# Privacy Policy
**Last Updated: November 2025**
---
## 1. Introduction
Pleaze App Limited ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application and services ("StinkingThinking" or "Services").
**Company Details:**
- **Legal Name:** Pleaze App Limited
- **Registration Number:** 753758
- **Registered Address:** 2 Sea Haven, Trafalgar Road, Greystones, Wicklow, Ireland, A63 VN24
- **Data Protection Contact:** info@pleazeapp.com
- **EU Representative:** James Lewis, CEO (james@pleazeapp.com)
We are committed to complying with the General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
---
## 2. Information We Collect
### 2.1 Personal Information
- **Email address** (for account creation and authentication)
- **Full name** (optional, user-provided)
- **Payment information** (processed securely through Stripe; we do not store credit card details)
- **Age confirmation** (confirmation that you are 16 years or older)
### 2.2 Session Data
- **Voice recordings** (temporarily processed for transcription, then immediately deleted)
- **Voice transcripts** of your thought sessions
- **Thought content**, categories, and emotional data
- **Session timestamps and duration**
- **AI-generated summaries and insights**
- **Individual processed thoughts** stored in structured format
### 2.3 Technical Information
- **Browser type and version**
- **Device information**
- **IP address** (hashed for anonymization using cryptographic hashing)
- **Usage data and analytics** (API endpoint usage, token consumption, processing duration, error logs)
- **Session authentication tokens** (JWT-based)
- **Rate limiting data** (temporary, stored in Redis cache)
- **Cookies and similar tracking technologies**
### 2.4 Communication Data
- **Email communications** with our support team
- **Marketing preferences** and communication history
---
## 3. How We Use Your Information
We use your information to:
- Provide, maintain, and improve our Services
- Process your voice input through OpenAI's Whisper-1 transcription model
- Analyze your thoughts using OpenAI's GPT-4 model to generate insights, categorizations, and emotional analysis
- Store session transcripts, processed thoughts, emotions, and AI-generated summaries
- Send you session summaries and notifications (if enabled)
- Send you marketing communications (only if you opt in during signup)
- Process payments and manage subscriptions through Stripe
- Monitor API usage, performance, and costs
- Improve our AI models and service quality through aggregated, anonymized data analysis
- Prevent fraud, abuse, and unauthorized access
- Comply with legal obligations
- Communicate important updates about our Services
- Respond to your inquiries and provide customer support
**Important Note on AI Processing:**
Your voice recordings are sent to OpenAI's Whisper-1 model for transcription only. Raw audio files are NOT stored and are immediately deleted after transcription. Transcribed text is then processed by OpenAI's GPT-4 model to extract, categorize, and analyze your thoughts. We have opted out of allowing OpenAI to use your data for model training purposes.
---
## 4. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases:
- **Consent:** You have given explicit consent for processing your session data, AI analysis, and marketing communications
- **Contract:** Processing is necessary to fulfill our service agreement with you
- **Legitimate Interest:** To improve our Services, prevent fraud, ensure security, and optimize performance
- **Legal Obligation:** To comply with applicable laws, regulations, tax requirements, and court orders
You may withdraw your consent at any time by contacting us or adjusting your settings in your Profile page.
---
## 5. Data Sharing and Disclosure
**We do NOT sell your personal information to third parties.**
We may share data with the following service providers, all of whom are contractually obligated to maintain data security and comply with applicable privacy laws:
### 5.1 Essential Service Providers
- **Supabase** (Database hosting - EU servers): Stores user accounts, session transcripts, processed thoughts, emotions, and usage logs
- **OpenAI** (AI processing): Processes voice transcription (Whisper-1) and thought analysis (GPT-4). We have a Data Processing Agreement (DPA) with OpenAI and have opted out of data usage for model training
- **Stripe** (Payment processing): Handles subscription payments and billing
- **Resend** (Email service): Sends transactional and marketing emails
- **Redis Labs** (Caching): Temporarily stores rate limiting and session cache data
- **StackBlitz (Bolt.new)** (Hosting and CDN): Hosts application infrastructure
### 5.2 Legal Requirements
We may disclose your information when required by law, regulation, legal process, or governmental request, or when necessary to:
- Comply with a court order, subpoena, or other legal obligation
- Protect our rights, property, or safety, or that of our users or the public
- Investigate, prevent, or take action regarding illegal activities, fraud, or security threats
### 5.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the successor entity. We will provide notice via email and/or prominent notice in the app at least 30 days before any such transfer, and you will have the opportunity to delete your account before the transfer occurs.
---
## 6. Your Rights Under GDPR and CCPA
### 6.1 GDPR Rights (EU/EEA Users)
You have the following rights regarding your personal data:
- **Right to Access:** Request a copy of your personal data in CSV format
- **Right to Rectification:** Correct inaccurate or incomplete data
- **Right to Erasure ("Right to be Forgotten"):** Request deletion of your personal data
- **Right to Data Portability:** Receive your data in a machine-readable CSV format
- **Right to Restrict Processing:** Limit how we use your data
- **Right to Object:** Object to certain types of processing (e.g., marketing communications)
- **Right to Withdraw Consent:** Withdraw consent at any time without affecting prior processing
- **Right to Lodge a Complaint:** File a complaint with your local data protection authority (see Section 14)
### 6.2 CCPA Rights (California Residents)
California residents have additional rights:
- **Right to Know:** What personal information we collect, use, disclose, and sell
- **Right to Delete:** Request deletion of your personal information
- **Right to Opt-Out:** We do not sell personal information, so no opt-out is necessary
- **Right to Non-Discrimination:** We will not discriminate against you for exercising your privacy rights
### 6.3 Other U.S. State Privacy Rights
Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights to access, correct, delete, and obtain copies of their personal data.
### 6.4 How to Exercise Your Rights
To exercise any of these rights:
- Visit your **Profile page** in the app to manage data, preferences, and deletion requests
- Email us at **info@pleazeapp.com**
- Contact our EU Representative: **james@pleazeapp.com**
We will respond to your request within **30 days** (GDPR) or **45 days** (CCPA). We may request additional information to verify your identity before processing your request.
---
## 7. Data Security
We implement industry-standard security measures to protect your data:
### 7.1 Technical Safeguards
- **End-to-end encryption** for data transmission (TLS 1.3)
- **Encryption at rest** for all stored data (AES-256)
- **Hashed IP addresses** using cryptographic hashing algorithms
- **Hashed passwords** using bcrypt via Supabase Auth
- **JWT-based authentication** with secure session management
- **Row Level Security (RLS)** on all database tables ensuring users can only access their own data
- **API rate limiting** to prevent abuse and brute-force attacks
- **SQL injection prevention** through parameterized queries
- **CORS configuration** to prevent unauthorized cross-origin requests
- **Regular security audits** and penetration testing
### 7.2 Organizational Safeguards
- Access controls and role-based permissions for internal staff
- Secure data centers with physical security (Supabase EU region)
- Regular security training for employees
- Incident response and data breach notification procedures
- Vulnerability reporting process (info@pleazeapp.com)
### 7.3 Third-Party Security
All service providers (OpenAI, Stripe, Supabase, Resend, Redis, StackBlitz) maintain SOC 2 Type II or equivalent certifications and comply with GDPR requirements.
**Important Notice:** While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to improve our protections.
---
## 8. Data Retention
We retain your data according to the following schedule:
### 8.1 Active Account Data
- **User account information:** Retained while your account is active
- **Session transcripts and thoughts:** Retained while your account is active
- **AI-generated summaries:** Retained while your account is active
- **Usage logs:** Retained for 12 months for performance monitoring and billing purposes
### 8.2 Deleted Account Data
Upon account deletion:
- **User content** (transcripts, thoughts, emotions, summaries): Permanently deleted within **30 days**
- **Database backups:** Purged within **30 days** of deletion request
- **Payment records:** Retained for **7 years** as required by Irish tax and accounting laws
- **Anonymized usage statistics:** May be retained indefinitely for service improvement
### 8.3 Temporary Data
- **Voice recordings:** Deleted immediately after transcription (not stored)
- **Redis cache data:** Automatically expires within 24 hours
- **Session tokens:** Expire based on session duration settings
### 8.4 Legal Retention
We may retain certain data longer if required by law, regulation, or to resolve disputes and enforce agreements.
---
## 9. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States (for OpenAI processing).
### 9.1 GDPR Safeguards for EU Data
For transfers outside the EU/EEA, we ensure appropriate safeguards:
- **Standard Contractual Clauses (SCCs)** approved by the European Commission
- **Data Processing Agreements (DPAs)** with all service providers
- **Adequacy decisions** where applicable (e.g., EU-U.S. Data Privacy Framework participation)
- **OpenAI DPA:** We have executed a Data Processing Agreement with OpenAI that includes SCCs
### 9.2 Primary Data Storage
- **Database (Supabase):** Hosted in **EU region**
- **AI Processing (OpenAI):** Processed in **United States** (with DPA and SCCs)
- **Payment Processing (Stripe):** Global infrastructure with GDPR compliance
- **Hosting (StackBlitz):** Distributed CDN with EU servers
---
## 10. Children's Privacy
StinkingThinking is not intended for individuals under **16 years of age**.
- We require all users to confirm they are 16 or older during account creation via a mandatory checkbox
- We do not knowingly collect personal information from anyone under 16
- If we discover we have collected information from a child under 16, we will delete it immediately
- If you believe we have collected information from a child under 16, please contact us at **info@pleazeapp.com**
**Parental Rights:** Parents or guardians who believe their child has provided us with personal information may contact us to request deletion.
---
## 11. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience and analyze usage patterns.
### 11.1 Types of Cookies We Use
- **Essential Cookies:** Required for authentication, session management, and core functionality (cannot be disabled)
- **Functional Cookies:** Remember your preferences and settings
- **Analytics Cookies:** Track usage patterns and performance (anonymized)
### 11.2 Cookie Management
- A **cookie consent banner** is displayed on your first visit
- You can manage cookie preferences through your browser settings
- Disabling certain cookies may affect functionality
For detailed information, see our **Cookie Policy**.
### 11.3 Do Not Track
We respect "Do Not Track" (DNT) browser signals where technically feasible.
---
## 12. Marketing Communications
### 12.1 Opt-In and Consent
- You may opt in to receive marketing emails during account signup
- We will only send promotional content if you explicitly consent
- Marketing emails include product updates, tips, and special offers
### 12.2 Opt-Out
You can opt out of marketing communications at any time:
- Click the **"Unsubscribe" link** in any marketing email
- Adjust preferences in your **Profile settings**
- Email us at **info@pleazeapp.com**
### 12.3 Transactional Emails
You cannot opt out of transactional emails (e.g., password resets, billing notifications, security alerts) as they are necessary for the Services.
---
## 13. California "Shine the Light" Law
California residents may request information about personal information we disclose to third parties for direct marketing purposes. Since we do not share personal information with third parties for their direct marketing purposes, this does not apply to our Services.
---
## 14. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms:
- We will notify affected users within **72 hours** of becoming aware of the breach (GDPR requirement)
- We will notify the Irish Data Protection Commission and other relevant authorities as required
- Notifications will include:
  - Nature of the breach
  - Likely consequences
  - Measures taken to address the breach
  - Recommended actions for affected users
To report a suspected security vulnerability, contact: **info@pleazeapp.com**
---
## 15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes to our data practices
- New features or Services
- Legal or regulatory requirements
- Feedback from users or regulators
### 15.1 Notification of Changes
For **material changes**, we will notify you:
- Via email to your registered email address (at least 30 days in advance)
- Through a prominent notice in the app
- By updating the "Last Updated" date at the top of this policy
### 15.2 Your Options
After notification of changes:
- Continued use of our Services constitutes acceptance of the updated policy
- If you do not agree to the changes, you may delete your account before they take effect
We encourage you to review this Privacy Policy periodically.
---
## 16. Third-Party Links and Services
Our Services may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
---
## 17. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or your personal data:
**General Privacy Inquiries:**
- Email: info@pleazeapp.com
**Data Protection Officer:**
- Email: info@pleazeapp.com
**EU Representative:**
- Name: James Lewis, CEO
- Email: james@pleazeapp.com
**Security Issues:**
- Email: info@pleazeapp.com
**Mailing Address:**
- Pleaze App Limited
- Privacy Department
- 2 Sea Haven, Trafalgar Road
- Greystones, Wicklow, Ireland
- A63 VN24
---
## 18. Supervisory Authority
If you are located in the EU/EEA, you have the right to lodge a complaint with your local data protection authority if you believe our processing of your personal data violates GDPR.
**Irish Data Protection Commission:**
- Website: https://www.dataprotection.ie
- Phone: +353 57 868 4800
- Email: info@dataprotection.ie
**Find your local EU data protection authority:**
https://edpb.europa.eu/about-edpb/board/members_en
---
## 19. Additional Information for Specific Jurisdictions
### 19.1 Nevada Residents
Nevada residents may opt out of the sale of personal information. We do not sell personal information as defined by Nevada law.
### 19.2 Brazil (LGPD)
Brazilian residents have rights under the Lei Geral de Proteção de Dados (LGPD) similar to GDPR rights outlined in Section 6.
### 19.3 Other Jurisdictions
We comply with all applicable local privacy laws. If you have specific questions about your rights under local law, contact us at privacy@pleazeapp.com.
---
**By using StinkingThinking, you acknowledge that you have read, understood, and agree to this Privacy Policy.**
---
*This Privacy Policy is effective as of the "Last Updated" date above and supersedes all prior versions.*