Privacy Policy
Last updated: 12 May 2026
Steady is built around a simple promise: the moments you reach for it are private, and we treat them that way. This policy explains, in plain language, what we collect, what we don't, who else sees it, and what rights you have.
The short version
- We don't retain the text you type about your kid or your situation.
- We do store the categories you've opened and the responses generated, so the app can recall ones that helped.
- To generate a response, your input is sent to our AI provider (Anthropic). They process it on our behalf and don't train models on it. Details below.
- We never sell your data. We never share it for advertising. We don't run third-party trackers, ad SDKs, or analytics SDKs.
- Steady never sends push notifications. The only reminder is one you schedule yourself, stored and fired locally on your device.
- Steady is for adults. You must be 18 or older (or the age of majority where you live) to use it.
Who we are
Steady is operated by a single independent developer. For all privacy questions, the controller of your personal data is reachable at [email protected].
What gets sent to our server
When you use Steady, the app talks to our backend on Fly.io. Each request includes:
- An anonymous device identifier the app generates the first time you open it. This is how the app remembers your saved items without making you create an account.
- Your device's locale (e.g.
en-US) so we can show the right crisis lines for your country. - The category you tapped (e.g. "Sick again", "I'm overwhelmed") and any optional context you wrote into the input field.
- A small set of context to shape the response: your child's age band, whether they're neurodivergent, a nickname you've set, your sense of where they are right now (escalating / shut down / mixed), and where you are right now (boiling / numb / okay). If you've filled in a parent profile — parenting approach, co-parent situation, what's hardest right now — those go along too. The free-text you typed is never retained; the age band, ND flag, and your state are kept on the session record only so the app can recall responses that helped.
- Standard network metadata your device sends to any internet service (IP address, request timestamps, basic device/OS strings). We use this for transient operational purposes — abuse prevention, debugging, rate-limiting — and don't combine it with your other Steady data.
The typed context and any nickname are used at request time to generate a response, then discarded from our backend. They are not retained or written to long-term storage on our side.
What gets stored
- On your device: your anonymous device id and (if you sign in) authentication tokens, kept in iOS Secure Enclave via
expo-secure-store. Your local-only journals (glimmers, the shadow drawer), your theme, and your notification preferences also live only on the device and are never sent to us. - On our server: a record of each request you make — the category, age band, your tolerance state, your child's state, ND flag, and the generated response itself — so the app can recall ones that helped. Your saved responses are flagged on those records. Repair sessions and Plan B sessions are stored the same way. Your kid profiles (nickname, age band, ND flag, optional gender) and parent profile (gender, approach, co-parent situation, what's hardest) are synced so they're there if you switch devices. If you sign in with Apple, your Apple-provided user identifier and any email you allow Apple to share. Nothing you typed in the input field is retained.
How long we keep it
We keep your account-linked data (session records, saved responses, kid and parent profiles, Apple identifier if any) for as long as your account exists. When you delete your account from inside the app, or when we honor a deletion request you email us, we delete that data from our active systems within 30 days. Encrypted backups may persist for up to 90 days after that before they roll off. Transient network logs (IP, request metadata) are kept for at most 30 days for security and debugging purposes, then deleted.
Third parties we share data with
We use a small number of service providers to run Steady. They process data on our behalf, under contract, and only for the purposes described here:
- Anthropic, PBC — generates the AI responses you see. When you send a request, the category, the optional context you typed, the personalization fields listed above, and a system prompt are sent to Anthropic's API for the time it takes to produce a response. Per our agreement with Anthropic, your inputs are not used to train Anthropic's models. Anthropic processes data in the United States.
- Fly.io, Inc. — hosts our backend servers. Servers are located in the United States.
- Apple Inc. — distributes the app via the App Store, and provides Sign in with Apple if you choose to use it. Apple's own privacy terms apply to your relationship with Apple.
We do not sell your personal information. We do not share it for advertising. We do not run third-party analytics SDKs, attribution SDKs, or ad SDKs inside the app or on this website.
Sign in with Apple
Signing in is optional. Steady is fully usable anonymously. If you do sign in, we use Apple's "Sign in with Apple" — Apple sends us a stable user identifier and, only if you choose to share it, your email. We never receive your Apple password. Signing in lets us upgrade your existing anonymous account in place, so your saved responses follow you to other devices.
Cookies and trackers
This website does not set cookies, run JavaScript, or use any analytics or tracking technology. The app does not include any third-party analytics, advertising, or attribution SDKs.
Data security
Traffic between the app and our backend is encrypted in transit (TLS). Tokens on the device are stored in the iOS keychain via expo-secure-store. No system is impervious — if we ever learn of a breach affecting your data, we will notify affected users without undue delay, as required by applicable law.
Crisis lines
The phone numbers Steady shows for medical, parental, and child-mental-health crises are hard-coded in the app and looked up locally based on your device locale. Tapping one opens your phone's dialer. We do not place the call, see the number you dialed, or share anything with the line you contact. Numbers may change without notice; in an emergency, call your local emergency number first.
Children
Steady is for adult parents and caregivers. You must be at least 18 years old (or the age of majority in your jurisdiction, whichever is greater) to use the app. The app is not directed to children, and we do not knowingly collect personal information from anyone under 16 (or under 13 in the United States, per COPPA). If you believe a child has used the app, email [email protected] and we will delete the data.
Your rights
You can wipe everything Steady knows about you from inside the app: Settings → Delete account wipes the local store and deletes your server-side record. You can also email [email protected] from the address tied to your account and we'll delete the server-side record within 30 days.
Depending on where you live, you may have additional rights described in the sections below. To exercise any of them, email us. We'll respond within 30 days. We won't discriminate against you for exercising any privacy right.
If you're in the EU, UK, or EEA
Under the GDPR (and UK GDPR), you have the right to: access your personal data; correct it; have it erased; restrict or object to its processing; data portability; and withdraw any consent you previously gave. You also have the right to lodge a complaint with your local data protection supervisory authority. Our legal basis for processing your data is (a) performance of a contract with you (running the app), (b) your consent (where you've given it, e.g. Sign in with Apple), and (c) our legitimate interests in operating, securing, and improving the service. We do not currently maintain an EU representative or DPO; for all GDPR-related questions, contact us at the address above.
Your data is processed in the United States. Where applicable, transfers from the EU/UK to the US are made under the European Commission's Standard Contractual Clauses (and the UK Addendum) with our service providers, and we rely on supplementary measures (TLS in transit, access controls, no training-on-input commitments) to protect your data.
If you're a California resident
Under the California Consumer Privacy Act (as amended by the CPRA), you have the right to know what personal information we collect about you, the right to delete it, the right to correct it, the right to opt out of "sale" or "sharing" of personal information, and the right not to be discriminated against for exercising these rights. We do not sell or share personal information as those terms are defined under California law. To exercise any of these rights, email us at the address above. You may also authorize an agent to act on your behalf, subject to verification.
Where data is processed
Our backend runs on Fly.io. Our AI provider runs on its own infrastructure. Both process data in the United States. If you are using Steady from outside the US, your data is transferred to and processed in the US — by using the app, you understand and consent to that transfer.
Changes
If we change this policy in any meaningful way, we'll update the date at the top and, where it matters, surface the change inside the app. Continued use of the app after a change means you accept the updated policy. Trivial wording fixes won't be announced.