Privacy Policy

This Privacy Policy explains how Inhale ("we", "us", or "our") collects, uses, and protects your personal information when you use our mobile application. Inhale is operated by Brackets Store Ltd, a company registered in England and Wales, which is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We have designed Inhale to be privacy-first and anonymous by default. This policy explains exactly what that means in practice.

1. Information We Collect

1.1 Information you provide during onboarding

When you first open Inhale, we ask you a few optional questions to personalise your experience. This information is stored against an anonymous identifier (not an email or name) in our backend. It includes:

• A display name (optional — you can leave it blank or enter anything you like)
• Your wellness goals (for example: stress relief, better sleep, focus)
• Your experience level with breathwork
• Your notification preferences (reminder time and frequency)

We do not ask for your email address, date of birth, phone number, or any government ID. We do not link this information to your real-world identity.

1.2 Information collected automatically

When you use the app, we and our third-party processors automatically collect:

• An anonymous install identifier generated by the app
• Device model, operating system and version, app version
• Language and region settings
• Usage events (which breathing techniques you open, session length, screens viewed)
• Crash reports and error diagnostics
• Subscription and purchase events from the Apple App Store
• Your IP address (used transiently by our processors and not retained by us as a stable identifier)
• Your Apple Advertising Identifier (IDFA) — only if you grant permission via Apple's App Tracking Transparency (ATT) prompt. If you decline, no IDFA is collected.

1.3 Information stored only on your device

Some information — such as your detailed session history, streaks, and favourites (where applicable) — stays on your device and is not transmitted to us. Uninstalling the app or clearing its data will remove it.

1.4 Apple HealthKit

Inhale does not currently read from or write to Apple HealthKit. If we add this in the future, we will request your explicit permission through the standard HealthKit prompt and update this policy. Health data is never used for advertising.

2. How We Use Your Information

We use the information described above for the following purposes:

• To provide the app: delivering breathing sessions, personalising content based on your goals, and syncing your preferences
• To manage subscriptions: verifying purchases, restoring access across your devices, and processing renewals via the Apple App Store
• To improve the app: understanding which features are used, where users get stuck, and what to build next
• To keep the app stable: diagnosing crashes and fixing bugs
• To measure install attribution: understanding which marketing channels bring new users, so we can spend our marketing budget responsibly
• To send notifications: if you have opted in, we send gentle reminders to practice
• To provide support: responding to questions you send us by email

3. Legal Bases for Processing (UK GDPR)

Under the UK GDPR we must have a lawful basis for each way we use your information. Ours are:

• Performance of a contract — providing the Inhale app to you and managing your subscription. Without this, we cannot deliver the service.
• Legitimate interests — product analytics, crash reporting, and improving the app. We balance these interests against your privacy rights, and we use anonymous identifiers rather than real-world identities wherever possible.
• Consent— IDFA-based install attribution (granted via Apple's App Tracking Transparency prompt) and push notifications. You can withdraw consent at any time in your iOS settings.
• Legal obligation — retaining transaction records required for tax and accounting purposes.

4. Third-Party Processors

We use a small number of trusted third-party services to run Inhale. Each one acts as a data processor and handles only the data it needs for its specific purpose.

5. International Data Transfers

Inhale is operated from the United Kingdom. Some of our third-party processors are based outside the UK and the European Economic Area, including in the United States. Where your data is transferred outside the UK/EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or adequacy decisions recognised by the UK Government.

6. Data Retention

We keep your information only for as long as we need it:

• Onboarding data in Supabase: retained while your install is active. If you ask us to delete it, we will do so within 30 days.
• Analytics and crash data:retained according to each processor's standard retention (typically between 90 days and 14 months).
• Purchase records: retained for as long as required by UK tax and accounting law (currently six years).
• On-device data: retained until you uninstall the app or clear its storage.

7. Data Security

We take reasonable and appropriate measures to protect your information:

• Encryption in transit: all traffic between the app and our backend uses HTTPS/TLS.
• Encryption at rest: data in our Supabase backend is encrypted at rest.
• Access controls: access to backend systems is limited to authorised personnel on a need-to-know basis.
• Principle of least data: the app is anonymous by design, which limits the impact of any incident.

No system can be 100% secure, and we cannot guarantee absolute security. If we become aware of a personal data breach likely to result in a risk to your rights, we will notify the ICO within 72 hours as required by UK GDPR.

8. Your Rights

Under the UK GDPR you have the following rights:

• Access — request a copy of the personal data we hold about you
• Rectification — ask us to correct inaccurate or incomplete data
• Erasure — ask us to delete your data
• Restriction — ask us to limit how we use your data
• Portability — receive your data in a machine-readable format
• Objection — object to processing based on legitimate interests
• Withdraw consent — where we rely on consent (such as ATT tracking or push notifications), you can withdraw it at any time in your iOS settings

To exercise any of these rights, email us at support@getinhaleapp.com. We will respond within one month.

9. App Tracking Transparency (iOS)

When you first open Inhale, iOS will show you Apple's App Tracking Transparency prompt asking whether you allow the app to track you across other apps and websites. This only affects our install-attribution processor, Tenjin, and specifically whether it may use your IDFA.

• If you allow tracking: Tenjin may use your IDFA to measure which marketing channel you came from.
• If you decline: Tenjin operates without the IDFA. The app works identically.

You can change your choice at any time in Settings → Privacy & Security → Tracking.

10. Children's Privacy

Inhale is not directed at children under 13, and we do not knowingly collect personal information from children under 13. In the United Kingdom, children aged 13–15 should have the consent of a parent or guardian before using the app. If you believe a child under 13 has provided us with personal information, please contact us at support@getinhaleapp.com and we will delete it promptly.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page and, for material changes, show a notice in the app. Your continued use of Inhale after the changes take effect constitutes acceptance of the updated policy.

12. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please get in touch: