Privacy

Your family's plans aren't readable by us.

Ūna end-to-end encrypts sensitive household content before it syncs. We cannot read your event titles, notes, locations, birthdays, list items, or household text from our backend.

Last updated · 16 June 2026 v3
The short version

If you only read one paragraph.

Sensitive household content is encrypted on your device before it syncs. Our backend stores encrypted payloads and the minimum metadata needed to make the app work.

We do not sell your data, show ads, use third-party analytics SDKs in the iOS app, or train AI models on your household content.

No. 02 · What we cannot see

We can't open the database and read your plans.

  • × What your events are called
  • × Event notes, locations, and links
  • × Birthdays and birthday names
  • × Household and family member names
  • × Shopping, to-do, chore and custom list names
  • × List item names and links
No. 03 · What we can see

The minimum metadata to sync correctly.

Account
Your Sign in with Apple account identifier and a hashed Apple subject. Used to sign you in and link you to your household.
Household membership
Household and member ids, member roles (owner, adult, caregiver), and the profile each adult is linked to.
Invites
Invite status, expiration, acceptance and revocation timestamps.
Event metadata
Start/end times, all-day flag, recurrence rule, reminder timing, visibility (household / personal), assignment ids, and whether an event is private, busy-only, or agent-readable.
List metadata
List type (shopping, to-do, chores), item sort order, checked/completed state, due date, reminder timing, and assignee id.
Reminders
Reminder status — active, snoozed, completed, skipped, canceled.
Audit metadata
Action type, actor id, target id, timestamp, and result status. Used to debug sync issues and protect your household.
Profile photo storage
An encrypted-file storage id for an uploaded profile photo. The photo bytes themselves are encrypted on your device before upload.
Attachment metadata
Encrypted-file storage id, byte size, content-type group (image, document), the household item it's attached to, upload status, and quota usage. Filenames are encrypted before upload.
Diagnostic metadata
Feature name, error category, retry count, result counts, app version, build number, and platform. No household text, member names, event names, or household ids. Retained around 30 days.
Subscription metadata
From Apple via StoreKit: transaction id, product id, dates, environment, storefront, signed payload, and an opaque app account token. Apple is the payment processor.
No. 01 · The household key

The key never leaves your devices.

When you create a household, Ūna generates a 256-bit household key on your device. It's stored in Apple Keychain. Ūna uses Apple CryptoKit AES-GCM to encrypt content before it's sent to Convex, our sync backend. The backend only ever sees ciphertext and nonces.

  • Restores via iCloud Keychain. Across your own Apple devices, the key follows you.
  • Shared via invite. When another adult joins your household, the invite flow transfers the key to their device.
  • We can't recover it. That's the trade-off — see the runbooks on support.
Flow
Plaintext → Ciphertext
On device
"🍝 Spaghetti"
CryptoKit
AES-GCM
In Convex
a8::3f1b…c4
Household key
Apple Keychain · synchronizable
No. 04

No ads. No tracking. No selling.

More detail

The other questions people ask.

No. 05

Household keys & device access

The household key is created on your device and stored in Apple Keychain. It is saved as synchronizable, so iCloud Keychain helps restore it across your own Apple devices. Our backend never stores the plaintext household key.

No. 06

Invites

Invite links should only be sent to people you trust. Joining a household gives that device access to the household's encrypted content. Invites have status and expiration metadata, and can be revoked at any time.

No. 07

Profile photos

Profile photos are optional. They're encrypted on your device before upload and stored as encrypted files — our backend holds the ciphertext and a storage id, never the photo bytes. Profile photos are not used for ads, tracking, analytics, or AI training.

No. 08

Files & attachments

When you attach a file, image, or document to a household item, the file bytes are encrypted on your device before upload and stored as encrypted files. The filename and display metadata are also encrypted. Our backend stores a storage id, byte size, content-type group (image, document), the household item the file is attached to, upload status, and quota usage. We never store the plaintext filename.

No. 09

Widgets

Widgets read decrypted household content from a small on-device snapshot stored in Ūna's shared app group. They may display household names, events, list items, and people you choose to show on the device. Widgets do not connect directly to Ūna's sync backend. Widgets trade some of the in-app strict "decrypt-then-display" model for being readable at a glance — anyone with physical access to your unlocked device can read what a widget shows.

No. 10

Notifications

Ūna uses normal iOS local notifications. Reminder, birthday, and list-item notification text is composed on your device after local decryption. Ūna does not need to send plaintext reminder text through our backend to notify you.

No. 11

Maps & location

Event locations are encrypted before they reach our backend — we can't read them. When you use address suggestions while typing, or open a location in a maps app, the query may be sent to Apple Maps or another map provider you choose. Those third-party requests are subject to the map provider's own privacy policies.

No. 12

Google Calendar import

Google Calendar import is optional. Ūna lets you connect Google Calendar so you can choose events to copy into your Ūna household calendar.

Data accessed

When you use Google Calendar import, Ūna requests read-only access to:

  • The list of Google calendars you are subscribed to.
  • Google Calendar events in the date range you choose.
  • Calendar IDs, calendar names, calendar colors, event IDs, event titles, descriptions, locations, event links, start and end times, all-day status, and related event metadata needed to display and de-duplicate import choices.

Data usage

Ūna uses Google Calendar data only to show calendars and events for import, let you select which events to copy, detect possible duplicates, and create the selected events in your Ūna household calendar.

Ūna does not create, edit, delete, invite guests to, or otherwise change events in your Google Calendar. Imported events become independent Ūna events. They are not continuously synced with Google Calendar. Changes made later in Google Calendar do not automatically update Ūna, and changes made in Ūna do not update Google Calendar.

Data storage and protection

Ūna uses read-only Google Calendar OAuth access for the import flow. Ūna does not store a Google refresh token or keep long-term Google Calendar access.

Events you do not import are not saved by Ūna. For events you choose to import, event details such as title, notes, location, link, and import identifiers are encrypted on your device before syncing to Ūna's backend. Ūna's backend stores encrypted event content and limited operational metadata needed to run the calendar, such as event time, all-day status, household membership, assignments, visibility, recurrence, and reminder timing.

Data sharing

Ūna does not sell Google Calendar data, use it for advertising, tracking, analytics, or AI model training.

Selected imported events are shared with the members of your Ūna household because they become Ūna household calendar events. Ūna may also process encrypted event data and limited operational metadata through service providers that host, sync, secure, or operate Ūna, only for providing the app.

Ūna's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Data retention and deletion

Ūna keeps imported Google Calendar events until they are deleted in Ūna or removed through account or household deletion.

You can delete imported events directly in Ūna. You can also delete your Ūna account from the app. If other adults remain in the household, shared household events may remain available to them until deleted by someone with access. If you are the last adult in the household, deleting your account also deletes the household and its content.

You can revoke Ūna's Google access at any time from your Google Account permissions page.

No. 13

Diagnostics

Ūna collects a small amount of first-party diagnostic metadata to help us find and fix bugs: feature name, error category, retry count, result counts, app version, build number, and platform. We do not include household text, member names, event names, or household ids in diagnostics. Rows are retained around 30 days.

No. 14

Operational alerting

The iOS app ships with no Sentry, Crashlytics, or similar SDK. On our backend, if a routine ops task — such as data cleanup — fails, we may send the operational incident to Sentry so the team can fix it. Those alerts carry hashed ids and incident metadata. They never carry household content.

No. 15

Billing & App Store

Ūna is purchased through the App Store, with Apple as the payment processor. We receive StoreKit subscription metadata from Apple: transaction id, product id, dates, environment, storefront, the signed payload, and an opaque app account token. We do not receive your full payment details. Manage or cancel a subscription in your Apple Account settings.

No. 16

Retention windows

Cleanup runs asynchronously. Some operational rows are retained briefly so we can recover from cleanup failures without losing audit-trail integrity. Approximate windows:

Deleted calendar rows
~1 day
Deleted list rows
~30 days
Diagnostic metadata
~30 days
Removed-member cleanup
~90 days
No. 17

Sign in with Apple

Ūna uses Sign in with Apple for authentication. During sign-in, the app requests your email and name from Apple, and caches your Apple session locally in your device's Keychain. Your Apple email and name are not stored on our backend beyond what is required for transient authentication. The Apple subject identifier is used to create and restore your Ūna account and connect you to your household.

No. 18

Agents & assistants

Ūna lets adults create assistant connections with selected, revocable access they control. An assistant connection is not a household member. Adults choose capabilities, then grant access to specific people, calendars, and lists. Assistants only receive content intentionally made agent-readable and granted; availability checks can stay limited to whether someone is busy or free unless event details are explicitly allowed. Adults can rotate tokens, revoke access, or remove revoked entries from the visible connection list.

No. 19

Children & household profiles

Ūna is made for adults and caregivers managing a household. Children can be represented as household profiles, with a name, colour, and birthday — but they do not need Ūna accounts, and we do not collect personal information from them directly.

No. 20

Account deletion

You can delete your account in Ūna at any time. If other adults remain in the household, Ūna removes your account link, your device keys, and your private content while keeping shared household content for them. If you are the last adult, deleting your account also deletes the household and its content. Cleanup runs asynchronously — see Retention windows above for typical timing.

Reach us

Privacy questions, always.

Support is available inside the app, under Settings. For privacy and data questions, email us directly.