Legal document

Privacy Policy

Last updated: 30 June 2026

This Privacy Policy explains how Good News (the "App") processes your personal data.

The short version: we collect the minimum we need to send you a daily digest of positive news in your country, and nothing else. We do not run advertising, we do not profile you, and we do not sell your data.

1. Data Controller

The data controller responsible for processing your personal data is:

Entity: TYP NETWORK PTE. LTD.
UEN (Singapore Unique Entity Number): 202209033N
D-U-N-S® (Dun & Bradstreet identifier): 659993981
Registered office: 20 Collyer Quay #09-01, Singapore 049319
Jurisdiction: Singapore
Privacy contact: privacy@goodnewsapp.app

For the purposes of Regulation (EU) 2016/679 ("GDPR") and Spain's Organic Law 3/2018 ("LOPDGDD"), TYP NETWORK PTE. LTD. acts as the data controller.

2. EU Representative (GDPR Article 27)

GDPR Article 27 requires an EU representative for companies established outside the EEA that offer services to EU users.

TO BE DESIGNATED. We will designate the EU Representative before the App becomes available in the EU and publish the representative's name, EU postal address, and contact email here. Until then, contact the controller directly at privacy@goodnewsapp.app.

3. What Data We Process

Good News works without user accounts. We do not ask for your name, email, password, phone, or payment details. The only personal data or identifiers we process are:

3.1. Push notification token (Expo Push Token)

What it is: A device-bound identifier from Expo / Apple (APNs) / Google (FCM) to deliver a daily push.
When we get it: Only if you opt in via an in-App consent screen (shown before the OS prompt).
Where stored: Backend on AWS (us-east-1), associated with country code and preferred hour.
Revocation: "Delete my data" in Settings, or OS-level notification toggle.
Google Play taxonomy: "Device or other IDs", shared with Expo, Apple (APNs), Google (FCM) solely for App functionality.

3.2. Country code

What it is: Two-letter country code (e.g. ES, FR).
How we obtain it: Auto-detected from device locale at onboarding; manually overridable. No IP-based geolocation.
Why: To select which country's digest to serve.
Where stored: Locally in AsyncStorage; on backend only if notifications enabled.

3.3. Preferred notification hour

What it is: Hour of day (local time zone) for the daily digest.
How stored: Backend, paired with push token, as local-time hour plus IANA time-zone identifier (e.g. Europe/Madrid). Time-zone reveals only broad region, not precise location.

3.4. Feedback events

What they are: Events about dismissed or favourited articles (POST /v1/feedback).
Identity: No push token, no account ID, no session ID. Source IP dropped before storage.
Why: Improve editorial selection in aggregate (per country), not individual personalisation.
Google Play taxonomy: "App interactions" / "Product interaction".

3.5. IP address

Any HTTP request transiently leaves the source IP in CloudFront / EC2 logs. Logs retained for at most 30 days — security, abuse detection, technical diagnostics. Legal basis: legitimate interest (GDPR Art. 6(1)(f)).

3.6. Crash reports (Expo Crash Reporter)

Contain: Device model, OS version, app version, stack trace, non-persistent install ID from Expo.
Do NOT contain: Push token, country code, or any user input.
Encryption: TLS in transit.
Retention: 30 days under DPA with Expo.
Opt-out: OS-level (iOS: Settings > Privacy > Analytics; Android: Settings > Google > Usage & diagnostics).

3.7. Aggregate store statistics

Apple App Store Connect and Google Play Console provide aggregate, non-identifying statistics: installs, uninstalls, version distribution, crash-free session rate. No user-level identifiers reach us.

3.8. Apple "required reason" APIs (Privacy Manifest)

The App uses UserDefaults (via AsyncStorage) solely to store on-device preferences (country, hour). Declared in PrivacyInfo.xcprivacy under reason code CA92.1.

3.9. What we do NOT collect

No accounts, passwords, registration data.
No payment information (App is free, no IAP).
No GPS, no precise location.
No access to contacts, photos, microphone, calendar.
No Firebase Analytics, GA4F, Mixpanel, Amplitude, Sentry, Segment, or advertising SDKs.
No cross-app or cross-site behavioural tracking.
No social graph.

4. Why We Process Your Data

Deliver the daily digest as a push at your chosen hour.
Serve articles relevant to your country.
Improve the editorial selection (aggregate signals only).
Diagnose crashes and technical errors.
Detect and prevent abuse of the backend.

We do not process your data for advertising, individual commercial profiling, or sale to third parties.

5. Legal Bases (GDPR)

Data	Legal basis
Expo Push Token + notification hour	Consent (Art. 6(1)(a)).
Country code (on-device only)	Necessity to perform the service (Art. 6(1)(b)).
Country code (on backend, notifications enabled)	Consent, bundled with notification opt-in.
Aggregate feedback events	Legitimate interest (Art. 6(1)(f)). LIA on request.
IP in logs / abuse detection	Legitimate interest (Art. 6(1)(f)).
Crash reports	Legitimate interest (Art. 6(1)(f)).

You can withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing (Art. 7(3) GDPR).

6. Data Retention

Push token + country + hour: As long as token is valid. Deleted on revoke or after 90 days of failed deliveries.
Country code on-device: Until uninstall or data clear.
Feedback events: Up to 24 months in aggregate.
Crash reports: 30 days.
Server logs (incl. IP): 30 days maximum.

7. Processors, Recipients, and Sub-Processors

We do not sell or rent your data. To operate the App we use the following providers; each processes only what is strictly necessary.

7.1. Data processors (GDPR Art. 28)

Provider	Location	Function	Data shared
Amazon Web Services, Inc.	United States (`us-east-1`)	Backend hosting (EC2, S3, CloudFront, SSM)	Push token, country, hour, aggregate feedback
Anthropic, PBC	United States	Article classification/rewriting via Claude API. Zero-retention enabled.	Only public article content. No user data.
OpenAI, L.L.C.	United States	Cover-image generation. Zero-retention agreement signed.	No user data.
Expo, Inc.	United States	Push dispatch + OTA JS bundle updates.	Push token, timestamp, digest payload, delivery status.

We also use Apify Technologies s.r.o. (Czech Republic, EU) to crawl public news websites. Apify does not receive or process any personal data of App users.

7.2. Independent controllers / recipients

Recipient	Location	Function
Apple Inc.	US / global	App Store distribution and APNs delivery.
Google LLC	US / global	Google Play distribution and FCM delivery.

7.3. Contractual safeguards

DPA signed with each sub-processor or platform terms accepted: AWS GDPR DPA, Anthropic Trust Center, OpenAI DPA, Expo Terms, Apple DPLA Schedule 2, Google Play DDA. SCCs for non-EU transfers.

8. International Transfers

United States: EU-US Data Privacy Framework where certified, and/or SCCs (Decision (EU) 2021/914). AWS, Anthropic, OpenAI, Apple and Google are DPF-certified. Expo operates under SCCs.
Singapore (controller's location): no EU adequacy decision; SCCs (controller-to-controller module).
Czech Republic (Apify): within the EU; no additional safeguards required.

We have carried out a Transfer Impact Assessment (TIA) per Schrems II. Request a copy at privacy@goodnewsapp.app.

9. Your Rights

Access: know what data we hold.
Rectification: correct inaccurate data.
Erasure ("right to be forgotten").
Restriction of processing.
Portability in structured format.
Objection to legitimate-interest processing.
Withdrawal of consent (Art. 7(3) GDPR).
Not to be subject to automated individual decisions with legal or similarly significant effects.
Lodge a complaint with the AEPD: www.aepd.es, C/ Jorge Juan 6, 28001 Madrid.

California (CCPA/CPRA): rights to know, delete, correct, opt out of sale/sharing. We do not sell or share personal data.

Singapore (PDPA): rights of access and correction (sections 21 and 22).

10. How to Exercise Your Rights

Open Settings > Delete my data inside the App.
As a fallback, email privacy@goodnewsapp.app; we'll action within 7 days.

For other rights, email us at the same address. We respond within one month, extendable by two additional months in complex cases.

11. Automated Decisions and Profiling

We use AI (Anthropic Claude and OpenAI) to classify articles as positive and rewrite headlines and summaries.

Models operate on public publisher content, not your personal data.
Aggregate feedback events influence country-level selection, not per-user personalisation.
No individual profiling.

12. Push Notifications and ATT

Notifications are opt-in. Before the OS prompt, we show purpose, sub-processors, US transfers, and accept/decline.

Expo Push Token associated with country and hour.
One notification per day.
Exceptional operational notification if disruption > 24 h.
Never used for advertising or cross-promotion (Apple 4.5.4; Google Play Disruptive Notifications).
Revoke any time; token invalidated and deleted in seconds.

Apple ATT: no tracking. App does not present an ATT prompt.

13. Minors

Intended for users aged 16 or older (GDPR Art. 8 default; at or above national minima in the EU).

App Store / Google Play age rating: 12+ / Teen.
We do not request age (no identifying data collected).
If we are notified that a child under 16 uses the App, we delete the token and associated data.
Parents/guardians: privacy@goodnewsapp.app.

14. Security

HTTPS, TLS 1.2 or higher (1.3 where available).
At-rest encryption via AWS-managed KMS.
API keys and secrets in AWS SSM Parameter Store, encrypted at rest.
On-device: AsyncStorage; may appear in iCloud / Google One Backup encrypted under your account.
Push-token dataset access limited to a small set of operators.

15. Changes to this Policy

New version at https://goodnewsapp.app/privacy.
Updated "Last updated" date.
In-App notice for significant changes.

Where a change affects a new purpose or different legal basis, we request fresh, explicit consent (Art. 6(4) GDPR).

16. Contact

privacy@goodnewsapp.app

TYP NETWORK PTE. LTD.
20 Collyer Quay #09-01
Singapore 049319

English-language version. In case of discrepancy with the Spanish version for users resident in Spain or the EU who installed the App in Spanish, the Spanish version prevails. Version 1.0.

Also available as markdown: privacy.en.md.