- Google Firebase (Authentication, Cloud Firestore, Cloud Storage, Cloud Functions, Cloud Messaging, Crashlytics, Analytics, Remote Config).
- RevenueCat — subscription entitlement.
- Apple App Store / Google Play — payment, distribution, and federated identity (Sign in with Apple / Google).
- Reverse-geocoding provider — for city lookup (e.g. Mapbox / OpenCage / Google Places; the specific provider is listed in-app under Settings → About).
- Weather provider — for premium Same Sky.
- Printful — only if you place a physical-product order.
We do not currently use ad networks, third-party product-analytics providers besides Firebase Analytics, or error trackers besides Crashlytics. If we add a sub-processor we will update this list before it starts receiving your data.
7. International transfers
Firebase, RevenueCat, and the federated identity providers are operated by US-based companies and may process data in the United States or other regions. Where required, we rely on the European Commission's Standard Contractual Clauses (and the UK addendum, where applicable).
8. Retention & deletion
- While paired and active: we keep your data so Tether works for both of you.
- If you unpair (either partner can initiate): the couple's shared data is moved to a 90-day archive. During that window, either of you may re-pair to restore the relationship. After 90 days, the archive is permanently deleted by a scheduled job.
- If you delete your account: your personal profile is soft-deleted, then permanently deleted after a 7-day grace period. If you were paired, this also unpairs the couple, starting the 90-day archive clock for shared data.
- If a partner is inactive for ≥30 days, the couple may be auto-archived; we will notify the other partner first.
- Aggregate analytics may be retained indefinitely.
- Crash logs are retained per Crashlytics defaults (90 days).
9. Sharing with your partner
By design, the following is visible to the partner you have paired with:
- Your display name and avatar.
- Your city, country, and timezone (not your street).
- All beads, whispers (after their unlock condition is met), capsules, pulses, mood states, repair entries, reunion plans, and Starling state.
- An online / offline presence indicator (premium feature).
- The times of your pulses, where you have not set this to a less precise display.
If you change partners or unpair, the new partner cannot see the previous couple's shared content. The previous couple's content enters the 90-day archive and is then deleted.
10. Your rights
You have rights of access, rectification, erasure, portability, restriction, objection, and withdrawal of consent. You can exercise most of these from Settings → Account: export, edit, unpair, delete. For anything else, write to privacy@eswarden.com and we will respond within 30 days. You also have the right to complain to your local data-protection authority.
11. Security
Data is encrypted in transit (TLS). Firebase encrypts data at rest with Google-managed keys. Firestore Security Rules and Cloud Storage Security Rules restrict access to a couple's content to the two paired user IDs and nobody else. Access to production systems is limited and audit-logged. Eswarden staff cannot read whispers, beads, repair entries, or any free-text content as part of normal operations.
12. Children
Tether is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a child has used Tether, please contact privacy@eswarden.com and we will delete the data.
13. California, Colorado, Virginia, and other US state rights
If you are a resident of a US state with a comprehensive privacy law, you have the right to know, delete, correct, and opt out of "sales" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioural advertising. To exercise other rights, email privacy@eswarden.com.
14. Changes to this policy
If we make material changes, we will notify both partners in-app at next launch and update the "Last updated" date above.
15. Contact
Privacy & data-subject requests — privacy@eswarden.com
Anything else — support@eswarden.com