Privacy Policy

Last updated: 23 May 2026

Vasowin (the "Service") is operated by Florent Pépin, an individual sole trader based in the United Kingdom ("we," "our," "us"). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over it. By using Vasowin, you agree to this Policy.

1. Information We Collect

We collect only the minimum information needed to provide our services:

  • Account information: your email address and any optional display name.
  • Therapy progress data: exposure levels you complete, your self-reported SUDS (Subjective Units of Distress) anxiety ratings, session timestamps, and related practice tracking.
  • Subscription status: whether you have an active premium subscription, the plan type, and renewal/expiration dates (received from RevenueCat and Google Play).
  • Device and usage data: when you use the app, PostHog automatically collects a pseudonymous identifier, your IP address (used for approximate geographic location only, not stored long-term in identifiable form), device type, OS version, app version, screen size, and in-app events (which screens you visit, which features you use).
  • Communications: if you email us for support or to request deletion, we retain that correspondence to respond and for record-keeping.

We do not collect your full payment card details (handled directly by Google Play; we receive only your subscription status and a transaction identifier), real-time location or GPS data, contacts, photos, microphone or camera data, or doctor-administered medical records.

2. Health Data

Your therapy progress (SUDS ratings, exposure levels, session history) may constitute data concerning health under GDPR Article 9 and similar laws. We process this data solely on the basis of your explicit consent, given when you sign up and use the app. You can withdraw your consent at any time by deleting your account (see Section 10). We do not share your health data with insurers, employers, advertisers, or any party outside the sub-processors listed in Section 6.

3. How We Use Your Information

We use your information to:

  • Provide and personalize the Service.
  • Track your exposure-therapy progress and surface relevant next steps.
  • Process subscription payments and manage entitlements via Google Play and RevenueCat.
  • Improve and debug the Service using PostHog analytics.
  • Send transactional emails (account verification, support replies) via Resend.
  • Respond to your support and privacy requests.
  • Comply with our legal obligations.

We do not use your information for targeted advertising, and we do not sell your data.

4. Legal Basis for Processing (EU/UK users)

If you are located in the European Economic Area (EEA) or the UK, we process your personal data under the following legal bases:

  • Contract (Art. 6(1)(b)): providing the Service you signed up for.
  • Explicit consent (Art. 9(2)(a)): processing of health-related data such as SUDS ratings and exposure history.
  • Legitimate interests (Art. 6(1)(f)): security, fraud prevention, debugging, and aggregated analytics.
  • Legal obligation (Art. 6(1)(c)): where required by applicable law.

5. Payment Information

Subscription payments are processed by Google Play in accordance with Google's policies. Our subscription provider RevenueCat (RevenueCat, Inc.) helps us manage entitlements and receive purchase/renewal status. We never see or store your full payment card information. We receive only the subscription product you bought, its status (active, in grace period, canceled, or expired), and a transaction identifier.

6. Sub-Processors

We share the minimum data necessary with the following sub-processors, each contractually bound to protect your data:

  • Supabase (Supabase, Inc., USA) — database, authentication, and storage. Stores your email, sessions, SUDS ratings, and progress.
  • RevenueCat (RevenueCat, Inc., USA) — subscription management. Receives an app user ID and subscription events.
  • Google Play (Google LLC, USA) — payment processing for in-app subscriptions.
  • Cloudflare (Cloudflare, Inc., USA) — content delivery for images and videos used in exposure exercises.
  • Vercel (Vercel, Inc., USA) — hosts our API at api.vasowin.com. Logs IP addresses for security and abuse prevention.
  • Resend (Resend, Inc., USA) — sends transactional emails (account verification, support replies).
  • PostHog (PostHog, Inc., EU region) — pseudonymous product analytics. Data is processed in the European Union.
  • Expo / EAS Updates (Expo, Inc., USA) — delivers over-the-air application updates.

If we add or materially change a sub-processor, we will update this Policy and notify you of significant changes.

7. Data Retention

We retain your personal data only as long as your account is active. If you delete your account or request deletion, your personal data will be permanently removed from our systems within 30 days, except for the minimum records we are legally required to keep (e.g., transaction records for tax or audit purposes, which are retained for the statutory period; see Section 10). Anonymized, aggregate analytics that cannot be linked back to you may be retained indefinitely.

8. Your Rights

For EU/UK Users (GDPR):

  • Right to access, correct, or delete your data.
  • Right to restrict or object to processing.
  • Right to data portability.
  • Right to withdraw consent at any time.
  • Right to lodge a complaint with your data protection authority (e.g., the UK Information Commissioner's Office).

For US Users (CCPA/CPRA and other state laws):

  • Right to know what categories of personal information we collect and how we use them.
  • Right to request access, correction, or deletion of your data.
  • Right to opt out of the "sale" or "sharing" of personal information — we do neither.
  • Right to non-discrimination for exercising your rights.
  • We honor Global Privacy Control (GPC) browser signals as a valid opt-out request where applicable.

9. Exercising Your Rights

To access, correct, export, or delete your data, contact us at the email address given in Section 10 (for deletion, you can also use the in-app option described there).

We may need to verify your identity (e.g., by asking you to reply from the email address on file) before fulfilling your request. We respond within 30 days, which is within the time limits set by GDPR (one month) and the CCPA (45 days); if a request is unusually complex we will tell you why more time is needed, as those laws allow.

10. Account Deletion

You can request permanent deletion of your Vasowin account at any time:

  • From inside the app: open Settings → Delete Account.
  • By email: send a request to flox.studio@proton.me with the subject "Delete my Vasowin account".

When we receive your request, we permanently delete your account, sessions, progress, SUDS history, and any cached media references within 30 days. We retain only the minimum data required by law (e.g., transaction records for tax or audit purposes) for the statutory retention period.

Account deletion does not automatically cancel an active Google Play subscription — please cancel that separately in your Google Play account settings before requesting deletion.

11. Security

We use industry-standard measures to protect your personal information, including TLS (HTTPS) encryption for all data in transit, encryption at rest provided by our database provider, internal access restricted to those who need it, and authentication tokens kept in the device's secure storage rather than in plain files. No system is completely secure, and we cannot guarantee absolute security; if you believe your account has been compromised, contact us using the details in Section 10.

12. Children's Privacy

Vasowin is intended for users aged 16 and over. If your country requires a higher age for digital consent, that higher age applies. We do not knowingly collect data from children below the applicable age. If we discover that we have collected data from a child without verifiable parental consent, we will delete it promptly.

13. International Data Transfers

Your information may be processed outside your country of residence, including in the United States (where most of our sub-processors are based) and the European Union. Where required by GDPR or UK law, we rely on appropriate safeguards including the EU Standard Contractual Clauses and the UK International Data Transfer Addendum to protect your data.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version with a new "Last updated" date. For significant changes, we will also notify you by email or in-app.

15. Contact Us

For any questions about this Privacy Policy, to exercise your rights, or to report a security concern: