Lockus Privacy Policy
This policy explains how Lockus handles data for the Lockus app and the Writing features.
1. What Lockus Writing is
Lockus Writing helps users draft, edit, adapt, score, and prepare writing for creator workflows. The Writing features are designed to stay separate from the core Lockus discipline engine.
Lockus Writing is local-first. Drafts, templates, variants, local publishing preparation, and manual sharing can work without external AI. Some optional features may use a Lockus Writing service or an AI provider after explicit user action and consent.
2. What data stays on device
The following data is designed to stay on the user's device unless the user explicitly uses a remote feature:
- writing drafts and draft bodies;
- writing templates and template variables;
- generated local variants saved by the user;
- local writing settings;
- local consent state;
- local export and deletion records;
- Screen Time, FamilyControls, DeviceActivity, discipline events, blocked apps, session history, and core Lockus intelligence data.
Writing requests do not include discipline events, blocked apps, session history, social tokens, analytics identifiers, media files, or device identifiers.
3. What data may be sent to AI cloud if enabled
Remote AI is optional. When remote AI is enabled, Lockus requires explicit consent and shows a data preview before a request can be sent.
A remote AI request may include the selected writing text or the minimal text needed for the requested action, the requested writing operation, target platform metadata when needed, tone, language, formatting constraints, and request or schema metadata needed to validate the response.
The app can redact detectable email addresses, phone numbers, and links before remote processing. The Lockus Writing Worker validates request and response schemas. The first Worker design does not store prompt text, raw input text, raw output text, captions, social tokens, provider raw errors, or stack traces in D1.
If an AI provider is enabled, the provider may process the submitted text to return the requested writing result. The production provider rollout must be reviewed before production use.
4. What data is used for Premium and quota
Lockus may use pseudonymous device or account identifiers to enforce entitlement and quota limits for remote Writing features.
Quota and usage records may include a pseudonymous device or account hash, entitlement tier, action type, period start and end, request counters, input and output character counters, estimated cost units, reservation status, and timestamps.
Quota records are metadata. They must not include draft text, prompt text, AI response text, email addresses, social handles, access tokens, refresh tokens, or media content.
5. What data is used for publishing and connectors
Current publishing remains local or manual unless a separately reviewed connector is enabled. Lockus must not claim automatic publishing, imply a partnership with social platforms, or claim a web dashboard unless those features are separately approved.
If publishing jobs or media preparation are enabled later, server records may include metadata such as platform, route, job state, user confirmation status, retry count, timestamps, media kind, content type, byte size, checksum presence, storage policy, and expiry. These records must not include social tokens or raw writing content unless a later release adds explicit consent, retention, export, and deletion support.
Social accounts, OAuth tokens, and provider access must be handled through explicit connection and disconnection flows. Social tokens must not be stored in the first Worker data model.
6. What data is never sold
Lockus does not sell user writing content.
Lockus does not sell drafts, AI requests, quota records, publishing metadata, or social account metadata.
7. Tracking and advertising stance
Lockus does not use third-party advertising tracking for Writing.
The app privacy manifest declares no tracking. If tracking, advertising analytics, or a third-party SDK is introduced later, the App Privacy Details, privacy manifest, consent flows, and this policy must be reviewed before release.
8. Data retention
Local writing data remains on device until the user deletes it, removes the app, or uses an available deletion/export control.
Remote Writing usage metadata is retained only as needed for quota enforcement, abuse prevention, diagnostics, billing readiness, and operational reliability. Worker logs must be minimized and redacted. Raw writing content must not be retained by the first Worker data model.
Temporary media metadata, if enabled later, must have a bounded retention window and purge path. Server records in D1, R2, Queues, logs, and backups must follow the retention policy reviewed for the release.
9. Export and deletion
Lockus supports local Writing export and deletion for local drafts.
For remote Writing metadata, the Worker design includes privacy export and deletion routes. These routes are intended to export or delete quota usage windows, quota reservations, publish jobs, publish attempts, and asset records for the relevant pseudonymous subject. Export and deletion responses must not include raw writing content.
If a Lockus account is introduced, account deletion must include server account data where legally deletable, token revocation where applicable, and deletion of server-stored Writing records that belong to the account.
10. Social account revocation
If a social connector is enabled, users must be able to disconnect the account in Lockus where supported.
Users may also need to revoke Lockus access in the social platform's own settings. Disconnecting a social account should stop future publishing through that connector and remove locally held connector credentials where applicable.
11. Subprocessors
Lockus may rely on subprocessors only for reviewed features.
Current or planned subprocessors may include Apple for App Store, StoreKit, device frameworks, and system services; Cloudflare for Worker hosting, D1, R2, Queues, logs, and related infrastructure; Cloudflare Workers AI if a reviewed AI provider rollout is enabled; social platforms only when the user connects a supported account; and billing or analytics providers only after a separate privacy review.
The active subprocessor list must match the enabled production flags and App Privacy Details before public release.
12. Contact and support
For privacy questions, export requests, deletion requests, or support, contact:
support@lockusapp.com
If this contact address changes, the published policy and App Store metadata must be updated before release.
13. Changes to this privacy policy
Lockus may update this policy when features, providers, retention rules, or data practices change.
The published policy must be reviewed before external TestFlight, App Store submission, production Worker exposure, or public marketing claims.