Ūna end-to-end encrypts sensitive household content before it syncs. We cannot read your event titles, notes, locations, birthdays, list items, or household text from our backend.
Sensitive household content is encrypted on your device before it syncs. Our backend stores encrypted payloads and the minimum metadata needed to make the app work.
We do not sell your data, show ads, use third-party analytics SDKs in the iOS app, or train AI models on your household content.
When you create a household, Ūna generates a 256-bit household key on your device. It's stored in Apple Keychain. Ūna uses Apple CryptoKit AES-GCM to encrypt content before it's sent to Convex, our sync backend. The backend only ever sees ciphertext and nonces.
The household key is created on your device and stored in Apple Keychain. It is saved as synchronizable, so iCloud Keychain helps restore it across your own Apple devices. Our backend never stores the plaintext household key.
Invite links should only be sent to people you trust. Joining a household gives that device access to the household's encrypted content. Invites have status and expiration metadata, and can be revoked at any time.
Profile photos are optional. They're encrypted on your device before upload and stored as encrypted files — our backend holds the ciphertext and a storage id, never the photo bytes. Profile photos are not used for ads, tracking, analytics, or AI training.
When you attach a file, image, or document to a household item, the file bytes are encrypted on your device before upload and stored as encrypted files. The filename and display metadata are also encrypted. Our backend stores a storage id, byte size, content-type group (image, document), the household item the file is attached to, upload status, and quota usage. We never store the plaintext filename.
Widgets read decrypted household content from a small on-device snapshot stored in Ūna's shared app group. They may display household names, events, list items, and people you choose to show on the device. Widgets do not connect directly to Ūna's sync backend. Widgets trade some of the in-app strict "decrypt-then-display" model for being readable at a glance — anyone with physical access to your unlocked device can read what a widget shows.
Ūna uses normal iOS local notifications. Reminder, birthday, and list-item notification text is composed on your device after local decryption. Ūna does not need to send plaintext reminder text through our backend to notify you.
Event locations are encrypted before they reach our backend — we can't read them. When you use address suggestions while typing, or open a location in a maps app, the query may be sent to Apple Maps or another map provider you choose. Those third-party requests are subject to the map provider's own privacy policies.
Google Calendar import is optional. Ūna lets you connect Google Calendar so you can choose events to copy into your Ūna household calendar.
When you use Google Calendar import, Ūna requests read-only access to:
Ūna uses Google Calendar data only to show calendars and events for import, let you select which events to copy, detect possible duplicates, and create the selected events in your Ūna household calendar.
Ūna does not create, edit, delete, invite guests to, or otherwise change events in your Google Calendar. Imported events become independent Ūna events. They are not continuously synced with Google Calendar. Changes made later in Google Calendar do not automatically update Ūna, and changes made in Ūna do not update Google Calendar.
Ūna uses read-only Google Calendar OAuth access for the import flow. Ūna does not store a Google refresh token or keep long-term Google Calendar access.
Events you do not import are not saved by Ūna. For events you choose to import, event details such as title, notes, location, link, and import identifiers are encrypted on your device before syncing to Ūna's backend. Ūna's backend stores encrypted event content and limited operational metadata needed to run the calendar, such as event time, all-day status, household membership, assignments, visibility, recurrence, and reminder timing.
Ūna does not sell Google Calendar data, use it for advertising, tracking, analytics, or AI model training.
Selected imported events are shared with the members of your Ūna household because they become Ūna household calendar events. Ūna may also process encrypted event data and limited operational metadata through service providers that host, sync, secure, or operate Ūna, only for providing the app.
Ūna's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Ūna keeps imported Google Calendar events until they are deleted in Ūna or removed through account or household deletion.
You can delete imported events directly in Ūna. You can also delete your Ūna account from the app. If other adults remain in the household, shared household events may remain available to them until deleted by someone with access. If you are the last adult in the household, deleting your account also deletes the household and its content.
You can revoke Ūna's Google access at any time from your Google Account permissions page.
Ūna collects a small amount of first-party diagnostic metadata to help us find and fix bugs: feature name, error category, retry count, result counts, app version, build number, and platform. We do not include household text, member names, event names, or household ids in diagnostics. Rows are retained around 30 days.
The iOS app ships with no Sentry, Crashlytics, or similar SDK. On our backend, if a routine ops task — such as data cleanup — fails, we may send the operational incident to Sentry so the team can fix it. Those alerts carry hashed ids and incident metadata. They never carry household content.
Ūna is purchased through the App Store, with Apple as the payment processor. We receive StoreKit subscription metadata from Apple: transaction id, product id, dates, environment, storefront, the signed payload, and an opaque app account token. We do not receive your full payment details. Manage or cancel a subscription in your Apple Account settings.
Cleanup runs asynchronously. Some operational rows are retained briefly so we can recover from cleanup failures without losing audit-trail integrity. Approximate windows:
Ūna uses Sign in with Apple for authentication. During sign-in, the app requests your email and name from Apple, and caches your Apple session locally in your device's Keychain. Your Apple email and name are not stored on our backend beyond what is required for transient authentication. The Apple subject identifier is used to create and restore your Ūna account and connect you to your household.
Ūna lets adults create assistant connections with selected, revocable access they control. An assistant connection is not a household member. Adults choose capabilities, then grant access to specific people, calendars, and lists. Assistants only receive content intentionally made agent-readable and granted; availability checks can stay limited to whether someone is busy or free unless event details are explicitly allowed. Adults can rotate tokens, revoke access, or remove revoked entries from the visible connection list.
Ūna is made for adults and caregivers managing a household. Children can be represented as household profiles, with a name, colour, and birthday — but they do not need Ūna accounts, and we do not collect personal information from them directly.
You can delete your account in Ūna at any time. If other adults remain in the household, Ūna removes your account link, your device keys, and your private content while keeping shared household content for them. If you are the last adult, deleting your account also deletes the household and its content. Cleanup runs asynchronously — see Retention windows above for typical timing.
Support is available inside the app, under Settings. For privacy and data questions, email us directly.