Privacy Policy

Last updated: February 9, 2026

Introduction

CEO ("Built To Win") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains in detail how we collect, use, store, share, and protect your information when you use our application ("App") across all platforms including iOS, Android, and web.

By using the App, you consent to the data practices described in this Privacy Policy. If you do not agree with these practices, please do not use the App.

1. Information We Collect

We collect the following categories of information:

Account Information:

• Full name (from your Google account)
• Email address
• Profile picture URL (if available from Google)
• Unique user identifier
• Account creation date
• Authentication method (Google Sign-In or Anonymous)

User-Generated Content:

• Journals you create (names, settings, cover customisation)
• Goals and their progress (titles, categories, milestones, completion status)
• Habits and tracking data (names, frequencies, streak records, check-in history)
• Daily journal entries (text content, mood ratings, reflection responses)
• Notes (titles, content, folders, tags)
• To-do items (titles, descriptions, priorities, schedules, Pomodoro session data)
• Calendar events and notes (dates, titles, descriptions)
• Activity logs (timestamps and types of actions performed)

App Usage and Preferences:

• Last active date and time
• Notification preferences and schedules
• Theme preferences (light/dark mode)
• Feature usage patterns
• Journal PIN lock preferences (hashed PINs only, never plaintext)
• Social card sharing preferences
• Quote sharing preferences

Device and Technical Information:

• Device type and operating system version
• App version
• Platform (iOS, Android, Web)
• Crash reports and error logs (anonymous)

2. How We Use Your Information

We use your information for the following purposes:

Core Service Delivery:

• Providing and maintaining the App functionality
• Synchronising your data across devices in real-time
• Enabling shared journal collaboration between partners
• Processing and displaying your goals, habits, and progress
• Generating achievement cards for social sharing

Communication:

• Sending notifications you've opted into (daily reminders, streak alerts, encouragement)
• Partner activity notifications within shared journals
• Important service announcements and security alerts

Service Improvement:

• Analysing usage patterns to improve features and user experience
• Identifying and fixing bugs and performance issues
• Developing new features based on user needs

Security and Compliance:

• Ensuring the security and integrity of your account
• Preventing fraud, abuse, and unauthorised access
• Complying with applicable legal obligations

3. Data Storage and Security

Infrastructure:
Your data is stored securely using Google Cloud Platform through Firebase services:

• Firebase Cloud Firestore for structured data storage
• Firebase Authentication for identity management
• All data centres are SOC 1, SOC 2, and SOC 3 certified

Encryption:

• All data is encrypted in transit using TLS/HTTPS protocols
• Data at rest is encrypted using AES-256 encryption
• Authentication tokens are securely stored on your device
• Journal PINs are hashed and never stored in plaintext

Security Measures:

• Role-based access controls and authentication
• Firestore security rules enforcing data isolation between users
• Regular security reviews and updates
• Secure authentication via Google Sign-In (OAuth 2.0)
• Optional biometric app lock for device-level security
• PIN-protected journals for sensitive content

Offline Access:

• The App caches data locally on your device for offline access
• Local data is protected by your device's security measures
• Changes made offline sync automatically when connectivity is restored
• We recommend enabling device-level security (passcode, biometrics)

4. Data Sharing and Third Parties

Your data may be shared only in the following limited circumstances:

With Your Explicit Consent:

• Shared journals with invited partners (only the journal content you choose to share)
• Achievement cards you choose to share on social media platforms
• Motivational quotes you choose to share publicly

Service Providers (Data Processors):

• Google/Firebase: Cloud data storage, authentication, and real-time database services
• Google Fonts: Typography rendering (no personal data transmitted)
• These providers are bound by strict data protection agreements and process data only on our behalf

Legal Requirements:

• When required by law, legal process, or governmental request
• To protect the rights, property, or safety of CEO, our users, or the public
• In connection with a merger, acquisition, or sale of assets (users will be notified)

We do not:

• Sell or rent your personal data to advertisers
• Share your data with data brokers
• Use your content for training AI models
• Display targeted advertising based on your content

5. Your Rights and Controls

You have comprehensive rights over your personal data:

Right to Access:

• View all your data within the App at any time
• Export your journals as PDF files
• Request a copy of all data we hold about you

Right to Rectification:

• Edit or update your personal information at any time
• Correct inaccurate or incomplete data

Right to Deletion:

• Delete individual journals, goals, habits, entries, notes, or to-do items
• Delete all data while keeping your account
• Delete your entire account and all associated data permanently
• Request complete data erasure (right to be forgotten)

Right to Data Portability:

• Export your data in standard formats (PDF)
• Transfer your data to another service

Right to Control:

• Choose what features to enable in each journal
• Control notification preferences and schedules
• Enable or disable social sharing features
• Choose whether to include stats in journey cards
• Manage shared journal access and permissions
• Set PIN locks on individual journals

6. Data Retention

Active Accounts:
We retain your data for as long as your account remains active and the service is operational.

Data Deletion:

• Individual items (goals, habits, entries, etc.) are deleted immediately upon your request
• Account deletion permanently removes all associated data
• Deletion from our primary systems occurs within 24 hours
• Automated backup systems may retain encrypted copies for up to 30 days for disaster recovery purposes

Anonymous Accounts:

• Anonymous account data may be automatically purged if inactive for extended periods
• We recommend linking your account to a Google account to prevent data loss

After Deletion:
Once deleted, your data cannot be recovered. We recommend exporting important data before deletion.

7. Children's Privacy

The App is not intended for children under 13 years of age (or the applicable minimum age of digital consent in your jurisdiction).

We do not knowingly collect personal information from children under the applicable minimum age. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately.

If we discover that we have inadvertently collected personal information from a child under the minimum age, we will take immediate steps to delete that information from our systems.

8. Third-Party Services and Links

The App integrates with the following third-party services:

• Google Sign-In: For secure authentication (governed by Google's Privacy Policy)
• Firebase/Firestore: For data storage and real-time sync (governed by Google Cloud's Privacy Policy)
• Google Fonts: For typography rendering (minimal data exchange)
• Share Plus: For native sharing functionality (data shared only at your explicit action)
• Gal: For saving images to device gallery (local only, no data transmitted)

These services have their own privacy policies that govern their use of your information. We encourage you to review their privacy policies.

The App may contain links to external websites or services. We are not responsible for the privacy practices of these third-party services.

9. Notifications and Communications

If you enable notifications, we may send:

• Daily reminder notifications at your chosen time
• Habit streak milestone celebrations
• Encouragement messages if you miss active days
• Goal completion congratulations
• Pomodoro timer alerts
• Partner activity notifications within shared journals (in-app only)

Managing Notifications:

• You can customise notification types and schedules in App settings
• You can disable all notifications at any time
• Device-level notification controls can override App settings
• We will never send marketing emails without your explicit consent

10. International Data Transfers

Your data may be processed and stored in data centres located in various countries as part of Google Cloud Platform's infrastructure.

We ensure that any international transfer of data is conducted in compliance with applicable data protection laws and with appropriate safeguards in place, including:

• Standard contractual clauses
• Adequacy decisions where applicable
• Google Cloud's compliance certifications (ISO 27001, SOC 2, etc.)

11. Cookies and Tracking (Web Platform)

When using the web version of CEO:

• We use essential cookies for authentication and session management
• We use local storage for offline data caching
• We do not use advertising cookies or tracking pixels
• We do not use third-party analytics cookies
• Firebase may use cookies for authentication persistence

You can manage cookie preferences through your browser settings.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes:

• We will update the "Last updated" date at the top of this policy
• We will notify you through in-app notifications

Your continued use of the App after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with the changes, you should stop using the App and delete your account.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us. We aim to respond to all privacy-related enquiries within 30 days.