Indelible Cloud - Unipessoal LDA (“we”, “us”, “our”), a company registered in Portugal, operates the Anxiety Kit mobile app and the anxietykit.app website (together, the “Service”). This policy explains what personal information we collect, why, who we share it with, and the rights you have over your data.
We wrote this in plain English on purpose. If something is unclear, write to privacy@anxietykit.app — we read everything.
1. Quick summary
- We collect only what we need to run the app: account info, your check-ins, journal entries, voice notes, mood logs, and conversations with Kit.
- We do not sell your data.
- We do not use your content to train any public AI model.
- We work with a small set of trusted providers (Supabase, RevenueCat, Sentry, PostHog, Google Analytics on the website only, expo-notifications, and our AI providers) under contracts that protect your data.
- You can export, correct, or delete your data at any time — from inside the app, or by emailing us.
- When you delete your account, we delete your personal data immediately, except where the law requires us to keep specific records (e.g. billing).
2. Information we collect
Account information
When you create an account using Sign in with Apple or Sign in with Google, we collect:
- Your email address.
- An authentication identifier from Apple or Google (a stable ID, not your password).
- Your first name (you choose what to enter; you can change it at any time).
When you use Sign in with Apple or Google, we receive only the minimum information those providers offer (a stable identifier and, if you choose, your email). We never see your Apple or Google password.
Check-ins, journal entries, and voice notes
- Mood check-ins — the level you select (Mild, Moderate, Severe, or Crisis), the time, and any tags.
- Journal entries — the text you write, tags you attach, and timestamps.
- Voice notes — the audio file is stored in our database (Supabase Storage) and transcribed to text so Kit can read it. You can delete the audio, the transcription, or both.
- Exercise sessions — which breathing, grounding, walking, or CBT exercise you ran, when, for how long, and any optional mood-change card you fill in afterwards.
Conversations with Kit
Messages you send to Kit, our AI companion, are processed so Kit can respond. To make Kit’s responses fit your week, we also pass relevant context — your recent journal entries, mood data, and previous Kit messages — to the AI provider for that single response. This is described inside the app every time you start a Kit session.
Subscriptions
Anxiety Kit PRO subscriptions are managed through Apple’s App Store and Google Play, with billing and renewals handled by Apple/Google. We use RevenueCat as the layer that tells our app whether your subscription is active. We never see your card numbers. RevenueCat shares with us:
- An anonymous user identifier we generate.
- Your subscription status and plan (e.g. monthly / annual / trial).
- Renewal dates and cancellation events.
Notifications
If you enable push notifications, we collect a device push token (from Apple Push Notification service or Firebase Cloud Messaging via Expo) so we can deliver Kit check-ins, weekly insights, and reminders you opted in to. You can turn this off in your device settings or inside the app.
Emergency contacts
If you choose to add emergency contacts, those names and phone numbers are stored encrypted on our servers so they sync across your devices. You can import contacts from your device’s address book (this requires a one-time permission). We don’t read or upload your other contacts.
Technical and diagnostic information
- Crash and error reports (Sentry) — when something breaks, we collect the error type, app version, OS version, and a stack trace. We strip user content before sending.
- Product analytics (PostHog) — we record anonymised events such as “exercise started” or “journal entry saved”, with a hashed user identifier. PostHog respects your device’s “Do Not Track” setting and is disabled in development builds. You can opt out inside the app at any time.
- Server logs — when your app talks to our backend, we automatically log the IP address, request path, and timestamp for security and debugging. Logs are kept for 30 days.
What we do NOT collect
- Precise location.
- Health data from Apple Health or Google Health Connect.
- Advertising identifiers (IDFA / GAID).
- Your contacts, photos, calendar, or other apps’ data.
- Marketing or advertising cookies on anxietykit.app. We use a single privacy-respecting analytics tool (Google Analytics with IP anonymization, default-deny consent), described below in section 11.
3. How we use your information
- To provide the app and the features you use.
- To generate your check-in history, streak, mood trends, activity heatmap, and weekly insights.
- To let Kit respond to you with context.
- To process voice notes (transcribe + analyse for Kit).
- To deliver push notifications you opted in to (Kit check-ins, weekly insights, daily routine).
- To detect crashes, prevent abuse, and keep the service secure.
- To send you account-related emails you expect (sign-in confirmations, password resets, deletion receipts). We do not send marketing emails.
We do not sell your data, share it with advertisers, or use your journal entries, voice notes, or Kit conversations to train any public AI model.
4. Legal basis for processing (GDPR)
| Purpose | Legal basis |
|---|---|
| Providing the app and account | Performance of contract |
| Subscription and billing | Performance of contract |
| Push notifications | Consent (you can withdraw any time) |
| Voice recording and microphone | Consent (per-permission) |
| Importing contacts for emergency list | Consent (per-permission) |
| Analytics (PostHog) | Consent (you can opt out) |
| Crash reports, security, fraud prevention | Legitimate interests, balanced against your rights |
| Legal record-keeping (e.g. tax) | Legal obligation |
5. Who we share data with
We work with a small set of service providers who process data on our behalf, under data-processing agreements. We never sell your data.
| Provider | What they do | Data shared |
|---|---|---|
| Supabase, Inc. | Database, authentication, storage (voice notes), realtime, edge functions | All your account and content data, encrypted in transit and at rest |
| RevenueCat, Inc. | Subscription state from App Store / Google Play | Anonymous user ID, subscription status |
| Apple Inc. | App distribution, in-app purchases, Sign in with Apple, push notifications | Apple-managed account info, billing, device push token |
| Google LLC | Play Store distribution, in-app purchases, Sign in with Google, Firebase Cloud Messaging | Google-managed account info, billing, device push token |
| OpenAI, Anthropic, Google (Gemini), Mistral AI, DeepSeek | AI models that power Kit, voice transcription, journal summarisation, weekly insights | The specific message and context needed for that single response. Not used to train their public models. |
| Sentry (Functional Software, Inc.) | Crash and error tracking | Error type, stack trace, app/OS version, anonymous user ID |
| PostHog, Inc. | Product analytics (only if you don’t opt out) | Anonymous events with a hashed user ID |
| Expo (650 Industries, Inc.) | Push notification delivery (relays to Apple / Google) | Device push token, notification payload |
| Google Analytics (Google LLC) — website only | Aggregated visitor analytics on anxietykit.app, only if you accept the cookie banner | Anonymised IP, page views, referrer, device type |
We may also disclose information when required by law (court order, legal obligation, or to protect the safety of our users) or in connection with a business transfer (merger, acquisition, sale of assets) — in which case we will notify you before your data becomes subject to a different policy.
6. International data transfers
Some of our service providers process data outside the European Economic Area, including in the United States. Where this happens, we rely on appropriate safeguards — the European Commission’s Standard Contractual Clauses, the EU–US Data Privacy Framework where applicable, and additional technical measures where needed.
7. How long we keep it
We keep your data for as long as your account is active. When you delete your account, we delete your personal data immediately, except where the law requires us to keep specific records (for example, subscription billing records for tax purposes, which we keep for the period required by Portuguese law).
Server logs are kept for 30 days. Crash reports in Sentry are kept for 90 days. Anonymous analytics events in PostHog are kept for up to 12 months.
8. Security
We encrypt your data in transit (TLS 1.2+) and at rest. Access to production data is limited to a small number of people on a need-to-know basis, with audit logging. Voice notes are stored in a private bucket with strict access policies.
No system is 100% secure. If you discover a vulnerability, please email privacy@anxietykit.app — we’ll get back to you quickly.
9. Your rights
Everyone
You can, at any time:
- Access the information associated with your account from inside the app.
- Correct anything inaccurate — from the app or by emailing us.
- Delete your data while keeping your account.
- Delete your account entirely.
- Export a copy of your data — from inside the app (Profile → Privacy & security → Export all data), or by emailing privacy@anxietykit.app.
- Withdraw consent for analytics, push notifications, microphone, or contacts at any time.
EEA / UK / Switzerland (GDPR)
You also have the right to:
- Restrict processing of your data while a complaint is being resolved.
- Object to processing based on our legitimate interests.
- Receive your data in a portable, machine-readable format.
- Lodge a complaint with your local data protection authority. In Portugal that is the Comissão Nacional de Proteção de Dados (CNPD — cnpd.pt). We’d rather hear from you first — write to dpo@anxietykit.app.
California residents (CCPA / CPRA)
You have the right to:
- Know what personal information we collect, use, and share (this whole policy is that).
- Delete your personal information.
- Correct inaccurate information.
- Opt out of selling or sharing — we don’t sell or share your personal information for cross-context behavioural advertising.
- Limit use of sensitive personal information — we only use sensitive information (such as journal entries) to provide the Service to you.
- Non-discrimination — we won’t treat you differently for exercising any of these rights.
To exercise any of these rights, email privacy@anxietykit.app with “CCPA Request” in the subject. We’ll respond within 45 days.
10. Children
Anxiety Kit is not intended for children under 16. The minimum age of digital consent in Portugal is 16. We don’t knowingly collect data from anyone under 16. If you believe a child has provided us with information, please write to privacy@anxietykit.app and we will delete it.
11. Cookies and similar technologies
On the anxietykit.app website, we use Google Analytics 4 (with IP anonymization, no advertising signals, and Google Consent Mode v2 set to default-deny) to understand which pages help and how to make the site better. Analytics cookies are blocked by default until you accept them in the cookie banner. If you reject, the site keeps working exactly the same.
We do not use marketing or advertising cookies. The mobile app does not use cookies in the classic sense; it stores a small number of strictly necessary items on your device. Full details, including cookie names and durations, are in our Cookie Policy.
12. Changes to this policy
If we make meaningful changes, we’ll update the “Last updated” date and, where appropriate, notify you in the app or by email. Continued use of the Service after changes means you accept the updated policy.
13. Contact us
Indelible Cloud - Unipessoal LDA, Portugal.
- General questions: hello@anxietykit.app
- Privacy questions: privacy@anxietykit.app
- GDPR / DPO requests: dpo@anxietykit.app