Privacy Policy
Last Updated: February 2026
Also see: Terms of Service · Cookie Policy · Refund Policy
1. Overview
Selfward ("we," "us," or "our") is committed to protecting your privacy. This policy explains how we collect, use, store, and safeguard your personal information and self-discovery assessment data when you use our website, applications, and services (collectively, the "Service"). We take extra care with sensitive wellness data and never share it with advertisers or third parties for marketing purposes.
2. Data Controller
Selfward is the data controller responsible for your personal data. If you have any questions about how we handle your data or wish to exercise your rights, you can contact us at:
- privacy@selfward.ai
- Data Protection Officer: privacy@selfward.ai
EU/UK Representative: If you are located in the European Economic Area or the United Kingdom, you may contact our designated representative for data protection matters at privacy@selfward.ai. We are in the process of appointing a formal EU representative pursuant to GDPR Article 27 and a UK representative under UK GDPR. Until such appointment is finalized, all inquiries should be directed to our Data Protection Officer.
3. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6:
- Contract Performance: Processing necessary to provide the Service you signed up for (account management, assessment delivery, report generation, payment processing).
- Consent: Where you have given explicit consent, such as signing up for optional email communications, participating in our referral program, or consenting to cookies.
- Legitimate Interest: Processing necessary for our legitimate business interests, such as improving service quality through anonymized analytics, preventing fraud, and ensuring security. We conduct balancing tests to ensure our interests do not override your rights.
- Legal Obligation: Processing required to comply with applicable laws, such as tax record-keeping, responding to lawful requests from authorities, or data breach notifications.
4. Information We Collect
We collect the following categories of information:
Account Data
- Email address (for authentication and communication)
- Display name (optional, for personalization)
- Authentication provider and profile information (if using Google Sign-In: your name, email address, and profile picture as authorized by you through Google's OAuth consent screen)
- Account preferences and settings
Assessment Data
- Your responses to self-discovery assessment questions
- Time spent on each question (for data quality assurance)
- Generated reports, personality insights, and score histories
- Comparison data (if you participate in relationship comparisons, with mutual consent)
Payment Data
- Transaction records and purchase history (stored by us)
- Billing details such as card type and last four digits (processed by Apple App Store or Google Play Store; we never store full card numbers)
- Subscription status and renewal dates
Technical & Usage Data
- IP address and approximate geolocation (country/region level only)
- Browser type, operating system, and device information
- Pages visited, features used, and session duration
- Referral source and UTM parameters (if you arrived via a referral link)
Sensitive Data Notice
Some assessment instruments include questions related to mental health and emotional wellbeing (e.g., PHQ-9 depression screening, GAD-7 anxiety screening). This data is treated with heightened security protections. It is encrypted at rest, access-controlled, and never used for advertising, profiling, or shared with third parties except as strictly necessary to provide the Service (e.g., AI report generation).
Biometric & Health Data Statement
Selfward does not collect biometric identifiers or biometric information as defined by the Illinois Biometric Information Privacy Act (BIPA) or similar state laws. We do not use facial recognition, fingerprint scanning, voiceprints, retina scans, or any other biometric technology. Our assessment instruments collect self-reported responses only; no physiological or biological data is captured, measured, or inferred. Additionally, Selfward is not a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA). The Service does not provide healthcare services, and no provider-patient or therapist-client relationship is created by your use of the Service.
5. How We Use Your Data
- To deliver the Service: generate your personalized self-discovery profile, reports, and insights
- To process payments: handle transactions, subscriptions, and refunds through Apple App Store, Google Play Store, and RevenueCat
- To improve the Service: analyze anonymized, aggregated data to improve assessment accuracy and user experience
- To communicate with you: send transactional emails (account verification, password resets, report notifications, payment receipts)
- To provide customer support: respond to your inquiries and resolve issues
- To ensure security: detect fraud, prevent abuse, and maintain platform integrity
- To comply with legal obligations: maintain records required by tax, consumer protection, or other applicable laws
- To administer the referral program: track referral sign-ups and distribute referral credits (if you participate)
6. AI-Powered Processing & Automated Decision-Making
Selfward uses artificial intelligence (Anthropic's Claude) to generate personalized reports and insights based on your assessment responses. This constitutes automated processing of your data.
How it works: Your assessment scores (not raw responses) are sent to Anthropic's API to generate your personalized report. The AI analyzes patterns across multiple assessment instruments to produce integrated insights.
Your rights regarding AI processing: Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that significantly affects you. Our AI-generated reports are informational self-discovery tools and do not constitute medical, psychological, or legal decisions. You may request human review of any AI-generated content by contacting us.
Data retention by AI provider: Anthropic does not retain your data for model training. Data sent to Anthropic's API is processed transiently and not stored beyond the API request lifecycle, in accordance with Anthropic's data processing terms.
We use prompt caching to reduce costs and improve response times. Cached prompts contain only the assessment instrument definitions and scoring rubrics, never your personal data or responses.
7. Data Security
We implement comprehensive security measures to protect your data:
- Encryption at rest: All data is encrypted using AES-256 encryption in our database (Supabase/PostgreSQL)
- Encryption in transit: All connections use TLS 1.3 encryption
- Row-level security (RLS): Database policies ensure you can only access your own data
- Immutable audit logging: All data access and modifications are logged for security monitoring
- PII pseudonymization: Sensitive personal identifiers are stored in a separate, access-controlled vault
- Input sanitization: All user inputs are validated and sanitized to prevent injection attacks
- Rate limiting: API endpoints are rate-limited to prevent abuse
- Regular security assessments: We conduct periodic reviews of our security posture
Data Breach Notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify you without undue delay, as required by GDPR Articles 33 and 34.
8. Data Sharing & Third-Party Services
We share your data only with the following service providers, solely for the purposes described below. We do not sell your personal data to anyone.
Our Sub-processors:
- RevenueCat (San Francisco, USA): Subscription management and payment processing via Apple App Store and Google Play Store. RevenueCat manages subscription states and purchase validation. They never receive your assessment data. Privacy: https://www.revenuecat.com/privacy
- Anthropic (San Francisco, USA): AI report generation. Anthropic receives anonymized assessment scores to generate your reports. Data is processed transiently and not retained for training. Privacy: https://www.anthropic.com/privacy
- Supabase (San Francisco, USA): Database hosting and authentication. All your account and assessment data is stored on Supabase's infrastructure with encryption at rest. Privacy: https://supabase.com/privacy
- Resend (USA): Transactional email delivery. Resend receives your email address to deliver account notifications, report alerts, and password resets. Privacy: https://resend.com/legal/privacy-policy
- Vercel (San Francisco, USA): Web application hosting. Vercel hosts our web application and processes HTTP requests, which may include IP addresses and browser information. Privacy: https://vercel.com/legal/privacy-policy
- PostHog (San Francisco, USA): Privacy-friendly product analytics. PostHog receives anonymized usage events (screen views, feature usage, performance metrics). We do not send personally identifiable information or assessment data to PostHog. Privacy: https://posthog.com/privacy
- Expo / EAS (USA): Mobile app build infrastructure and push notification delivery. Expo receives push notification tokens to deliver notifications you have opted into. Expo does not receive your assessment data. Privacy: https://expo.dev/privacy
We may also disclose your data if required by law, court order, or government request, or if necessary to protect the rights, property, or safety of Selfward, our users, or others.
9. International Data Transfers
Our service providers are primarily located in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data may be transferred to and processed in the United States. We ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses (SCCs) as approved by the European Commission, and our processors maintain adequate data protection measures. Supabase, RevenueCat, Anthropic, and Vercel each offer data processing agreements that include SCCs for international transfers.
10. Cookies, Tracking & Analytics
We use only essential cookies required for the Service to function (authentication, session management, preferences). We do not use advertising networks, tracking pixels, or cross-site tracking cookies. Your self-discovery data is never used for advertising purposes. For complete details about our cookie usage, please see our Cookie Policy.
Do Not Track: We respect Do Not Track (DNT) browser signals. When we detect a DNT signal, we do not engage in any tracking beyond what is strictly necessary for the Service to function.
11. Your Rights
Depending on your location, you have the following rights regarding your personal data:
Rights Under GDPR (EEA/UK Residents)
- Right of Access (Article 15): Request a copy of all personal data we hold about you
- Right to Rectification (Article 16): Correct inaccurate or incomplete personal data
- Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten")
- Right to Data Portability (Article 20): Receive your data in a structured, commonly used, machine-readable format (JSON). You can export your data at any time from your account settings.
- Right to Restriction (Article 18): Request that we limit how we process your data
- Right to Object (Article 22): Object to processing based on legitimate interests
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority
Rights Under CCPA/CPRA (California Residents)
- Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, and share
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out of Sale: We do not sell your personal information. There is nothing to opt out of.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
- Right to Correct: Request correction of inaccurate personal information
Categories of personal information we collect: Identifiers (email, name), internet activity (usage data), professional information (career assessment responses), and sensitive personal information (mental health screening responses). We do not share or sell any of these categories to third parties for cross-context behavioral advertising.
Rights Under Other US State Privacy Laws
- Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Oregon (OCPA), Texas (TDPSA), and other states with consumer data privacy laws grant their residents similar rights including the right to access, correct, delete, and obtain a copy of personal data, and the right to opt out of the sale of personal data, targeted advertising, and profiling.
- Selfward does not sell personal data, does not engage in targeted advertising, and does not profile users for decisions that produce legal or similarly significant effects. Therefore, there is nothing to opt out of under these laws.
- If you are a resident of any US state with a consumer data privacy law and wish to exercise your rights, contact us at privacy@selfward.ai. If we decline your request, you may appeal by emailing privacy@selfward.ai with the subject line "Privacy Rights Appeal" and we will respond within the legally required timeframe.
To exercise any of these rights, contact us at privacy@selfward.ai or use the data export/deletion features in your account settings. We will respond to verifiable requests within 30 days (GDPR) or 45 days (CCPA/state laws).
12. Referral Program & Financial Incentive Notice
Selfward offers a referral program where existing users can invite others to try the Service. When you participate:
- We collect: your unique referral code, the email addresses or identifiers of people who sign up through your link, and purchase activity tied to your referral
- Both the referrer and referee may receive a $3 credit upon the referee's qualifying purchase
- The value of the financial incentive ($3) is reasonably related to the value of the data provided, based on the cost of customer acquisition
- You may opt out of the referral program at any time by contacting us, and any unused credits will remain in your account
- Self-referrals are prohibited and automatically blocked
13. Data Retention
We retain your data according to the following schedule:
- Account data: Retained for as long as your account is active, plus 30 days after deletion request
- Assessment responses and reports: Retained for as long as your account is active. Deleted within 30 days of account deletion.
- Payment records: Retained for 7 years after the transaction date, as required by tax and financial regulations
- Audit logs: Retained for 3 years for security and compliance purposes
- Anonymized, aggregated data: May be retained indefinitely for research and service improvement. This data cannot be linked back to any individual.
- Referral data: Retained for 2 years after the referral event, or until account deletion, whichever comes first
When you delete your account, we initiate permanent deletion of all your personal data within 30 days. Some data may persist in encrypted backups for up to 90 days before being purged. Data that we are legally required to retain (e.g., payment records for tax compliance) will be retained for the legally mandated period and then deleted.
14. Children's Privacy
Selfward is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at privacy@selfward.ai and we will delete the data within 48 hours. If we discover that we have inadvertently collected data from a child under 18, we will delete it promptly.
15. Policy Changes
We may update this policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. For material changes, we will notify you at least 30 days in advance via email to the address associated with your account and through a prominent notice on our website. Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
16. Contact Us
For privacy-related questions, data protection inquiries, or to exercise your rights, contact us at:
- Email: privacy@selfward.ai
- General inquiries: support@selfward.ai
We aim to respond to all privacy inquiries within 5 business days and to formal data subject requests within the legally required timeframe (30 days for GDPR, 45 days for CCPA).