Privacy Policy

Comprehensive draft — pending final Dutch jurist sign-off. This document has been written to be complete and faithful to how the Breathe app actually works, so that a qualified Dutch privacy/consumer-law jurist can give a final review and sign-off rather than fill gaps. It has not yet been formally reviewed by counsel, and the administrative placeholders below ([KVK NUMBER], [REGISTERED ADDRESS], [BTW NUMBER]) are pending the studio's Kamer van Koophandel registration and Belastingdienst BTW issuance. Do not treat this document as lawyer-approved until those fills are completed and the jurist review is closed out.

Last updated: 2026-06-14 · Document version: 12

Effective date: the "Last updated" date above is the effective date of this version.

Studio: Richicinschi (eenmanszaak) · KvK: [KVK NUMBER] · BTW: [BTW NUMBER] · Registered address: [REGISTERED ADDRESS] · Website: https://richicinschi.com · Contact: hi@richicinschi.com

At a glance (plain-language summary)

This short summary is provided for convenience. It does not replace the full policy below, and the detailed sections control where they differ.

Who we are. Breathe is published by Richicinschi, a one-person business (eenmanszaak) in the Netherlands. We are the data controller.
What we collect. An anonymous app identifier on first launch; aggregate, no-free-text usage analytics and crash diagnostics (both of which you can switch off); your email and an optional display name if you create an account; your breathing-session history and challenge progress (stored only on your device unless you subscribe; subscribing uploads your recent on-device history — at most the last 7 days — to your account once, so your streak carries over; challenge progress is kept in your account from the moment you subscribe — a challenge already in progress on the device does not carry over); and your subscription status. We do not collect location, health data, contacts, photos, microphone recordings, or advertising identifiers, and we serve no ads.
Why. To run the app, secure your account, bill for Pro features, send the daily reminder you opted into, fix bugs, improve the product, and meet our legal obligations.
Your controls. Turn analytics and crash reporting off in Settings → Data & privacy; turn the daily reminder off in Settings; edit your display name in Settings → Account (to change your account email, email us at hi@richicinschi.com); delete your account in Settings → Account → Delete account.
Your rights. You have GDPR rights (access, rectification, erasure, restriction, portability, objection, withdraw consent) and, if you are a California resident, CCPA/CPRA rights. We do not sell or share your personal data.
Where it lives. Most data is in the EU (Google Firebase europe-west). Firebase Authentication (your email, account identifier, tokens) is processed by Google in the United States. US transfers are covered by the EU-US Data Privacy Framework (Google) and the EU Standard Contractual Clauses (RevenueCat, which is not DPF-certified), plus our transfer-impact assessment.
Contact. Email hi@richicinschi.com for any privacy matter.

Accessibility & languages. This policy is available in English and Dutch, in the App and on our website. If you need the policy in another accessible format, email hi@richicinschi.com and we will provide one.

1. Who we are

This app ("Breathe") is published by Richicinschi, a sole proprietorship (eenmanszaak) registered in the Netherlands at the Kamer van Koophandel under KvK number [KVK NUMBER], with registered business/correspondence address [REGISTERED ADDRESS] and BTW (VAT) number [BTW NUMBER]. Richicinschi is the data controller under Regulation (EU) 2016/679 (the GDPR — in Dutch, the Algemene Verordening Gegevensbescherming or AVG) for personal data processed in connection with the app.

Where the studio's registered legal name differs from the trade name (handelsnaam) under which it operates, both will be stated here once the KvK registration is finalised.

For any privacy question, request, or complaint described in this policy, contact us at hi@richicinschi.com or by post at [REGISTERED ADDRESS]. Because Richicinschi is a sole proprietorship, your request is read and actioned by the studio's owner personally.

No Data Protection Officer. We have not appointed a Data Protection Officer (DPO) because none of the triggers in Article 37(1) GDPR apply to us: we are not a public authority, our core activities do not consist of large-scale regular and systematic monitoring of data subjects, and our core activities do not consist of large-scale processing of special categories of data. This determination is documented in our internal compliance records and reviewed at least annually. For any data-protection matter, contact hi@richicinschi.com.

EU representative. Because Richicinschi is established in the European Union (the Netherlands), it is not required to appoint an Article 27 GDPR representative.

UK users. For users in the United Kingdom, the UK GDPR applies in parallel to the EU GDPR. The need (if any) for a UK Article 27 representative is under assessment with our jurist; international transfers affecting UK users are addressed in §7.

2. Definitions

For clarity, in this document:

App — the Breathe mobile application published on the Apple App Store and Google Play.
Service — the App together with any associated cloud services we operate (Firebase Authentication, Firestore database, Cloud Functions, hosted privacy/terms pages).
User, you — a person who installs, opens, or uses the App, whether or not they create an account.
Anonymous user — a User who has not yet created or signed into an account. Identified internally by an opaque Firebase user identifier (UID).
Account — the persistent record created when a User signs up with email/password, Google Sign-In, or Apple Sign-In (available once the iOS version launches).
Personal data, processing, controller, processor — have the meanings given in Articles 4(1), 4(2), 4(7), and 4(8) of the GDPR.
Pseudonymised data — data, such as the opaque Firebase UID, that can no longer be attributed to a specific person without additional information kept separately. Pseudonymised data remains personal data under Article 4(5) GDPR.
Anonymised data — data processed so that it can no longer be attributed to an identified or identifiable person and cannot be re-identified. Anonymised data is not personal data (GDPR Recital 26).
We, us, our — Richicinschi as the data controller.

3. Categories of personal data, sources, and lawful basis

We collect only what is necessary to run the Service, secure your account, improve the experience, and meet our legal obligations. The tables below list every category, when it is collected, where it comes from, and the legal basis under Article 6 GDPR for processing it.

Sources of personal data. Across the categories below, personal data reaches us in three ways: (a) directly from you (e.g. your email, display name, the sessions you complete, your reminder preference); (b) automatically through your use of the App and via the Firebase SDKs (e.g. the anonymous identifier, analytics events, crash diagnostics, server-log data); and (c) from third parties (your chosen sign-in provider supplies your email and, for Apple, an optional name; RevenueCat supplies your subscription status). Each row below identifies its source.

3.1 Always collected (from first launch)

Data	Description	Source	Lawful basis
Anonymous Firebase Authentication UID	An opaque identifier created on first launch so we can save your session history and progress before you create an account. It is pseudonymised data, not a stable cross-app advertising identifier.	Automatic (Firebase)	Art. 6(1)(f) — legitimate interests in operating the Service.
Aggregate product-interaction events (Firebase Analytics)	Screen views, button taps, paywall interactions, session starts/completions, settings toggles, and app-lifecycle events (e.g. `first_open`, `app_open`, `app_remove`). Firebase auto-collects app version/build number, device language/locale, device model and OS, screen/display attributes (e.g. resolution), an approximate region/time-zone, an organic install source / Play install-referrer, a non-advertising app-instance/installation identifier, and session/engagement metrics such as session duration. There is no ad or campaign attribution and no advertising SDK. Firebase auto-stamps each event with a timestamp. Events do not contain free-text content. While you are signed in, events are recorded against your account identifier (the Firebase UID) for attribution — we analyse the results only in aggregate, but the underlying events are linked to your account, and our store privacy labels declare this linkage. The full event taxonomy is documented in the App's source tree (`apps/breathe-app/ANALYTICS.md`) and is available on request from hi@richicinschi.com.	Automatic (Firebase)	Art. 6(1)(a) — your consent. Analytics is off by default; you enable it under Settings → Data & privacy (see the note below).
Crash diagnostics (Firebase Crashlytics)	When the App crashes: stack trace, app version/build, device model, OS version, device language, the screen that was active at the time, and device-state values that Crashlytics collects by default (e.g. available memory and storage, CPU/architecture). This is crash-time diagnostics only — we do not run a separate performance-monitoring SDK and do not collect detailed load-time, frame-rate, or continuous memory telemetry. No free-text personal content; while you are signed in, crash reports are linked to your account identifier (the Firebase UID) so we can see how many accounts a fault affects.	Automatic (Firebase)	Art. 6(1)(a) — your consent. Crashlytics is off by default; you enable it under Settings → Data & privacy.
Push-notification interaction events	An anonymous event recording that a daily reminder was opened (`daily_reminder_opened`), logged via Firebase Analytics to measure reminder effectiveness. No notification content is logged.	Automatic (Firebase)	Art. 6(1)(a) — your consent (logged via Analytics, which is off until you enable it).
IP address / server connection logs	When the App or your browser connects to our hosted pages, Cloud Functions, or our processors, your IP address, request timestamp, HTTP method, response status, and user-agent appear transiently in our processors' server logs (Firebase Hosting, Cloud Functions, and Cloudflare). We use these for security, abuse prevention, and operations. Your IP can indicate only coarse, city/country-level location for aggregate reporting; we do not use it to track your movements or to build a location profile, and we do not retain raw IP addresses ourselves beyond the short operational windows in §8.	Automatic (our processors)	Art. 6(1)(f) — legitimate interests in security and reliable operation.
Legal-obligation records	Where we are legally required to do so, we process the minimum records needed to comply with Dutch tax/accounting law and to respond to lawful requests (see §6 "Disclosures required by law" and §8 retention).	Derived from the above	Art. 6(1)(c) — compliance with a legal obligation.

Firebase Analytics and Crashlytics are off by default. You can turn them on — and off again — at any time under Settings → Data & privacy; a single combined switch controls both. Nothing is collected or transmitted until you enable them. In the Netherlands these device-storage/telemetry functions require your prior consent under the ePrivacy Directive (art. 5(3)) and the Telecommunicatiewet (art. 11.7a), so they are opt-in, not opt-out; legitimate interest does not displace that consent requirement. Device language/locale is auto-collected as a default Analytics property only while Analytics is on.

3.2 Collected when you create an account

Data	Description	Source	Lawful basis
Email address	Required if you sign in with email/password. Also provided by Google Sign-In and (optionally) by Apple Sign-In (available once the iOS version launches); Apple's private-relay addresses are supported.	Directly from you / sign-in provider	Art. 6(1)(b) — performance of a contract, and steps taken at your request before entering into a contract.
Display name (optional)	Provided by Apple Sign-In if you allow it (available once the iOS version launches); otherwise the name you set yourself in Settings → Account.	Directly from you / sign-in provider	Art. 6(1)(b).
Federated sign-in identifier	When you use Google or Apple Sign-In, the provider's account/subject identifier backs the federated login and is held by Firebase Authentication so we can recognise your account.	Sign-in provider	Art. 6(1)(b).
Email-verification status, password-reset tokens	Issued by Firebase Authentication; short-lived tokens expire automatically (verification: ~3 days; reset: ~1 hour).	Automatic (Firebase)	Art. 6(1)(b).
Consent & age-attestation records (`acceptedTermsAt`, `termsVersion`, `ageConfirmedAt`)	At sign-up you tick (a) the Terms/Privacy consent box and (b) a separate 16+ self-attestation box (neither is pre-ticked); we record each acceptance with a timestamp and the accepted document version on your user record.	Directly from you	Art. 6(1)(a) — consent — together with Art. 7(1) (evidencing consent); and Art. 6(1)(c) (verifying the Art. 8 age-of-consent threshold).

Data collected during the sign-up/account-creation flow is processed under Article 6(1)(b) as steps taken at your request prior to entering into the contract (the pre-contractual limb), as well as for performing the contract once your account exists. Providing the account data in this section is a contractual requirement: without an email address (or a federated sign-in) you cannot create an account or use the account-based features of the Service. Providing consent-based data (analytics, crash diagnostics, reminders) is always optional, and declining it has no consequences for your use of the App.

3.3 Collected when you complete a session

Data	Description	Source	Lawful basis
Session record	Breathing technique identifier, number of rounds, whether voice or ambient audio were on, completion timestamp. For free users, this is stored only on your device (see §8); it does not reach our servers. For subscribers it is synced to your Firestore document. When you upgrade to a subscription, the App uploads your recent on-device session history (at most the rolling 7-day window described in §8) to your Firestore document once, so your streak and history carry over to your account.	Directly from you (your practice)	Art. 6(1)(b) — to show your history and compute your streak (a feature of the Service); the one-time upload on subscribing is part of delivering the cross-device sync you purchased.
Streak count	Derived from your session records.	Derived	Art. 6(1)(b).
Challenge progress	If you start one of the in-app challenges (3/7/14 days): the challenge identifier, start timestamp, the current run of completed days, and the completion timestamp of finished challenges. For free users this is stored only on your device (see §8); it does not reach our servers. For subscribers it is synced to your account (`users/{uid}/challenges`) so it carries across devices.	Directly from you (your practice)	Art. 6(1)(b) — delivering the challenges feature and its cross-device sync.

3.4 Collected when you set up a reminder

Data	Description	Source	Lawful basis
Reminder time preference (`HH:mm`)	Stored on the device only; not transmitted to our servers. Used by the operating system to fire a local notification at the chosen time. (Where an analytics event records that a reminder setting was changed, it logs only the coarse fact `"changed"`, not your exact time.)	Directly from you	Art. 6(1)(a) — your explicit consent (the reminder toggle is opt-in and OFF by default).
OS notification permission state	Whether you granted, denied, or revoked the operating system's notification permission.	Directly from you / OS	Art. 6(1)(a).

Enabling reminders triggers your device's notification-permission prompt (the iOS notification dialog, or the Android 13+ POST_NOTIFICATIONS prompt). At onboarding we explain why daily reminders are useful before offering to enable them; you can grant or deny the permission then, and you can revoke it at any time in your device's system settings. All reminders are scheduled locally on your device; Breathe uses no Firebase Cloud Messaging or other remote-push provider, so no reminder is sent from, or routed through, our servers.

Data	Description	Source	Lawful basis
Subscription status, plan (`breathe_annual` / `breathe_monthly`), renewal/expiry date, trial flag, billing-issue flag, cancellation/refund timestamps	Provided by RevenueCat and mirrored into our database via a server-to-server webhook keyed by your Firebase UID, stored at `users/{uid}/private/subscription` (server-written, client read-only).	Third party (RevenueCat)	Art. 6(1)(b) — performance of the subscription contract.
Withdrawal-consent record (`withdrawalConsentAt`)	When you tick the immediate-performance / loss-of-withdrawal checkbox on the paywall and your purchase activates, we record a timestamp on your user record evidencing that request (see Terms §6).	Directly from you	Art. 6(1)(c) — evidencing the consumer's request for immediate performance under the Consumer Rights Directive — and Art. 6(1)(b).
Receipt / purchase token	Held by RevenueCat for validation; we do not store these ourselves.	Third party (RevenueCat)	Art. 6(1)(b).
Itemised purchase history (what was bought, when, the amount paid)	Held by Apple or Google as merchant of record. We do not store your purchase history or prices — we hold only the subscription-status mirror described above. (Under Apple's App Privacy taxonomy this status mirror is categorised under "Purchase History", even though we store no itemised purchases or prices ourselves.)	Held by Apple/Google	n/a — not stored by us.
Payment-card or banking details	We never see or store these. They remain with Apple or Google.	Held by Apple/Google	n/a — not collected by us.
Billing name and address	Held by Apple or Google as merchant of record; we never see or store your billing name or address.	Held by Apple/Google	n/a — not collected by us.
Payment method / type (card, PayPal, Apple Pay, Google Pay, iDEAL, etc.)	Selected and held entirely by Apple or Google; never disclosed to or stored by us.	Held by Apple/Google	n/a — not collected by us.
Promotional / offer codes	Any promo or offer code is redeemed at the Store; we receive only the resulting subscription status via the mirror above and do not separately store promo-code identifiers.	Held by Apple/Google	n/a — not stored by us.
Transaction records we are legally required to keep	Where Dutch tax/accounting law requires it, we retain the minimal subscription/transaction records we do receive (the status mirror above and any invoices/payout statements).	Derived	Art. 6(1)(c) — compliance with a legal obligation (see §8).

3.6 Support and feedback

If you email us for support, or send us feedback or a testimonial, we process the content of that message (and your email address) to answer you and to operate and improve the App. There are no in-app surveys and no in-app feedback forms that transmit free-text to us. Lawful basis: Art. 6(1)(b) (handling a request that relates to your contract) and/or Art. 6(1)(f) (legitimate interests in supporting and improving the Service). Retention is described in §8.

3.7 Special-category data

We do not collect any data that constitutes special categories under Article 9 GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for identification, health data, or data concerning a person's sex life or sexual orientation). The App does not record symptoms, diagnoses, medical history, biometrics, or any health measurements. Breathe is a general-wellness app — it is not a medical device and not a personal health record, and the practice data it stores (technique, number of rounds, timestamps, derived streak) is not health data. For the avoidance of doubt, your session records (breathing technique, number of rounds, timestamps, and the derived streak) are general-wellness usage data and do not constitute Article 9 health (including mental-health) data.

4. What we do not collect

For the avoidance of doubt and to align exactly with our Apple App Privacy label and Google Play Data Safety declaration, we do not collect:

Microphone audio or any audio recordings.
Precise location data; and we do not use IP-derived coarse location to track you (see §3.1).
Contacts, calendar entries, or photos.
Apple HealthKit or Google Health Connect data.
Cross-app advertising identifiers (IDFA on iOS, GAID/Android Advertising ID on Android — the Android manifest removes the AD_ID permission and ad-services entries).
Other stable cross-app device identifiers used for tracking (IDFV, Android ID, IMEI, MAC address) — Firebase uses only a non-advertising app-instance/installation identifier together with device model/OS for analytics and crash diagnostics.
Biometric identifiers (fingerprints, FaceID templates, voiceprints).
Web browsing or search history outside the App.
The list of apps installed on your device, or the accounts configured on your device — we do not read either.
Coarse location derived from cell-tower or Wi-Fi scanning. The App requests no location permission and uses no location-services framework (no Apple Core Location / MapKit, no Google Location Services / Fused Location Provider).
SMS, messages, or any communication content.
Your clipboard / pasteboard contents — we do not read them for collection.
Cellular carrier name or network type (Wi-Fi / 4G / 5G).
Photos or videos uploaded, recorded, or shared — the App requests no camera or photo-library permission.
Files or documents from your device — we access no shared Documents/Downloads or other folders and request no storage permission.

We serve no advertising, use no advertising SDKs, and use no AI/ML processing of your data.

If you spot a discrepancy between this policy and either store's published declarations, the store declarations are authoritative while we correct this document.

5. How we use your data

Each use ties back to a lawful basis listed in §3. Where more than one basis applies, the primary basis is listed first and any secondary/fallback basis follows.

Purpose	Categories used	Lawful basis (primary → secondary)
Operate the App: save your sessions, compute your streak, sync settings between devices when you sign in.	§3.1, §3.2, §3.3, §3.4	Art. 6(1)(b) → Art. 6(1)(f)
Secure your account: send verification + password-reset emails, detect deletion-requested accounts, defend against abuse.	§3.2	Art. 6(1)(b) → Art. 6(1)(f)
Provide and bill for Pro features: validate purchases with the store, gate access to Pro-only features, restore purchases on reinstall.	§3.5	Art. 6(1)(b)
Send the daily reminder you opted into.	§3.4	Art. 6(1)(a)
Improve the product: analyse analytics events in aggregate to understand which features people use and where they drop off (the underlying events are account-linked as described in §3.1).	§3.1	Art. 6(1)(a) — consent (Analytics is opt-in, off by default; see §3.1)
Detect and fix crashes and software faults.	§3.1	Art. 6(1)(a) — consent (Crashlytics is opt-in, off by default; see §3.1)
Security, abuse-prevention, and fraud-prevention via server logs and platform/store anti-fraud signals.	§3.1, §3.5	Art. 6(1)(f)
Support: respond to questions, feedback, or testimonials you send us.	§3.6	Art. 6(1)(b) → Art. 6(1)(f)
Comply with legal obligations: keep tax/accounting records, respond to lawful requests, and establish/exercise/defend legal claims.	§3.1, §3.5	Art. 6(1)(c) → Art. 6(1)(f)

Any personalisation is limited to the preferences you set yourself (e.g. audio defaults, reminder time) and the streak derived from your own sessions. We do not build behavioural profiles. We do not use your data to build advertising profiles, train machine-learning models on it, sell it, or share it with marketing networks or data brokers.

Legitimate-interests assessment. For each purpose relying on Article 6(1)(f) (for example, securing your account, server-log security and abuse-prevention, and the pseudonymous app identifier), we have carried out and recorded an internal Legitimate Interests Assessment (purpose, necessity, and balancing test). Factors that weigh in favour of processing include: the data is aggregate and contains no free text, no special categories, and no advertising identifiers; and storage is EU-region. Analytics and crash diagnostics do not rely on legitimate interest — they are based on your consent (opt-in, off by default; see §3.1), which you can withdraw at any time (§9). You can object to legitimate-interest processing as described in §9.

New purposes. Before processing your personal data for any new purpose, we will assess whether the new purpose is compatible with the original purpose under Article 6(4) GDPR. Where the new purpose is incompatible and relies on consent, we will obtain fresh, specific, opt-in consent before processing. We review the lawful basis for each processing activity at least annually and whenever a processing operation materially changes.

6. Recipients and processors

We rely on a small number of third parties to deliver the Service. Except as set out in this section, we do not share personal data with any other third party. Each processor below is a processor under Article 28 GDPR — it acts only on our documented instructions, under a contract containing the obligations required by Article 28(3) (confidentiality, security, sub-processing controls, assistance, deletion/return, and audit), and may not use the data for its own purposes.

Processor	Role	Country of processing	Safeguard
Google (Firebase) — Authentication, Firestore, Cloud Functions, Analytics, Crashlytics, Hosting	Account storage, app data, server logic, analytics, crash diagnostics, hosting of public privacy/terms pages, server connection logs.	Firebase Authentication is processed in the United States; Firestore + Cloud Functions in the EU multi-region (`europe-west`); Analytics, Crashlytics, Hosting and server logs may be processed globally.	Google's Data Processing Addendum incorporating the 2021/914 SCCs + EU-US Data Privacy Framework (Google LLC is DPF-certified) where US transfer occurs.
RevenueCat	Subscription middleware: validates store receipts, manages entitlements, mirrors subscription state into our database via webhook.	United States.	RevenueCat DPA incorporating the EU Commission's 2021/914 SCCs (Module 2). RevenueCat is not DPF-certified; the SCCs + our transfer-impact assessment are the safeguard.
Cloudflare	DNS for `richicinschi.com` and Email Routing (forwarding inbound mail addressed to `hi@richicinschi.com` to the studio's primary inbox); edge handling generates transient connection logs. Email content is forwarded but not retained by Cloudflare.	Global edge network with EU points of presence.	Cloudflare's DPA + SCCs + EU-US Data Privacy Framework.

Independent controllers (payment processing). When you buy a subscription, Apple App Store (iOS) and Google Play (Android) act as the merchant of record and as independent controllers for the payment data they handle, determining the purposes and means of that processing for their own purposes. Their handling of your payment data is governed by Apple's and Google's own privacy policies. We never see your payment-card or banking details (see §3.5).

Store-provided aggregate analytics. As the App's distributors, Apple and Google also provide us, as independent controllers of their own platform analytics, with aggregate, non-identifying statistics about the App — for example install and update counts, aggregate crash and performance metrics (including Google Play's Android Vitals), and coarse regional/territory and device-mix breakdowns. These are statistics about the App in aggregate, not individual records we can tie to you, and they reach us regardless of whether you have enabled the in-App analytics and crash diagnostics in §3.1. We use them only to understand the App's reach and stability at a population level. Because these reports are aggregate and do not identify you, they are not personal data about you under the GDPR (Recital 26). (Google appears in this section in two distinct roles: as our processor for the Firebase services in the table above, and — together with Apple — as an independent controller of the store-distribution statistics described here.)

Outbound transactional email. Of the three transactional emails in §13, email-address verification and password reset (items 1–2) are sent through Firebase Authentication; the one-time purchase & withdrawal-waiver confirmation (item 3) is queued in our database and delivered via the Firebase "Trigger Email" extension through our SMTP delivery provider [LEGAL REVIEW REQUIRED — name the SMTP provider configured at deploy, add it to the §6 processor table, and confirm the verified sender address once the custom richicinschi.com sender domain is configured].

Beta-testing programs. If you take part in a pre-release test via Apple TestFlight or Google Play internal/closed testing, Apple or Google process your tester identifier (e.g. the tester email you enrol with) and any feedback or crash data you submit through their beta channels as independent controllers under their own terms. Any tester feedback that reaches us is handled like support feedback (§3.6), under the retention in §8.

Other recipients. In addition to the processors above, personal data may occasionally be made available, only to the minimum extent necessary, to:

Professional advisors (e.g. our lawyer, or our accountant for statutory bookkeeping/BTW purposes) under a duty of confidentiality, where necessary for our legitimate interests (Art. 6(1)(f)) or to comply with a legal obligation (Art. 6(1)(c)).
Fraud/abuse-prevention entities (including the stores' and RevenueCat's anti-fraud functions) where necessary to detect or prevent fraud and paywall circumvention (Art. 6(1)(f)).
A successor in a business transfer, as described below.
Public authorities, courts, regulators, or law enforcement, as described under "Disclosures required by law".

Sub-processors. Our processors engage their own sub-processors. Under each processor's DPA we have given general written authorisation for sub-processors with the right to be notified of changes and to object; processors may only engage sub-processors on terms consistent with Article 28(2) and (4). The current sub-processor lists are maintained by each processor and can be found on Google Cloud's, RevenueCat's, and Cloudflare's published sub-processor pages.

Disclosures required by law or to protect rights. We may disclose personal data where we believe in good faith that it is necessary to: (a) comply with a legal obligation, applicable law, regulation, or a valid legal request, court order, subpoena, warrant, or other enforceable legal process (Art. 6(1)(c)); (b) establish, exercise, or defend legal claims, or enforce our Terms, or protect the rights, property, or safety of Richicinschi (Art. 6(1)(f)); (c) protect the vital interests of you or another person in a genuine emergency (Art. 6(1)(d) — expected to be rare, as we hold no health or biometric data); or (d) prevent fraud or abuse. When responding to a law-enforcement or legal request, we disclose only the minimum data legally required, check the validity and legal basis of the request, and — where lawful and feasible — notify the affected user. These disclosures are an exception to the statement above that we do not share data with other third parties.

Business transfers. If Richicinschi is involved in a merger, acquisition, reorganisation (including incorporation as a BV), insolvency, bankruptcy, liquidation, or a sale of all or part of its assets, personal data may be transferred to, or accessed during due diligence by, the successor or prospective buyer as part of that transaction. Any such recipient will be required to honour this Privacy Policy (or a policy at least as protective), and your rights under the GDPR will not be diminished. We will notify you of any resulting change of data controller — via the in-App version banner and/or email — before or promptly after the transfer takes effect.

Liability split. As controller, Richicinschi is responsible for its own processing decisions; each processor is responsible, under its Article 28 DPA, for processing carried out on our documented instructions.

Compliance review. We review our processing activities and our processor list periodically, and maintain an internal record of processing activities (Article 30 GDPR).

7. International data transfers

Most of your personal data is stored in the European Union (Google's europe-west multi-region, currently in the Netherlands, Belgium, and Finland). Transfers outside the EEA occur only in the limited cases described below, and each is covered by appropriate safeguards under Chapter V GDPR:

Firebase Authentication data (your email, account identifier, authentication tokens, and connection IP) is processed by Google in the United States, regardless of our EU europe-west selection for storage. This transfer is covered by Google LLC's EU-US Data Privacy Framework certification and the 2021/914 SCCs (Module 2).
Aggregated analytics and crash diagnostics, and server connection logs, may be processed by Google globally. Google's contractual safeguards (EU-US Data Privacy Framework certification + the EU Commission's 2021/914 Standard Contractual Clauses, Module 2 controller-to-processor) apply.
RevenueCat is based in the United States and is not certified under the EU-US Data Privacy Framework. The transfer relies on the EU Commission's 2021/914 Standard Contractual Clauses (Module 2, controller-to-processor) in RevenueCat's DPA, supplemented by our documented transfer-impact assessment.
Cloudflare processing may occur globally; transfer is covered by Cloudflare's DPA + SCCs + EU-US Data Privacy Framework.
Apple and Google payment processing is performed under those companies' own privacy frameworks (both are DPF participants).

Transfer-safeguard verification. Before launch and at least annually, we verify on dataprivacyframework.gov that each US importer relying on the DPF (currently Google LLC, and Apple/Google for payment processing) holds an active EU-US DPF certification covering the relevant data; for importers relying on SCCs (RevenueCat, Inc.), we keep the signed SCCs and our transfer-impact assessment on file. We retain dated evidence of each check.

Schrems II / transfer-impact. We are aware of the CJEU "Schrems II" ruling (Case C-311/18, 16 July 2020). For US transfers, we rely on the EU-US Data Privacy Framework where the importer is certified, and on the 2021/914 SCCs supplemented by a documented transfer-impact assessment and proportionate supplementary measures (EU-region storage where available, TLS encryption in transit, Google-managed encryption at rest, data minimisation, and the absence of free-text content in analytics) where the DPF does not apply. Our transfer-impact assessment is kept as an internal compliance record.

UK and Switzerland. For UK-resident users, we rely on the UK's recognition of EEA adequacy for UK↔EEA flows, and on the UK Extension to the EU-US DPF and/or the UK Addendum to the EU SCCs (IDTA) offered by our US processors for onward US transfers, under the UK GDPR. For Swiss-resident users, where applicable we rely on the Swiss-US DPF and the Swiss FADP. The precise UK/Swiss positions are flagged for confirmation in our jurist review.

Ongoing monitoring. We monitor legal developments affecting international transfers (the EU-US DPF's adequacy status, relevant CJEU rulings, and SCC revisions) and will update the safeguards above and this policy accordingly. You may request a copy of the SCCs governing any of these transfers by emailing us at hi@richicinschi.com.

8. How long we keep your data

Data	Retention
Anonymous identifier + locally-stored session history (no account ever created)	Your session history is stored only on your device (local app storage); we keep no server copy of it. It is removed when you uninstall the App or clear its storage (though it may persist in, and be restored from, your own Android device backup — see "Your device backups" below). The anonymous Firebase Authentication identifier is held by Firebase Authentication; uninstalling or clearing the App's storage ends that session, and a new anonymous identifier is created only if you reopen the App. The App keeps only a rolling 7-day window of local session history — older local records are pruned automatically as new sessions are logged. Locally-stored challenge progress is kept alongside it and is not pruned — it stays until you uninstall the App or clear its storage. Because the local history never reaches us, we cannot remotely delete it on your behalf.
Account data (email, display name, sessions, streak, challenge progress, subscription mirror)	Until you delete your account (§11).
Inactive accounts	We keep your account data until you delete your account; we do not automatically delete an account merely because it is unused. As reserved in Terms §17.3, after a prolonged period of inactivity we may close and delete an account, but only after emailing a warning to your registered address with an opportunity to keep it active.
Account marked for deletion ("soft-deleted")	30 days in a recoverable state. Sign back in within that window to restore the account. After 30 days, an automated scheduled Cloud Function permanently deletes the account.
Crash diagnostics (Firebase Crashlytics)	Up to 90 days per Crashlytics defaults.
Analytics events (Firebase Analytics)	Up to 14 months per Google's standard analytics retention; user identifiers are reset on a 14-month rolling basis.
Server connection logs (IP, timestamp, method, status, user-agent)	Operational logs are managed by our processors (Google, Cloudflare) under their standard, short retention windows (typically a number of days to a few weeks) for security and debugging; they contain no free-text personal content. We retain no separate long-term copy.
Email-verification and password-reset tokens	Expire automatically (verification: ~3 days; reset: ~1 hour). Not stored after use.
Support / feedback communications	Retained only as long as needed to handle the matter and for a short follow-up period — generally up to 2 years from last contact — then deleted.
Consent and acceptance records	Records evidencing your consent and your acceptance of the Terms/Privacy (sign-up consent, any re-consent, the version accepted, with timestamp) are retained for the lifetime of the account plus a reasonable period afterwards, to evidence consent and acceptance under Article 7(1) GDPR, even after you withdraw consent.
Withdrawal-waiver confirmation email (queued copy)	The one-time purchase & withdrawal-waiver confirmation (§13 item 3) is queued in our database for delivery — the queued record holds your account identifier, your email address, and the plan, store, purchase date, and consent date it states. It is erased together with your account when deletion completes (§11). Lawful basis: Art. 6(1)(c) (the durable-medium confirmation required by EU consumer law) together with Art. 6(1)(b).
Erasure bookkeeping	If an automated account deletion fails (e.g. a processor outage), we keep a minimal operational record (your account identifier, attempt count, first/last attempt timestamps, the original deletion-request date, and the last error) until the erasure completes or you restore the account — the deletion is retried automatically every day and is never silently dropped. After erasure completes, a permanent pseudonymous deletion marker (the bare account identifier + deletion date) is kept as evidence the erasure was honoured and to prevent late subscription events from re-creating deleted data. Lawful basis for both records: Art. 6(1)(c) — compliance with our own GDPR obligations (honouring erasure under Article 17 and demonstrating it under Article 5(2)).
Tax / transaction / invoice records (held by us as controller)	Records we are legally obliged to keep for Dutch tax purposes (e.g. invoices and payout statements derived from the §3.5 subscription data) are retained for the statutory period of 7 years under the Dutch fiscal record-keeping obligation (fiscale bewaarplicht, art. 52 Algemene wet inzake rijksbelastingen). The exact period for an eenmanszaak will be confirmed in jurist review. Lawful basis: Art. 6(1)(c).
Payment records	Held by Apple and Google for the periods required by their own policies and applicable tax/accounting law. We do not store payment records ourselves.

Anonymisation vs. deletion. When a retention period ends, account-related data is deleted. Where we instead retain data in anonymised form, it is processed so that the Firebase UID and any direct or indirect identifiers are irreversibly removed, so the data can no longer be attributed to, or re-identified as, an individual; such anonymised data falls outside the GDPR (Recital 26). Fully anonymised, aggregated statistics that cannot be linked to any person may be retained indefinitely for statistical and product-improvement purposes.

Backups. Data lives in our processor's primary, durable storage (Firestore) rather than in separate backups we maintain. When data is purged from live systems, any replicas or backups held by our processor are overwritten or expire on the processor's standard cycle (for Firestore, point-in-time recovery retains recent changes for up to 7 days).

Your device backups (Android Auto Backup). On Android, the App participates in Android's standard device backup. If you have device backup enabled, Android may include the App's local data (your on-device session history, challenge progress, reminder time, and preferences) in the device backup stored with Google under your own Google account and restore it when you set up or migrate a device. That backup is created by your operating system on your behalf: it is encrypted by Android, we cannot access it, and it is never transmitted to our servers. You can exclude the App from backups, or turn device backup off, in your device's Android backup settings; deleting the backup is likewise managed through your Google account, not by us.

Legal-obligation and legal-claim overrides. Notwithstanding the periods above: (a) where Dutch or EU law requires it (e.g. the 7-year fiscal obligation), the relevant records are retained for the statutory period; and (b) we may retain personal data beyond the periods above where necessary to establish, exercise, or defend legal claims, for as long as such claims may be brought (under Dutch law, generally up to the applicable limitation period).

Review. We review the retention periods set out above at least annually to confirm they remain no longer than necessary, and maintain an internal retention schedule. We do not retain personal data "just in case".

As a data subject you have the rights set out below. You may exercise them by emailing hi@richicinschi.com (or by post to [REGISTERED ADDRESS]). Many can also be exercised directly in the App, as noted.

Identity verification. To protect your data, we may ask you to send your request from the email address associated with your account, or otherwise to confirm your identity, before we act (Art. 12(6) GDPR). We do not require additional ID for standard requests and will seek only proportionate further verification where there is genuine doubt about your identity.

Right of access (Art. 15). Confirmation of whether we process personal data about you and, if so, a copy of that data, together with: the purposes of processing; the categories of personal data; the recipients or categories of recipients; the retention period (or the criteria used to set it); the source of the data where not collected from you; the existence of your other rights and of the right to lodge a complaint; and information about any international transfers and their safeguards. The first copy is provided free of charge and in a commonly-used electronic format (e.g. JSON or PDF) unless you ask for another form. The copy comprises all personal data we hold about you (cross-referencing §3); note that the free-user on-device session history described in §8 never reaches us, so it is not in our possession to provide.
Right to rectification (Art. 16). Correction of inaccurate personal data, and completion of incomplete data, including by your providing a supplementary statement. Your display name can be edited from inside the App (Settings → Account); to correct your account email address, or anything else, write to us at hi@richicinschi.com and we will make the change for you after verifying the request. Where you contest accuracy, you may also ask us to restrict processing while we verify (Art. 18(1)(a)).
Right to erasure ("right to be forgotten", Art. 17). Beyond the always-available in-App deletion (§11), you may request erasure on the Article 17(1) grounds — the data is no longer necessary; you withdraw consent and there is no other basis; you object and there are no overriding grounds; processing is unlawful; a legal obligation requires erasure; or the data was collected from a child for online services. Limits (Art. 17(3)): we may retain certain data where required to comply with a legal obligation (e.g. tax records, or payment records held by Apple/Google) or for the establishment, exercise, or defence of legal claims (see §8 and §11).
Right to restriction of processing (Art. 18). You may obtain restriction where: (a) you contest the accuracy of the data (for a verification period); (b) the processing is unlawful and you prefer restriction to erasure; (c) we no longer need the data but you need it for a legal claim; or (d) you have objected under Art. 21 pending verification of overriding grounds. Effect (Art. 18(2)): while restricted, your data is only stored and not otherwise processed, except with your consent, for legal claims, to protect another person's rights, or for important public interest. We will inform you before any restriction is lifted (Art. 18(3)).
Right to data portability (Art. 20). For personal data you provided to us that we process by automated means on the basis of your consent or a contract (Art. 6(1)(a)/(b)) — e.g. your email, display name, and the session/streak history and challenge progress you generated as a subscriber — you may receive a copy in a structured, commonly-used, machine-readable format (we provide JSON). Where technically feasible, you may also ask us to transmit this data directly to another controller (Art. 20(2)); in practice we currently provide a JSON export you can transfer yourself rather than an automated controller-to-controller channel. Excluded: data processed under legitimate interests (e.g. the server-log/security processing in §3.1) is not portable but is covered by the right of access (item 1); analytics events (consent-based, account-linked pseudonymous usage events rather than content you provided) are likewise covered by the right of access; inferred or derived data (e.g. aggregate analytics insights) is not included, as you did not provide it; and free-user on-device session history never reaches us and so cannot be exported by us.
Right to object (Art. 21). You may object, on grounds relating to your particular situation, to processing carried out on the basis of our legitimate interests (for example, the pseudonymous app identifier, and our security and server-log processing). (Analytics and crash diagnostics are based on your consent and are off by default, so you control them through the right to withdraw consent in item 7 below, not this objection right.) On a valid objection we will stop the processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or for the establishment, exercise, or defence of legal claims. Any future direct marketing carries an absolute right to object at any time, free of charge, after which marketing stops immediately (Art. 21(2)-(3)).
Right to withdraw consent (Art. 7(3)). Where processing is based on your consent (analytics & crash diagnostics, which are off until you enable them; the reminders feature; any future marketing list), you may withdraw consent at any time, and as easily as you gave it — without needing to email us: turn the reminder toggle off (Settings) or revoke OS notification permission; turn Analytics/Crashlytics off under Settings → Data & privacy; and any future marketing email will carry a one-click unsubscribe. Withdrawal does not affect the lawfulness of processing before withdrawal. Withdrawing any consent (reminders, analytics, or crash reporting) has no detriment: it does not disable, limit, or reduce the quality of any other part of the App, and all Free and Pro features remain available.

How to exercise your rights

Email hi@richicinschi.com describing what you want. We respond within one calendar month of receipt as required by Article 12(3) GDPR. If your request is complex or you have made several requests, we may extend by up to two further months, in which case we will tell you within the first month and explain why. We do not charge a fee for normal requests; we may decline manifestly unfounded or excessive requests, or charge a reasonable fee, in line with Article 12(5). If we refuse a request, we will, without undue delay and within one month, inform you in writing of the reasons and of your right to lodge a complaint with the supervisory authority and to seek a judicial remedy (Art. 12(4)). Where appropriate, we communicate rectification or erasure to the recipients/processors to whom the data was disclosed (Art. 19). Access and portability exports are delivered securely (to the verified account email, e.g. via an authenticated or expiring download link, rather than as unprotected attachments).

Right to lodge a complaint

You have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (AP), or with the supervisory authority of your EU country of residence:

Autoriteit Persoonsgegevens Postbus 93374, 2509 AJ Den Haag, Netherlands Telephone: 088-1805250 Website: autoriteitpersoonsgegevens.nl

Lodging a complaint with the AP is free of charge and does not require you to contact us first or to exhaust any other remedy. For cross-border processing, the AP may act as the lead supervisory authority under the GDPR's one-stop-shop mechanism.

10. Automated decision-making and profiling

We do not engage in automated decision-making which produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. We do not profile you for credit, employment, insurance, or any similar purpose. Our analytics events are account-linked (§3.1) but are analysed only in aggregate to inform product decisions; they do not produce individual decisions that affect your access to the Service.

11. Account deletion

You can delete your account and all associated data from inside the App:

Settings → Account → Delete account → type DELETE to confirm.

This places your account into a soft-deleted state immediately. The App shows you an in-app confirmation that your deletion request has been recorded and that you have a 30-day window to restore by signing back in. We do not send an account-deletion confirmation email (the in-app confirmation is the confirmation you receive). After 30 days, an automated Cloud Function permanently removes:

Your Firebase Authentication record.
Your Firestore user document and all sub-collections (sessions, challenges, subscription mirror).
The queued copy of any withdrawal-waiver confirmation email addressed to your account email (§13 item 3).
Your RevenueCat subscriber record (so future store events are no longer associated with your account).

Deleting your account does NOT automatically cancel a paid subscription. Subscriptions are billed by Apple or Google, not by us. If you have an active subscription, cancel it first with the Store before deleting your account, otherwise the Store may continue to bill you. You can reach the Store's cancel flow via Settings → Account → Manage subscription in the App, or directly through your Apple App Store / Google Play account settings.

Irreversibility. After the 30-day grace period the deletion is permanent and irreversible — the data cannot be recovered by you or by us.

If an automated deletion attempt fails (for example, a temporary outage at one of our processors), the deletion is retried automatically every day until it completes, and we keep the minimal operational record described in §8 ("Erasure bookkeeping") so the request is never silently dropped. Your account continues to show as pending deletion until the erasure completes.

What we may retain after deletion. We may keep: (a) fully anonymised/aggregated analytics that cannot be tied to you (within the §8 windows); (b) payment/tax records held by Apple/Google, and the minimal tax/transaction records we are legally required to keep (§8); (c) a minimal pseudonymous deletion marker (your bare account identifier and the deletion date), kept as evidence the erasure was honoured and to prevent late subscription events from re-creating deleted data (lawful basis: Art. 6(1)(c) — see §8); and (d) anything we must retain to comply with a legal obligation or to establish, exercise, or defend legal claims. Data is removed from live systems on purge; processor backups/replicas are overwritten or expire on the processor's standard cycle.

If for any reason you cannot access the App (lost device, locked out of your account), email hi@richicinschi.com from the email address associated with your account and we will action deletion within 30 days of receipt.

12. Children

The App is not directed at children and is intended for users aged 16 and over — the default age of digital consent under Article 8 GDPR (the Netherlands has not lowered this threshold to 13). Account creation is gated behind a 16+ self-attestation checkbox at sign-up — it is not pre-ticked, and sign-up cannot proceed until you confirm it; we record the confirmation timestamp (ageConfirmedAt) on your account (see §3.2). We do not knowingly collect personal data from anyone under 16.

United States (COPPA). The App is not directed at children under 13 and we do not knowingly collect personal data from them without verifiable parental consent. US users with a children's-privacy concern may also contact the U.S. Federal Trade Commission (reportfraud.ftc.gov / ftc.gov/complaint) in addition to the deletion route below.

Parents and guardians. If you are a parent or guardian and believe a child under 16 has provided us personal data or created an account, contact hi@richicinschi.com. After we verify your relationship to the child, you may review the child's data, refuse further collection, and request deletion, and we will delete the account.

The correct store age rating (not child-directed) and a pre-launch onboarding age-appropriateness review are completed as part of our store submission.

13. Marketing communications

We send only transactional emails: (1) email-address verification, (2) password reset, and (3) a one-time purchase & withdrawal-waiver confirmation when a subscription purchase that starts a new contract activates (once per contract — sent again if you re-subscribe after your subscription has ended, never on renewals) — the durable-medium record EU consumer law requires of the immediate-performance consent you gave on the paywall (see Terms §6); it states your plan, store, purchase date, and the date of that consent. Emails (1) and (2) are sent through Firebase Authentication; email (3) is delivered via the Firebase "Trigger Email" extension as described in §6. Replies reach us at hi@richicinschi.com; the sender address on our own domain (noreply@richicinschi.com) applies once the custom verified-sender configuration is in place (see §6). We do not send an account-deletion confirmation email — account deletion is confirmed in-App (see §11).

All purchase confirmations, receipts, and renewal/billing notices are issued by Apple or Google (the merchant of record), not by us; apart from the one-time withdrawal-waiver confirmation above, we do not originate any subscription, receipt, or billing email.

We do not maintain a marketing email list, and we do not send promotional or newsletter emails. If we ever wish to send marketing, we will collect a separate, explicit, unbundled opt-in consent first, kept distinct from your acceptance of the Terms, and every such email will carry a one-click unsubscribe.

14. Security

We use industry-standard technical and organisational measures appropriate to the risk:

In transit: all network traffic between the App and our servers (and between us and our processors) is encrypted with TLS / HTTPS.
At rest: Firestore and Firebase Authentication encrypt data at rest with Google-managed keys.
Server-only writes for sensitive fields: the subscription mirror lives in a private/** sub-collection that the App can read but cannot modify; only our Cloud Functions can write to it.
Access control: Firestore Security Rules restrict each user's data to that user (owner-only). The studio's sole owner holds full admin access; all automated/service-account access is scoped to the minimum required for its role.
Authentication safeguards: account credentials are handled by Firebase Authentication, which provides automated detection and throttling of suspicious sign-in attempts; we never see or store passwords.
No plaintext password storage and no third-party analytics SDKs beyond Firebase; no advertising SDKs.
Webhook protection: the subscription webhook validates a Bearer secret on every call.
Source-control hygiene: secrets are kept out of git via .env files and Google Cloud Secret Manager; signing keys are held locally and backed up encrypted.
Device security: development machines are full-disk-encrypted, screen-locked, and access-controlled; no production user data is stored on local devices.
Processor oversight: we rely on our processors' published security certifications (e.g. ISO 27001, SOC 2) and accepted DPAs, and record a brief due-diligence note per processor.
Continuity & recovery: we maintain an internal business-continuity and disaster-recovery plan, proportionate to a solo studio, covering processor outages, restoration of data from Firestore point-in-time recovery, and key-person contingencies, so we can restore availability of and access to personal data after an incident (Art. 32(1)(c) GDPR).
Periodic review: we review processing activities, the processor list, access permissions, and dependencies/SDK updates on a recurring basis.

No system is perfect. If you discover a security issue, please email hi@richicinschi.com and we will respond promptly.

15. Data breach notification

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will:

Notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware, in line with Article 33 GDPR. The notification will describe, in line with Article 33(3): the nature of the breach including, where possible, the categories and approximate number of data subjects and of personal-data records concerned; a contact point for more information; the likely consequences; and the measures taken or proposed to address the breach and mitigate its effects.
Notify affected users without undue delay in line with Article 34 GDPR where the breach is likely to result in a high risk, by email and, where appropriate, an in-App notice, including (per Article 34(2)) the nature of the breach in clear language, a contact point, the likely consequences, and the measures taken or proposed. Where direct notification would involve disproportionate effort, or we do not hold contact details for an affected user (for example, anonymous/guest users), we will instead make a public communication or take an equivalent measure so that affected users are informed in an equally effective manner (Article 34(3)(c)).

We maintain an internal breach register documenting the facts, effects, and remedial action for every personal-data breach (Article 33(5)), including breaches that are not notifiable, and we follow an internal incident-response procedure.

16. Cookies and similar technologies

The mobile App uses no cookies. It uses standard mobile-platform storage mechanisms — SharedPreferences (Android) and NSUserDefaults (iOS) — for purely local functional/preference settings such as your reminder time and preferred audio defaults. This storage is on-device only: it is not read by, transmitted to, or shared with us or any third party. The App may also keep temporary/cache files on the device (e.g. cached audio assets); these are local-only, are not transmitted, and are cleared when you uninstall the App or use your operating system's "clear storage" control. Separately, Firebase Authentication persists your session/authentication token in the platform secure store (iOS Keychain / Android Keystore) on your device; this token stays on-device, is not transmitted to or read by us, and is cleared when you sign out or uninstall the App. We have asked our Dutch jurist to confirm the ePrivacy/cookiewet position for app-local storage; our position is that this purely local storage is outside the scope of consent-requiring tracking.

The public web pages at richicinschi.com/breathe/* (the hosted Privacy and Terms pages required by the app stores) use only essential cookies for basic navigation. We do not serve advertising cookies, do not embed third-party trackers, and do not use analytics on those pages.

Do Not Track and Global Privacy Control. We do not track you across other companies' apps or websites, we do not serve targeted advertising, and we use no advertising identifiers. Because there is nothing cross-site to disable, we do not respond differently to browser "Do Not Track" (DNT) or Global Privacy Control (GPC) signals.

16A. Your California privacy rights (CCPA / CPRA)

This section applies to residents of California and supplements the rest of this policy. It is provided under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA").

Definitions (as used in this section).

Business — Richicinschi, the entity that determines the purposes and means of processing California consumers' personal information.
Service provider — an entity that processes personal information on the Business's behalf pursuant to a written contract that restricts its use to the specified business purpose.
Contractor — a person to whom the Business discloses personal information for a business purpose pursuant to a written contract containing the CPRA-required restrictions.
Third party — an entity that is not the Business, a service provider, or a contractor.
Sell — disclosing personal information to a third party for monetary or other valuable consideration.
Share — disclosing personal information to a third party for cross-context behavioral advertising.

No sale, no sharing. We do not sell, and have not sold, personal information, and we do not share personal information for cross-context behavioral advertising — and we have not done so in the preceding 12 months. We run no financial-incentive programs related to personal information.

Categories of personal information we collect (preceding 12 months). Mapping the data in §3 to the CCPA statutory categories:

CCPA category	Collected?	Examples (this App)	Business/commercial purpose
A — Identifiers	Yes	Email, display name, Firebase UID, IP address	Operate the Service, secure your account, support (see §5)
D — Commercial information	Yes	Subscription/purchase status mirrored from RevenueCat (not card data)	Provide and bill for Pro features
F — Internet/network activity	Yes	In-app product-interaction analytics; crash diagnostics. No browsing/search history, no ad interactions	Measure and improve the product; fix faults
All other CCPA categories (e.g. precise geolocation, biometric information, sensitive personal information, audio, professional/employment, education, inferences for profiling)	No	—	—

Sources of this information and the business/commercial purposes for collecting it are described in §3 and §5. The categories of third parties to whom we disclose information are our service providers (§6); we do not disclose personal information to other third parties except as required by law (§6).

Sensitive personal information. We do not collect or use sensitive personal information beyond what is necessary to provide the Service, so there is nothing to limit under the CPRA right to limit.

Your California rights.

Right to Know / Access (Cal. Civ. Code §1798.100, §1798.110, §1798.115) — to know the categories and specific pieces of personal information collected, the categories of sources, the business/commercial purposes, and the categories of third parties to whom it is disclosed, over the preceding 12 months. (For data collected on or after 1 January 2022, you may request information beyond the 12-month window where required.)
Right to Delete (§1798.105) — to request deletion, subject to the statutory exceptions in §1798.105(d), which include: completing the transaction; ensuring security and integrity in a manner reasonably necessary and proportionate; debugging to repair errors; exercising free-speech rights; complying with a legal obligation (such as tax retention by Apple/Google); exercising or defending legal claims; and other internal uses reasonably aligned with your expectations and compatible with the context in which you provided the information. Where an exception applies, we will tell you which exception we are relying on and delete all personal information not covered by it.
Right to Correct (§1798.106) — to correct inaccurate personal information (see §9 item 2).
Right to Opt-Out of Sale/Sharing (§1798.120) — not applicable, because we do not sell or share personal information.
Right to Limit Use of Sensitive Personal Information (§1798.121) — not applicable, because we do not collect sensitive personal information beyond providing the Service.
Right to Non-Discrimination (§1798.125) — we will not deny you service, charge different prices, or provide a different level or quality of service because you exercised your California rights.

How to submit a request. Use either of these designated methods: email hi@richicinschi.com, or the support page at https://richicinschi.com/breathe/support. You may also use the in-App controls (Settings → Account → Delete account; Settings → Data & privacy).

Verification. We verify requests by matching the request to the email address on your account and, where needed, one or more data points we hold; we will not disclose personal information without reasonable verification.

Authorized agents. An authorized agent may submit a Right-to-Know or Right-to-Delete request on your behalf with proof of authorization (e.g. a signed permission or power of attorney); we may also verify the agent's authority and your identity (per §1798.130 and Art. 12 GDPR).

Timeline, fees, and appeals. We confirm receipt within 10 business days and respond to verifiable requests within 45 days, extendable by a further 45 days with notice. Right-to-Know requests are free up to twice per 12-month period. If we deny a request, you may appeal by emailing hi@richicinschi.com with "Appeal" in the subject line; we will respond within a reasonable period. You may also contact the California Privacy Protection Agency or the California Attorney General.

Service-provider contracts. We disclose personal information to service providers and contractors only under written contracts that prohibit them from retaining, using, or disclosing it for any purpose other than performing the specified service, and that impose purpose limitation, retention limits, and reasonable security. Nothing in those arrangements restricts a service provider's or contractor's ability to comply with applicable law.

Shine the Light (Cal. Civ. Code §1798.83). California residents may request, once per calendar year, a list of the categories of personal information we disclosed to third parties for their own direct-marketing purposes in the prior year, and the names of those third parties. We do not disclose personal information to third parties for their direct-marketing purposes, so there is nothing to list. To confirm this or make a request, email hi@richicinschi.com.

17. Changes to this policy

We will update this policy when we add a new processor, collect a new category of data, change a retention period, or make any other material change. For a material change, we will give reasonable advance notice — at least 14 to 30 days before it takes effect — through:

A version banner inside the App the next time you open it after a material change, with a short plain-language "what changed" summary, and
A prompt to re-accept the updated documents: existing signed-in users are asked to re-accept via an in-App notice, and new users accept the current version at sign-up.

No retroactive changes. Changes apply prospectively only; they do not retroactively reduce the protections that applied to personal data already collected under a prior version.

Version history. The "Last updated" date and "Document version" at the top of this policy always reflect the current version. This is version 12 (2026-06-14), superseding version 11 (2026-06-11). Version 12 makes no changes to this Privacy Policy — it tracks the Terms of Service's version 12 update of the Free vs Pro feature allocation (the technique catalogue expanded to ten techniques; the five new techniques are Pro Features), so one recorded acceptance covers both documents. Version 11 (2026-06-11) adds three disclosure clarifications and does not change what data we collect or your rights: it enumerates the CCPA statutory deletion exceptions and commits to telling you which one applies (§16A); discloses the aggregate, non-identifying app statistics that Apple and Google provide to us as the App's distributors, including Google Play's Android Vitals (§6); and references our internal business-continuity/disaster-recovery plan (§14). Version 10 (2026-06-11) made no changes to this policy (it tracked the Terms of Service's version 10 update of the Free vs Pro feature allocation, so one recorded acceptance covers both documents). Version 9 (2026-06-10) disclosed the one-time purchase & withdrawal-waiver confirmation email and its delivery path (§6, §13), the cloud-synced challenge progress for subscribers (§3.3), the account-identifier linkage of analytics events and crash reports (§3.1), and the erasure retry record and pseudonymous deletion marker (§8, §11). Version 8 (2026-06-10) disclosed the one-time history migration on subscribing, Android Auto Backup, and the email-edit support route. We maintain a version history and keep an archive of superseded versions; the previous version is also available on request from hi@richicinschi.com. We review this policy at least annually.

18. Governing law

This Privacy Policy is governed by the laws of the Netherlands and EU data-protection law, including the GDPR and the Dutch implementing act, the Uitvoeringswet Algemene verordening gegevensbescherming (UAVG). Mandatory EU law (including the GDPR and EU consumer-protection law) applies and prevails where Dutch national law would otherwise conflict with it. Disputes about its interpretation may be brought before the competent Dutch courts, without prejudice to your right as an EU consumer to seek redress before the supervisory authority or courts of your country of residence.

19. Contact and accessibility

For any privacy-related question, request, or complaint: hi@richicinschi.com, or by post to [REGISTERED ADDRESS].

This policy is available in English and Dutch, in the App and on our website. If you need it in another accessible format, email hi@richicinschi.com and we will provide one.

20. Health disclaimer

The following statement applies to the entire App. It is adapted from the studio's standard health disclaimer (docs/legal/health-disclaimer.md), tailored to Breathe, and is incorporated into this Privacy Policy by reference.

Important: Not Medical Advice

The content in this app — the breathing exercises and any related wellness content — is provided for general informational and self-care purposes only. It is not medical, mental health, or psychiatric advice, diagnosis, or treatment.

If you are experiencing severe anxiety, depression, a panic attack, suicidal thoughts, or any mental-health crisis, please contact a qualified healthcare professional or one of the resources below. Always consult a doctor before changing a treatment plan or starting a new self-care practice, especially if you have a medical condition.

Crisis resources:

Netherlands: 113 Zelfmoordpreventie — 113 or 0800-0113 (free, 24/7)
International: https://findahelpline.com

By using this app you acknowledge that the studio is not liable for any decision made based on its content.