Privacy Policy – 3 Things

Privacy Policy – 3Things

Privacy Policy

Effective date: May 24, 2026
Last updated: May 24, 2026

3Things (“we”, “our”, or “us”) is built on a simple principle: your productivity data is yours. We designed 3Things to do as little data collection as possible, and to keep what little we touch on your devices and in your private iCloud account. This Privacy Policy explains exactly what data the app handles, how, and why.

If anything here is unclear, write to us at rokia@rokialtd.com and we’ll explain in plain English.

1. Who we are

3Things is published by Giulio Fontana – RokiaLTD

If you are in the European Union, the United Kingdom, or Switzerland, this entity is the data controller for the personal data processed in connection with 3Things.

2. What we don’t do

Before we list what we do with your data, here is what we do not do, ever:

  • We do not require you to create an account, sign up, or log in.
  • We do not run our own servers that store your tasks, habits, calendar events, or health data.
  • We do not sell, rent, or share your personal data with advertisers or data brokers.
  • We do not include third-party advertising SDKs or third-party trackers in the app.
  • We do not read, transmit, or store the contents of your tasks, habits, notes, or calendar events on any server we operate.
  • We do not use your data to train AI models — ours or anyone else’s.

3. Data that stays on your device

The following data is created and stored on your device, and optionally synced through your private iCloud account using Apple’s CloudKit. We never see it.

Category Examples Storage
Tasks Title, notes, priority, due date, project, dependencies, icon On-device + your iCloud
Habits Title, frequency, streak history, completion log On-device + your iCloud
Calendar events Title, time, location, notes, reminders, color, recurrence rule On-device + your iCloud
Energy snapshots Self-reported energy levels and timestamps On-device + your iCloud
Settings & preferences Notification timing, theme, language On-device + your iCloud

Because this data syncs through CloudKit, it is stored in your personal iCloud space under Apple’s privacy controls. Apple’s handling of your iCloud data is governed by the Apple Privacy Policy. We have no access to your iCloud container.

4. Health data HealthKit

If you choose to enable HealthKit integration, 3Things reads the following metrics from Apple Health to compute your daily energy score:

  • Sleep duration
  • Steps
  • Heart rate variability HRV

HealthKit data is processed entirely on-device. It is never transmitted to us, never written to your iCloud container, and never shared with any third party. You can revoke HealthKit access at any time in iOS Settings → Privacy & Security → Health → 3Things.

5. Calendar data EventKit

If you grant calendar access, 3Things reads events from your existing calendars iCloud, Google, Exchange, or local so that scheduling, conflict detection, and travel-time alerts work against your real day. It can also create or update events you ask it to.

EventKit data is processed on-device. The only outbound use is the optional MapKit query described below.

You can revoke calendar access at any time in iOS Settings → Privacy & Security → Calendars → 3Things.

6. Location and Maps MapKit

When you set a location on a calendar event and enable travel-time alerts, the app sends the destination address to Apple’s MapKit service to compute an ETA. The request includes the destination and optionally your current location at the moment the alert is calculated.

We do not transmit, store, or log location data on any server we operate. MapKit requests are handled by Apple under the Apple Privacy Policy.

You can revoke location access at any time in iOS Settings → Privacy & Security → Location Services → 3Things.

7. AI insights Apple Foundation Models

3Things uses Apple’s on-device Foundation Models framework to generate insights, suggest similar tasks, and draft reflections. All AI processing happens on your device. Prompts and outputs are not transmitted to any server — ours or Apple’s — and your data is not used to train any model.

8. Subscriptions and payments StoreKit

If you purchase 3Things Pro, the transaction is handled entirely by Apple through StoreKit. We receive an anonymized receipt from Apple confirming that the subscription is active; we do not receive your name, address, payment method, or any billing details.

Apple’s handling of payment data is governed by the Apple Privacy Policy and the Apple Media Services Terms.

You can manage, refund, or cancel your subscription at any time in your Apple ID account settings.

9. Analytics privacy-respecting

To understand how to improve the app, 3Things sends a small number of anonymous usage signals to TelemetryDeck, a privacy-focused analytics service based in the European Union. These signals contain:

  • The event name, e.g. “task_completed”, “habit_streak_reached”
  • The app version, OS version, and device class, e.g. “iPhone”
  • A salted, rotating, non-reversible hash that approximates uniqueness without identifying you

TelemetryDeck does not receive: your name, your Apple ID, your IP address it is hashed at the edge and discarded, your tasks, your habits, your calendar events, your health data, or any free-form text from the app.

TelemetryDeck is GDPR-compliant and processes data in Germany. See their Privacy Policy for details.

You can disable analytics entirely in Settings → Privacy → Analytics inside the app.

10. Crash reports

If the app crashes and you have opted into “Share with Developers” in iOS Settings → Privacy & Security → Analytics & Improvements, Apple may share a symbolicated crash report with us through App Store Connect. These reports contain stack traces and device metadata, but no personal data, no task content, and no health data.

You can opt out at any time in iOS Settings → Privacy & Security → Analytics & Improvements.

11. App Store Search Ads attribution

If you arrived at 3Things via an Apple Search Ads campaign, Apple may share an anonymous attribution token with us via the Apple Ads Attribution API. This token tells us that an install came from an ad — never who installed the app. It is used solely to evaluate campaign performance and is deleted within 30 days.

12. Notifications

3Things schedules local notifications on your device focus session end, habit reminders, event reminders, travel-time alerts. These are processed entirely on-device by the system. We do not operate a push-notification server.

You can manage notifications at any time in iOS Settings → Notifications → 3Things.

13. Children’s privacy

3Things is not directed to children under the age of 13 or the equivalent minimum age in your jurisdiction. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@3things.app and we will delete it.

14. Your rights

Depending on where you live, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate data.
  • Deletion — ask us to delete data we hold about you.
  • Restriction — ask us to limit how we process your data.
  • Portability — request your data in a machine-readable format.
  • Objection — object to certain types of processing.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

Because 3Things stores almost all of your personal data on your own device and in your private iCloud account, you can exercise most of these rights directly: delete the app and remove the 3Things data from iCloud → Manage Storage. For anything related to the limited analytics or attribution data we receive, write to privacy@3things.app and we will respond within 30 days.

If you are in the EU/UK/Switzerland, you also have the right to lodge a complaint with your local data protection authority.

15. International data transfers

We are based in [Country]. The limited analytics data we process is hosted in the European Union TelemetryDeck, Germany. Apple’s services CloudKit, MapKit, StoreKit, App Store Search Ads may transfer data internationally under Apple’s own safeguards, as described in the Apple Privacy Policy.

Where transfers leave the European Economic Area, we and our processors rely on Standard Contractual Clauses or other lawful transfer mechanisms.

16. Data retention

  • Data on your device / iCloud: retained for as long as you keep the app installed and the data in iCloud. Deleting the app removes local data; clearing the 3Things container in iCloud removes the synced copy.
  • Analytics signals: retained by TelemetryDeck for up to 24 months in aggregate form.
  • Search Ads attribution tokens: deleted within 30 days.
  • Crash reports: retained for as long as needed to diagnose the issue, typically less than 12 months.

17. Security

We use Apple’s platform security primitives — Keychain for secrets, CloudKit’s per-user encrypted containers for sync, and on-device file protection for local storage. We do not operate servers that hold your task, habit, calendar, or health data, which removes an entire category of breach risk.

No method of electronic storage is 100% secure. If we become aware of a security incident affecting your personal data, we will notify you in accordance with applicable law.

18. Changes to this policy

We may update this Privacy Policy as the app evolves or as regulations change. When we do, we update the “Last updated” date at the top, and — if the change is material — we notify you inside the app the next time you open it. Continued use of 3Things after a change indicates acceptance of the updated policy.

19. Contact

Questions, complaints, or requests:

Email: rokia@rokialtd.com

We respond to privacy inquiries within 30 days.