Version 1.0 – July 1, 2025
1. Who We Are
Controller: Bliss App, Inc., 690 Market St #2204, San Francisco, CA 94104, USA.
2. Data We Collect
| Category | Examples | Why (Legal Basis – GDPR Art. 6) |
|---|---|---|
| Account Data | Email address, sign-in token | Contract fulfilment |
| Profile Inputs | Check-in answers, shadow-practice data, horoscope/astrology info | Contract fulfilment; explicit consent for special-category data |
| Usage & Device | IP, time-zone, device IDs, crash logs, analytics events | Legitimate interests (security & product improvement) |
| Payment Data | Last four digits of card; billing country | Contract fulfilment; legal obligation (tax) |
3. How We Use Your Data
- Deliver and personalize features (AI-powered reflections, affirmations).
- Improve the App (analytics, debugging).
- Send transactional emails (receipts, security alerts).
- Marketing emails only if you opt in (unsubscribe anytime).
4. AI Processing
User inputs are processed by OpenAI-powered models hosted in the USA. We do not re-use your content to train public models; it is used solely to provide and improve Shadow Work App.
5. Sharing & Processors
| Recipient | Purpose | Safeguard |
|---|---|---|
| Vercel / AWS | Hosting | SCCs (EU 2021/914) |
| Supabase | Auth & database | SCCs |
| Stripe / RevenueCat | Payments & subscription analytics | PCI-DSS; C2P SCC |
We never sell personal data.
6. International Transfers
EU/UK transfers rely on EU SCCs and UK IDTA as applicable. All data is processed in compliance with applicable data protection laws.
7. Cookies
We use essential cookies (sign-in) and analytics cookies (PostHog, Google Analytics). You can block analytics cookies via your browser or "Do Not Track."
8. Data Retention
- Active account: until you delete it.
- Deleted account: backups retained for up to 30 days, logs for 90 days.
- Financial records: 10 years (tax law).
9. Security
TLS encryption in transit; AES-256 at rest; least-privilege access; regular penetration tests.
10. Your Rights
| Region | Rights & How to Exercise |
|---|---|
| GDPR/EU | Access, rectify, erase, restrict, data portability, object. Email privacy@shadowwork.io. |
| CCPA/CPRA (California) | Know, delete, correct, opt-out of "sale/share" (we don't sell). Global Privacy Control honoured. |
11. Children
We do not knowingly collect data from anyone under 13. If we learn we have done so, we will delete that data immediately. Parents may contact privacy@shadowwork.io to request deletion.
12. Breach Notification
Affected users and relevant regulators will be notified within required timeframes: GDPR 72 hours; CCPA reasonable time.
13. Changes
Updates will be posted here; material changes will receive 30-day notice via email.
14. Contact
ShadowWork © 2025 Bliss App, Inc.