Privacy Policy
1. Who we are
This Privacy Policy explains how Life GPS (hereinafter "the App", "we", "us", "our") collects, uses, and protects your personal data.
Controller (data controller under GDPR Article 4):
- Legal entity: WAADSU s.r.o., a limited liability company incorporated under the laws of the Czech Republic
- Registered address: [to be added before publishing — Prague, Czech Republic]
- Contact email: waadsu45@gmail.com (a dedicated privacy@lifegpsos.com address activates with the production domain)
- Support: waadsu45@gmail.com
Data Protection Officer (DPO): The founder acts as the point of contact for data-protection matters at waadsu45@gmail.com. Under GDPR Article 37, appointment of a separate DPO is not required at our current scale (fewer than 250 employees, no large-scale systematic monitoring, no large-scale processing of special-category data). We will appoint an independent DPO before the App exceeds ~50,000 active users in the EU/EEA or begins processing special-category health data at scale.
2. What data we collect
2.1 Data you provide directly
| Category | Examples | Legal basis (GDPR Art. 6) |
|---|---|---|
| Account identifiers | Email, hashed password or OAuth ID (Google/Apple) | Contract (6(1)(b)) |
| Profile | Name, age, (optional) phone, city, avatar | Contract |
| Life balance data | Sliders for 9 spheres (money, health, love, family, friends, self-realization, education, spirituality, work) | Contract — core service |
| Quiz answers | Sphere-specific responses (~90 items) | Contract — core service |
| Desires & pains | Free-text entries describing goals and obstacles per sphere | Contract — core service |
| Tasks & programs | Tasks, daily check-ins, 21-day program progress, notes, reflections | Contract — core service |
| Social graph (if used) | Contacts you invite, supportive connections | Consent (6(1)(a)) — explicit opt-in per invite |
2.2 Data collected automatically
| Category | What | Legal basis |
|---|---|---|
| Usage analytics (PostHog) | Screen views, taps, funnel progression, session duration, device/OS/app version | Legitimate interest (6(1)(f)). Opt-out in Settings. |
| Error tracking (Sentry) | Stack traces, device state, app version, non-identifying breadcrumbs | Legitimate interest — fix crashes |
| Auth metadata (Supabase) | Last sign-in timestamp, IP (30-day retention), provider | Legitimate interest — security |
2.3 Data from third parties
- Google Sign In — email + name from your Google account
- Apple Sign In — Apple ID email (or anonymized relay if you chose "Hide My Email")
3. How we use your data
- Provide the core service — calculate balance, track sphere progress, generate 21-day programs, manage tasks.
- Personalize AI guidance — your profile, desires, pains, recent activity inform AI chat responses (Section 5).
- Improve the product — aggregated analytics inform roadmap. Pseudonymized in PostHog.
- Communicate — transactional emails (login codes, security alerts), opt-in product updates, support.
- Security — detect suspicious logins, protect account integrity.
- Legal compliance — respond to lawful requests when required.
We do NOT:
- Sell your data to advertisers or data brokers.
- Use your data to train foundation AI models without consent (see Section 5).
- Share desires / pains / reflections with any third party other than strictly necessary processors (Supabase, OpenAI/Anthropic).
4. Third-party services (sub-processors)
| Service | Role | Data accessed | Location |
|---|---|---|---|
| Supabase | Backend / DB / auth | Account + profile | EU (Frankfurt) |
| Apple (Sign in with Apple) | Auth provider | Email / relay email | USA |
| Google (Sign In) | Auth provider | Email, name | USA |
| PostHog | Product analytics (pseudonymized) | Usage events | EU or USA (configurable) |
| Sentry | Error tracking (no PII) | Stack traces, device state | EU (Frankfurt — de.sentry.io) |
| OpenAI / Anthropic | AI inference (chat only) | Chat messages + minimal profile context | USA |
| Email vendor (selected at launch) | OTP / transactional email | Email + content | USA / EU |
Data transfers outside EU/EEA: Standard Contractual Clauses (SCC) approved by the European Commission, or EU-US Data Privacy Framework where applicable.
5. AI features
Apple App Review Guideline 5.1.2(i) disclosure:
Life GPS includes an AI-powered chat assistant. When you send a message:
- Your message + relevant context (name, current sphere scores, active desires/pains, current program, last ~10 messages) is sent to our AI provider (OpenAI and/or Anthropic).
- The provider processes data and returns a response.
- Per our DPA: messages are not used to train foundation models (zero-retention enabled where supported).
- Chat history retained in your Supabase account; you can delete any message any time.
What we do NOT send: your email (provider sees only internal user ID), raw credentials, payment info.
Right to opt out: disable AI chat in Settings. Rest of App keeps working.
6. Data retention
| Data | Retention |
|---|---|
| Active account | Until your account is deleted |
| Deleted account | Hard-deleted within 30 days (backups purged within 90 days) |
| Auth logs (IP, timestamps) | 30 days |
| Error logs (Sentry) | 90 days |
| Analytics (PostHog) | 12 months pseudonymized; aggregated counts indefinitely |
| AI chat history | Until you delete or account deletion |
| Email delivery logs | 14 days |
| Legal compliance records | 3 years post-account-deletion |
7. Your rights
Under GDPR / CCPA / similar laws:
- Access — Settings → Data → Export (JSON), or email privacy@lifegpsos.com
- Rectification — Edit profile in Settings, or email
- Erasure — Settings → Delete account; processed within 30 days
- Portability — JSON export, same as Access
- Restriction — Email privacy@lifegpsos.com
- Objection — Opt out of analytics in Settings
- Withdraw consent — Disable feature in Settings
- Lodge a complaint — With your local data protection authority (EU: edpb.europa.eu)
Response time: within 30 days (extendable to 60 for complex requests).
8. Security
- Encryption in transit: TLS 1.2+
- Encryption at rest: AES-256 (Supabase)
- Access control: only authorized personnel; logged and audited
- Auth tokens stored in iOS Keychain / Android Keystore (Expo SecureStore)
- Row-Level Security (RLS) on database
- Incident response: notify users + supervisory authority within 72 hours per GDPR Art. 33
9. Children
Life GPS is not intended for users under 16 years of age in the EU/EEA, or under 13 in the United States. We do not knowingly collect data from children below these ages. Contact privacy@lifegpsos.com if you believe we have.
10. Cookies and local storage (mobile app)
The mobile app does not use browser cookies. It uses:
- Secure local storage (Keychain / Keystore) — auth tokens
- Async storage — cached profile data, task state, preferences. Cleared on logout.
11. Changes to this policy
We may update this policy. When we do:
- "Last updated" date changes.
- We notify you in-app at least 14 days before material changes take effect.
- Material legal changes may require renewed consent.
12. Contact
| For | Contact |
|---|---|
| Privacy / data rights | privacy@lifegpsos.com |
| Account / product support | support@lifegpsos.com |
| Abuse / AI content reports | abuse@lifegpsos.com |
| Business / press | hello@lifegpsos.com |
| Legal / DPO | WAADSU s.r.o., waadsu45@gmail.com |
Until production domain is live, all addresses route to waadsu45@gmail.com.
13. Supplemental jurisdictional notices
13.1 California residents (CCPA / CPRA)
You have the right to know what categories of personal information we collect and to opt out of "sale" or "sharing". We do not sell or share your information. Contact privacy@lifegpsos.com.
13.2 Brazilian users (LGPD)
LGPD rights are substantially similar to GDPR. Contact our Controller above.
13.3 Russian users (152-FZ)
If located in Russia, you have rights under Federal Law No. 152-FZ. Requests via Section 12 contacts. Response within 30 days.
13.4 Other jurisdictions
Local data protection laws apply. We default to the stricter standard.