Last updated: May 26, 2026.
App: NeckGuardian. Developer and privacy contact: NeckGuardian, Mikolaj Drozdz, neckguardianapp [at] gmail.com.
Posture and wellbeing scope: NeckGuardian supports awareness of posture and desk working conditions. It is not a medical device, does not diagnose medical conditions and does not replace medical advice. We treat posture, presence-at-desk and work-pattern data as sensitive in the practical sense of Google Play privacy expectations, even when those data are not formal medical records.
User, device, posture and telemetry data are not sold or used for behavioral advertising.
The desk device sends telemetry and posture data directly to the cloud API. The mobile app displays results.
The system does not require camera, contacts, SMS, GPS location or microphone recording access.
You can request deletion of your account and related data in the app or through the deletion page.
1. What data we process
| Category | Examples | Purpose |
|---|---|---|
| Account and profile | Email address, Firebase UID, display name, language, timezone, app settings, account status and roles. | Sign-in, account recognition, settings sync and access control so users can access only their own data. |
| NeckGuardian device | Serial number, model, hardware revision, firmware version, activation status, account-device binding, unbinding history, device configuration and user-created device commands. | Device pairing, secure device communication, displaying the user's devices, diagnostics and firmware updates. |
| Bluetooth and device provisioning | Bluetooth device identifiers and name discovered during setup, basic technical device information, Wi-Fi network details entered by the user, provisioning data and setup status messages. | Discovering, connecting to and configuring compatible nearby NeckGuardian devices. |
| Telemetry and desk environment | Sample time, device uptime, battery, temperature, humidity, pressure, light level, estimated CO2, air quality index, aggregated sound level in decibels, device error codes and telemetry batch metadata. | Showing current desk status, history, environmental insights and device diagnostics. |
| Posture, presence and work patterns | Posture score, head or neck angles, head height above desk, presence status at the desk, active minutes, session length, breaks, daily summaries and posture alerts. | Recommendations, trainer mode, gentle alerts, summaries and ergonomic awareness. |
| Mobile app and push notifications | Expo or FCM push token, platform, app installation identifier, notification send status, push delivery errors, app settings and user-initiated sync or command requests. | App functionality, user settings, push alerts when enabled and user control of the paired device. |
| Support, bug reports and newsletter | Email address, subject, message content, bug description, severity, newsletter consent, signup source and hashed browser or app user-agent. | Responding to requests, fixing bugs, project communication and documenting consent for email updates. |
| Security and diagnostics | Authentication tokens, hashed device secrets, hashed IP address or user-agent, audit logs, timestamps, API errors and technical metrics. | Protecting accounts and devices, detecting misuse, troubleshooting failures and auditing admin actions. |
2. Mobile app role and device-to-cloud telemetry
The NeckGuardian mobile app does not act as an intermediary for posture or telemetry collection after a device has been paired. The desk device authenticates independently and sends telemetry, posture, presence and environment data directly to the NeckGuardian cloud API over HTTPS.
The mobile app is used to sign in, pair the device, display cloud-processed measurements and recommendations, register push tokens, update settings, request sync and send user commands. It does not read posture sensor values from the phone, does not continuously upload telemetry from the phone and does not forward raw device telemetry through the phone.
NeckGuardian uses Bluetooth Low Energy (BLE) only to discover, connect to and configure compatible NeckGuardian devices located near the user. During this process, the app may detect Bluetooth device identifiers and the device name, read basic technical information about the device and send data needed for setup, such as Wi-Fi network details entered by the user, including the SSID and password, and provisioning data required to connect the device with backend services. The app may also receive setup status messages from the device. Bluetooth is not used to track the user's location or profile the user's activity.
3. Data the mobile app does not collect
In the current scope, NeckGuardian does not require access to the phone's precise GPS location, contacts, address book, SMS, call log, calendar, list of installed apps, user files, camera or microphone recordings.
If the desk device reports sound level, it is an aggregated loudness measurement in decibels and not an audio recording. The system does not store user photos, user videos or audio content.
4. Where data comes from
- From the user: profile data, support messages, newsletter signup, app settings and app actions.
- From Firebase Authentication: identity confirmation, Firebase UID, email and account name when available.
- From the NeckGuardian desk device: telemetry, device state, firmware, battery, environment sensors and posture metrics sent directly to the cloud API.
- From the mobile app: push tokens, app settings, sync requests and user commands for the paired device.
- From infrastructure: technical logs, API metrics, hashed IP or user-agent data and security events.
5. How we use data
- To create and operate the user account.
- To pair the phone with a NeckGuardian device and limit access to devices assigned to the account.
- To show current metrics, history, daily summaries and recommendations.
- To send push notifications when the user enables them.
- To handle support requests, bug reports, newsletter communication and user contact.
- To protect the service, audit actions, diagnose issues, prevent misuse and maintain infrastructure.
- To comply with legal obligations if they apply.
We do not use posture, presence, desk-environment data or device identifiers for advertising profiling. We do not sell personal data or sensitive user data.
6. Sharing data and service providers
Data may be processed by technical providers that help operate NeckGuardian, including:
- Google Firebase Authentication for user sign-in and token verification.
- Google Firebase Cloud Messaging for native Android push notifications.
- Expo Push Service if the app uses Expo tokens for compatibility or development.
- Cloudflare for public HTTPS traffic, tunnel, DNS and network-layer protection.
- Hosting, database, monitoring and object-storage providers used to operate the cloud API.
We may also share data when required by law, needed to protect users or the security of the service, or as part of a project reorganization with appropriate user notice.
7. Data security
- Communication between the mobile app, cloud API and device uses HTTPS/TLS.
- Users authenticate with Firebase tokens; devices use separate device tokens.
- Long-term device secrets and credentials are stored as hashes, not plain values.
- Access to device data is checked against the active account-device binding.
- Admin tools require a separate admin role, and important actions may be written to audit logs.
- Links to non-public assets are time-limited or signed where applicable.
8. Retention and deletion
We retain account, profile, device and telemetry data for as long as the account is active and the data are needed for app features, history, recommendations, security or support. The current implementation does not define a public fixed automatic deletion period for all telemetry. Data may be deleted or anonymized after a user request, subject to backups, security requirements and legal obligations.
- Newsletter data is retained until the user unsubscribes or requests deletion.
- Support requests are retained for the time needed to handle the case and a reasonable period for bug prevention or abuse protection.
- Push tokens are disabled or deleted after logout, device change, push-provider errors or account deletion request.
- Security logs and backups may remain for a limited technical period before they are overwritten or deleted.
9. Account and data deletion
A user may request deletion of their NeckGuardian account and data associated with the account. The web deletion path is available at https://neckguardian.com/delete-account/.
A request may also be sent to neckguardianapp [at] gmail.com. The message should include the account email and, if known, the NeckGuardian device serial number. After verification, we will delete or anonymize account data, profile data, device bindings, push tokens, recommendations and telemetry linked to the account, unless continued retention is required by law or security needs.
10. Android permissions and consent
The app should request Android permissions only when a specific feature needs them. Push notifications require the user's system-level permission. If the app later uses additional sensitive data or permissions that are not reasonably expected for the feature, NeckGuardian will provide a clear in-app disclosure before requesting consent.
On devices running Android 12 or newer, the app may request permissions to discover and connect to nearby devices (Nearby devices / Bluetooth). On older Android versions, the system may require location permission for BLE scanning even though the app does not use Bluetooth to determine the user's physical location.
11. Children
NeckGuardian is not directed to children. If we learn that a child's data has been processed without required guardian consent, we will take steps to delete it.
12. Changes to this policy
This policy may be updated as the app, device and infrastructure evolve. The updated version will be published on this page with the current date. If a change materially affects how sensitive data is processed, we will notify users in the app or through another appropriate channel.