Privacy Policy for Drey
1. Who We Are
Drey is developed by CognaWorks Inc. ("we," "us," "our"), based in Ottawa, Ontario, Canada. Drey is a scheduling and organization application for iOS.
Privacy Officer & Contact:
CognaWorks Inc.
[email protected]
Ottawa, Ontario, Canada
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), we are accountable for all personal information in our possession or under our control, including information transferred to third-party service providers (Principle 4.1 - Accountability).
2. Our Privacy Commitment
Drey was built by someone with ADHD who manages a complex daily health routine. We understand the sensitivity of health-related data. Our core principle is simple: your health data stays on your device. We designed the app so that we cannot access, read, transmit, or recover your health information — even if you asked us to.
3. Information We Collect
3.1 Data Stored Only on Your Device (Never Transmitted to Us or Any Third Party)
The following information is created and stored locally on your iPhone using on-device storage (SQLite). It never leaves your device:
- Medications and supplements: Names, dosages, preferred timing, interaction rules you configure
- Daily schedules: Generated schedules, task completion records, day type configurations
- Health check-ins: Mood ratings (1-5), energy ratings (1-5), water intake, focus ratings, symptom checkboxes, side-effect notes
- Health protocols: Morning routine sequences, protocol completion progress
- Voice recordings: Quick-capture audio recordings (processed entirely on-device)
- Personal notes: Brain dump entries, captured items, wins journal entries, gratitude entries
- Bad day history: Timestamps of when you activated simplified scheduling mode
- Feedback votes: Thumbs up/down votes on app tools (stored locally)
- Message reminders: Names of people you note as needing a reply
- Preferences: Wake times, sleep times, day type settings, notification preferences, theme and display choices
We cannot access this data. We do not have the technical ability to read, retrieve, or recover it. It exists only on your physical device. If you delete the app, this data is permanently erased.
3.2 Data Collected by Third-Party Services
When you use certain features, limited non-health data is processed by the following third-party services:
Subscription Management — RevenueCat, Inc. (United States)
When you subscribe to Drey Warren or Drey Colony:
- Apple App Store purchase receipt (transaction identifier)
- Anonymous subscriber identifier (randomly generated by the app — not your name, Apple ID, or email)
- Subscription tier and status (active, expired, cancelled)
- Purchase and renewal timestamps
RevenueCat does not receive any health data, medication names, supplement names, schedule content, mood entries, task information, or any information you enter within the app.
Anonymous Analytics — Aptabase (European Union)
Only if you opt in (analytics are off by default; you can enable them in Settings > Privacy):
- Anonymous event names (e.g., "schedule_generated," "tool_opened") — no content or context is included
- App version number and general device type (e.g., "iPhone 15")
- No health data, medication names, supplement names, mood values, energy values, task content, schedule content, or personal information is ever transmitted
Crash Reporting — Sentry (United States)
If the app crashes:
- Technical crash information: stack trace, device model, iOS version, app version
- Last 20 anonymized app navigation actions before the crash (e.g., "opened settings," "viewed schedule") — no health data, medication names, mood values, personal content, or task information is included in crash reports
We sanitize all crash report breadcrumbs to remove any personal or health-related content before transmission.
Apple, Inc. (United States)
- Apple processes subscription payments through the App Store under Apple's own terms and privacy policy
- Apple Push Notification service (APNs) delivers notification alerts to your device — notification content containing medication names is added on-device by a Notification Service Extension and is never sent through Apple's servers in readable form
- If you use Siri Shortcuts with Drey, Apple processes your voice input under Apple's privacy policy, not ours
Web Hosting — Cloudflare, Inc. (United States)
Our website (getdrey.app) uses Cloudflare for hosting. Standard web server logs (IP address, pages visited, browser type) may be processed by Cloudflare. The Drey iOS app does not transmit data to Cloudflare.
3.3 Information We Do Not Collect
We do not collect, and have never collected:
- Your name, email address, or any account credentials (no account is required to use Drey)
- Your geographic location or GPS coordinates
- Your contacts or address book
- Your photos, camera access, or photo library
- Your browsing history
- Your payment or financial information (payments are handled entirely by Apple)
- Advertising identifiers (IDFA) or device fingerprints for advertising purposes
- Any data for the purpose of advertising, marketing profiling, or data brokering
4. Apple HealthKit Integration (Future Feature)
When HealthKit integration becomes available and you choose to connect Apple Health:
- Drey will read sleep data, workout data, and step count data from Apple Health to help optimize your schedule timing
- Drey will write medication adherence records to Apple Health so they appear in your Health app
- HealthKit data will be used in real time only and will not be stored in Drey's local database
- HealthKit data will never be transmitted to any server, third party, or cloud service
- HealthKit data will never be used for advertising, marketing, or data mining
- HealthKit data will never be shared with third parties, including RevenueCat, Aptabase, and Sentry
- You can disconnect Apple Health at any time in Settings > Connected Services
5. Purposes for Collection and Use
We collect and use information only for the purposes identified below. We limit collection to what is necessary for those purposes (PIPEDA Principle 4.4 - Limiting Collection).
| Data | Purpose | PIPEDA Legal Basis | GDPR Legal Basis | Retention |
|---|---|---|---|---|
| On-device health data | Generate your personalized daily schedule; provide medication timing reminders; display interaction guidelines; track your progress and wins | Consent — you voluntarily enter this data and can delete it at any time (Principle 4.3) | Consent — Article 6(1)(a) and Article 9(2)(a) for health data | Until you delete it. Schedule data auto-rotates after 30 days. Health logs retained up to 1 year on-device. |
| Subscription purchase receipts (via RevenueCat) | Verify your subscription tier so you can access paid features | Consent at time of purchase (Principle 4.3) | Contract performance — Article 6(1)(b) | Duration of subscription plus any period required by applicable tax or consumer protection law |
| Anonymous analytics events (via Aptabase, if opted in) | Understand which features are used so we can improve the app | Express opt-in consent (Principle 4.3) | Consent — Article 6(1)(a) | 90 days, then automatically deleted by Aptabase |
| Crash reports (via Sentry) | Identify and fix bugs that cause the app to crash | Legitimate interest in app stability and quality (Principle 4.2) | Legitimate interest — Article 6(1)(f) | 90 days, then automatically deleted by Sentry |
| App preferences and settings | Remember your configuration choices so the app works as you set it up | Implied consent — necessary for core app functionality (Principle 4.3.5) | Contract performance — Article 6(1)(b) | Until you delete the app |
6. Consent
On-device data: By entering information into the app (medications, mood check-ins, notes, etc.), you consent to that data being stored locally on your device and used by the app to provide its features. You can withdraw this consent at any time by deleting the data within the app or by deleting the app entirely.
Analytics: Anonymous analytics are off by default. You must actively opt in via Settings > Privacy > Analytics. You can opt out at any time, and previously collected anonymous data cannot be linked back to you.
Crash reporting: Crash reports are sent automatically when the app crashes to help us maintain app quality. You may disable crash reporting in Settings > Privacy > Crash Reporting.
Subscriptions: By purchasing a subscription, you consent to the processing of your purchase receipt by RevenueCat for the purpose of managing your subscription.
Under PIPEDA, you may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice (Principle 4.3.8). Under GDPR, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal (Article 7(3)).
7. Cross-Border Data Transfers
Drey is operated from Ottawa, Ontario, Canada. Some non-health data is processed outside Canada:
| Data | Destination Country | Service Provider | Safeguard |
|---|---|---|---|
| Subscription purchase receipts | United States | RevenueCat, Inc. | Data Processing Agreement with Standard Contractual Clauses |
| Anonymous analytics events (if opted in) | European Union | Aptabase | Processed in the EU — adequate protection |
| Crash reports | United States | Functional Software, Inc. (Sentry) | Data Processing Agreement with Standard Contractual Clauses |
| Push notification delivery tokens | United States | Apple, Inc. | Apple's standard data processing terms; medication names are never included in push payloads |
| Website server logs | Global (edge network) | Cloudflare, Inc. | Cloudflare Data Processing Addendum |
Under PIPEDA Principle 4.1.3, we remain accountable for your personal information when it is processed by a third party on our behalf. All service providers are bound by written Data Processing Agreements that require them to protect your information to a standard comparable to Canadian privacy law and to use it only for the purposes we specify.
No health data is included in any cross-border transfer. Your medications, supplements, schedules, mood entries, voice recordings, notes, and all other health-related information never leave your device.
8. Data Sharing
We do not sell, rent, trade, or otherwise disclose your personal information to third parties for their own purposes. We do not use your data for advertising. We never have and never will.
We share limited, non-health data with the service providers listed in Section 3.2, strictly for the purposes described. No service provider receives your health data, medication names, supplement names, mood entries, schedule content, task information, voice recordings, or any information you enter within the app.
We may disclose personal information if required to do so by law, by a court order, or by a regulatory body with jurisdiction (such as the Office of the Privacy Commissioner of Canada). We will notify you of such a disclosure unless prohibited by law from doing so.
9. Data Retention
- On-device data: Retained on your device until you delete it within the app or delete the app. Daily schedule data automatically rotates after 30 days. Health check-in and journal data is retained for up to 1 year on your device.
- Subscription data (RevenueCat): Retained for the duration of your subscription and any additional period required by applicable tax or consumer protection law.
- Analytics data (Aptabase): Automatically deleted after 90 days.
- Crash reports (Sentry): Automatically deleted after 90 days.
- Website logs (Cloudflare): Subject to Cloudflare's standard retention policies.
When you delete the Drey app from your iPhone, all on-device data is permanently and irrecoverably erased. We have no backup of your on-device data and cannot restore it.
10. Your Rights
You have the following rights regarding your personal information:
| Right | How to Exercise It |
|---|---|
| Access your data | View all your data directly in the app (Health tab, Schedule tab, Settings). For data held by third-party providers, email [email protected]. |
| Export your data | Settings > Privacy > Export My Data. Exports a machine-readable JSON file of all on-device data. |
| Delete your data | Settings > Privacy > Delete All Data (permanently erases all on-device data). Or delete the app. |
| Correct your data | Edit your medications, supplements, schedule, and all other entries directly in the app at any time. |
| Opt out of analytics | Settings > Privacy > Analytics toggle (off by default). |
| Opt out of crash reporting | Settings > Privacy > Crash Reporting toggle. |
| Withdraw consent | Delete your data within the app, disable optional features, or delete the app entirely. |
| Data portability (GDPR) | Use the Export function to receive your data in a structured, machine-readable JSON format. |
| Object to processing (GDPR) | Email [email protected] to object to processing based on legitimate interest (crash reporting). |
| Restrict processing (GDPR) | Email [email protected]. |
| Lodge a complaint | See Section 11 below. |
To make a formal privacy request (PIPEDA access request or GDPR data subject request):
Email [email protected] with the subject line "Privacy Request." We will acknowledge your request within 5 business days and provide a substantive response within 30 calendar days.
11. Complaints
If you believe your privacy rights have been violated:
- Contact us first: Email [email protected]. We take every complaint seriously and will investigate and respond within 30 days.
- Office of the Privacy Commissioner of Canada (OPC): If you are not satisfied with our response, you have the right to file a complaint with the OPC: Online: https://www.priv.gc.ca/en/report-a-concern/ | Phone: 1-800-282-1376 | Mail: 30 Victoria Street, Gatineau, Quebec K1A 1H3
- EU/EEA Supervisory Authority: If you are in the EU/EEA, you may contact your local data protection supervisory authority under GDPR Article 77.
- UK Information Commissioner's Office: If you are in the UK, you may contact the ICO at https://ico.org.uk/make-a-complaint/.
12. Data Security
We implement the following security measures:
- On-device encryption: All data stored on your device is protected by iOS Data Protection, which uses AES-256 hardware encryption.
- Network encryption: All communications between the app and third-party services use HTTPS with TLS 1.3.
- No credentials stored: No API keys, passwords, or authentication tokens are embedded in the app binary.
- No user accounts: Drey does not require a user account, email address, or password.
- Sanitized crash reports: All crash report breadcrumbs are stripped of personal and health-related content before transmission.
- Minimal data collection: We collect the minimum data necessary for each purpose, consistent with PIPEDA Principle 4.4.
Recommendation: We strongly recommend enabling a device passcode and Face ID or Touch ID on your iPhone.
13. Children's Privacy
Drey is designed for adults with ADHD. We recognize that some minors (ages 13-17) with ADHD may also benefit from the app.
- Under 13: During onboarding, Drey presents an age verification screen. Users who indicate they are under 13 are required to have a parent or guardian complete the setup. Because all data is stored only on the device and no personal information is transmitted to us or any third party, we do not knowingly collect personal information from children under 13 within the meaning of COPPA or PIPEDA.
- Ages 13-17: Minors aged 13-17 may use the app. All data remains on-device.
- No advertising or profiling: Drey does not serve advertising, create marketing profiles, or share data with advertisers, for users of any age.
14. Do Not Track / Global Privacy Control
Drey does not track users across third-party websites or apps. We honor Global Privacy Control (GPC) signals.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes:
- We will notify you via an in-app notification at least 30 days before the changes take effect
- The updated policy will be available in the app and on our website (getdrey.app/privacy)
- Continued use of the app after the effective date of changes constitutes acceptance of the updated policy
16. Medical Disclaimer
Drey is a scheduling and organization tool. Drey does not provide medical advice, diagnosis, or treatment. Always consult your physician, pharmacist, or other qualified healthcare provider for medical decisions. See our full Health & Medical Disclaimer for details.
17. Contact Us
For privacy questions, data requests, complaints, or any other inquiries:
Email: [email protected]
CognaWorks Inc.
Ottawa, Ontario, Canada
Effective Date: April 4, 2026
Last Updated: April 4, 2026