← anása

Privacy Policy

Effective 30 June 2026

This page is maintained by [anása data controller — FILL IN] ("we", "us") to explain how anása ("the app") collects, uses, stores, and protects your personal data. It is written in plain language and is not a substitute for legal advice.

1. Who we are

The data controller for personal data processed through anása is [anása data controller — FILL IN], based at [Legal address — FILL IN]. You can reach us about privacy matters at [privacy@your-domain — FILL IN].

2. What we collect, why, and on what legal basis

CategoryExamplesLegal basis
Account dataEmail, display name, encrypted password (if you sign up with email)Performance of contract (Art. 6(1)(b) GDPR) — to provide the app
Profile preferencesExperience level, sleep goal, language, dark/light themePerformance of contract
Journal entriesThe text reflections and gratitudes you choose to writePerformance of contract; you control deletion at any time
Mood entriesMood score, energy level, optional notesPerformance of contract
Practice activityExercises completed, durations, favorites, achievements, streaksPerformance of contract
Push device tokenAn opaque identifier from Apple/Google so we can send reminders you enabledConsent (Art. 6(1)(a)); withdrawn by turning off notifications
Device localeLanguage tag used to pick a translationLegitimate interest (Art. 6(1)(f)) — minimal, no profiling
Security/diagnostic logsRequest metadata kept briefly to detect abuseLegitimate interest

We do not collect precise location, contacts, photos, microphone input, advertising identifiers, or behavioural profiling data. anása does not run ads.

3. Sensitive content

Journal reflections and mood notes describe how you feel and may touch on mental wellbeing. We treat them as private to you: they are scoped to your account by database row-level security, they are not shared with anyone, and they are not used to train AI models. You can delete any entry from the Journal screen and you can delete every entry by deleting your account.

4. Where your data lives

anása stores data on Lovable Cloud (powered by Supabase). The database is hosted in the European Union and encrypted at rest and in transit. Backups are retained on the same infrastructure.

5. Subprocessors

  • Lovable Cloud / Supabase — hosting, database, authentication
  • Lovable AI Gateway — optional AI features routed through Lovable; only data you submit to those features is processed
  • Apple Push Notification service (APNs) — iOS reminders
  • Google Firebase Cloud Messaging (FCM) — Android reminders
  • Web Push (VAPID) — browser reminders

Subprocessors only process data on our instructions and under their own GDPR commitments.

6. International transfers

Some subprocessors (Apple, Google) are based outside the EEA. Where transfers occur, they rely on Standard Contractual Clauses or equivalent safeguards.

7. How long we keep your data

  • Account, journal, mood, and practice data: as long as your account exists.
  • Push tokens: until you disable notifications or sign out.
  • Security logs: up to 30 days.
  • After account deletion: all rows are removed immediately; backups roll off within 30 days.

8. Your rights

Under GDPR you may at any time:

  • Access the data we hold about you — use "Download my data" in your profile.
  • Rectify inaccurate data — edit your profile or journal entries directly.
  • Erase your data — use "Delete my account" in your profile.
  • Restrict or object to processing, or withdraw consent for push at any time.
  • Portability — the export above is a structured, machine-readable JSON file.
  • Lodge a complaint with your national supervisory authority.

9. Children

anása is not directed at children under 16 in the EEA or under 13 elsewhere. If you believe a child has provided personal data, contact us and we will remove it.

10. Security

We use TLS in transit, encryption at rest, row-level security so each user only sees their own data, and least-privilege server access. No system is perfectly secure; if you discover a vulnerability please email [privacy@your-domain — FILL IN].

11. Changes to this policy

If we change this policy materially we will bump the version, prompt you to re-accept on next sign-in, and update the date above.

See also: Terms of Service · Cookies & tracking