Privacy Policy

This policy explains how we collect, use, protect, and share your personal data across the Lytyr experience, including journaling, habit tracking, AI-powered support, and beta programs.

Last updated: November 13, 2025
Effective date: November 13, 2025

1. INTRODUCTION

This Privacy Policy describes how Lytyr ("we," "us," or "our") collects, uses, processes, stores, shares, and protects your personal information when you use the Lytyr mobile application (the "App" or "Service").

Lytyr is a journaling and habit tracking application that uses artificial intelligence to provide personalized insights and support for your wellness journey. We are committed to protecting your privacy and maintaining the confidentiality of your personal information, including sensitive wellness and health-related data you entrust to us.

Your privacy is our priority. This Privacy Policy is designed to help you understand:

  • What personal information we collect and why
  • How we use, process, and protect your information
  • Your rights and choices regarding your personal data
  • How to contact us with questions or concerns

By using the Lytyr App, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our App.

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

Account Information:

  • Name (full name or preferred name)
  • Email address
  • Password (encrypted and never stored in plain text)
  • Profile information (profile picture, display name, preferences)
  • Account settings and preferences

Wellness and Personal Data (Special Category Data):

  • Journal entries: Written reflections, thoughts, feelings, and experiences you document in the App
  • Habit tracking data: Information about habits you're tracking, completion status, streaks, and progress
  • Onboarding questionnaire responses: Information about your wellness goals, current state, areas of focus, and personal dimensions (emotional, physical, mental health, relationships, etc.)
  • Mood and emotional data: Self-reported mood states, emotional check-ins, and wellness assessments
  • Goals and intentions: Personal objectives, aspirations, and targets you set within the App
  • AI chat interactions: Messages, questions, and conversations you have with our AI-powered assistant

IMPORTANT NOTICE: Under the General Data Protection Regulation (GDPR), much of the information collected by Lytyr constitutes "special category data" (also known as sensitive personal data), including health data, emotional wellbeing information, and other data revealing aspects of your mental and physical health. We treat this data with the highest level of protection and will only process it with your explicit consent or as otherwise permitted by law.

2.2 Information Collected Automatically

Device and Usage Information:

  • Device type, model, and operating system version (iOS)
  • Unique device identifiers (IDFA, device ID)
  • App version and build information
  • IP address (temporarily processed for authentication and security)
  • App usage data (features used, frequency of use, session duration)
  • Crash reports and performance diagnostics
  • Error logs and debugging information

Analytics Information:

  • In-app behavior and navigation patterns
  • Feature engagement and interaction data
  • Timestamps of activities
  • Screen views and user flows

2.3 Information We DO NOT Collect

We want to be transparent about what we do not collect:

  • We do NOT collect precise geolocation data
  • We do NOT access your contacts, photos, or other apps without explicit permission
  • We do NOT collect information from third-party social media accounts (unless you explicitly connect them)
  • We do NOT collect biometric data beyond what is used locally on your device for authentication (e.g., Face ID, Touch ID)
  • We do NOT sell your personal data to third parties
  • We do NOT target children under 13 years of age (see Section 11)

3. HOW WE USE YOUR INFORMATION

We use your personal information for the following purposes:

3.1 Providing and Improving the Service

Legal Basis: Performance of contract, legitimate interests, explicit consent (for special category data)

  • Service Delivery: To provide, maintain, and improve the Lytyr App's core functionality, including journaling, habit tracking, and AI-powered insights
  • Personalization: To customize your experience, provide relevant AI-generated reflections, insights, and recommendations based on your journal entries and habits
  • AI Processing: To process your journal entries, habit data, and chat interactions through our AI service provider (OpenAI) to generate personalized responses, insights, and wellness support
  • Feature Development: To develop new features, test functionality, and improve existing capabilities
  • User Support: To respond to your inquiries, provide customer support, and troubleshoot technical issues

3.2 Account Management and Authentication

Legal Basis: Performance of contract, legal obligation

  • Account Creation and Management: To create and manage your Lytyr account
  • Authentication: To verify your identity and secure your account
  • Security: To protect against unauthorized access, fraud, and security threats

3.3 Communications

Legal Basis: Performance of contract, legitimate interests, consent (for marketing)

  • Service Communications: To send you important updates about the App, changes to our policies, security alerts, and technical notices
  • Customer Support: To communicate with you regarding support requests and feedback
  • Marketing Communications (only with your consent): To send you promotional materials, newsletters, and information about new features (you may opt out at any time)

3.4 Analytics and Performance Monitoring

Legal Basis: Legitimate interests, consent (where required)

  • App Performance: To monitor app stability, identify and fix bugs, and optimize performance
  • Usage Analytics: To understand how users interact with the App and which features are most valuable
  • Crash Reporting: To diagnose and resolve technical issues that cause app crashes

Legal Basis: Legal obligation, vital interests, legitimate interests

  • Legal Compliance: To comply with applicable laws, regulations, and legal processes
  • Rights Protection: To protect our legal rights, property, and safety, as well as those of our users and the public
  • Fraud Prevention: To detect, prevent, and address fraud, security issues, and potentially illegal activities

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data based on the following legal grounds:

| Purpose | Legal Basis |
|---|---|
| Providing core App functionality (journaling, habits, AI features) | Performance of contract (our Terms of Service) |
| Processing wellness and health-related data (special category data) | Explicit consent |
| Account creation and authentication | Performance of contract |
| Customer support and communications | Performance of contract, legitimate interests |
| App analytics and improvements | Legitimate interests (improving our Service) |
| Security and fraud prevention | Legitimate interests, legal obligation |
| Legal compliance and law enforcement | Legal obligation, legitimate interests |
| Marketing communications | Consent (opt-in required) |

Special Note on Sensitive Data: Because Lytyr processes special category data (including health data, emotional wellbeing information, and mental health-related content), we rely primarily on your explicit consent as our legal basis for processing this sensitive information. You provide this consent when you:

  • Accept this Privacy Policy during account creation
  • Use features that process sensitive data (journaling, AI chat, habit tracking)
  • Explicitly opt in to share such data with our AI service provider

You have the right to withdraw your consent at any time (see Section 9).

5. HOW WE SHARE YOUR INFORMATION

We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances:

5.1 Third-Party Service Providers

We engage trusted third-party service providers to help us deliver and improve the Lytyr App. These providers process your data on our behalf and are contractually obligated to protect your information and use it only for the purposes we specify.

Current Service Providers:

Supabase (Database and Authentication Provider)

  • Services Provided: Database hosting, data storage, user authentication, real-time data synchronization
  • Data Shared: All user data including account information, journal entries, habit data, and app content
  • Data Location: Stored in Supabase's secure cloud infrastructure (you may select EU or US regions)
  • Data Processing Agreement: We have a Data Processing Agreement (DPA) in place with Supabase
  • Privacy and Security:
    • Supabase is SOC 2 Type II certified
    • Data is encrypted in transit (TLS) and at rest (AES-256)
    • Supabase complies with GDPR requirements
    • For more information: https://supabase.com/privacy

OpenAI (AI Processing Provider)

  • Services Provided: AI-powered chat assistant, journal analysis, personalized insights generation, conversational support
  • Data Shared: Journal entries, habit data, AI chat messages, and other content you choose to process through AI features
  • Purpose: To generate personalized AI responses, reflections, insights, and wellness support
  • Data Processing Agreement: We have a Data Processing Agreement (DPA) in place with OpenAI under their API Terms of Service
  • Data Retention and Usage:
    • API Data Retention: OpenAI may retain API inputs and outputs for up to 30 days for abuse monitoring and safety purposes
    • No Training on Your Data: OpenAI does NOT use data submitted via the API to train or improve their models unless you explicitly opt in (which Lytyr does not)
    • Data is encrypted in transit (TLS) and at rest (AES-256)
    • OpenAI maintains security certifications including SOC 2 Type II
  • International Transfer: Your data may be transferred to and processed in the United States by OpenAI. This transfer is protected by Standard Contractual Clauses (SCCs) and OpenAI's participation in the EU-U.S. Data Privacy Framework (DPF)
  • For more information: https://openai.com/privacy

IMPORTANT AI PROCESSING DISCLOSURE: When you use AI-powered features in Lytyr (including the AI chat assistant and journal insights), your journal entries, messages, and related context are sent to OpenAI's servers for processing. While OpenAI provides strong security and privacy protections, you should be aware that your sensitive personal data leaves our direct control during this processing. We have implemented contractual safeguards, but you should only use AI features with content you're comfortable sharing for this purpose.

5.2 Sub-Processors

Our primary service providers (Supabase and OpenAI) may engage their own sub-processors to deliver services. These sub-processors include:

Supabase Sub-Processors (examples may include):

  • Cloud infrastructure providers (AWS, Google Cloud)
  • Authentication services
  • Data warehousing and analytics providers
  • Customer support platforms

OpenAI Sub-Processors (examples may include):

  • Cloud computing providers (Microsoft Azure)
  • Content moderation services
  • Security and monitoring services

For current, complete lists of sub-processors:

We may disclose your information if required to do so by law or if we believe in good faith that such action is necessary to:

  • Comply with legal obligations, court orders, subpoenas, or valid requests by government authorities
  • Enforce our Terms of Service or other agreements
  • Protect and defend our rights, property, or safety, or that of our users or the public
  • Detect, prevent, or address fraud, security issues, or technical problems
  • Protect against legal liability

We will notify you of legal requests for your information unless prohibited by law or if the request involves imminent harm.

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice in the App before your information is transferred and becomes subject to a different privacy policy.

We may share your information with third parties when you explicitly consent to such sharing.

5.6 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. For example, we may share aggregated usage statistics about the App or anonymized research findings. This data is not considered personal information.

6. INTERNATIONAL DATA TRANSFERS

Lytyr is based in [Your Location], and we process and store data using service providers located in different countries, including the United States.

6.1 Transfers from the EEA/UK/Switzerland

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, please be aware that your personal information may be transferred to, stored in, and processed in countries outside your country of residence, including the United States, which may have different data protection laws.

Transfer Mechanisms:

We ensure appropriate safeguards are in place for these transfers:

  • EU-U.S. Data Privacy Framework (DPF): OpenAI participates in the EU-U.S. Data Privacy Framework, which provides an adequacy mechanism for transfers to the United States
  • Standard Contractual Clauses (SCCs): We have implemented Standard Contractual Clauses approved by the European Commission with our service providers
  • Data Processing Agreements: We maintain comprehensive Data Processing Agreements with all providers processing your personal data
  • Additional Safeguards: Our service providers implement technical and organizational security measures equivalent to those required by the GDPR

6.2 Data Storage Locations

  • Supabase: You may select your preferred data region (EU or US) during setup. We recommend EU users select EU regions for data residency
  • OpenAI: Data is processed in the United States with safeguards as described above
  • Backups: Encrypted backups may be stored in multiple geographic regions for redundancy and disaster recovery

7. DATA RETENTION

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

7.1 Retention Periods

| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Duration of account + 30 days after deletion | Provide Service, legal compliance |
| Journal entries and habit data | Duration of account + 30 days after deletion | Provide Service, user access |
| AI chat interactions | Duration of account + 30 days after deletion | Provide Service, context continuity |
| OpenAI API data | Up to 30 days (by OpenAI for abuse monitoring) | Security and abuse prevention |
| Usage and analytics data | 24 months or until withdrawal of consent | Product improvement, analytics |
| Crash reports and diagnostics | 12 months | Technical support, bug fixing |
| Customer support communications | 3 years after resolution | Support continuity, legal compliance |
| Payment and billing records | 7 years | Tax compliance, financial regulations |
| Security logs | 12 months | Security monitoring, fraud prevention |

7.2 Account Deletion

When you delete your Lytyr account:

  1. Immediate Actions (within 24 hours):

    • Your account is deactivated and you can no longer access the App
    • Your account is marked for deletion in our systems
  2. Full Deletion (within 30 days):

    • All your personal data (journal entries, habit data, AI chat history, account information) is permanently deleted from our production databases
    • Data is removed from our service providers' systems (Supabase, OpenAI)
    • Backups containing your data are deleted according to our backup retention cycle (maximum 90 days)
  3. Exceptions:

    • We may retain limited information if required by law (e.g., for tax or legal obligations)
    • Aggregated, anonymized data that cannot identify you may be retained indefinitely for analytics
    • Data necessary to resolve disputes or enforce our agreements may be retained as legally required

7.3 Data Minimization

We follow the principle of data minimization and only collect and retain data that is necessary for the purposes described in this Privacy Policy. We regularly review our data retention practices to ensure compliance with applicable laws.

8. SECURITY MEASURES

We implement comprehensive technical, administrative, and physical security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction.

8.1 Technical Security Measures

Encryption:

  • In Transit: All data transmitted between your device and our servers uses TLS (Transport Layer Security) encryption
  • At Rest: All data stored in our databases is encrypted using AES-256 encryption
  • End-to-End Protection: Sensitive data is encrypted throughout its lifecycle

Access Controls:

  • Multi-factor authentication (MFA) for administrative access
  • Role-based access control (RBAC) limiting employee access to data
  • Principle of least privilege (employees only access data necessary for their role)
  • Regular access reviews and audits

Authentication and Authorization:

  • Secure authentication using industry-standard protocols
  • Password hashing using bcrypt or similar secure algorithms
  • Support for biometric authentication (Face ID, Touch ID) on compatible devices
  • Session management and automatic logout

Infrastructure Security:

  • Secure cloud infrastructure provided by SOC 2 certified providers
  • Regular security patching and updates
  • Intrusion detection and prevention systems
  • DDoS protection and rate limiting
  • Continuous security monitoring and logging

8.2 Organizational Security Measures

Personnel Security:

  • Background checks for employees with access to personal data
  • Confidentiality and data protection training for all staff
  • Strict confidentiality agreements and policies
  • Limited number of employees with access to sensitive data

Security Policies and Procedures:

  • Comprehensive information security policies
  • Incident response and breach notification procedures
  • Regular security risk assessments
  • Data protection impact assessments (DPIAs) for high-risk processing
  • Business continuity and disaster recovery plans

Third-Party Security:

  • Vendor security assessments and due diligence
  • Data Processing Agreements with strict security requirements
  • Regular audits of third-party security practices
  • Contractual obligations for sub-processors

8.3 Your Role in Security

While we implement strong security measures, you also play a crucial role:

  • Protect Your Credentials: Keep your password secure and do not share it with others
  • Enable Device Security: Use device passcodes and biometric authentication
  • Update Regularly: Keep your App and device operating system updated
  • Be Vigilant: Report any suspicious activity or security concerns to us immediately
  • Secure Your Device: Use anti-malware software and avoid jailbreaking/rooting

8.4 Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will:

  • Notify affected users without undue delay (within 72 hours where required by law)
  • Provide clear information about the breach, data affected, and potential risks
  • Describe the measures we are taking to address the breach and prevent future incidents
  • Notify relevant supervisory authorities as required by law
  • Provide guidance on steps you can take to protect yourself

9. YOUR RIGHTS AND CHOICES

We respect your rights regarding your personal data. Depending on your location, you may have the following rights:

9.1 Rights Under GDPR (EEA, UK, Switzerland)

If you are in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:

1. Right to Be Informed

  • You have the right to clear, transparent information about how we use your data (this Privacy Policy)

2. Right of Access (Data Subject Access Request)

  • You can request a copy of the personal data we hold about you
  • We will provide this in a structured, commonly used, machine-readable format
  • How to exercise: Contact us at privacy@lytyr.com or use the in-app "Download My Data" feature

3. Right to Rectification

  • You can request correction of inaccurate or incomplete personal data
  • How to exercise: Update your information in the App settings or contact us

4. Right to Erasure ("Right to Be Forgotten")

  • You can request deletion of your personal data in certain circumstances:
    • The data is no longer necessary for the purpose it was collected
    • You withdraw consent and there is no other legal basis for processing
    • You object to processing and there are no overriding legitimate grounds
    • The data has been unlawfully processed
    • Erasure is required for legal compliance
  • How to exercise: Use the in-app "Delete Account" feature or contact us at privacy@lytyr.com
  • Timeframe: Account and data deletion completed within 30 days

5. Right to Restrict Processing

  • You can request that we limit how we use your data in certain circumstances:
    • You contest the accuracy of the data
    • Processing is unlawful but you don't want erasure
    • We no longer need the data, but you need it for legal claims
    • You've objected to processing and we're verifying our legitimate grounds
  • How to exercise: Contact us at privacy@lytyr.com

6. Right to Data Portability

  • You can receive your personal data in a structured, machine-readable format (JSON, CSV)
  • You can request that we transfer your data directly to another service where technically feasible
  • How to exercise: Use the in-app "Export Data" feature or contact us

7. Right to Object

  • You can object to processing based on legitimate interests or for direct marketing
  • We will stop processing unless we have compelling legitimate grounds
  • How to exercise: Contact us at privacy@lytyr.com or adjust preferences in App settings

8. Rights Related to Automated Decision-Making and Profiling

  • You have the right not to be subject to decisions based solely on automated processing that significantly affects you
  • Lytyr's AI features provide insights and suggestions but do not make automated decisions that produce legal or similarly significant effects
  • You always retain control over how you use AI-generated insights

9. Right to Withdraw Consent

  • Where we process your data based on consent (especially special category data), you can withdraw consent at any time
  • This does not affect the lawfulness of processing before withdrawal
  • How to exercise: Adjust settings in the App or contact us at privacy@lytyr.com

10. Right to Lodge a Complaint

  • You have the right to complain to a data protection supervisory authority if you believe we have violated your data protection rights
  • EU/EEA: Contact your local data protection authority (list available at https://edpb.europa.eu/)
  • UK: Information Commissioner's Office (ICO) - https://ico.org.uk/

9.2 Rights Under CCPA/CPRA (California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

1. Right to Know

  • You can request information about the personal information we have collected about you in the past 12 months, including:
    • Categories of personal information collected
    • Categories of sources
    • Business or commercial purposes for collection
    • Categories of third parties with whom we share data
    • Specific pieces of personal information collected about you

2. Right to Delete

  • You can request deletion of personal information we have collected from you, subject to certain exceptions

3. Right to Correct

  • You can request correction of inaccurate personal information

4. Right to Opt-Out of Sale or Sharing

  • IMPORTANT: Lytyr does NOT sell or share your personal information for cross-context behavioral advertising. Therefore, this right does not apply.

5. Right to Limit Use and Disclosure of Sensitive Personal Information

  • You can limit our use of sensitive personal information to only what is necessary to provide the Service
  • How to exercise: Contact us at privacy@lytyr.com to discuss limitations

6. Right to Non-Discrimination

  • We will not discriminate against you for exercising your CCPA/CPRA rights
  • We will not:
    • Deny goods or services
    • Charge different prices or rates
    • Provide a different level of quality
    • Suggest you will receive different pricing or quality

7. Right to Opt-In for Sale of Data (Minors)

  • We do not sell the personal information of minors under 16 years of age
  • We do not knowingly collect information from users under 13 (see Section 11)

How to Exercise Your California Rights:

  • Email: privacy@lytyr.com
  • In-App: Use account settings or data management features
  • Authorized Agent: You may designate an authorized agent to make requests on your behalf (written authorization required)

Verification Process:

  • We will verify your identity before responding to requests to protect your privacy
  • We may request additional information (email verification, account details)
  • We will respond to verified requests within 45 days (may be extended by 45 days with notice)

9.3 Marketing Communications

Opt-Out of Marketing:

  • You can opt out of promotional emails by clicking "Unsubscribe" in any marketing email
  • You can adjust notification preferences in the App settings
  • You can contact us at privacy@lytyr.com to opt out

Note: Even if you opt out of marketing communications, we will still send you transactional and service-related communications (e.g., account notifications, security alerts, updates to policies).

9.4 Response Times

We are committed to responding to your requests promptly:

  • GDPR Requests: Within 1 month (may be extended by 2 months for complex requests)
  • CCPA Requests: Within 45 days (may be extended by 45 days with notice)
  • General Inquiries: Within 5-7 business days

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 What We Use

Lytyr is a native mobile application and does not use traditional web cookies. However, we use similar technologies for analytics, performance monitoring, and authentication:

Authentication Tokens:

  • Secure tokens to maintain your logged-in session
  • Stored securely on your device
  • Required for App functionality

Analytics and Performance:

  • Anonymous usage analytics to understand how users interact with the App
  • Crash reporting to identify and fix bugs
  • Performance monitoring to optimize App speed and stability

Device Identifiers:

  • Unique device identifiers for authentication and security
  • Advertising identifiers (IDFA on iOS) - used only with your consent and never for cross-app tracking

10.2 Third-Party SDKs

We may use third-party software development kits (SDKs) for analytics and performance monitoring. These SDKs may collect:

  • Device information
  • App usage data
  • Crash reports
  • Performance metrics

Your Choices:

  • You can limit ad tracking through your device settings (iOS: Settings > Privacy > Tracking)
  • You can opt out of analytics through App settings
  • Certain tracking is essential for App functionality and cannot be disabled

11. CHILDREN'S PRIVACY

11.1 Age Restrictions

Lytyr is not directed to children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 13.

Age Requirements by Jurisdiction:

  • United States: Must be 13 years or older (COPPA)
  • European Union: Must be 16 years or older (or age of digital consent in your country, which may be lower with parental consent)
  • Other Jurisdictions: Must meet the minimum age requirement in your location

11.2 Parental Verification

By using Lytyr, you represent and warrant that you meet the minimum age requirement in your jurisdiction. If you are a parent or guardian and believe your child under 13 (or applicable age) has provided us with personal information, please contact us immediately at privacy@lytyr.com.

11.3 Discovery of Child Data

If we discover that we have inadvertently collected personal information from a child under the applicable age without proper parental consent:

  • We will delete the information as quickly as possible
  • We will terminate the account
  • We will not use the information for any purpose

11.4 Minors Between 13-18

If you are between 13-18 years old (or between the age of digital consent and 18 in your jurisdiction), you may use Lytyr, but we encourage you to review this Privacy Policy with a parent or guardian. Certain features, such as AI processing of sensitive wellness data, involve complex privacy considerations that minors should discuss with trusted adults.

12. AUTOMATED DECISION-MAKING AND AI PROCESSING

12.1 AI Features in Lytyr

Lytyr uses artificial intelligence (powered by OpenAI) to provide the following features:

AI Chat Assistant:

  • Provides conversational support, reflections, and insights based on your journal entries and habits
  • Asks reflective questions to deepen your self-awareness
  • Offers personalized wellness suggestions and perspectives

Journal Analysis:

  • Analyzes your journal entries to identify patterns, themes, and emotional trends
  • Generates insights about your wellness journey
  • Provides personalized reflections and observations

Habit Insights:

  • Analyzes your habit tracking data to provide progress reports and recommendations
  • Identifies correlations between habits and your wellbeing

12.2 Transparency About AI Processing

How AI Works in Lytyr:

  1. When you use AI features, your journal entries, messages, or habit data are sent to OpenAI's servers
  2. OpenAI's language models process this data and generate personalized responses, insights, or analyses
  3. The AI-generated content is returned to you within the App
  4. Your inputs and AI outputs may be temporarily retained by OpenAI for up to 30 days for abuse monitoring

Limitations and Considerations:

  • AI-generated insights are suggestions, not professional medical or mental health advice
  • AI may occasionally produce inaccurate or incomplete information
  • AI responses are based on patterns in data, not human judgment or clinical expertise
  • AI cannot understand the full context of your life or situation

IMPORTANT: Lytyr does NOT use automated decision-making (including AI) to make decisions that produce legal or similarly significant effects concerning you.

  • AI features are assistive tools that provide insights and suggestions
  • You retain full control over all decisions regarding your wellness, habits, and how you use the App
  • AI does not make decisions about your access to services, benefits, or any legally significant outcomes
  • You can always choose not to use AI features and still access Lytyr's core functionality

12.4 Your Rights Regarding AI

  • Right to Human Review: While we don't make automated decisions with legal effect, you can always contact our support team for human assistance with any App-related issues
  • Right to Explanation: You can request information about how AI features work by contacting us at privacy@lytyr.com
  • Right to Object: You can choose not to use AI features or opt out of AI processing at any time
  • Right to Feedback: We welcome feedback about AI-generated content to help us improve

12.5 AI Safety and Guardrails

We have implemented safety measures in our AI features:

  • Content moderation to prevent harmful or inappropriate outputs
  • Clear disclaimers that AI is not a substitute for professional mental health care
  • Crisis detection with guidance to contact professional help
  • Regular monitoring and improvement of AI quality and safety

If you are in crisis or need professional help, please contact:

13. APPLE APP STORE PRIVACY REQUIREMENTS

13.1 App Privacy Nutrition Label

In accordance with Apple's App Store requirements, we disclose the following data collection practices in our App Store listing:

Data Used to Track You: None. We do not track you across apps and websites owned by other companies for advertising or advertising measurement purposes.

Data Linked to You:

  • Contact Information (email address, name)
  • Health & Fitness (journal entries, mood data, wellness information)
  • User Content (journal entries, notes, AI chat messages)
  • Identifiers (user ID, device ID)
  • Usage Data (app interactions, feature usage)
  • Diagnostics (crash logs, performance data)

Data Not Linked to You:

  • Aggregated analytics data that cannot identify you

13.2 Privacy Manifest

Lytyr's privacy manifest (required by Apple) is available within the App bundle and declares all data collection practices and SDK usage in accordance with Apple's requirements.

14. CHANGES TO THIS PRIVACY POLICY

14.1 Policy Updates

We may update this Privacy Policy from time to time to reflect changes in:

  • Our data practices
  • Legal or regulatory requirements
  • New features or services
  • User feedback and best practices

14.2 Notification of Changes

Material Changes: For significant changes that affect your rights or how we handle your data, we will:

  • Notify you via email (to the address on your account)
  • Display a prominent notice in the App
  • Request your renewed consent where required by law
  • Provide at least 30 days' notice before changes take effect (where required)

Non-Material Changes: For minor updates (e.g., clarifications, formatting, contact information), we will:

  • Update the "Last Updated" date at the top of this Privacy Policy
  • Make the updated policy available in the App and on our website

14.3 Your Options

If you disagree with changes to this Privacy Policy:

  • You may discontinue use of the App
  • You may delete your account (see Section 7.2)
  • Your continued use of the App after changes take effect constitutes acceptance of the updated Privacy Policy

14.4 Version History

Previous versions of this Privacy Policy are available upon request by contacting privacy@lytyr.com.

15. CONTACT INFORMATION

15.1 Privacy Inquiries

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@lytyr.com

Data Protection Officer (if applicable): [If you appoint a DPO, include name and contact information here]

Mailing Address: Lytyr [Your Company Legal Address] [City, State, ZIP] [Country]

15.2 Response Times

We strive to respond to all privacy inquiries within:

  • General Questions: 5-7 business days
  • Data Subject Rights Requests: Within legally required timeframes (see Section 9)
  • Security Concerns: Within 24-48 hours

15.3 Supervisory Authority

If you are in the EEA, UK, or Switzerland and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority:

EU/EEA Data Protection Authorities: Find your local authority at: https://edpb.europa.eu/about-edpb/board/members_en

UK Information Commissioner's Office (ICO): Website: https://ico.org.uk/make-a-complaint/ Phone: 0303 123 1113

Swiss Federal Data Protection and Information Commissioner (FDPIC): Website: https://www.edoeb.admin.ch/edoeb/en/home.html

16. JURISDICTION-SPECIFIC DISCLOSURES

16.1 California Residents

California "Shine the Light" Law: California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. Lytyr does not share personal information with third parties for their direct marketing purposes.

CCPA/CPRA Metrics (Annual Disclosure): We will publish annual statistics about CCPA/CPRA requests at: [Your Website]/ccpa-metrics

16.2 Nevada Residents

Nevada residents have the right to opt out of the sale of certain personal information. Lytyr does not sell personal information as defined under Nevada law. If you have questions, contact us at privacy@lytyr.com.

16.3 Brazil (LGPD)

For users in Brazil, we comply with the Lei Geral de Proteção de Dados (LGPD). You have rights similar to those described in Section 9, including the right to access, correct, delete, and port your data. Contact us at privacy@lytyr.com to exercise these rights.

16.4 Australia (Privacy Act)

For Australian users, we comply with the Australian Privacy Principles (APPs). You have the right to access and correct your personal information. Complaints can be made to the Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au/

17. ADDITIONAL INFORMATION

17.1 Do Not Track Signals

Lytyr is a mobile app and does not respond to web browser "Do Not Track" signals. However, you can control tracking through your device settings (iOS: Settings > Privacy > Tracking).

The App may contain links to third-party websites, services, or resources. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access.

17.3 Data Accuracy

We rely on you to ensure that your account information is accurate, complete, and up to date. You can update your information at any time through the App settings. If you discover inaccuracies in your data, please contact us or update it directly.

17.4 Account Security

You are responsible for maintaining the confidentiality of your account credentials. Please notify us immediately if you suspect unauthorized access to your account at privacy@lytyr.com or through the App's support feature.

17.5 No Professional Advice

Lytyr is a wellness journaling and habit tracking tool. It is not a substitute for professional medical, mental health, or therapeutic services. AI-generated insights and content are for informational and reflective purposes only and should not be relied upon as professional advice.

If you are experiencing a mental health crisis or emergency, please contact emergency services or a mental health professional immediately.

For transparency, here is a complete summary of our legal bases for processing:

Processing Activity | Legal Basis | Data Categories
Account creation and management | Performance of contract | Name, email, password, account settings
Journaling and habit tracking | Performance of contract + Explicit consent | Journal entries, habit data, wellness information
AI chat and insights | Performance of contract + Explicit consent | Journal entries, messages, habit data, AI interactions
Authentication | Performance of contract | Email, password, device identifiers
App analytics and improvement | Legitimate interests + Consent (where required) | Usage data, device information, analytics
Customer support | Performance of contract + Legitimate interests | Name, email, support messages, account data
Security and fraud prevention | Legitimate interests + Legal obligation | IP address, device information, security logs
Legal compliance | Legal obligation | As required by law
Marketing communications | Consent (opt-in required) | Name, email
Data storage and backup | Performance of contract + Legitimate interests | All account and user data

By creating an account and using the Lytyr App, you acknowledge that you have read, understood, and agree to this Privacy Policy.

For Special Category Data (Sensitive Data): By using features that process wellness, health, emotional, or other sensitive personal data, you provide your explicit consent for us to process this special category data as described in this Privacy Policy. You may withdraw this consent at any time by discontinuing use of these features or deleting your account.

For Marketing Communications: We will only send you marketing communications if you opt in to receive them. You can withdraw consent at any time.

For Users in the EEA/UK/Switzerland: You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

20. GLOSSARY OF TERMS

To help you understand this Privacy Policy, here are definitions of key terms:

Personal Data/Personal Information: Any information relating to an identified or identifiable individual (e.g., name, email, journal entries).

Special Category Data/Sensitive Personal Data: Personal data revealing health, emotional wellbeing, mental state, or other sensitive characteristics (receives extra protection under GDPR).

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

Controller/Data Controller: The entity that determines the purposes and means of processing personal data (Lytyr).

Processor/Data Processor: An entity that processes personal data on behalf of the controller (e.g., Supabase, OpenAI).

Data Subject: An individual whose personal data is being processed (you, the user).

DPA (Data Processing Agreement): A contract between a controller and processor governing data processing activities.

GDPR: General Data Protection Regulation - EU privacy law.

CCPA/CPRA: California Consumer Privacy Act / California Privacy Rights Act - California privacy law.

Explicit Consent: Clear, specific, and affirmative consent given through a statement or action (required for special category data under GDPR).

Legitimate Interests: A legal basis for processing where the controller has a legitimate reason to process data and it doesn't override the individual's rights.

Anonymization: Process of removing or altering data so that individuals cannot be identified.

Encryption: Converting data into a coded format to prevent unauthorized access.

Thank you for trusting Lytyr with your personal information. Your privacy and security are our top priorities.

Last Updated: November 13, 2025 Version: 1.0