2,840 CLLegal
Privacy Policy
Last updated: 2 June 2026
This notice explains how Norn Digital (“we”, “us”) processes personal data when you use the Dander app and website. It is written for users in the United Kingdom (including Northern Ireland) and the Republic of Ireland / European Economic Area where EU GDPR applies.
Data controller
Norn Digital (incorporated in Northern Ireland) is the data controller. Privacy enquiries: info@dander.app.
EU representative (Article 27 GDPR): Where required for EEA users, we will publish EU representative contact details on this page. Until then, EEA users may contact info@dander.app for all privacy matters.
What we cover
The Dander mobile app, website (www.danderapp.com), account services, step sync, in-app rewards (Clover), prediction pools, leaderboards, referrals, optional profile photos, push notifications, and partner reward redemptions.
Age limit
You must be at least 13 to use Dander. We do not knowingly collect data from younger children.
Personal data we collect
| Category | Examples |
|---|---|
| Account | Email, password (hashed by Firebase Auth), display name, username, user ID, country/region code |
| Profile | Optional profile photo, team name, referral code |
| Fitness | Daily step counts and sync metadata from Health Connect / Apple Health when you connect |
| App activity | Feature usage events (e.g. login, shop, ads, health permission) via Firebase Analytics |
| Device | FCM push token, advertising/device identifiers (AdMob, Firebase), App Check signals |
| Rewards | Clover balance, redemptions, pool participation, voucher codes |
| Support | Contact form messages and account deletion requests |
Why we use data and lawful bases
| Purpose | Typical lawful basis (UK / EU GDPR) |
|---|---|
| Create and manage your account | Contract |
| Sync steps, streaks, pools, leaderboards | Contract; consent for health platform permissions |
| Deliver rewards and partner redemptions | Contract; legitimate interests |
| Push notifications (if enabled) | Consent / legitimate interests |
| Analytics and product improvement | Legitimate interests; consent where required for cookies/EEA ads |
| Rewarded advertising (AdMob) | Consent where required; legitimate interests for fraud prevention |
| Security and App Check | Legitimate interests; legal obligation |
| Respond to privacy requests | Legal obligation |
Step data from health platforms is fitness and wellness data. We use it only to power app features, not for medical diagnosis. You can revoke health access in device settings at any time.
Processors and sharing
We use trusted suppliers under contract. We do not sell your personal data for money.
- Google Firebase / Google Cloud — authentication, database, storage, cloud functions, analytics, app attestation (regions may include EU and US).
- Google AdMob — rewarded advertisements.
- Vercel — website hosting.
- Partner businesses — limited data needed to honour rewards you choose to redeem.
International transfers
Data may be processed in the UK, EEA, and United States. Where required, we rely on adequacy decisions, Standard Contractual Clauses, or supplier certification mechanisms. Details are available in Google and Vercel privacy documentation.
Retention
- Account data: until you delete your account, then removed or anonymised within a reasonable period (typically within 30 days of a verified deletion request), except where we must retain records for legal, tax, or fraud purposes.
- Analytics: per Google Analytics retention settings.
- Support emails: as long as needed to resolve your enquiry.
Security
We use encryption in transit, access controls, and Firebase security rules proportionate to risk. No method of transmission is 100% secure.
Cookies and similar technologies
Our marketing website uses essential cookies only (for example to remember cookie notice dismissal). We do not use non-essential analytics cookies on the website at this time. The mobile app uses local storage and SDKs as described above.
Your rights
Depending on where you live, you may have the right to:
- Access and receive a copy of your data
- Rectify inaccurate data
- Erase data (“right to be forgotten”)
- Restrict or object to certain processing
- Data portability
- Withdraw consent where processing is consent-based
- Lodge a complaint with a supervisory authority
UK: Information Commissioner’s Office (ICO) — ico.org.uk
Ireland / EEA: Data Protection Commission (Ireland) — dataprotection.ie
To exercise rights, email info@dander.app with Data access request or Account deletion in the subject, or use our account deletion form. We respond within one month where required by law.
Automated decisions
We do not make solely automated decisions with legal or similarly significant effects. Pool settlement and rewards use automated systems with published rules; you may contact us with questions.
Changes
We may update this policy. The “Last updated” date will change. Material updates may be shown in the app or by email.
Related documents
See also our Terms of Service.