Privacy Policy

Choralo is a household chore tracker built local-first. Your chores, rooms, completion history, and photos live on your device — we can't see them. If you opt into a shared household, a subset of that data syncs through Firebase so your housemates can see it too. This page explains exactly what's collected, where it goes, and how to remove it.

The short version

• Solo mode — everything is stored only on your device (SwiftData on iOS, Room on Android). Choralo and its servers see nothing.
• Cloud household (opt-in, Premium) — your household members, completions, comments, kudos, and photo proofs sync via Firebase Firestore. We can see this data because we operate the cloud project.
• Authentication — anonymous by default. You can optionally link a Google or Apple account to keep your data across devices.
• Analytics — none. We don't run third-party analytics inside the app.
• Ads — none. Choralo is a one-time $4.99 unlock for Premium; no advertising.
• Sale of data — never. We don't sell, rent, or share your data with third parties for marketing.
• Delete it all — Settings → Data & backup → Delete account wipes your cloud copy. Removing the app wipes the local copy.

What we collect, and why

1. Data stored only on your device

The following lives in your device's local database and never leaves it unless you join a cloud household:

• Rooms you create, task definitions, intervals, effort weights, weekday rules, subtask checklists, pinned status.
• Completion history (which chore, when, with how much effort, optional photo proof).
• Streak counts, freeze tokens, achievement progress, statistics aggregations.
• App preferences (theme, accent color, week start day, daily goal, language, notification toggles, quiet hours).
• Cleaning timer session state.
• Pending invite codes captured from choralo://invite/{CODE} deep links.

2. Data synced when you join or create a cloud household (Premium only)

If — and only if — you create or join a household, Choralo creates a record under /households/{id}/... in Firebase Firestore. From that point on, the following syncs across all household members in real time:

• Household name and ID.
• Member list: display name, avatar color, role (owner / admin / member / limited), opt-in stats.
• Tasks, rooms, completion events (member, chore name, room, effort, timestamp, optional photo).
• Comments and reactions on completions.
• Kudos cards exchanged between members.
• Approval queue state for the "limited role" (kids) workflow.
• Per-household settings (auto-approve-with-photo, quiet hours, daily cap).

Photos are JPEG-compressed to ≤50 KB at ≤800 px on the long edge before they leave your device. They are stored inside the Firestore document as base64 data, not in a separate object store.

3. Account identifiers

Until you sign in with Google or Apple, Choralo creates an anonymous Firebase Auth identity (a random UID). If you later link a Google or Apple account, the email address from that provider is associated with your UID so we can re-authenticate you on a new device.

The Web client ID (used for "Continue with Google") is the only third-party SDK that runs on app start. It loads Google Sign-In if and only if you tap that button.

4. Push notification tokens

When you allow notifications, Firebase Cloud Messaging issues a token tied to your device. We store it under your user document in Firestore (/users/{uid}.fcmTokens) so the server can fan out approval / kudos / weekly-champion alerts to the rest of your household. Tokens are rotated and revoked by Firebase when you uninstall.

5. Receipt data for the $4.99 unlock

When you tap "Unlock Choralo Premium":

• On iOS, StoreKit2 produces a signed JWS receipt. We forward it to Apple's App Store Server API for verification, then write plan = "premium" against your UID. We retain the verified transaction ID for restore-purchase across devices.
• On Android, Play Billing produces a purchase token. We forward it to Google Play Developer API for verification, then write the same plan flag.

We do not see your payment card. Apple and Google handle that.

What we don't collect

• Your real name (unless you type it in as your display name).
• Your phone number, address, location, or contacts.
• Your device's IMEI / advertising ID / ad tracking ID.
• Anything from outside Choralo. We don't read your other apps.
• Your photos beyond the ones you explicitly attach as chore proof.

Children's data

Choralo has a "limited" role designed for younger household members whose completions need an admin's approval. If you add a child to your household, you (the owner / admin) are responsible for their data inside the household. We don't independently identify a member as a child; we treat the limited role as an in-house permission level.

If you believe a child under the age applicable in your jurisdiction has registered without parental consent, contact us at hello@choralo.com and we'll remove the account.

Who we share data with

We use Firebase (a Google service) for authentication, Firestore, Cloud Functions, and Cloud Messaging. Firebase is the only third party that touches your data, and only because we operate the project. We do not share data with marketers, data brokers, or analytics vendors.

Retention and deletion

• Local data persists until you uninstall the app. There's no remote control here.
• Cloud household data persists until: (a) the household owner deletes the household, (b) you leave the household and the owner removes you, or (c) you delete your account.
• Delete account (Settings → Data & backup) clears your user document, leaves any households you're a member of, and removes your anonymous Firebase identity. Comments and kudos you authored stay attached to the completion record they belong to, but your display name is anonymized.
• Backup export (Settings → Data & backup → Export) downloads your full local history as a .choralo.json file. This file is yours — we never see it.

Your rights

Depending on where you live (EEA, UK, California, etc.) you may have additional rights to access, correct, or port your data. You can satisfy most of these inside the app via Export and Delete account. For anything else — including requests in the EEA / UK / California — email hello@choralo.com and we'll respond within 30 days.

Security

Cloud household data is transmitted over TLS and stored in Firebase with project-level access rules. Only members of a household can read its documents; only owners and admins can write to settings. We don't operate any database outside Firebase. We are a small team — please report any vulnerability you find to hello@choralo.com with steps to reproduce.

Changes to this policy

If we change anything that affects what data we collect or how we use it, we'll update the "Effective" date above and, for material changes, surface a notice inside the app the next time you open it.

Contact

Questions, concerns, or rights requests: hello@choralo.com.

Terms of Service →