Legal
Privacy Policy
Last updated: [DATE]
Draft template. Not yet in force. Not legal advice.
This page is a working draft prepared for review. Before launch it must be reviewed and adapted by a qualified lawyer, and the placeholders in brackets must be replaced with the company’s real details.
1. Who is responsible for your data
The REWIRED app (“the Service”) is operated by [COMPANY LEGAL NAME], a company registered in Sweden with organisation number [ORG NUMBER] and registered address [REGISTERED ADDRESS](“we”, “us”). We are the data controller for the personal data described in this policy under the EU General Data Protection Regulation (GDPR).
Privacy questions and requests: [PRIVACY CONTACT EMAIL].
2. What we collect
- Account data: your email address, and your first name if you choose to share it.
- Membership and billing status: whether your subscription is active, and identifiers linking your account to our payment provider. Card details are handled entirely by Stripe; we never see or store your card number.
- Program progress: which missions and lessons you have marked complete, so the app can show your progress and your coach can meet you where you are.
- Runa conversations: the messages you exchange with Runa, our AI coach, are stored so your conversation has continuity.
- Technical data: standard server logs, including IP address, used for security, abuse prevention and rate limiting.
We do not collect analytics profiles, advertising identifiers or location data.
3. Runa and AI processing
Runa is an AI coach. When you send Runa a message, that message, recent conversation history and limited account context (such as your first name and program progress) are transmitted to Anthropic, the provider of the Claude AI model, via their API, so that Runa can respond. Anthropic processes this data as our processor under a data processing agreement. Under Anthropic’s commercial API terms, inputs and outputs are not used to train their models.
Please treat Runa like a coach, not a vault: do not share information you do not want processed this way, such as health details about other people. Runa is not a medical, psychological or therapeutic service.
4. Why we process your data (legal bases)
- To provide the Service (account, membership, programs, Runa): performance of our contract with you, Article 6(1)(b) GDPR.
- Security, abuse prevention and service integrity (logs, rate limiting): our legitimate interest, Article 6(1)(f) GDPR.
- Legal obligations (bookkeeping and tax records connected to payments): Article 6(1)(c) GDPR.
5. Who processes data for us
We use a small set of processors, each under a data processing agreement:
- Anthropic (USA): AI processing for Runa conversations.
- Stripe (payments): subscription billing. Stripe also acts as an independent controller for some payment data under its own privacy policy.
- Resend (USA): delivery of login and service emails.
- Vercel (hosting): runs the application. Our compute region is in the EU (Frankfurt).
- [DATABASE PROVIDER, e.g. Neon] (database): stores the data described above in an EU region.
Where a processor is located outside the EU/EEA, transfers rely on the EU Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. We do not sell personal data, ever.
6. How long we keep data
- Account, progress and conversation data: kept while your account exists. If you ask us to delete your account, we erase this data within [30] days.
- Billing records: kept as long as Swedish bookkeeping law requires (currently seven years), even after account deletion.
- Server logs: kept for a short rolling window, at most [90] days.
7. Your rights
Under the GDPR you can ask us to:
- access a copy of the personal data we hold about you,
- correct inaccurate data,
- erase your data (delete your account, progress and Runa conversations),
- export your data in a portable format,
- restrict or object to certain processing.
To exercise any of these rights, email [PRIVACY CONTACT EMAIL] from the address on your account. We respond within one month.
You also have the right to complain to the Swedish supervisory authority, Integritetsskyddsmyndigheten (IMY), imy.se, or to the supervisory authority in your own EU country.
8. Cookies
The Service uses a single strictly necessary cookie: an encrypted session cookie that keeps you signed in. No analytics cookies, no advertising cookies, no third-party trackers. Because the session cookie is strictly necessary for the Service to function, no cookie consent banner is required for it.
9. Changes to this policy
If we change this policy in a way that matters, we will notify you by email or in the app before the change takes effect. The date at the top shows when it was last revised.