Legal
Privacy Policy
Last updated: December 8, 2025
1. Information We Collect
The controller of your personal data is:
Marcin Tobala Digital Media
ul. Służba Polsce 4/18
32-200 Miechów, Poland
VAT ID: PL6591489319
Email: •••@•••••••.•••
For any privacy-related inquiries, please contact us at: •••@•••••••.•••
2. How We Use Your Data
2.1. Account Information
When you create an account with Still You (via the mobile app or website), we collect:
- Email address
- Display name or nickname (optional)
- Profile picture (optional)
- Password (stored in encrypted form) or social login credentials (Apple Sign In, Google Sign In)
- Authentication tokens for seamless cross-device access
2.2. Usage Data
To provide a personalized experience, we collect:
- Meditation session history (which sessions you've completed)
- User preferences (favorite sessions, audio settings)
- Progress in meditation programs and series
- App usage statistics (time spent in the app)
2.3. Technical and Analytics Data
We automatically collect technical data including:
- Device type and operating system (iOS/Android)
- App version and build number
- IP address (anonymized for analytics)
- Device identifiers (IDFA/GAID for analytics, with your consent)
- Crash reports and performance data (via Sentry)
- Push notification tokens (if you enable notifications)
2.4. Mobile App Specific Data
When using the Still You mobile app (iOS or Android), we additionally collect:
- Push notification tokens — Device tokens for OneSignal to send meditation reminders and updates (only if you grant permission)
- Subscription status — RevenueCat manages your Premium subscription status and purchase history (no payment card details)
- App performance metrics — Sentry captures crash reports, stack traces, and performance data to help us fix bugs
- Attribution data — Install source and campaign data for marketing analytics (AppsFlyer/Firebase)
2.5. Payment Information
Premium subscription payments are processed through Apple App Store, Google Play Store, and RevenueCat. We do not store your credit card information — it is securely processed by these payment platforms. RevenueCat stores only subscription status, transaction IDs, and entitlement information to verify your Premium access.
2.6. Information We Do NOT Collect
- Precise GPS location
- Contacts from your phone
- Photos from your gallery (except profile pictures you choose to upload)
- Microphone or camera recordings
- Health data from Apple Health or Google Fit
3. Legal Bases (GDPR)
If you are in the European Union, we process your data on the basis of:
Service Delivery
Legal basis: Contract performance (Art. 6(1)(b) GDPR)
Providing access to the app, syncing progress, personalizing recommendations.
Payment and Subscription Management
Legal basis: Contract performance (Art. 6(1)(b) GDPR)
Managing Premium subscriptions, verifying entitlements.
Analytics and Service Improvement
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) or Consent
Analyzing how users interact with the app to improve our services.
Marketing and Advertising
Legal basis: User consent (Art. 6(1)(a) GDPR)
Displaying personalized ads, remarketing — only with your consent.
Push Notifications
Legal basis: User consent (Art. 6(1)(a) GDPR)
Meditation reminders, new content alerts — you can disable these in your device settings.
We never sell your personal data to third parties for marketing purposes.
4. Sharing Your Data
We never sell your personal data. We share data only in these cases:
Google Analytics 4 (GA4)
Provider: Google LLC (USA)
Purpose: Website and app traffic analysis. We collect data on how users interact with our services to improve them.
Compliance: Google Consent Mode V2, IP anonymization
Google Tag Manager (GTM)
Provider: Google LLC (USA)
Purpose: Management of analytics and marketing scripts on our website.
Meta Pixel (Facebook/Instagram)
Provider: Meta Platforms, Inc. (USA)
Purpose: Remarketing, conversion tracking from Facebook and Instagram ads, campaign optimization.
Requires user consent (Advertisement category)
TikTok Pixel
Provider: TikTok Pte. Ltd. (Singapore/USA)
Purpose: TikTok ad campaign analytics, conversion tracking, remarketing.
Requires user consent (Advertisement category)
OneSignal
Provider: OneSignal, Inc. (USA)
Purpose: Delivering push notifications on web and mobile apps. We use OneSignal to send meditation reminders, new content alerts, and personalized recommendations.
Data collected: Device push token (APNs for iOS, FCM for Android), notification preferences, and interaction data (opens, dismissals). You can disable notifications in your device settings at any time.
Supabase
Provider: Supabase, Inc. (USA)
Purpose: App backend infrastructure, user authentication (Supabase Auth with social login support), PostgreSQL database for user data and meditation progress.
SOC 2 Type II compliant
RevenueCat
Provider: RevenueCat, Inc. (USA)
Purpose: In-app subscription management for our freemium mobile app, purchase verification from Apple App Store and Google Play Store.
Data collected: Anonymous user ID, subscription status, purchase history (transaction IDs, product IDs, expiration dates), and entitlement information. RevenueCat does not receive or store your payment card information — all payments are processed directly by Apple or Google.
Vercel
Provider: Vercel Inc. (USA)
Purpose: Website hosting for stillyou.app, edge functions, access logs.
Sentry
Provider: Functional Software, Inc. (USA)
Purpose: Error tracking and performance monitoring for both our website and mobile apps (iOS and Android native SDKs). Captures application crashes, stack traces, and performance data to help us fix bugs and improve stability.
Data collected: Device type, OS version, app version, error messages, stack traces, and performance metrics. We do not send personally identifiable information to Sentry — crash reports are anonymized.
Cloudflare (including Turnstile)
Provider: Cloudflare, Inc. (USA)
Purpose: CDN (Content Delivery Network), DDoS protection, DNS management, SSL certificates, security logs, and Turnstile bot protection (CAPTCHA alternative).
Upstash
Provider: Upstash, Inc. (USA)
Purpose: Rate limiting to prevent abuse and protect our services. Temporarily stores hashed IP addresses to track request counts.
OpenAI
Provider: OpenAI, L.L.C. (USA)
Purpose: AI-powered task deconstruction in the Goblin Deconstructor tool. When you submit a task, the text is sent to OpenAI for processing.
Resend
Provider: Resend, Inc. (USA)
Purpose: Email delivery for newsletters, waitlist notifications, and transactional emails (e.g., welcome emails when you subscribe).
Algolia
Provider: Algolia, Inc. (USA/France)
Purpose: Site search functionality to help you find tools and blog posts quickly.
Bunny.net
Provider: BunnyWay d.o.o. (Slovenia, EU)
Purpose: Content delivery network (CDN) for streaming meditation audio, video content, and images in the mobile app and website. Ensures fast, reliable media playback worldwide.
Data collected: Standard CDN access logs (IP address, requested content, timestamps) for delivery optimization. No personal data is stored beyond temporary caching for performance.
EU-based company, GDPR compliant
AppsFlyer
Provider: AppsFlyer Ltd. (Israel/USA)
Purpose: Mobile attribution and marketing analytics. Tracks which advertising campaigns lead to app installs and helps us understand our marketing effectiveness.
Data collected: Device identifiers (IDFA/GAID with consent), install source, in-app events (anonymized), and campaign data. Used only for marketing attribution.
5. Data Security
Our website uses cookies and similar technologies. When you first visit, we display a consent banner asking for your permission.
5.1. Security Measures
Necessary
Always Active. Required for website functionality: user session, cookie preferences, security.
Functional
Remember your preferences, enable social media sharing.
Analytics
Google Analytics 4 — traffic analysis, visitor count, traffic sources.
Performance
Website performance monitoring, load times.
Advertisement
Meta Pixel, TikTok Pixel — remarketing, personalized ads, conversion tracking.
5.2. Reporting Security Vulnerabilities
We implement Google Consent Mode V2 for GDPR compliance. This means:
- Analytics and advertising scripts do not load without your consent
- You can change your cookie preferences at any time
- Your consent is saved and respected on subsequent visits
5.3. Managing Cookies
You can manage your cookie preferences by:
- Clicking "Customize" in the cookie consent banner
- Adjusting settings in your browser (blocking all or specific cookies)
- Using incognito/private browsing mode
6. Data Storage and Retention
We retain your personal data for as long as necessary to:
Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation whether we process your data and receive a copy of it.
Right to Rectification (Art. 16 GDPR)
You can request correction of inaccurate data or completion of incomplete data.
Right to Erasure — "Right to be Forgotten" (Art. 17 GDPR)
You can request deletion of your data. In the app, you can delete your account in settings or by contacting us via email.
Right to Restriction of Processing (Art. 18 GDPR)
In certain circumstances, you can request restriction of processing your data.
Right to Data Portability (Art. 20 GDPR)
You have the right to receive your data in a structured format (e.g., JSON) and transfer it to another service provider.
Right to Object (Art. 21 GDPR)
You can object to processing of your data for direct marketing or based on legitimate interest.
Right to Withdraw Consent
If we process data based on your consent, you can withdraw it at any time (e.g., advertising cookie consent).
Right to Lodge a Complaint
You have the right to file a complaint with a supervisory authority. In Poland, this is the President of the Personal Data Protection Office (UODO): uodo.gov.pl
To exercise any of these rights, contact us at: •••@•••••••.•••
7. Your Rights (GDPR & CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know
You have the right to know what categories of personal information we collect, for what purposes, and to whom we disclose it.
Right to Delete
You can request deletion of your personal information that we have collected.
Right to Correct
You can request correction of inaccurate personal information.
Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights.
Right to Opt-Out
You have the right to opt-out of the "sale" or "sharing" of your personal information.
Note: Still You does NOT sell your personal information as defined by CCPA.
"Do Not Sell or Share My Personal Information"
Still You does not sell or share your personal information to third parties for monetary or other valuable consideration. We only share data with our processors (see Section 4) to provide our services.
8. Cookies and Tracking
We use cookies and similar tracking technologies. For more details:
- EU-US Data Privacy Framework — for certified partners (Google, Meta)
- Standard Contractual Clauses (SCCs) — approved by the European Commission
- Additional technical measures — encryption, pseudonymization
9. Children's Data
User Account Data
Retained while your account exists. Upon account deletion, data is deleted immediately.
Analytics Data
Anonymized analytics data retained for 14 months (default GA4 setting).
Transaction Data (Invoices)
Retained for 5 years from the end of the tax year in accordance with Polish tax law.
Security Logs
Retained for 90 days for security and abuse detection purposes.
10. International Transfers
The Still You app is intended for users who are at least 16 years old. We do not knowingly collect personal information from anyone under this age.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at •••@•••••••.•••, and we will delete this information.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or the law.
- Data encryption in transit (TLS/SSL)
- Data encryption at rest (AES-256)
- Passwords stored using strong hashing algorithms
- SOC 2 compliant infrastructure (Supabase, RevenueCat)
- DDoS protection (Cloudflare)
- Regular security updates
- Secure mobile app signing (Apple App Store, Google Play)
- Certificate pinning for API communication
12. Contact Us
If you have questions about this Privacy Policy or about how we process your data, contact us:
Still You is a wellness app for relaxation and meditation. It is not a medical device or treatment. We do not collect health data as defined by GDPR (special category data). For the full health disclaimer, please see our Terms of Service.
13. Data Protection Authority
We may update this privacy policy from time to time. We will notify you of significant changes through:
- Email (if you have an account)
- In-app notification
- Updating the "Last updated" date on this page
Continued use of the service after changes constitutes acceptance of the updated policy.
14. Contact Us
For privacy-related inquiries or to exercise your rights, contact us:
Marcin Tobala Digital Media
ul. Służba Polsce 4/18
32-200 Miechów, Poland
Email: •••@•••••••.•••
We will respond to your inquiry within 30 days of receipt.
Your peace of mind extends to your privacy. We are committed to protecting it.