Privacy Policy

01

Data Controller

The data controller responsible for your personal data is Particle, operated from Germany. For full contact details, see our Legal Notice. You can reach us at privacy@particle.day.

02

What We Collect

Account Data

• Authentication Information — email address, name, and profile picture provided through your authentication provider (Clerk). We do not store passwords directly.
• Account Identifiers — internal user IDs linking your authentication to your stored data

Usage Data

• Session Data — focus sessions including start time, duration, task descriptions, and project assignments stored in Supabase
• Projects and Intentions — project names, descriptions, and personal intentions you create
• Todos and Plans — task lists and daily/weekly plans
• AI Coach Data — conversation history with the AI Coach, personalized learnings, and recommendations

Payment Data

• Subscription Information — subscription status, plan type, and billing history processed by Stripe. We never store credit card numbers, CVVs, or full payment details on our servers.

Preferences and Settings

• App Preferences — timer durations, themes, atmosphere selections, sound settings, notification preferences, and UI configuration. These are stored locally and synced to the cloud for cross-device access.
• Feature Progress — onboarding completion states, sanctuary progress, and meditation tracking

03

How We Use Your Data

• Service Delivery — to provide the core focus timer, task planning, sound environments, and all application features
• Cross-Device Sync — to keep your data consistent across all your devices via cloud synchronization
• AI Features — to power the Coach with personalized suggestions based on your focus patterns and conversation history
• Billing — to process payments and manage subscriptions via Stripe
• Improvement — to understand usage patterns through privacy-focused, anonymized analytics

We do not sell your personal data. We do not use your data for advertising. We do not share your data with third parties except the service providers listed below.

04

Legal Basis for Processing (GDPR)

• Contract Performance — processing necessary to provide you with the Particle service (Art. 6(1)(b) GDPR)
• Legitimate Interest — anonymized analytics to improve the service (Art. 6(1)(f) GDPR)
• Legal Obligation — retaining billing records as required by tax law (Art. 6(1)(c) GDPR)
• Consent — optional AI Coach features and non-essential analytics, which you can disable in Settings (Art. 6(1)(a) GDPR)

05

Service Providers

We work with a small number of trusted partners to operate the service:

Each provider processes data only as necessary to deliver their specific service and is bound by a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR. For the full list with data categories and transfer safeguards, see our Sub-Processors page.

06

International Data Transfers

Some of our providers are located in the USA. We protect these transfers through the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your data receives an adequate level of protection regardless of where it is processed.

07

Data Retention

• Active accounts — your sessions, projects, and settings are stored for as long as your account is active
• After account deletion — personal data is removed within 30 days
• Anonymized analytics — may be retained indefinitely as they cannot be linked to you
• Payment records — kept as required by German tax law, typically 10 years
• AI Coach conversations — deleted along with your account data

08

Cookies, Local Storage, and Tracking

What We Use

• Authentication Cookies — set by Clerk to maintain your login session. These are essential and cannot be disabled.
• Local Storage — used to store your preferences (timer settings, theme, sound configuration, UI state) locally on your device for fast access. This data is also synced to the cloud for cross-device consistency.
• IndexedDB — used to store session data, todos, and projects locally for offline access and faster loading. Synced with Supabase.

What We Do Not Use

• No third-party advertising cookies
• No cross-site tracking pixels
• No fingerprinting techniques
• No social media tracking widgets

Our analytics are privacy-focused and cookieless. Data is anonymized and cannot be linked to individual users. You can opt out entirely in Settings.

09

AI Features and Data Processing

Particle's AI Coach generates suggestions, reflections, and productivity insights based on your focus patterns and conversations. These are generated by large language models (LLMs) from Anthropic (Claude) and Google (Gemini), routed via OpenRouter.

How your data flows: When you interact with the AI Coach, your message and relevant session context are transmitted from our servers to OpenRouter (USA), which routes the request to either Anthropic or Google for processing. The AI response is returned to you and may be stored in your Supabase account for conversation continuity.

• AI-generated content is not medical, therapeutic, psychological, or professional advice
• The Coach is a productivity companion, not a licensed professional
• AI responses may be inaccurate or incomplete
• Your Coach conversation data is not used to train AI models — processing is solely to generate your response
• All AI providers are bound by data processing agreements and transfer safeguards (see Sub-Processors)
• You can disable AI features at any time in Settings — this prevents any data from being sent to AI providers

10

Your Rights

Under GDPR, CCPA, and similar regulations, you have the right to:

• Access — request a copy of all your data. You can export your data directly from Settings or via the API.
• Rectification — correct inaccurate personal data
• Erasure — delete your account and all associated data through Settings
• Portability — export your data in machine-readable JSON format
• Restriction — request that we limit processing of your data
• Objection — opt out of analytics tracking in Settings
• Withdraw Consent — for consent-based processing (AI features, optional analytics), you can withdraw at any time
• Complaint — lodge a complaint with your local data protection authority

For California Residents (CCPA)

Under the California Consumer Privacy Act, you additionally have the right to:

• Know what personal information we collect and how it is used
• Request deletion of your personal information
• Opt out of the sale of personal information — we do not sell your data
• Non-discrimination for exercising your CCPA rights

To exercise any of these rights, contact us at privacy@particle.day or use the self-service options in your account Settings.

11

Children's Privacy

Particle is not intended for children under the age of 13 (or under 16 in the European Union). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@particle.day and we will delete it promptly.

12

Data Security

We implement appropriate technical and organizational measures to protect your data:

• All data in transit is encrypted via TLS/HTTPS
• Data at rest is encrypted in Supabase (AES-256)
• Authentication is handled by Clerk with industry-standard security
• Access to production systems is restricted and logged
• We conduct regular security reviews

13

Changes to This Policy

We may update this policy from time to time. For significant changes, we'll notify you via email or in-app notification at least 14 days before they take effect. The “last updated” date at the top reflects the most recent revision.

14

Contact

For privacy-related questions, data requests, or to exercise your rights:

• Email: privacy@particle.day
• Postal address: see our Legal Notice for full contact details

We aim to respond to all privacy requests within 30 days. You also have the right to lodge a complaint with your local supervisory authority — in Germany, this is the relevant Landesbeauftragter für Datenschutz in your state of residence.