Privacy Policy

1. Introduction

This Privacy Policy explains how PurrfectPlan ("Company," "we," "our," or "us"), registered in Ukraine at Poliarna Street 11, Kyiv, 02000, collects, uses, discloses, and protects your personal data when you use the PurrfectPlan mobile application (the "App") and related services (collectively, the "Services").

We act as the data controller for the personal data we process through the Services. This means we determine the purposes and means of processing your personal data and are responsible for compliance with applicable data protection laws.

Some features of the App use third-party artificial intelligence models to provide personalized recommendations, chat assistance, and content generation. As of the date of this Privacy Policy, our AI provider is Anthropic, PBC ("AI Provider"). When you use these AI-powered features, certain data is processed by our AI Provider as described in detail in Sections 4 and 5 of this Privacy Policy.

By creating an account or using the Services, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent as a legal basis for processing, we will obtain your consent separately at the relevant point of data collection.

2. Information We Collect

2.1 Information You Provide

Account Information. When you create an account, we collect your name, email address, and authentication method (Google Sign-In or Apple Sign-In). We do not store your third-party authentication passwords.

Profile Preferences. Language, currency, display theme, and notification settings.

User Content. Data you create within the App, including:

• Projects, tasks, tags, subtasks, deadlines, and attachments
• Financial transactions, expense categories, budgets, savings goals, debt management plans, and payment history
• Habits, completion records, and streaks
• Lists and list items
• Personal Reflections: gratitude diary entries, thought journal entries, Life Balance Wheel assessments, and self-discovery reflections

AI Onboarding Data. If you use the AI-powered setup feature, you may provide personal preferences including daily routine, health and fitness goals, career information, financial overview (income ranges, expense categories, savings goals), habit preferences, stress and wellness indicators, and self-care preferences. This data is used once to generate your personalized App setup and is processed through our AI provider as described in Section 4.

AI Chat Messages. When you use AI chat features, we collect the messages you send and the AI responses you receive.

2.2 Information Collected Automatically

• Device Information: Device model, operating system version, app version, and language settings
• Usage Data: Features used, screens visited, and interaction patterns
• Crash and Performance Data: Error reports and app performance metrics

We do not use advertising identifiers and do not engage in cross-app tracking.

2.3 Information from Third Parties

When you sign in using Google or Apple, the authentication provider shares your name and email address with us, as authorized by you during the sign-in process.

3. How We Use Your Information

To provide and maintain the Services. We use your information to perform our contractual obligation towards you — to allow you to create an account, sync your data, manage your content, and use the App's features including task management, financial tracking, habit tracking, and personal reflections.

To power AI features. With your consent, we process your data through our AI provider to deliver personalized onboarding, chat assistance, and lifestyle recommendations. You can use the App without AI features, and you may withdraw your consent for AI data processing at any time.

To process purchases. We use your account information to fulfill our contractual obligation to deliver subscription features and manage in-app purchases (processed by Apple).

To improve our Services. It is in our legitimate interest to analyze how our users interact with the App (using aggregated, de-identified data) so we can improve features, fix issues, and enhance overall user experience. We balance these interests against your privacy rights and only use anonymized or aggregated data for this purpose.

To ensure security and prevent abuse. It is in our legitimate interest to protect the App, our users, and our infrastructure from fraud, unauthorized access, and other security threats.

To send service-related communications. We use your information to send push notifications and important updates about the Services as part of our contractual obligation to you.

To comply with legal obligations. We may process your data when required by applicable law, regulation, or legal process.

Health and Wellness Data. Where we process health and wellness information (such as fitness goals, stress levels, or wellness assessments) through AI features, we rely on your explicit consent. This consent is separate from your general acceptance of this Privacy Policy and can be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.

4. AI Features and Data Processing

4.1 How Our AI Features Work

The App includes optional AI-powered features: personalized onboarding setup, in-app chat assistance across all modules, and lifestyle recommendations. These features are powered by our AI Provider, accessed exclusively through our secure server-side infrastructure (Firebase Cloud Functions hosted in the EU). There is no direct connection between your device and our AI Provider — all data passes through our servers first.

4.2 Data Sent to Our AI Provider

When you use AI features, the following data may be transmitted to our AI Provider for processing:

• AI Onboarding: Your responses to onboarding questions (personal preferences, lifestyle goals, career overview, financial overview, health goals, habit preferences)
• AI Chat: Your chat messages, conversation history (up to 10 most recent messages per conversation), and contextual module data including recent transactions (amounts, categories, dates — up to 10), spending category summaries, task completion rates, and habit streaks
• Lifestyle Tips: Life area category name only

4.3 Data NOT Sent to Our AI Provider

The following data is never transmitted to our AI Provider:

• Personal Reflection content (diary entries, thought journal entries, self-discovery responses) — only aggregated statistics such as entry counts
• Your authentication credentials or passwords
• Your encryption keys

4.4 AI Provider Data Retention

Our AI Provider may temporarily retain data submitted through their API for a limited period for safety and abuse monitoring purposes, in accordance with their data usage policies, after which it is automatically deleted.

4.5 No AI Model Training

We do not use your data to develop, train, or improve artificial intelligence or machine learning models. Our AI Provider does not use data submitted via its API to train its models. This is contractually guaranteed through our data processing agreement with the AI Provider and confirmed by our account configuration.

4.6 AI Chat History

AI chat conversations within the App are stored for up to 90 days to provide conversation continuity, after which they are automatically deleted. Each conversation retains a maximum of 10 messages. All AI chat messages (both your messages and AI responses) are encrypted using AES-256 encryption at rest (see Section 7.1 for details). You can delete your chat history at any time within the App.

5. Data Sharing and Third-Party Processors

We share personal data only with the following categories of third-party service providers, each acting as a data processor under our instructions:

Provider	Purpose	Data Categories	Location
Google LLC (Firebase)	Infrastructure, authentication, database, analytics, crash reporting, push notifications, cloud functions	All App data, usage analytics, crash logs	EU (europe-west3)
Anthropic, PBC	AI content generation, chat assistance	AI onboarding answers, module context, chat messages (see Section 4.2)	United States
Apple Inc.	Authentication, in-app purchases, push notification delivery	Account identifiers, purchase data, device tokens	United States
ExchangeRate-API	Currency conversion rates	Server-side only; currency codes only (no personal data transmitted from user devices)	—

We may also disclose your personal data if required to do so by law, to protect our legal rights, to prevent fraud, or in connection with a merger, acquisition, or sale of assets (in which case you will be notified).

We do not sell your personal data. We do not share your personal data for cross-context behavioral advertising.

6. International Data Transfers

Your personal data is primarily stored in the European Union (Firebase infrastructure in Frankfurt, Germany — europe-west3 region).

When you use AI features, your data is transferred to the United States for processing by our AI Provider. These transfers are protected by:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• EU-US Data Privacy Framework certifications held by our processors where applicable
• Google Cloud Data Processing Addendum with Standard Contractual Clauses for Firebase data transfers

For users in the European Economic Area (EEA), United Kingdom, or Switzerland: all international transfers of your personal data are carried out in compliance with Chapter V of the GDPR using the safeguards listed above.

7. Data Security

7.1 Encryption at Rest

Personal Reflections — including gratitude diary entries, thought journal entries, Life Balance Wheel notes, and self-discovery responses — are encrypted using AES-256 encryption before being stored in our database. This means that even in the event of unauthorized access to our database, this content would remain unreadable without the corresponding encryption key.

AI chat messages — including all messages you send to the AI assistant and all AI-generated responses — are also encrypted using AES-256 encryption before being stored in our database. This ensures that your AI chat conversations remain protected and unreadable without the corresponding encryption key, even in the event of unauthorized database access.

7.2 Encryption in Transit

All data transmitted between your device and our servers, and between our servers and third-party processors, is encrypted using HTTPS/TLS protocols.

7.3 Access Control

Database security rules ensure that your data is accessible only through your authenticated account. No other user can access your data. AI provider API keys are managed server-side; no third-party credentials are stored on your device.

7.4 Infrastructure Security

Our infrastructure provider (Google Cloud/Firebase) maintains ISO 27001, SOC 2, and SOC 3 certifications, as well as comprehensive physical and network security measures as detailed in their Data Processing Addendum.

8. Data Retention

We retain your personal data for the following periods:

Data Category	Retention Period
Account data (name, email, preferences)	Until account deletion
User Content (tasks, transactions, habits, lists, reflections)	Until account deletion
AI chat history	90 days (automatically deleted)
AI onboarding responses	Stored to enable future plan generation (e.g., after Premium purchase); deleted upon account deletion
Data processed by our AI Provider	Temporarily retained for safety monitoring per AI Provider's data usage policies
Analytics data (Firebase Analytics)	14 months (Google default)
Crash reports (Firebase Crashlytics)	90 days

When you delete your account, all personal data, User Content, AI chat history, and associated files are permanently removed from our active systems within 30 days. Residual copies in automated backups are purged within 90 days of account deletion.

9. Your Rights

9.1 All Users

Regardless of your location, you may:

• Access the personal data we hold about you
• Correct inaccurate or incomplete data
• Delete your account and all associated data (available in-app via Settings, or by contacting us)
• Opt out of AI features — AI features are entirely optional; the core App functionality works without them
• Delete AI chat history at any time within the App

9.2 European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the GDPR:

• Right of access (Art. 15) — obtain a copy of your personal data
• Right to rectification (Art. 16) — correct inaccurate data
• Right to erasure (Art. 17) — request deletion of your data
• Right to restriction of processing (Art. 18) — limit how we use your data
• Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
• Right to object (Art. 21) — object to processing based on legitimate interests
• Right to withdraw consent (Art. 7(3)) — withdraw consent at any time for processing based on consent (including AI features and health/wellness data processing)
• Right to lodge a complaint with your local data protection supervisory authority

Our AI features provide suggestions and recommendations only. No automated decisions with legal or similarly significant effects are made about you through the Services.

To exercise any of these rights, contact us at privacy@purrfectplan.com. We will respond within 30 days.

9.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):

• Right to know what personal information we collect, use, and disclose
• Right to delete your personal information
• Right to correct inaccurate personal information
• Right to opt out of the sale or sharing of personal information — we do not sell or share your personal information
• Right to non-discrimination for exercising your privacy rights

To exercise these rights, contact us at privacy@purrfectplan.com.

10. Children's Privacy

The Services are intended for users aged 13 and older. In jurisdictions where a higher minimum age of consent for data processing applies (such as 16 in certain EU member states), the higher age requirement prevails, and parental or guardian consent is required for users below that age.

We do not knowingly collect personal data from children below the applicable minimum age. If we learn that we have collected personal data from a child below the applicable minimum age without proper consent, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@purrfectplan.com.

11. Cookies and Tracking Technologies

The App uses Firebase Analytics to collect anonymized usage events and performance data. We do not use advertising identifiers, cookies, or cross-app tracking technologies within the App.

Our website (purrfectplan.com) may use essential cookies required for basic website functionality. No third-party tracking or advertising cookies are used on our website.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:

• Posting the updated Privacy Policy on this page with a new "Last updated" date
• Providing an in-app notification or email where required by law

We encourage you to review this Privacy Policy periodically. Your continued use of the Services after any changes constitutes your acceptance of the updated Privacy Policy. Previous versions are available upon request.

13. Governing Law

This Privacy Policy is governed by the laws of Ukraine. Where the General Data Protection Regulation (EU) 2016/679, the UK GDPR, or the Swiss Federal Act on Data Protection applies to the processing of your personal data, the provisions of the applicable regulation prevail in the event of conflict.

14. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how your data is processed, please contact us:

For GDPR-related inquiries, you may also contact your local data protection supervisory authority.