Rod Software

Spelling Buddy Privacy Policy

Last updated: March 11, 2026

Rod Software LLC ("we", "us", "our") operates the Spelling Buddy app. This Privacy Policy explains what data we collect, how we use it, and your choices.

Contact: legal@rodsoftware.com

1. Scope

This policy applies to the Spelling Buddy iOS app and related backend services used to provide app features.

2. Data We Collect

2.1 No Required Account Login

Spelling Buddy does not require account creation or sign-in to use free features.

We do not use Sign in with Apple, Apple sign-in identity tokens, Apple user identifiers, or app account tokens for normal app access.

2.2 Subscription and Entitlement Data

  • Subscription status and expiration/renewal-related state.
  • Transaction identifiers and OTID-derived entitlement records used to verify purchases and restore access.
  • Usage counters and entitlement state used to enforce plan limits and prevent abuse.
  • Locally cached subscription status, one backend-verified transaction identifier, and an OTID-derived support code used for protected requests, restore flows, support, and deletion flows.

2.3 User Content Data

Words and attributes you create, confirm, upload, submit for enrichment, or edit in the app, including:

  • word
  • definition
  • sentence
  • origin
  • difficulty
  • upload or create timestamps

Photos you capture or select for OCR are processed on-device to extract candidate words. We do not upload the image itself to our backend as part of OCR processing.

2.4 Technical, Security, and Diagnostic Data

  • Basic request, response, rate-limiting, and error diagnostics needed for reliability, security, and abuse prevention.
  • Device and app state needed to render subscription and access state in-app.
  • Network and anti-abuse identifiers such as an IP address and/or an App Attest-related key identifier used for rate limiting, abuse prevention, and request protection.
  • App Attest-related metadata used to validate protected requests, such as a device security key identifier, attestation verification state, assertion counters, one-time challenge metadata, and a verified public key used for assertion verification.
  • Redacted operational logs and diagnostics used to investigate outages, entitlement issues, and abuse.

3. How We Collect Data

We collect data from:

  • You directly (manual word entry, app actions, settings choices, uploads).
  • Apple (StoreKit purchase and restore events, subscription state, and Apple device security services such as App Attest).
  • Our backend APIs and service providers used for word enrichment, entitlement checks, security validation, and deletion requests.

4. How We Use Data

We use data to:

  • Provide free and premium app features.
  • Verify subscriptions and restore premium access.
  • Extract candidate words from photos on-device and process submitted word text for validation and enrichment.
  • Process words and return definitions/sentences/origin/difficulty.
  • Protect premium and backend features using transaction validation and device security checks.
  • Prevent abuse and enforce fair usage.
  • Provide customer support and troubleshoot issues.

4.1 Identifier Use for Internal Operations

  • Subscription transaction and OTID-derived records:
    • Used to verify entitlement ownership, restore access, support deletion requests, prevent mismatch abuse, and maintain subscription integrity.
  • Locally cached subscription, transaction, and OTID-derived support data:
    • Used to support protected backend requests, restore flows, support inquiries, and deletion flows.
  • App Attest-related security identifiers and metadata:
    • Used to verify that protected requests come from a genuine app instance on an Apple device, and to reduce abuse, replay, and unauthorized automated use.
    • The underlying App Attest private key material is managed by Apple and device hardware. We may store the related key identifier, a verified public key, assertion counters, and limited operational verification metadata.

We use these identifiers only for core internal operations, including security, entitlement verification, fraud and abuse prevention, app integrity, deletion handling, and support.

5. App Permissions

The app requests:

  • Camera access: capture photos of word lists when you use the Take Picture flow.
  • Photo library access: select screenshots/photos when you choose an image for OCR.

6. Retention and Deletion

The app provides two data-reset options:

  • Clear Local Data: Removes local app data from the device, resets onboarding, and clears local App Attest state for a fresh start.
  • Delete My Data: Attempts to delete recoverable server data and also removes local app data from the device.
  • If the app can identify prior server data using a current entitlement or a retained backend-verified transaction identifier, we delete associated server data, subject to short technical propagation delays.
  • If the app cannot recover a transaction identifier on the device, the in-app deletion flow may only remove local data. You may still contact us for additional deletion help.
  • If you delete data with subscription history, we may retain only minimal anti-abuse and entitlement-integrity records for up to the earlier of (a) the current entitlement expiry date, or (b) 1 month after deletion, and then purge them.

Examples of minimal retained records may include:

  • OTID reference
  • latest transaction ID reference
  • entitlement expiry marker
  • remaining usage counters
  • When local data deletion succeeds in-app, local words, caches, the cached OTID-derived support code, and the cached latest verified transaction identifier are removed.
  • When you use Delete My Data, a minimal App Attest-related device security identifier stored in the device keychain may remain locally to support app security continuity and abuse prevention.
  • When you use Clear Local Data, local App Attest state is also reset on the device.

7. Children

Spelling Buddy is a general-audience app and may be used by learners of different ages with parent or guardian consent and supervision where required.

We do not use personal data for advertising profiles, cross-app tracking, or data brokerage.

8. Data Sharing

We do not sell personal data.

We do not share personal data with advertisers or data brokers.

We do not use cross-app tracking for advertising.

We may share limited data with service providers strictly to operate core functionality, for example:

  • Apple services for subscriptions, App Store Server Notifications, purchase validation, and device security validation.
  • OpenAI services used to process and enrich word text you submit through the app.
  • Infrastructure and rate-limiting providers used to host and protect backend services.

When we use service providers to operate the app, we do so only for the relevant service and expect those providers to protect data in a manner consistent with applicable law, platform requirements, and their published obligations.

9. Security

We use reasonable technical safeguards, including encrypted transport, secure local storage where appropriate, transaction verification, Apple device security services such as App Attest, and redacted operational logging where practical.

No method of transmission or storage is perfectly secure, but we work to reduce risk and limit data exposure.

10. Your Rights and Requests

You can request access, correction, or deletion of your data by contacting legal@rodsoftware.com.

We target a response window of up to 30 days.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material updates will be reflected by a new "Last updated" date and, where appropriate, in-app notice.

12. Contact

For privacy questions or formal privacy requests, contact legal@rodsoftware.com.

Back to Spelling Buddy Back to Products