This policy describes what information the Am I Normal iOS app ("the app") collects, how it's stored, and what we do (and don't do) with it.
What the app collects
When you use the app, the following data is sent to our backend (Google Cloud Firestore):
A salted hash of your device. When you first open the app, we generate a random UUID, store it in your iPhone's Keychain, combine it with your device's vendor identifier, and run it through a SHA-256 hash with an app-specific salt. The result is a 256-bit string. We never see, store, or transmit your raw UUID, your vendor identifier, your name, your email, your phone number, your IP address as an identifier, or your location. The hash exists only so we can prevent the same device from voting many times and so we can resume your profile across sessions.
A short demographic profile. Before you take your first quiz we ask a few optional questions about life-stage, gender, parent and relationship status, and primary language. The exact questions are managed in our backend and may evolve over time. These answers are stored alongside your device hash so we can later show you how your quiz results compare to people in the same buckets.
Your encrypted quiz answers. Your yes/no answers for a questionnaire are packed into a compact bitmap, then encrypted with AES-GCM using a key derived from the same salt and your device hash. Only your device can decrypt the stored payload. Aggregate counts (e.g. "63% said yes to question 4") are tracked separately as plain numbers and cannot be tied back to any individual.
Your community submissions. If you submit a new question, an edit, a removal, or a new questionnaire topic, we store the text you typed alongside your device hash so admins can review it and so duplicate submissions can be prevented. Once approved by an admin, your submission becomes visible to other users for voting (without revealing your device hash).
Your votes. Up/down votes on community submissions are stored with your device hash so we can ensure one vote per device per item.
Your notification choice. If we ask whether you want to be notified about new results, new questionnaires, or app updates, we record only whether you said yes or no.
What we do not do
We do not request your name, email, phone number, location, contacts, photos, microphone, camera, or any device permission beyond network access and (optionally, with your consent) push notifications.
We do not show ads.
We do not use any third-party tracking or analytics SDKs.
We do not sell, rent, or share your data with anyone.
We do not link the device hash, your demographic profile, your answers, your community submissions, or your votes to your Apple ID or any other identity.
Notifications
If you opt in, we may send you push notifications when:
New aggregate results are published after enough people have answered.
New questionnaires are added.
A sponsored questionnaire is launched.
A meaningful new feature or upgrade ships.
You can revoke notifications at any time in Settings → Notifications → Am I Normal.
Where the data is stored
All records are stored in Google Cloud Firestore in the australia-southeast1 (Sydney) region. Google encrypts data in transit (TLS) and at rest by default. We use Firebase Anonymous Authentication, which gives each device install an opaque token used only to satisfy backend access rules.
Your rights
Because the app does not link your data to a human identity, we cannot retrieve or delete records on your behalf based on a name or email. However:
Deleting the app stops all future data submissions from your device.
Reinstalling on a different device generates a new device hash; the old hash becomes orphaned but the encrypted payload stays in Firestore until manually purged.
If you'd like the encrypted submission, the demographic profile, the lock, your community submissions, or your votes associated with your specific device deleted, contact us at the email below — you'll need to provide the hash from the app's diagnostic screen.
Security limitations (honesty)
The app's salt is compiled into the binary. A determined reverse-engineer could extract it and re-derive the hash function used to anonymise device IDs. This is acceptable for an anonymous-quiz use case but would not be suitable for sensitive personal data. We do not handle any health, financial, or other regulated information.
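The device-hash derivation and the encrypted-answer storage described under "What the app collects", together with the salt caveat above, as an added Go example that is not the app's own code: the salt value, the order of the fields fed to SHA-256 and the SHA-256-based key derivation are assumptions, since the policy names none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Stand-in for the app-specific salt that the policy says is compiled into the binary (constructed value).
const appSalt = "example-app-salt"

// DeviceHash models the policy's identifier: SHA-256 over the salt, the Keychain UUID and the vendor
// identifier (field order is an assumption). The 256-bit digest is returned as 64 hex characters.
func DeviceHash(keychainUUID, vendorID string) string {
	sum := sha256.Sum256([]byte(appSalt + keychainUUID + vendorID))
	return hex.EncodeToString(sum[:])
}

// PayloadAEAD derives the AES-256 key from the salt and the device hash (SHA-256 over both is an
// assumption; the policy names no KDF) and wraps it in AES-GCM. Note that the derivation needs only the
// compiled-in salt plus a value the backend already stores, so payload confidentiality rests on the salt.
func PayloadAEAD(deviceHash string) (cipher.AEAD, error) {
	key := sha256.Sum256([]byte(appSalt + deviceHash))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAnswers encrypts the packed answer bitmap; a fresh random nonce is prepended to the ciphertext.
func SealAnswers(gcm cipher.AEAD, bitmap []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, bitmap, nil), nil
}

// OpenAnswers decrypts a sealed payload; the GCM tag check rejects any truncated or tampered payload.
func OpenAnswers(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("payload too short")
}
```

Because PayloadAEAD needs only the compiled-in salt and the device hash the backend stores, the stored payload stays confidential only as long as the salt does, which is the limitation this section acknowledges.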
Changes
If we update this policy, we'll post the new version here and bump the "Last updated" date.