Skip to content

Legal

Privacy Policy

Last updated June 2026

Particle exists so you can do your most meaningful work. That only works if your data stays yours. This policy explains what we collect, why we collect it, and how you stay in control. It applies to all users of Particle, whether you use the free tier or a paid subscription.

01

Data Controller

The data controller responsible for your personal data is Particle, operated from Germany. For full contact details, see our Legal Notice. You can reach us at legal@particle.day.

02

What We Collect

Account Data

  • Authentication Information — email address, name, and profile picture provided through your authentication provider (Clerk). We do not store passwords directly.
  • Account Identifiers — internal user IDs linking your authentication to your stored data

Usage Data

  • Session Data — focus sessions including start time, duration, task descriptions, and project assignments stored in Supabase
  • Projects and Intentions — project names, descriptions, and personal intentions you create
  • Todos and Plans — task lists and daily/weekly plans
  • AI Coach Data — conversation history with the AI Coach, personalized learnings, and recommendations
  • Acquisition Channel — when you create an account, we record a one-time label of the channel that brought you here (for example a campaign tag like "producthunt" or the referring site). Just the label, recorded once — no ongoing tracking is attached to it.

Payment Data

  • Subscription Information — subscription status, plan type, and billing history processed by Stripe. We never store credit card numbers, CVVs, or full payment details on our servers.

Preferences and Settings

  • App Preferences — timer durations, themes, atmosphere selections, sound settings, notification preferences, and UI configuration. These are stored locally and synced to the cloud for cross-device access.
  • Feature Progress — onboarding completion states, sanctuary progress, and meditation tracking

Letters (Email Subscriptions)

  • Series Letters — if you request an essay series as email letters, we store your email address, the chosen series, your delivery progress, and timestamps proving signup, confirmation, and opt-out. No account is required and none is created. Subscriptions use double opt-in: nothing is sent beyond a single confirmation email until you confirm (consent, Art. 6(1)(a) GDPR). Every letter contains a one-click unsubscribe link; after opt-out we retain only the suppression record (email, series, opt-out timestamp) so we can honor it. Letters are delivered via Resend (see Service Providers).
  • The Particle Letter — if you subscribe to our occasional product letter, we store your email address, the page where you signed up, a record of which letters we have sent you, and timestamps proving signup, confirmation, and opt-out. The same rules apply: no account, double opt-in (Art. 6(1)(a) GDPR), a one-click unsubscribe link in every letter, and after opt-out we retain only the suppression record (email, opt-out timestamp) so we can honor it. We do not use open- or click-tracking pixels in the letters. Delivery via Resend (see Service Providers).

03

How We Use Your Data

  • Service Delivery — to provide the core focus timer, task planning, sound environments, and all application features
  • Cross-Device Sync — to keep your data consistent across all your devices via cloud synchronization
  • AI Features — to power the Coach with personalized suggestions based on your focus patterns and conversation history
  • Billing — to process payments and manage subscriptions via Stripe
  • Improvement — to understand usage patterns through privacy-focused, anonymized analytics

We do not sell your personal data. We do not use your data for advertising. We do not share your data with third parties except the service providers listed below.

04

Legal Basis for Processing (GDPR)

  • Contract Performance — processing necessary to provide you with the Particle service (Art. 6(1)(b) GDPR)
  • Legitimate Interest — security and error monitoring (no personal data, no session recording); the one-time acquisition-channel label recorded at signup; and, for visitors outside the EU/EEA/UK, privacy-focused product analytics to understand and improve the service (Art. 6(1)(f) GDPR). You can opt out of analytics at any time in Settings.
  • Legal Obligation — retaining billing records as required by tax law (Art. 6(1)(c) GDPR)
  • Consent — optional AI Coach features, and non-essential analytics for visitors in the EU/EEA/UK (asked via the cookie banner). You can grant, withdraw, or change this at any time in Settings → Privacy; withdrawal is as easy as granting (Art. 6(1)(a) GDPR).

05

Service Providers

We work with a small number of trusted partners to operate the service:

ServicePurposeLocation
SupabaseDatabase & cloud syncEU (Frankfurt)
ClerkAuthentication & user managementUSA
StripePayment processingUSA
VercelApplication hostingGlobal Edge
OpenRouterAI Coach (LLM routing)USA
Anthropic (Claude)AI Coach modelUSA
Google (Gemini)AI Coach modelUSA
SentryError & performance monitoringEU (Frankfurt)
PostHogProduct analytics (consent-gated)EU (Frankfurt)
UpstashRate limiting (Redis)EU (Frankfurt)
ResendTransactional, contact & letters emailUSA
CloudflareBot protection (Turnstile)Global Edge

Each provider processes data only as necessary to deliver their specific service and is bound by a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR. For the full list with data categories and transfer safeguards, see our Sub-Processors page.

06

International Data Transfers

Some of our providers are located in the USA. We protect these transfers through the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives an adequate level of protection regardless of where it is processed.

07

Data Retention

  • Active accounts — your sessions, projects, and settings are stored for as long as your account is active
  • After account deletion — personal data is removed within 30 days
  • Anonymized analytics — may be retained indefinitely as they cannot be linked to you
  • Payment records — kept as required by German tax law, typically 10 years
  • AI Coach conversations — deleted along with your account data

08

Cookies, Local Storage, and Tracking

What We Use

  • Authentication Cookies — set by Clerk to maintain your login session. These are essential and cannot be disabled.
  • Local Storage — used to store your preferences (timer settings, theme, sound configuration, UI state) locally on your device for fast access. This data is also synced to the cloud for cross-device consistency.
  • IndexedDB — used to store session data, todos, and projects locally for offline access and faster loading. Synced with Supabase.
  • Bot-Protection Token — Cloudflare Turnstile sets a transient challenge token only on the contact page to distinguish humans from bots when you submit the form. It is strictly necessary to deliver the contact function you requested, contains no cross-site tracking, and requires no consent.

What We Do Not Use

  • No third-party advertising cookies
  • No cross-site tracking pixels
  • No fingerprinting techniques
  • No social media tracking widgets

We use two analytics services, both behind the same choice. Vercel Analytics is cookieless: data is anonymized and cannot be linked to individual users. PostHog (hosted in the EU, Frankfurt) measures how the product is used — pageviews and feature events such as "a session was completed". It stores a random identifier in your browser's local storage and, when you are signed in, links events pseudonymously to your account ID — never to your email or name, and never to the content of your work (no task titles, no project names). Visitors in the EU/EEA/UK are asked for consent via a cookie banner before any of this runs (default: off); we re-ask at most once every 12 months or when our processing purposes change. Visitors outside the EU/EEA/UK are covered by legitimate interest with the same one-click opt-out. Declining or withdrawing stops both services immediately and removes the stored identifier. You can change your choice at any time in Settings → Privacy.

We also use Sentry for security and error monitoring. It is configured without personal data and without session recording or replay, runs only in production, and operates under legitimate interest to keep the service secure and functional — it is not tied to the analytics consent choice. Authentication-provider product telemetry (Clerk) is disabled.

09

AI Features and Data Processing

Particle's AI Coach generates suggestions, reflections, and productivity insights based on your focus patterns and conversations. These are generated by large language models (LLMs) from Anthropic (Claude) and Google (Gemini), routed via OpenRouter.

How your data flows: When you interact with the AI Coach, your message and relevant session context are transmitted from our servers to OpenRouter (USA), which routes the request to either Anthropic or Google for processing. The AI response is returned to you and may be stored in your Supabase account for conversation continuity.

  • AI-generated content is not medical, therapeutic, psychological, or professional advice
  • The Coach is a productivity companion, not a licensed professional
  • AI responses may be inaccurate or incomplete
  • Your Coach conversation data is not used to train AI models — processing is solely to generate your response
  • All AI providers are bound by data processing agreements and transfer safeguards (see Sub-Processors)
  • You can disable AI features at any time in Settings — this prevents any data from being sent to AI providers

10

Your Rights

Under GDPR, CCPA, and similar regulations, you have the right to:

  • Access — request a copy of all your data. You can export your data directly from Settings or via the API.
  • Rectification — correct inaccurate personal data
  • Erasure — delete your account and all associated data through Settings
  • Portability — export your data in machine-readable JSON format
  • Restriction — request that we limit processing of your data
  • Objection — opt out of analytics tracking in Settings
  • Withdraw Consent — for consent-based processing (AI features, optional analytics), you can withdraw at any time
  • Complaint — lodge a complaint with your local data protection authority

For California Residents (CCPA)

Under the California Consumer Privacy Act, you additionally have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information — we do not sell your data
  • Non-discrimination for exercising your CCPA rights

To exercise any of these rights, contact us at legal@particle.day or use the self-service options in your account Settings.

11

Children's Privacy

Particle is not intended for children under the age of 13 (or under 16 in the European Union). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at legal@particle.day and we will delete it promptly.

12

Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All data in transit is encrypted via TLS/HTTPS
  • Data at rest is encrypted in Supabase (AES-256)
  • Authentication is handled by Clerk with industry-standard security
  • Access to production systems is restricted and logged
  • We conduct regular security reviews

13

Changes to This Policy

We may update this policy from time to time. For significant changes, we'll notify you via email or in-app notification at least 14 days before they take effect. The “last updated” date at the top reflects the most recent revision.

14

Contact

For privacy-related questions, data requests, or to exercise your rights:

We aim to respond to all privacy requests within 30 days. You also have the right to lodge a complaint with your local supervisory authority — in Germany, this is the relevant Landesbeauftragter für Datenschutz in your state of residence.