Privacy Policy

2.1 Information You Provide to Us Directly

This is information that you knowingly and actively provide to us when using our Services.

• Account and Profile Information: When you sign up for an account with the App, we collect your first name, last name, email, country, and time zone.
• Sensitive User Content: Our App is designed to help you navigate relationship breakups. To do this, we collect the information you voluntarily provide in your journal entries, your answers to prompts and quizzes, and other content you generate within the App. We understand this information is deeply personal and sensitive, and we treat it with the highest level of care and confidentiality. If you withdraw your explicit consent for this processing, the App will no longer function. You may withdraw consent only by deleting your account, at which point all related sensitive User Content will be permanently deleted within the timelines set out in Section 6.2.
• Newsletter and Communications: We collect your email address when you sign up for our newsletter. Every newsletter email includes an unsubscribe link, and you may opt out at any time. We also collect any information you provide when you contact us for customer support, send us feedback, or communicate with us in any other way.
• Social Media Login Data: If you choose to register or log in using a third-party account (like Facebook), we receive certain profile information from that service as permitted by your settings with that service. This may include your name, email address, and profile picture.
• Payment Information: We use the third-party service Stripe to process payments for our Services. When you make a purchase, you will be directed to Stripe's secure checkout page to provide your payment details (such as credit card number, name, and billing address). This information is provided directly to Stripe and is subject to their privacy policy. We do not collect, store, or have access to your full credit card information. We do, however, receive transactional information from Stripe, which may include your name, email address, the date of the transaction, and what you purchased, to confirm your payment and grant you access to the Services.

2.2 Information We Collect Automatically

When you access our Services, we may automatically collect certain information about your device and your usage.

• Usage Data: We use services such as Google Analytics to better understand how you interact with our Website and App. This may include details about the features you use, the pages you visit, the dates and times of your visits, how long you spend on each page, and your IP address (used to derive general location). We rely on pseudonymous identifiers, which are classified as personal data under the GDPR. We process this information based on your consent, which you can manage at any time through our website’s cookie banner or within the App settings.
• Device and Technical Information: We collect information from your device, including your IP address, browser type, operating system, and device identifiers.
• Crash and Performance Data: We use services such as Sentry and Google Firebase Crashlytics to help us identify and fix bugs, crashes, and other performance issues in the App. To do this, these services may collect logs and technical data from your device (such as stack traces, device model, and operating system version). While we strive to prevent this, it is possible that some personal information from your User Content may be inadvertently included in these logs. We process this information based on our legitimate interest in maintaining a secure, stable, and reliable App.
• Push Notifications: With your permission, we may send push notifications to your mobile device to provide updates, reminders, and other relevant information. To send these messages, we collect and store a unique device token (FCM Token). You can manage your push notification preferences at any time in your device settings.
• Cookies and Mobile Identifiers:

  We use cookies on our Website and similar technologies (like mobile device identifiers) in our App to operate and analyse our Services.

  Website Cookies: We use essential cookies to securely operate our Website and store your preferences (such as your cookie consent choices). With your explicit permission, we also use third-party analytics cookies provided by Google (such as _ga and related identifiers) to help us understand how you use our Website. These analytics cookies are only set if you accept them via our cookie banner and may persist on your device for up to 2 years to distinguish unique users and sessions.

• Google Tag Manager: We use Google Tag Manager (GTM) to manage and deploy tracking tags on our Website. GTM itself does not collect personal data, but it loads the Google Analytics tags described above when you have given consent.

2.3 Information Processed for Specific Purposes

• AI Analysis for App Improvement:

  With your explicit and separate consent, we use Artificial Intelligence (AI) to help us understand if our journaling prompts are effective.

  How it works: We do not read your journal entries. Instead, we use an AI provider to analyse your response and generate technical metadata about the entry.

  What we see: Our team only sees aggregate insights, such as "The user found this question confusing" or "The user wrote a detailed response." We do not see a summary of your personal story, secrets, or specific situation.

  The Goal: This allows us to fix confusing questions and improve the "Breakup Course" without ever invading your privacy.

  Participation in this analysis is entirely optional, and you can withdraw your consent at any time without affecting your use of the App. We have conducted a Data Protection Impact Assessment (DPIA) to assess and mitigate the risks associated with this AI processing.

3.1 To Provide Our Core Services (Based on Contract and Explicit Consent)

Our primary purpose is to provide you with the journaling, educational, and wellness features of the App.

• Lawful Basis (General Information): We process your Account Information (name, country, etc.) to fulfill our contract with you, as outlined in our Terms of Service. This is necessary to create your account and deliver the basic features of the App.
• Lawful Basis (Sensitive Information): Our App's core service is to provide you with a private platform for personal reflection through journaling and guided exercises. To deliver this service, it is necessary for you to provide User Content, such as journal entries and quiz answers. As this information is sensitive by nature, we process it on the legal basis of your explicit consent. This consent is essential for the App to function, and for us to lawfully store and provide you with access to your personal content. Without it, the App cannot operate, and you must delete your account.

3.2 For Security and Performance (Based on Legitimate Interest)

We have a legitimate interest in ensuring our Services are stable, secure, and functioning correctly.

• Purpose: We use Sentry to monitor the App for bugs, crashes, and performance issues. This helps us diagnose and fix technical problems to provide you with a reliable service.
• Lawful Basis: We process the necessary technical and diagnostic data based on our legitimate interest in maintaining and securing a high-quality, functional application for our users.

3.3 For Service Improvement (Based on Your Optional Consent)

We are always looking for ways to make our App more effective. This type of processing is entirely optional and is not required to use the core features of the App.

• Purpose: We use an AI provider to analyse your response and generate technical metadata about the entry. Our team only sees aggregate insights, such as "The user found this question confusing" or "The user wrote a detailed response." We do not see a summary of your personal story, secrets, or specific situation.
• Safeguards: AI processing is automated. Experts only review technical metadata and aggregate insights, never raw entries or detailed summaries of your situation. Access is restricted and logged, and all processing occurs on secure, controlled systems.
• Transparency: Although we take strong precautions, AI processing of sensitive text always carries a residual risk. We disclose this risk openly so that you can make an informed choice.
• Your Rights: You are not required to consent to this processing. If you do not opt in, you can still use all core features of the App. You may also withdraw your consent at any time without affecting your ability to use the App.
• Lawful Basis: We will only perform this analysis with your explicit, specific, and optional opt-in consent. To be clear: This is separate from the consent required for the core journaling service. The App remains fully functional if you choose not to consent. Our internal expert will only ever see the technical metadata and insights, never your raw journal entry or personal details. You can withdraw this specific consent at any time without affecting your use of the App.

3.4 For Communications and Legal Obligations

• Communications: We may use your contact information to respond to your inquiries or send important service updates, based on our legitimate interest in providing good customer service and keeping you informed.
• Legal Compliance: We may process any of your information where necessary to comply with a legal obligation, such as responding to a court order or lawful request from a government authority.

3.5 Website Analytics (Consent — GDPR Article 6(1)(a))

• Purpose: We use Google Analytics (loaded via Google Tag Manager) to understand how visitors use our Website, measure traffic, and improve our content.
• Consent-only: Analytics cookies are only placed after you explicitly accept them via our cookie banner. If you decline, no analytics cookies are set.
• Withdrawal: You may withdraw consent at any time by clicking the "Cookie Settings" link in the footer of our Website.
• Consent Mode v2: We implement Google Consent Mode v2, which adjusts the behaviour of Google tags based on your consent choices, ensuring no analytics data is sent to Google without your approval.

4.1 With Our Service Providers

We engage third-party companies and individuals to perform services on our behalf to help us operate and improve our Services. These service providers have access to your personal information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose. Our providers include:

• Authentication Services: We use Google Firebase Authentication to manage user accounts and securely handle sign-ins (including Facebook Login).
• Payment Processors: We use Stripe to process payments. They handle your payment information directly according to their own privacy policies. You can view Stripe's privacy policy at stripe.com/privacy.
• Analytics Providers: We share data with analytics providers to help us understand usage patterns and improve our Services. This includes pseudonymous identifiers and data about your interactions with our App and Website. While this data does not include direct identifiers like your name or email, it is treated as personal data, and we only process it with your consent. Our analytics providers are:
  • Google Analytics / Google Analytics for Firebase (Google LLC, USA) — policies.google.com/privacy
  • Google Tag Manager (Google LLC, USA)
• Error and Performance Monitoring Services: We use Sentry and Google Firebase Crashlytics to help us identify and fix technical issues in our App. These services may process diagnostic data and device information as described in Section 2.
• Infrastructure and Hosting Providers: We use Heroku and Amazon Web Services (AWS) for secure cloud hosting. We use Cloudflare for content delivery (CDN), static website hosting, and web application firewall (WAF) protection. We also use AWS Key Management Service (KMS) to manage the cryptographic keys that protect your data. While AWS manages the master keys, they do not have access to the data keys or your actual journal entries (User Content), which remain encrypted at all times.
• Communication Providers: We use MailerSend to deliver essential service-related emails (such as account verification and course updates). We also use third-party services to send newsletters (if you opt-in) and push notifications (via Google Firebase Cloud Messaging).

4.2 For Legal Reasons

We may disclose your personal information if we believe in good faith that such disclosure is necessary to:

• Comply with a legal obligation, court order, or a lawful request from a government authority.
• Protect and defend the rights, property, or safety of Resilience Labs PTY LTD, our users, or the public.
• Prevent or investigate possible wrongdoing in connection with the Services.

4.3 In a Business Transfer

If Resilience Labs PTY LTD is involved in a merger, acquisition, or sale of all or a portion of its assets, your personal information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

4.4 Anonymised and Aggregated Data

We may share or publicly disclose information that has been aggregated and anonymised in a way that it cannot reasonably be used to identify you. For example, we may use your anonymous feedback for marketing purposes (with your consent) or share statistical insights about our user base.

6.1 Security Measures

We have implemented a range of security measures to prevent your personal information from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed. These measures include:

• Encryption: Your personal information is encrypted when in transit between your device and our servers (using TLS/SSL). We use a multi-layered approach to protect your data when it is at rest. In addition to standard platform-level encryption, we utilize Envelope Encryption architecture. This means your sensitive User Content is encrypted with a unique data key, which is itself encrypted using a master key managed by AWS Key Management Service (KMS). This ensures that even if our database were compromised, the data would remain unreadable without the strictly controlled master keys.
• Access Controls: We limit access to your personal information to those employees and third-party service providers who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
• Secure Development: We build our Services with privacy and security principles in mind from the start.

While we are committed to securing your data, it is important to remember that no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

6.2 Data Retention

We will only retain your personal information for as long as is reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements.

• Account Information and User Content: We retain your account information and all User Content (such as journal entries and quiz answers) for as long as your account is active. This is necessary to provide you with the core functionality of the App. If you choose to delete your account, we will permanently delete this information within 30 days of account deletion.
• Other Information: We may retain other information, such as anonymised analytics data and crash logs, for a limited period necessary to fulfill the purposes outlined in this policy (for example, 90 days for crash logs).
• Google Analytics Data: 2 years (Google's default retention; data is pseudonymous and subject to Google's own deletion schedule).
• Cookie Consent Record: 1 year (your consent preferences stored in browser).
• Legal Requirements: We may be required to retain certain information for longer periods to comply with our legal obligations, resolve disputes, or enforce our agreements. For example, records related to payments may be kept for several years as required by financial laws.

Once we no longer have a legitimate business need to process your personal information, we will either delete or anonymise it.

How to Exercise Your Rights

You can exercise some of these rights directly through the settings in your account. For any requests you cannot fulfill yourself, or for any questions about your rights, please contact us using the details in the "How to Contact Us" section below. We will respond to your request in accordance with applicable data protection laws.

Right to Lodge a Complaint

If you have a concern about how we handle your personal information, we hope you will contact us first to allow us to resolve it. However, you also have the right to lodge a complaint with a relevant data protection supervisory authority in your country of residence.

Note for Australian Users

Under the Privacy Act 1988 (Cth), you have the right to request access to your personal information and to ask for its correction. If you are dissatisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.