Privacy Policy

Last Updated: November 10, 2025

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Email address (if you choose email sign-up)
• Authentication credentials (Google/Apple Sign-In or anonymous)
• Display name (optional)

1.2 Health & Wellness Data

You have full control over what you share. This may include:

• Trigger logs: Timestamps, intensity ratings, notes (stored locally and encrypted)
• Mood check-ins: Daily emotional state records
• Grounding exercise usage: Which techniques you use and when
• Coping strategy tracking: Personal coping mechanisms and effectiveness ratings
• Chatbot conversations: AI interaction history for context (can be deleted anytime)

1.3 Automatically Collected Data

• Device information: Device type, OS version, app version
• Usage analytics: Feature usage patterns (anonymized)
• Crash reports: Technical diagnostics (no personal health data)
• Location data: Optional, only for trigger context if you choose to enable it

2. How We Use Your Information

2.1 Core Functionality

• Provide trigger tracking and pattern analysis
• Deliver personalized grounding exercises
• Power the AI chatbot with conversation context
• Send gentle daily mood check-in reminders (optional)
• Sync your data across devices (encrypted)

2.2 Service Improvement

• Analyze usage patterns to improve features (anonymized data only)
• Identify and fix technical issues
• Develop new trauma-informed features

2.3 Communication

• Send essential service updates
• Respond to support requests
• Share educational content (opt-in only)

3. Data Storage & Security

3.1 Encryption & Protection

• Local encryption: Highly sensitive data (trigger logs, notes) stored encrypted on your device using industry-standard secure storage
• Cloud encryption: Data synced to Firebase Firestore with AES-256 encryption in transit and at rest
• Zero-knowledge architecture: Your private notes never leave your device unencrypted
• Secure authentication: Firebase Auth with industry-standard OAuth 2.0

3.2 Data Compartmentalization

We use Firebase Security Rules to ensure:

• Users can only access their own data
• Sensitive health data is isolated from analytics
• Admin access is strictly limited and logged

3.3 Offline-First Design

• App works fully offline for crisis moments
• Data syncs when you're ready and connected
• You control what data is synced to the cloud

4. Data Sharing & Third Parties

4.1 We DO NOT Sell Your Data

Never. Period. Your mental health data is not a commodity.

4.2 Service Providers We Use

• Firebase (Google Cloud): Authentication, database, analytics, crash reporting
• OpenAI/Anthropic: AI chatbot functionality (anonymized, no PII sent)
• Apple/Google: Authentication via Sign-In with Apple/Google
• Stripe: Payment processing for premium subscriptions (no health data shared)

4.3 Legal Requirements

We may disclose information if required by law, but we will:

• Notify you when legally permitted
• Challenge overly broad requests
• Provide only the minimum necessary data

5. Your Rights & Control

5.1 Access & Export

• Download all your data in JSON format anytime
• Request a human-readable report of stored data
• Export conversation history with the chatbot

5.2 Deletion & Erasure

• Individual entries: Delete trigger logs, mood entries, or conversations anytime
• Account deletion: Permanently delete your account and all associated data within 30 days
• Right to be forgotten: Request complete erasure from all systems (GDPR/CCPA)

5.3 Consent Management

• Opt out of analytics tracking
• Disable location services
• Turn off push notifications
• Withdraw consent for AI chatbot data use

6. Children's Privacy

Unpanic is not intended for users under 18. We do not knowingly collect data from minors. If you believe a child has provided us information, please contact us immediately at privacy@unpanic.app.

7. International Users & GDPR Compliance

7.1 Legal Basis for Processing (GDPR)

• Contract performance: Providing app services you signed up for
• Legitimate interests: Improving service quality, security, fraud prevention
• Consent: Optional features like analytics, marketing emails

7.2 Data Transfers

Your data may be processed in the United States where Firebase servers are located. We use Standard Contractual Clauses (SCCs) approved by the EU Commission.

7.3 European Economic Area (EEA) Rights

If you're in the EEA, you have additional rights:

• Right to access, rectification, erasure
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to lodge a complaint with your supervisory authority

8. California Privacy Rights (CCPA)

California residents have the right to:

• Know what personal information is collected, used, shared, or sold
• Delete personal information held by us
• Opt out of the sale of personal information (we don't sell data)
• Non-discrimination for exercising privacy rights

9. Cookies & Tracking Technologies

9.1 What We Use

• Essential cookies: Authentication, session management
• Analytics cookies: Firebase Analytics (can be disabled)
• No advertising trackers: We don't use ad networks

9.2 Your Choices

You can control cookies through:

• In-app settings (disable analytics)
• Browser settings (web version)
• Device settings (mobile apps)

10. Data Retention

• Active accounts: Data retained as long as your account is active
• Deleted accounts: Data permanently deleted within 30 days
• Anonymized analytics: May be retained indefinitely for research
• Legal holds: Data subject to legal proceedings may be retained longer

11. Changes to This Policy

We may update this policy to reflect new features or legal requirements. Changes will be communicated via:

• In-app notification
• Email (if you've provided one)
• Updated "Last Modified" date at the top

Material changes require re-consent for continued use.

12. Contact Us

Questions, concerns, or requests about your privacy?

• Email: privacy@unpanic.app
• Data Protection Officer: dpo@unpanic.app
• Support: support@unpanic.app