Privacy Policy
Effective 30 June 2026
This page is maintained by [anása data controller — FILL IN] ("we", "us") to explain how anása ("the app") collects, uses, stores, and protects your personal data. It is written in plain language and is not a substitute for legal advice.
1. Who we are
The data controller for personal data processed through anása is [anása data controller — FILL IN], based at [Legal address — FILL IN]. You can reach us about privacy matters at [privacy@your-domain — FILL IN].
2. What we collect, why, and on what legal basis
| Category | Examples | Legal basis |
|---|---|---|
| Account data | Email, display name, encrypted password (if you sign up with email) | Performance of contract (Art. 6(1)(b) GDPR) — to provide the app |
| Profile preferences | Experience level, sleep goal, language, dark/light theme | Performance of contract |
| Journal entries | The text reflections and gratitudes you choose to write | Performance of contract; you control deletion at any time |
| Mood entries | Mood score, energy level, optional notes | Performance of contract |
| Practice activity | Exercises completed, durations, favorites, achievements, streaks | Performance of contract |
| Push device token | An opaque identifier from Apple/Google so we can send reminders you enabled | Consent (Art. 6(1)(a)); withdrawn by turning off notifications |
| Device locale | Language tag used to pick a translation | Legitimate interest (Art. 6(1)(f)) — minimal, no profiling |
| Security/diagnostic logs | Request metadata kept briefly to detect abuse | Legitimate interest |
We do not collect precise location, contacts, photos, microphone input, advertising identifiers, or behavioural profiling data. anása does not run ads.
3. Sensitive content
Journal reflections and mood notes describe how you feel and may touch on mental wellbeing. We treat them as private to you: they are scoped to your account by database row-level security, they are not shared with anyone, and they are not used to train AI models. You can delete any entry from the Journal screen and you can delete every entry by deleting your account.
4. Where your data lives
anása stores data on Lovable Cloud (powered by Supabase). The database is hosted in the European Union and encrypted at rest and in transit. Backups are retained on the same infrastructure.
5. Subprocessors
- Lovable Cloud / Supabase — hosting, database, authentication
- Lovable AI Gateway — optional AI features routed through Lovable; only data you submit to those features is processed
- Apple Push Notification service (APNs) — iOS reminders
- Google Firebase Cloud Messaging (FCM) — Android reminders
- Web Push (VAPID) — browser reminders
Subprocessors only process data on our instructions and under their own GDPR commitments.
6. International transfers
Some subprocessors (Apple, Google) are based outside the EEA. Where transfers occur, they rely on Standard Contractual Clauses or equivalent safeguards.
7. How long we keep your data
- Account, journal, mood, and practice data: as long as your account exists.
- Push tokens: until you disable notifications or sign out.
- Security logs: up to 30 days.
- After account deletion: all rows are removed immediately; backups roll off within 30 days.
8. Your rights
Under GDPR you may at any time:
- Access the data we hold about you — use "Download my data" in your profile.
- Rectify inaccurate data — edit your profile or journal entries directly.
- Erase your data — use "Delete my account" in your profile.
- Restrict or object to processing, or withdraw consent for push at any time.
- Portability — the export above is a structured, machine-readable JSON file.
- Lodge a complaint with your national supervisory authority.
9. Children
anása is not directed at children under 16 in the EEA or under 13 elsewhere. If you believe a child has provided personal data, contact us and we will remove it.
10. Security
We use TLS in transit, encryption at rest, row-level security so each user only sees their own data, and least-privilege server access. No system is perfectly secure; if you discover a vulnerability please email [privacy@your-domain — FILL IN].
11. Changes to this policy
If we change this policy materially we will bump the version, prompt you to re-accept on next sign-in, and update the date above.
See also: Terms of Service · Cookies & tracking