Privacy Policy

• App users: Individuals who have downloaded and use the Sine app, whether registered with an account or using the app in a limited capacity before registration.
• Website visitors: Individuals who visit sine-immersive.com, including those who make purchases through the website checkout.

• Provision and operation of the Sine app, including delivery of core audio and meditation features
• User account management, authentication, and profile personalization
• Premium subscription management, billing verification, and in-app purchase processing
• Community features, including preset sharing, discovery, likes, and downloads
• AI-powered preset generation based on user mood inputs and preferences
• Bio-Resonance analysis (exclusively on-device processing of health data from HealthKit)
• Streak tracking, gamification, and reward systems to encourage regular meditation practice
• Website hosting, delivery of web pages, and website-based checkout processing
• Customer support and response to user inquiries
• App improvement and optimization through anonymized, aggregated analytics
• Security, fraud prevention, and protection of our services

Where you have given us your freely given, specific, informed, and unambiguous consent to process your personal data for one or more specific purposes. Consent is always voluntary, and you may withdraw it at any time with effect for the future without affecting the lawfulness of processing carried out prior to withdrawal. This legal basis applies in particular to:

• HealthKit data access: Opt-in consent granted through the iOS system permission dialog before any health data is read.
• Push notifications: Opt-in consent granted through the iOS notification permission dialog.
• Non-essential website cookies: Such as the FirstPromoter affiliate tracking cookie.
• Community preset sharing: Your voluntary decision to make a preset publicly available.

Processing that is necessary for the performance of a contract to which you are a party (our Terms of Use), or in order to take steps at your request prior to entering into a contract. This applies to:

• User account creation, authentication, email verification, and profile management
• Subscription processing, renewal management, and premium feature activation
• Preset creation, saving, editing, and cloud synchronization
• AI-powered features including preset generation and sequencer configuration
• Mood check-ins and session tracking as core features of the wellness experience
• Community participation, including uploading, browsing, and downloading shared presets
• Token management (allocation, usage tracking, and top-up purchases)

Processing that is necessary for compliance with a legal obligation to which we, as the data controller, are subject. This includes:

• Retention of purchase and transaction records for tax, accounting, and VAT compliance purposes (typically 6–10 years under applicable Cypriot and EU tax law)
• Response to lawful requests from competent public authorities or courts
• Compliance with consumer protection regulations

Processing that is necessary for the purposes of legitimate interests pursued by us or by a third party, except where such interests are overridden by your fundamental rights, interests, or freedoms requiring the protection of personal data. We have conducted a balancing test for each of the following processing activities:

• Anonymized analytics: Firebase Analytics helps us understand feature usage patterns and improve app quality. Our interest: maintaining and improving our service. Impact on you: minimal, as data is anonymized and aggregated.
• Security and fraud prevention: Firebase App Check verifies app integrity. Our interest: protecting our infrastructure and users. Impact on you: negligible.
• Crash reporting and error diagnosis: Helps us identify and resolve technical issues promptly. Our interest: service reliability. Impact on you: minimal, as reports contain only technical data.
• Affiliate tracking (FirstPromoter): Helps us measure the effectiveness of our partnership program. Our interest: business development. Impact on you: limited to a single cookie.

You have the right to object to processing based on legitimate interests at any time (see Section 8.6).

Health data, including heart rate, heart rate variability (HRV), resting heart rate, and sleep analysis data, constitutes a special category of personal data under Art. 9 GDPR. Such data receives enhanced protection and may only be processed under specific conditions.

We process health data exclusively on the basis of your explicit consent, which is obtained through the iOS HealthKit permission dialog before any health data is accessed. This consent is granular (you can grant or deny access to individual data types) and can be revoked at any time in your iOS Settings without affecting the lawfulness of prior processing.

The following service providers are based in the United States of America:

• Google / Firebase: Certified under the EU-US Data Privacy Framework (DPF), ensuring an adequate level of data protection as recognized by the EU Commission. Additionally, Firebase application data is stored in the EU region (eur3), minimizing actual data transfers to the US.
• RevenueCat Inc.: Data transfer is governed by Standard Contractual Clauses (SCCs) as approved by the EU Commission (Decision 2021/914). RevenueCat only processes anonymized user IDs and subscription metadata.
• OpenAI, L.L.C.: Data transfer is governed by SCCs. Importantly, only anonymized mood and preference data is transmitted to OpenAI. No personally identifiable information is included in any AI request (see Section 17.3 for details).
• Vercel Inc.: Our website hosting provider. Certified under the EU-US DPF and additionally governed by SCCs. Processes server logs containing IP addresses and HTTP request metadata.

• Paddle.com Market Limited (Dublin, Ireland) Processes all website purchases within the EEA. As an Irish company, Paddle is directly subject to the GDPR. No third-country data transfer is required.
• Google Ireland Ltd (Dublin, Ireland) Acts as the data controller or processor for Firebase services within the EEA.

Firebase Firestore, Cloud Functions, and Firebase Storage are configured to use the EU multi-region (eur3), which spans data centers in Belgium and the Netherlands. This ensures that your primary application data, including account information, presets, mood data, session insights, and entitlements, remains stored within the European Union.

You can delete your account at any time using one of the following methods:

1. In the app: Navigate to Profile → Settings → Delete Account
2. By email: Send a deletion request to support@sine-immersive.com

Upon account deletion, the following data is permanently removed:

• All account and profile data (name, email, alias, profile picture)
• All saved presets (both local and cloud-synced copies)
• All session history, mood check-ins, and progress data
• All streak data and token balances
• All community presets (anonymized or removed from public view)

Please note that active subscriptions are managed separately through Apple (for app purchases) or Paddle (for website purchases). You should cancel any active subscription before deleting your account to avoid continued billing.

You have the right to obtain confirmation as to whether personal data concerning you is being processed by us. If so, you have the right to access that data and to receive information about the purposes of processing, the categories of personal data concerned, the recipients or categories of recipients to whom the data has been or will be disclosed, the envisaged retention period, the existence of your rights, and the source of the data (if not collected directly from you). We will provide a copy of your personal data free of charge upon request.

You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement. You can update most of your profile data directly within the Sine app.

You have the right to obtain the deletion of your personal data without undue delay (the "right to be forgotten") where one of the following grounds applies: the data is no longer necessary for its original purpose; you withdraw consent and there is no other legal ground for processing; you object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or the data must be erased to comply with a legal obligation. This right is subject to certain exceptions, such as where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.

You have the right to obtain the restriction of processing where: the accuracy of the data is contested (for the period needed to verify accuracy); the processing is unlawful and you oppose erasure but request restriction instead; we no longer need the data but you require it for legal claims; or you have objected to processing pending verification of whether our legitimate grounds override yours.

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (e.g., JSON or CSV). You also have the right to transmit that data to another controller without hindrance from us, where the processing is based on consent or contract performance, and the processing is carried out by automated means.

Where processing is based on your consent, you have the right to withdraw that consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You can withdraw specific consents as follows:

• HealthKit access: iOS Settings → Health → Data Access & Devices → Sine
• Push notifications: iOS Settings → Notifications → Sine
• Community sharing: Delete individual presets from the community within the app

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. For details on how this applies to Sine's AI and Bio-Resonance features, see Section 21.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR. For the competent supervisory authority, see Section 23.

Our website sine-immersive.com is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. When you visit our website, Vercel automatically processes the following technical data as part of standard web hosting operations, for the purpose of delivering web pages, ensuring security, and preventing abuse:

• IP address
• Browser type and version
• Operating system
• Date and time of access
• Requested URL and page path
• Referring URL (the page that linked you to our site)
• Amount of data transferred

This data is processed in server log files and is not combined with other data sources. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing and securing the website).

Privacy policy: vercel.com/legal/privacy-policy

The Sine app is distributed exclusively through the Apple App Store. When you download the app, Apple processes certain technical data (such as your Apple ID, device identifiers, and download metadata) in accordance with Apple's own privacy policy. We receive only anonymized, aggregated download statistics from Apple and no personally identifiable information from the download process itself.

• Heart rate Measured during active meditation sessions to track cardiovascular response.
• Heart rate variability (HRV) Measured during meditation to assess autonomic nervous system balance.
• Resting heart rate Used for baseline comparison and long-term trend analysis.
• Sleep analysis Used for delayed correlation between meditation and sleep quality.

• Workout sessions Completed meditation sessions are optionally logged as mindfulness workout entries in your HealthKit data.

1. HealthKit data is processed exclusively on your device. Raw health measurements never leave your iPhone.
2. Health data is never transmitted to our servers, Firebase, or any third party whatsoever.
3. HealthKit data is not used for advertising, marketing, data mining, or data brokering purposes.
4. HealthKit data is not shared with insurance companies, employers, data brokers, or any other third parties.
5. HealthKit access is entirely optional and can be revoked at any time in iOS Settings → Health → Data Access & Devices → Sine.
6. The app functions fully without HealthKit access. All features except Bio-Resonance analysis remain fully available.

When you use the Bio-Resonance feature, raw health measurements are temporarily cached in memory for the duration of the active meditation session only. After the session concludes, only aggregated values (averages and trends) are stored locally on your device as part of the session insight. These aggregated values are never uploaded to any server or cloud service.

The following in-app purchases are available through the Apple App Store:

• Premium Monthly Monthly auto-renewing subscription with a 7-day free trial.
• Premium Yearly Annual auto-renewing subscription with a 7-day free trial.
• Token Top-Up (10 Tokens) One-time consumable purchase of 10 additional AI tokens.

Apple handles all payment processing for App Store purchases. We never receive, access, or store your credit card number, bank account details, or any other payment instrument data. From Apple, we receive only a transaction confirmation (receipt) and the current subscription status, which is used to activate your premium features.

Purchases made through our website (sine-immersive.com) are processed by Paddle.com Market Limited, Core B, Block 71, The Plaza, Park West, Dublin 12, Ireland. Paddle acts as the Merchant of Record, meaning Paddle is the legal seller for all website transactions, not Divinebeingmetatron Ltd.

As the Merchant of Record, Paddle directly collects and processes:

• Full name and email address
• Payment information (credit card, PayPal, Apple Pay, Google Pay, etc.)
• IP address and device/browser information
• Billing address and country
• Tax-related information (VAT number, if applicable)

From Paddle, we receive: transaction confirmation, subscription status, and the customer email address. We never receive or store your credit card number or payment details.

Privacy policy: paddle.com/legal/privacy

Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland.

Firebase is the primary backend infrastructure for the Sine app. We use the following Firebase services:

• Firebase Authentication: Processes email address, password hash (bcrypt), and a unique user ID for secure account registration, login, and session management.
• Cloud Firestore (database): Stores user profile data, presets, settings, entitlements, streaks, mood check-in data, session insights, and token history.
• Firebase Storage: Stores user-uploaded profile pictures in the EU region.
• Firebase Analytics: Collects anonymized, aggregated usage statistics (feature usage, screen views, session counts) for app improvement. We do not use IDFA, ATT, or any advertising identifiers.
• Cloud Functions: Server-side processing environment for AI requests (proxied to OpenAI), webhook handling (RevenueCat, Paddle), and scheduled background tasks.
• App Check: Verifies the integrity and authenticity of app instances to protect our backend from unauthorized access and abuse.

All Firebase application data is stored in the EU multi-region (eur3). Google Ireland Ltd is the data processor and is certified under the EU-US Data Privacy Framework.

Privacy policy: firebase.google.com/support/privacy

633 Howard Street, San Francisco, CA 94105, USA.

RevenueCat provides subscription management and in-app purchase verification. It processes:

• An anonymized app user ID (not your email or name)
• Subscription status, type, and renewal information
• Purchase transaction metadata (transaction IDs, product IDs, timestamps, no payment details)

RevenueCat does not receive any personally identifiable information such as your name, email address, or HealthKit data.

Privacy policy: revenuecat.com/privacy

3180 18th Street, San Francisco, CA 94110, USA.

Privacy policy: openai.com/policies/privacy-policy

One Apple Park Way, Cupertino, CA 95014, USA.

We use the following Apple platform services:

• CloudKit (iCloud): Enables cross-device synchronization of your data through your personal iCloud account, subject to Apple's privacy policy.
• APNs (Apple Push Notification Service): Delivers push notifications from our server to your device.
• App Store: Handles app distribution, downloads, in-app purchases, subscription management, and App Store review.
• HealthKit: Provides on-device access to health data. All HealthKit data is processed locally on your device and is never transmitted to Apple's servers or to ours.

Core B, Block 71, The Plaza, Park West, Dublin 12, Ireland.

Paddle serves as the Merchant of Record for all purchases made through our website. As the legal seller, Paddle directly collects and processes all payment-related data, including credit card information, billing addresses, and tax information. We never receive or store your credit card data. Paddle is PCI-DSS Level 1 certified.

Privacy policy: paddle.com/legal/privacy

340 S Lemon Ave #4133, Walnut, CA 91789, USA.

Vercel hosts our website (sine-immersive.com) and executes Serverless Functions that power our website's backend logic. Vercel processes IP addresses, HTTP request metadata, and browser information as part of standard web hosting and CDN operations.

Privacy policy: vercel.com/legal/privacy-policy

Jepto SRL, Romania (EU Member State).

We use FirstPromoter for affiliate tracking related to website purchases. When you arrive at our website through an affiliate link, FirstPromoter sets an "fpr" cookie with a 60-day duration to attribute the visit and any subsequent purchase to the referring affiliate partner. It processes:

• Referrer URL (the page that linked you to our site)
• Click ID (a unique identifier for the affiliate click)
• Conversion data (confirmation that a purchase was made, without payment details)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in measuring the effectiveness of our affiliate partnership program).

Privacy policy: firstpromoter.com/privacy