📋 Privacy Policy

Privacy Policy v4.0

BreakrAI ("breakrai.com") — Effective Date: May 18, 2026
Applies to: Web App · iOS App · Android App

We collect only what's necessary to run BreakrAI. We never sell your data to anyone, for any reason.
1 · Who We Are (Data Controller)
BreakrAI
BreakrAI is an independent application and the sole data controller for all personal data collected through this Service.

Contact: help@breakrai.com
Website: breakrai.com

All privacy requests (access, deletion, portability, correction) must be submitted to the email above. We respond within 30 days.
2 · Data We Collect, Why & Legal Basis
| Category | Specific Data | Legal Basis (GDPR) | Purpose |
|---|---|---|---|
| Account Data | Name, email, Google profile photo (via Google Sign-In) | Contract performance | Account creation, authentication, identification |
| Recovery Data | Streak count, relapse logs, last relapse date, join date, subscription status | Contract performance | Core app functionality; cross-device sync via Firestore |
| Journal Entries | Text responses to CBT-inspired exercises and self-reflection prompts | Explicit consent (recorded at signup) | Saving your work; displayed only to you; never used to train AI models |
| AI Chat Messages | Messages you send to the AI coaching feature | Contract performance | Generating AI coach responses; transmitted to Anthropic API (see §4) |
| Usage Data | Daily AI message count, feature interactions, session timestamps | Legitimate interest | Enforcing free-tier limits; app performance analytics |
| Local Storage Data | Session tokens, cached auth state, UI preferences stored in browser/device local storage | Legitimate interest (strictly necessary) | Keeping you signed in; app performance. Cannot be disabled without breaking core functionality. |
| Consent Record | Timestamp of your Terms/Privacy consent, version accepted | Legal obligation | Demonstrating GDPR compliance; stored in Firestore |
| Device & Technical Data | Browser type, OS version, approximate IP address (automatically collected by Firebase) | Legitimate interest | Security, fraud prevention, debugging |
3 · Cookies & Local Storage
What we store on your device
BreakrAI uses browser localStorage and session storage to maintain authentication tokens and cached UI state. These are strictly functional — the app cannot operate without them. We do not use advertising cookies, cross-site tracking cookies, or any third-party tracking technologies.

Firebase Authentication may set session cookies as part of the sign-in process. These expire automatically and are strictly necessary for authentication.
What we do NOT use
We do not use Google Analytics, Facebook Pixel, advertising trackers, or any cross-site behavioral tracking tools. We do not respond to "Do Not Track" browser signals because we do not engage in cross-site tracking in any form.
4 · Third-Party Processors
Google Firebase (Authentication, Firestore, Remote Config)
Google Firebase processes your account and recovery data on our behalf. Data may be stored on servers in the United States and the European Union. Firebase is certified under the EU-U.S. Data Privacy Framework. See policies.google.com/privacy
Anthropic (Claude API — AI Coaching)
Messages sent to the AI coach are processed by Anthropic's API. Anthropic does not use API conversation data to train its models by default under their API usage policy. Your journal entries and recovery data are NOT sent to Anthropic — only your chat messages. See anthropic.com/legal/privacy
Apple App Store / Google Play (Payments)
In-app purchases are processed by Apple and Google under their respective privacy policies. We receive only confirmation of subscription status — never your payment card details or billing address. We do not process payments directly.
Netlify (Web Hosting)
Our web app is hosted on Netlify, Inc. Netlify may collect standard server logs including IP addresses for security purposes. See netlify.com/privacy
5 · International Data Transfers
BreakrAI is accessible worldwide. By using the app, you acknowledge that your data may be processed in countries outside your own, including the United States, where our processors (Google Firebase, Anthropic, Netlify) operate.

For transfers from the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) and adequacy decisions where applicable. Firebase is certified under the EU-U.S. Data Privacy Framework.
6 · Your Rights — GDPR · CCPA · Global
Rights available to all users
Right of Access: Request a copy of all personal data we hold about you.
Right to Rectification: Request correction of inaccurate or incomplete data.
Right to Erasure ("Right to be Forgotten"): Request permanent deletion of your account and all associated data within 30 days.
Right to Data Portability: Receive your data in a structured, machine-readable format (JSON).
Right to Restriction: Request we limit how we process your data in specific circumstances.
Right to Object: Object to processing based on legitimate interests.
Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing.

To exercise any right, email: help@breakrai.com. We respond within 30 days.
California Residents (CCPA / CPRA)
We do not sell or share personal information for cross-context behavioral advertising. California residents have the right to know, delete, and opt out. To submit a CCPA request, email help@breakrai.com with subject line "CCPA Request".
Right to Lodge a Complaint
If you believe we have violated your privacy rights, you have the right to lodge a complaint with your local data protection authority (e.g., ICO in the UK, CNIL in France, or your national DPA).
7 · Data Retention
Account & recovery data: Retained while your account is active.
Journal entries: Deleted within 30 days of account deletion request.
AI chat messages: Not retained by us beyond the session; subject to Anthropic's retention policies.
Consent records: Retained for 7 years for legal compliance purposes.
Anonymized aggregate data: May be retained indefinitely.
8 · Security
All data is transmitted using HTTPS/TLS 1.2+ encryption. Firestore is protected by server-side security rules ensuring only authenticated users can read or write their own data. Access credentials are never stored in plaintext.

In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you within 72 hours of becoming aware, as required by GDPR Article 33.
9 · Children's Privacy (COPPA & Global)
BreakrAI is strictly for users aged 18 and older. We do not knowingly collect data from minors under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal information from children under 13 as defined by COPPA (United States) or equivalent legislation. If we discover a user is under 18, we will immediately terminate their account and delete all associated data. Contact help@breakrai.com if you believe a minor has registered.
10 · Changes to This Policy
Material changes will be communicated via in-app notification and email at least 14 days before taking effect. The version number and effective date at the top of this document will be updated. Continued use after the effective date constitutes acceptance.