Privacy Policy

Last Updated: June 29, 2026

1. INTRODUCTION

This Privacy Policy describes how Back to Basics Behavior LLC (doing business as Chatterfly) (“we,” “our,” or “us”) collects, uses, stores, and protects information in connection with the Dooly mobile application (“Dooly” or the “App”). Please read it carefully. By using Dooly, you agree to the practices described here. This Policy should be read alongside the Dooly Terms of Service, available at chatterfly.org/doolyterms. This Policy applies solely to Dooly and does not govern any other product or service offered under the Chatterfly name. Back to Basics Behavior LLC is the legal entity responsible for Dooly and all data practices described here. We are a consumer software company. We are not a healthcare provider, a covered entity under HIPAA, a clinical service, or a business associate of any healthcare organization. Our contact information is support@chatterfly.org and our website is chatterfly.org. 

This Privacy Policy applies to all users of the Dooly application, regardless of how they came to use it, whether through their own discovery, through the Apple App Store, or because a healthcare provider, therapist, coach, employer, or other third party suggested or recommended the App to them. The nature of any external recommendation does not alter our status or obligations under this Policy.

1.2. About Dooly

Dooly is designed as a general-purpose personal productivity application for the public. It is not a HIPAA-covered platform, a clinical recordkeeping system, an electronic health record, or a medical device. We do not enter into Business Associate Agreements in connection with the use of Dooly, and the App is not configured or intended to function as a secure clinical data repository. We are aware that healthcare providers sometimes recommend consumer apps like Dooly to their clients as a supplement to care. That recommendation is a professional decision made by the clinician under their own authority. It does not create any obligation on us to handle user data as if it were protected health information, and it does not transform Dooly into a HIPAA-covered service. Users who have been directed to Dooly by a healthcare provider should understand that they are using a consumer application and should not enter clinically sensitive information into the App.

2. INFORMATION COLLECTION

We collect only the minimum data necessary to provide the App's core functionality. Every category of data we collect serves a specific, defined purpose. We do not collect data for advertising, behavioral profiling, research, or any purpose beyond operating the service.

2.1 Account Data

We collect your email address when you register for an account. This is required for login, account recovery, and communicating important service notices. If you use Sign in with Apple with the email hiding feature enabled, Apple provides us with a relay address instead of your real email, and we store only that relay address. In that case, we have no access to your actual email.

2.2 User-Generated Content

We store the custom habits and skills you create ("Doolies"), the categories you assign them to, the deck configurations you set up, your daily check-in history, and your personal reflection journal entries. This content is stored exclusively so that the App can display it to you, calculate your progress, and power the streak and calendar features. This content belongs to you. We do not read it, analyze it, or use it for any purpose other than displaying it back to you within the App.

2.3 Local Device Data

Your notification preferences, color theme selections, and other app settings are stored locally on your device only. This data is never transmitted to our servers and is not accessible to us.

2.4 Data We Do Not Collect

We do not collect your real name, date of birth, precise location, contacts, browsing history, device identifiers beyond what is required for account operation, biometric data, health or medical information, or any data about you beyond what is listed in this section. We do not use tracking pixels, third-party advertising SDKs, or analytics tools that share your data with outside parties.

3. ANONYMOUS ACCOUNTS AND USERS YOUR IDENTITY

Dooly is built to know as little about you as possible. Your user-generated content is linked internally to an anonymous account identifier a random string with no inherent connection to your real-world identity. Chatterfly has no means of identifying who you are from stored data alone. We do not maintain a directory of users or link accounts to names, demographic profiles, or clinical records.

Dooly supports Sign in with Apple, which allows you to create and use an account without revealing your actual email address. If you use this feature, Apple generates a unique relay email address for your Dooly account. We have no way to reverse that anonymization or determine your true identity from the relay address. We strongly encourage users who are privacy-conscious to use this option.

4. HOW WE USE YOUR DATA

We use the data we collect for the following purposes, and no others in order to create and maintain your account, to provide and operate the App's features, including displaying your Doolies, calculating your streaks, powering your progress calendar, and rendering your reflection history; to sync your data across sessions so that it is available when you return; and to respond to support requests you initiate.

We do not use your data for advertising. We do not use your data for behavioral analysis or product research. We do not use your data to build profiles about you. We do not sell your data. We do not share your data with third parties for their own purposes. We do not use your data for any purpose that you have not consented to through your use of the App.

5. DATA ACCESS BY OUR PERSONNEL

Our personnel may access user account data solely for the purpose of providing technical support, maintaining App functionality, and resolving reported issues. User-generated content will not be accessed, reviewed, or used for any purpose other than technical support and App maintenance. User data will never be sold, shared, or used for advertising, research, or any commercial purpose. Access to user data within our organization is restricted to personnel who require it to perform technical support or maintenance functions. Any such access is logged and subject to internal review. No employee, contractor, or affiliate is permitted to read, analyze, copy, or export user content for any purpose other than resolving a specific technical issue at the user’s request or diagnosing a system fault. If you contact us for support and ask us to look at your data to help resolve a problem, you are granting us limited, temporary permission to access that data for that purpose only. We will not retain or use that data beyond the scope of your support request.

6. DATA STORAGE 

Your account and activity data is stored securely using Supabase, our cloud infrastructure provider. Supabase processes data on our behalf and is contractually bound to handle it only as directed by us. Supabase is our sole third-party data processor. We do not share your data with any other third-party service, analytics platform, advertising network, or data broker. Local device preferences are stored only on your device using your operating system’s local storage mechanisms. This data is never transmitted to our servers and is not accessible to us. If you delete the App, this data is deleted along with it.

7. DATA SECURITY

We implement industry-standard technical and organizational security measures to protect your data from unauthorized access, disclosure, alteration, or destruction. These measures include encrypted data transmission over HTTPS, secure credential storage, access controls on our infrastructure, and restricted personnel access as described in Section 5. Despite these measures, no digital system is completely secure. We cannot guarantee that your data will never be accessed by an unauthorized party. Electronic transmission over the internet carries inherent risk, and you use the App with an understanding of that risk. You are responsible for maintaining the confidentiality of your account credentials. If you believe your account has been compromised, please contact us immediately at support@chatterfly.org. Because Dooly is a consumer application and not a clinical system, it does not offer the same level of data protection as systems purpose-built for healthcare data. This is another reason we strongly advise against entering sensitive health information into the App.

8. DATA YOU SHOULD NOT ENTER

Dooly is a general consumer productivity application. It is not equipped to receive, store, or appropriately protect the following categories of sensitive information, and we advise strongly against entering any of them into the App: personal health or medical information, including diagnoses, symptoms, medications, treatment histories, or clinical notes; information identifying other individuals, particularly in a clinical or professional capacity; government-issued identification numbers such as Social Security numbers or passport numbers; financial account numbers, credit card information, or banking credentials; login credentials for other services; or any information you are professionally or legally prohibited from storing in a consumer application. If you choose to enter any of the above into Dooly, you do so voluntarily and at your own risk. We assume no responsibility for the storage, security, or consequences of a user’s decision to enter sensitive information into a consumer app that is not designed for that purpose. The presence of sensitive information entered by a user does not change the regulatory nature of the App, impose any healthcare-specific obligation on us, or constitute our acceptance or solicitation of that information.

9. CLINICIAN-RECOMMENDED USE

We are aware that some users may come to Dooly through a recommendation from a licensed healthcare provider, therapist, counselor, or other professional. We want those users to understand clearly what Dooly is and what it is not. Dooly is a supplementary personal tool. It is not part of any clinical workflow, electronic health record system, or treatment protocol. A clinician’s decision to recommend Dooly is their own professional judgment, made under their own authority, and does not create any relationship between us and that clinician’s patients or any obligation on us with respect to those individuals’ data. We do not receive, review, or act on clinical information, and we are not able to confirm to any clinician what a user has or has not entered into the App. If you are a licensed professional who has recommended Dooly to clients, please be aware that you bear full responsibility for ensuring that your recommendation is consistent with your professional obligations, including but not limited to any duties you have under HIPAA, applicable state mental health confidentiality laws, and your licensure requirements. We do not enter into Business Associate Agreements and do not represent that Dooly is compliant with clinical data regulations.

10. YOUR RIGHTS AND DATA DELETION

You have the right to access the personal data Dooly holds about you; to receive a copy of it in a portable format; to request correction of inaccurate data; to request restriction of how we process your data while a request is being resolved; to object to processing where you believe we have no legitimate basis to continue; and to delete your account and all associated data at any time. These rights apply to all users regardless of location, and we honor them as a baseline standard of respect for your privacy. You can delete your account directly within the App. Upon deletion, your user-generated content — including all Doolies, check-in history, and reflection entries — will be permanently removed from our servers within 30 days. Account metadata required for audit and security purposes may be retained for a limited period in anonymized form. You may also contact us at support@chatterfly.org to request a copy of your data, request corrections, or request deletion. We will respond to all data rights requests within 30 days. In cases involving complex or multiple requests, we may extend this period by an additional 30 days and will notify you if that applies. If you are located in the European Union or European Economic Area and believe we have not adequately addressed your request, you have the right to lodge a complaint with your local data protection supervisory authority. We would always prefer to resolve concerns directly and encourage you to contact us first.

11. STATE SPECIFIC PRIVACY LAWS

We are committed to honoring user privacy rights under all applicable laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and comparable privacy statutes in other jurisdictions. We apply these standards as a baseline for all users globally, not just those in jurisdictions where we are strictly required to comply, because we believe they reflect a principled approach to data stewardship. Under the GDPR, if you are located in the European Union or European Economic Area, Back to Basics Behavior LLC acts as the data controller for your personal data. The legal basis for processing your data is the performance of our contract with you, specifically, delivering the App’s functionality as described in this Policy. We do not process your data on the basis of consent for any core service feature, which means you do not need to withdraw consent to stop processing; you can simply delete your account. We do not engage in automated decision-making or profiling. To the extent any data is processed in jurisdictions outside your own, Supabase’s data processing agreements and standard contractual clauses govern those transfers. Under the CCPA and similar state laws, users in qualifying jurisdictions have the right to know what categories of personal information we collect and why; to access the specific data we hold; to request deletion; and to opt out of the sale of personal information. We do not sell personal information and affirm this for clarity. We do not discriminate against any user for exercising these rights. All requests may be submitted to support@chatterfly.org.

12. CHILDREN'S PRIVACY

Dooly is intended for users 13 years of age and older. We do not knowingly collect personal information from children under the age of 13. If we become aware that a user is under 13 and has provided us with personal information, we will take prompt steps to delete that information from our systems. If you are a parent or guardian and believe your child under 13 has created a Dooly account or submitted information to us, please contact us immediately at support@chatterfly.org.

13. DATA RETENTION

We retain your account data and user-generated content for as long as your account is active. If you delete your account, your data is permanently deleted from our servers within 30 days. We do not retain user-generated content beyond the period necessary to provide the service. We may retain anonymized, non-identifiable aggregate data — such as total number of active users or overall feature usage rates — indefinitely for internal business purposes. No such aggregate data can be linked back to any individual user.

14. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email or by a prominent in-app notice at least 14 days before the changes take effect. The updated Policy will always be available at chatterfly.org/doolyprivacypolicy. Your continued use of the App after the effective date of any change constitutes your acceptance of the revised Policy. If you do not agree to the revised Policy, you should stop using the App before the changes take effect.

15. TERMS OF SERVICE

This Privacy Policy is incorporated into and should be read alongside the Dooly Terms of Service, which govern your use of the App and include important disclaimers, limitations of liability, and indemnification provisions. The Terms of Service are available at chatterfly.org/doolyterms.

16. CONTACT

If you have questions, concerns, or requests relating to this Privacy Policy or how we handle your data, please contact Back to Basics Behavior LLC (DBA Chatterfly) at:

Email: support@chatterfly.org

Website: chatterfly.org