Privacy Policy

Last updated: 2026-06-10

BrassKeep (“we,” “us,” “our”) is a personal firearm-management iOS app published by BrassOps LLC, a U.S.-registered limited liability company. This Privacy Policy explains what information BrassKeep collects, how we use it, where it’s stored, and the choices you have. It applies to the BrassKeep iOS app, the optional companion Apple Watch app, and any website pages we operate at brasskeep.com.

1. What we collect

We collect only the information you give us or that is necessary to operate the app for you. We do not sell or rent your data, and we do not use your data for advertising.

1.1 Account information

Sign in with Apple identifier. When you sign in with Apple, Apple provides us a stable, pseudonymous user identifier and (only if you consent) your name and an email address (which may be an Apple private-relay address you control).
Email address. If you choose the email-code sign-in option instead, we receive the email address you enter so we can send a one-time login code.
Username and display name. If you opt into Social features (Armory tier), the username + display name you choose are visible to friends you add.

1.2 User content you create in the app

Firearms — make, model, caliber, serial number (stored locally on your device; if you enable cloud sync on the paid tier the serial is masked at rest server-side and only revealed locally after biometric authentication), purchase date, photos, attachments.
Range sessions, drill sessions, shot-timer runs — scores, times, notes, target photos, the firearm + ammo used.
Ammunition lots — brand, caliber, quantity, costs.
Permits — type, issuing authority, expiration, photos of permit documents.
Maintenance and service log — what you did, when, on which firearm.
Journal entries — text and photo notes you write.
Range locations — names and addresses you save.

Friendships — pairs of users who’ve accepted each other’s friend requests.
Challenges — drill name, scoring method, your score, the optional target photo you attach. Your opponent’s score is hidden from you until both of you submit. Challenge target photos are auto-deleted from storage 30 days after the challenge completes.
Head-to-head records and badges — derived from your challenge history.

1.4 AI target analysis (Armory tier, opt-in)

The target photo you upload, your firearm ID and session ID (so we can attach the analysis to the right run), and the resulting analysis (group size, suspected fliers, suggested follow-up notes).
Photos uploaded for AI analysis are sent to Anthropic’s Claude API server-side from our backend for processing; we do not embed any Anthropic credentials in the iOS app. Anthropic’s terms govern their handling of inference data.

1.5 Device and diagnostic data

Crash reports are collected by Apple’s MetricKit framework on iOS and are delivered to us via Apple’s Xcode Cloud / App Store Connect. They contain stack traces and device model information; they do not contain your data.
“Report a problem” in Settings → Support is a manual action you take. When you tap it, the app composes a diagnostic report you can review before sending; the report contains the app version, OS version, device model, and a summary of recent in-app errors. It is sent only when you tap Send.
We use the iOS unified logging system (OSLog) on-device. These logs stay on your device and are visible only to you (and Apple, via standard iOS diagnostics if you opt in to share with developers).

1.6 What we do NOT collect

We do not use third-party analytics or advertising SDKs.
We do not collect your location, contacts, calendar, microphone audio, or health data.
The Apple Watch shot-timer uses your microphone briefly to detect shot reports during a timed run; that audio is processed entirely on-device and is never uploaded.

2. Where your data is stored

Free tier: Your data stays on your iPhone, in the app’s sandbox. We do not have a server copy. If you delete the app or your phone, the data is gone.
Armory tier (paid): Your data syncs to BrassOps LLC’s backend hosted on Supabase (Postgres database, object storage for photos) in the United States. Row-level security policies on every table ensure one user’s data is not readable by another.
AI analysis photos live in a private storage bucket and are fetched server-side via short-lived signed URLs only for the analysis call. The challenge target-photo bucket follows the same pattern with the additional 30-day auto-delete rule above.

3. How we use your data

We use the information above only to: - Provide the in-app features you’ve activated. - Sync your data across your iOS devices on the paid tier. - Authenticate you and keep your session secure. - Process AI target analyses you request. - Respond to support requests you initiate. - Detect and fix bugs (via the diagnostic flows in §1.5). - Comply with legal obligations.

We do not use your data for marketing or profiling, and we do not share it with third parties except as described in §4.

Apple Inc. — Sign in with Apple authentication; In-App Purchase receipt validation (via RevenueCat).
Supabase, Inc. — our database, authentication, and object storage provider. Supabase operates as our data processor under their DPA.
RevenueCat, Inc. — subscription receipt validation and entitlement management. RevenueCat receives your anonymized RevenueCat App User ID, the IAP transaction, and your active entitlements; it does not receive any of the user content described in §1.2.
Anthropic PBC — when you request an AI target analysis, your uploaded target photo is sent server-side to the Claude API. Anthropic acts as our data processor and is subject to their own Privacy Policy.

We do not sell your data. We do not share data with advertisers. We have no relationship with data brokers.

5. Your choices and rights

Edit or delete in app. Every item in the Safe (firearms), Log (sessions), Journal, and Permits sections can be edited or deleted from the app at any time.
Export your data. Settings → Storage → “Export data” produces CSV files of your records that you can save or share.
Delete your account. In your Profile (open it from the profile icon at the top-right of the Home tab), tap Delete Account at the bottom. This begins an irreversible deletion of your server-side data (Armory tier) within 30 days. The action also calls a server-side delete-account endpoint that removes auth records, profile, all owned tables, and storage objects.
Sign out. In your Profile, Sign Out (under Account) ends the session on this device without deleting any data.
Subscription management. Settings → Subscription includes “Manage subscription” (opens iOS Settings → Subscriptions) and “Restore purchases.”

Under U.S. state privacy laws (California, Virginia, Colorado, Connecticut, Utah, and others), you may have additional rights including the right to know what we hold, the right to deletion, and the right to opt out of “sale” (we do not sell). To exercise any of these rights, email [email protected]. We respond within the timeframe your state law requires (typically 45 days).

6. Retention

Account data and user content are kept while your account is active. If you delete your account, server-side data is purged within 30 days. Backups roll off within 60 days.
Challenge target photos are auto-deleted from storage 30 days after the challenge completes (see §1.3).
Crash reports delivered through Apple’s MetricKit pipeline are retained for up to one year for debugging.
Diagnostic emails you send via “Report a problem” are retained while we are working on the issue and routinely purged afterward.

7. Children

BrassKeep is not directed to children under 17 and is rated 17+ in the App Store. If you are under 17, please do not use the app. If we learn we have collected information from a child under 13, we will delete it.

8. Security

We use TLS (HTTPS) for all data in transit. At rest, your data is stored in Supabase’s encrypted database and object storage. Row-level security policies enforce per-user access on every table. Serial numbers are masked at rest server-side and only revealed on your device after a device-owner biometric authentication. We use Apple’s Keychain for tokens.

No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you in accordance with applicable law.

9. International users

BrassKeep is offered for use in the United States. If you use the app from another country, you are transferring your information to the U.S. We do not currently support data localization to other regions.

10. Changes

If we make a material change to this Privacy Policy, we will post the new version at this URL and update the “Last updated” date. If the change is material we will also notify you in the app on next launch.

11. Contact

BrassOps LLC
PO Box 288, Allenwood, NJ 08720
[email protected]