Legal
Privacy Policy
Last updated: 8 June 2026
This notice explains how Norn Digital (“we”, “us”) processes personal data when you use the Dander app and website. It is written for users in the United Kingdom (including Northern Ireland) and the Republic of Ireland / European Economic Area where EU GDPR applies.
Data controller
Norn Digital (incorporated in Northern Ireland) is the data controller. Privacy enquiries: info@danderapp.com.
EU representative (Article 27 GDPR): Where required for EEA users, we will publish EU representative contact details on this page. Until then, EEA users may contact info@danderapp.com for all privacy matters.
What we cover
Dander is a fitness and walking rewards app (not a game or social network). This notice covers the Dander mobile app, website (www.danderapp.com), account services, step sync, virtual rewards (Clover), prediction pools, leaderboards, referrals, optional profile photos, push notifications, rewarded advertising, and partner reward redemptions.
Age limit
You must be at least 13 to create a Dander account. We do not knowingly collect data from younger children. App-store age ratings (for example PEGI 3 or Everyone) reflect content suitability; our account minimum remains 13.
Clover and partner rewards
- Clover is virtual in-app currency earned through walking, app activity, optional rewarded ads, referrals, and promotions. It has no cash value, is not cryptocurrency, and cannot be sold or transferred outside the app.
- Dander does not sell digital goods or in-app currency for real money. There is no Google Play Billing, App Store billing, or other real-money checkout in the app.
- When you redeem Clover for a partner offer (voucher code, discount link, or similar), fulfilment is provided by that independent business under its own terms. Dander does not issue cash, bank transfers, gift cards, or convertible digital assets.
Location and leaderboards
- We do not collect your precise GPS location and do not share your real-time or exact location with other users.
- We may store a country or region code (for example GB or IE) to group leaderboards and show eligible shop offers.
- Leaderboards and team features may show your display name or username, optional profile photo, step totals, team name, and regional grouping to other signed-in users. There is no in-app chat, direct messaging, or open user-generated content feed.
Personal data we collect
| Category | Examples |
|---|---|
| Account | Email, password (hashed by Firebase Auth), display name, username, user ID, country/region code |
| Profile | Optional profile photo (camera or photo library), team name, referral code, equipped title |
| Fitness | Daily step counts and sync metadata from Apple Health / Health Connect when you connect; on some devices, motion/activity data may be used as a fallback when health access is unavailable |
| Leaderboards | Public ranking fields: display name, optional profile image, step totals, team name, regional grouping |
| App activity | Feature usage events (e.g. login, shop redemption, ads, health permission) via Firebase Analytics |
| Device | FCM push token, advertising/device identifiers (AdMob, Firebase), App Check signals, ad consent choices (Google UMP where shown) |
| Rewards | Clover balance, pool participation, shop redemptions, voucher codes/links, referral records |
| Support | Contact form messages, data access requests, and account deletion requests |
Why we use data and lawful bases
| Purpose | Typical lawful basis (UK / EU GDPR) |
|---|---|
| Create and manage your account | Contract |
| Sync steps, streaks, pools, leaderboards | Contract; consent for health platform permissions |
| Deliver rewards and partner redemptions | Contract; legitimate interests |
| Show leaderboards and team rankings | Contract; legitimate interests |
| Push notifications (if enabled) | Consent / legitimate interests |
| Analytics and product improvement | Legitimate interests; consent where required for EEA/UK ads |
| Rewarded advertising (AdMob) | Consent where required (Google UMP in the app); legitimate interests for fraud prevention |
| Security and App Check | Legitimate interests; legal obligation |
| Respond to privacy requests | Legal obligation |
Step and motion data are fitness and wellness data. We use them only to power app features, not for medical diagnosis. You can revoke health or motion access in device settings at any time.
Processors and sharing
We use trusted suppliers under contract. We do not sell your personal data for money.
- Google Firebase / Google Cloud — authentication, database, storage, cloud functions, analytics, app attestation (regions may include EU and US).
- Google AdMob and User Messaging Platform (UMP) — optional rewarded video ads and, where required, consent prompts for personalised advertising in the EEA/UK.
- Vercel — website hosting and privacy-friendly page analytics (see Cookies below).
- Partner businesses — limited data needed to honour rewards you choose to redeem (for example display name and redemption record). Partners do not receive your email, password, or full step history unless you contact them directly.
International transfers
Data may be processed in the UK, EEA, and United States. Where required, we rely on adequacy decisions, Standard Contractual Clauses, or supplier certification mechanisms. Details are available in Google and Vercel privacy documentation.
Retention
- Account data: until you delete your account, then removed or anonymised within a reasonable period (typically within 30 days of a verified deletion request), except where we must retain records for legal, tax, or fraud purposes.
- Analytics: per Google Analytics retention settings.
- Support emails: as long as needed to resolve your enquiry.
Security
We use encryption in transit, access controls, and Firebase security rules proportionate to risk. No method of transmission is 100% secure.
Cookies and similar technologies
Our marketing website uses:
- Essential storage — for example to remember cookie-notice dismissal.
- Vercel Web Analytics — privacy-oriented, cookieless page-view analytics on www.danderapp.com. We do not use advertising or cross-site tracking cookies on the website.
The mobile app uses on-device storage and third-party SDKs (Firebase, AdMob) as described above. In the app, open Settings → Ad privacy settings (where available) to review or change advertising consent choices shown via Google UMP.
Your rights
Depending on where you live, you may have the right to:
- Access and receive a copy of your data
- Rectify inaccurate data
- Erase data (“right to be forgotten”)
- Restrict or object to certain processing
- Data portability
- Withdraw consent where processing is consent-based
- Lodge a complaint with a supervisory authority
UK: Information Commissioner’s Office (ICO) — ico.org.uk
Ireland / EEA: Data Protection Commission (Ireland) — dataprotection.ie
To exercise rights, email info@danderapp.com with Data access request or Account deletion in the subject, use our contact form (choose “Request my Data” or account deletion), or use in-app controls:
- Delete account: Settings → Delete your account (permanent; removes profile, steps, and rewards data).
- Request my data: Settings → Request my data (opens the contact form — email from your Dander account so we can verify you).
- Ad choices: Settings → Ad privacy settings (mobile app, where UMP is available).
We respond within one month where required by law.
Automated decisions
We do not make solely automated decisions with legal or similarly significant effects. Pool settlement and rewards use automated systems with published rules; you may contact us with questions.
Changes
We may update this policy. The “Last updated” date will change. Material updates may be shown in the app or by email.
Related documents
See also our Terms of Service.