Privacy Policy

Effective Date: May 7, 2026

At Loosen ("we," "us," or "our"), your privacy is our top priority. We are dedicated to handling your personal data transparently, securely, and in full compliance with applicable laws. Given our initial launch focus in the European Union (EU), we prioritize the General Data Protection Regulation (GDPR) and UK GDPR for users in the European Economic Area (EEA) and UK. We also comply with the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) for US users, and other relevant regulations worldwide. This Privacy Policy explains in clear, simple terms what data we collect, why we collect it, how we use and protect it, who we share it with, and your rights to control it.

We adhere to principles of privacy by design and data minimization—collecting only what's essential to deliver a personalized flexibility coach, track your progress, and improve the App. We do not track you across other apps or websites, do not use your data for advertising, and never sell or share your personal data for cross-context behavioral advertising (as defined under CCPA). The App does perform automated personalization (e.g. computing your daily Flexibility Score and recommending a session) — this is described in Section 3, has no legal or similarly significant effect on you, and you can opt out of the AI-powered parts at any time. If you have questions or need assistance exercising your rights, our team is available at hi@stretcha.co.

Summary

  • Data Collected: Account info (email or Apple/Google sign-in), self-reported profile and flexibility assessment, post-session feedback, in-app usage, and — only with your permission — read-only signals from Apple Health or Android Health Connect (e.g. steps, sleep, workouts, heart rate variability).
  • Uses: To compute your daily Flexibility Score, recommend a routine that fits today, adapt your plan based on signals and feedback, track progress, and send optional reminders.
  • Sharing: Limited to essential service providers (Supabase for storage, RevenueCat for subscriptions, Apple/Google for payments and authentication, PostHog for anonymous analytics, Anthropic for AI features when you consent) under strict contracts; no marketing shares.
  • AI is opt-in: No data leaves the device for our AI provider unless you explicitly accept the in-app AI consent prompt. You can revoke consent any time via Profile > AI & Data.
  • Your Rights: Access, update, export, or delete your data anytime via the App or email request—no fees or discrimination.
  • What We Don't Do: No location tracking, no access to camera/microphone/photos/contacts/calendar, no advertising profiling, no behavioral ad sales.
  • Health Focus: Health data is used only for personalization, progress, and safety; this is not medical advice—consult a professional.
  • Regional Focus: Primarily designed for EU users, with data processing optimized for GDPR compliance, while maintaining US (CCPA) and global standards.

By using the Loosen mobile application (the "App"), you consent to the practices outlined here. If you disagree, please do not use the App. We review and update this Policy at least annually or as needed to reflect changes in our practices, features, or laws. We will notify you of material changes via in-app notice or email.

1. Who We Are and Scope

We operate the Loosen App—a cross-platform mobile tool (iOS/Android) for guided stretching routines, progress tracking, and custom routine building, with an initial launch in the EU. This Policy applies to all personal data we process through the App. It does not cover third-party services linked from the App (e.g., external websites or payment processors' own policies).

Contact Us:
Email: hi@stretcha.co
Website: stretcha.co

For EEA/UK users, we act as the data controller under GDPR. For California residents, we are a "business" under CCPA/CPRA. We process data with EU users in mind first, using EU-based servers where possible to minimize transfers.

2. Personal Data We Collect

We collect only the minimum data required to provide, personalize, and improve the App. "Personal data" means any information relating to an identified or identifiable individual. We obtain your explicit consent for collecting sensitive data (e.g., health-related info) during onboarding, and you can withdraw it anytime. For EU users, we emphasize consent and legitimate interests as processing bases.

Account & Authentication

What: Email address and encrypted password, or — if you choose — the email address and provider-issued user identifier returned by Sign in with Apple or Sign in with Google. We never see your Apple/Google password.
Source: Provided by you during signup/login.
Why: To create and secure your account; enable login and session management.

Profile & Preferences

What: First name and last name, age band, experience level, goals (e.g. flexibility, pain relief, sleep), self-reported sitting hours and lifestyle, target areas, self-reported tight or painful areas (e.g. back, hips), self-reported health conditions, preferred session time, and notification preferences.
Source: Provided by you during onboarding or settings updates.
Why: To recommend a safe, personalized session and adapt your plan over time. Some of this is sensitive personal data (health information) under GDPR/CCPA; we process it on the basis of your explicit consent for personalization and safety filtering, and you can withdraw consent or delete this data at any time.

Flexibility Assessment

What: Per-area baseline scores (hips, hamstrings, shoulders, spine) and an overall starting Flexibility Score, derived from the onboarding self-assessment quiz. From there, these fields update automatically over time based on your session feedback, activity, and (if granted) Health/Health Connect signals.
Source: Self-reported answers you give during the in-app assessment.
Why: To anchor your daily Flexibility Score and tailor where each session focuses. Stored on your account in EU servers (for EEA/UK users).

Health & Activity Signals (Apple Health / Health Connect)

What: Read-only access to selected metrics: step count, active and basal energy burned, walking/running distance, flights climbed, heart rate, resting heart rate, heart rate variability, respiratory rate, blood oxygen, sleep stages, and workout sessions. We compute aggregates on your device (e.g. 7-day and 14-day averages of sedentary hours, sleep hours, and activity) and use those aggregates to drive the Flexibility Score and today's session recommendation.
Source: Apple HealthKit (iOS) or Android Health Connect, with your explicit OS-level permission. Read-only — we never write data back to Health.
Why: To answer the question your phone already knows the answer to: did you sit 11 hours today? Sleep 5? Run a 5k? — and recommend the right 8 minutes of stretching in response.
Where it lives: Raw Health samples stay on your device. Only the small numeric aggregates derived from them are sent to our servers (Supabase) so that the rest of the App can read them, and — only if you also accept AI consent — to our AI provider as part of the prompt context. You can revoke Health permission at any time in iOS Settings or the Health Connect app; without it, the App falls back to self-reported sitting hours and session feedback only.

Session Feedback

What: A short post-session response: how the session felt and which areas still feel tight.
Source: Tapped in by you at the end of each session.
Why: To adapt the next session — pose mix, duration, and which area to favor — to where your body actually is this week.

Usage & Progress

What: Session history (routines completed, duration, dates), streaks, total minutes stretched, and adaptive plan progress.
Source: Generated automatically from your App interactions.
Why: To display your progress, motivate you with streaks, and improve recommendations.

Device & Technical

What: Device model, OS version, app version, anonymous usage analytics (feature usage, session duration), and error reports via PostHog.
Source: Collected automatically via the App.
Why: To ensure compatibility, diagnose issues, optimize performance, and understand how features are used. PostHog generates an anonymous device ID for session tracking; we do NOT collect or link your name, email, user ID, or any personally identifiable information to analytics events. No cross-app tracking identifiers (e.g., IDFA) are collected.

Device Identifiers (via RevenueCat)

What: Device identifiers collected by RevenueCat SDK.
Source: Collected automatically when you use subscription features.
Why: To prevent subscription fraud, restore purchases across devices, and manage subscription access. Device identifiers are linked to your account to ensure purchases persist when you reinstall the app or switch devices.
Legal Basis: Necessary for contract performance (GDPR Article 6(1)(b)), required to fulfill your subscription agreement.

Purchase History

What: Record of subscription purchases, active entitlements, and transaction history.
Source: Generated when you purchase or restore subscriptions.
Why: To manage your subscription access, handle renewals, and enable purchase restoration.
Provider: RevenueCat (third-party subscription platform).

AI Features (Optional, Consent-Gated)

What: When — and only when — you accept the in-app AI consent prompt, parts of the data above are sent to our AI provider (Anthropic) so that an AI feature can run. Different AI features send different subsets; the full mapping is in Section 3 ("AI-Powered Features").
Source: Already collected on the basis of the categories above; transmission to the AI provider only happens after explicit AI consent.
Why: To power the four optional AI features: Build with AI (chat-driven custom routines), the adaptive plan generator (which rebuilds the next session based on your signals and feedback), the body-state explanation on the home screen, and the personalized plan narrative.
Revocation: Withdraw consent any time via Profile > AI & Data. After revocation no further data is sent to Anthropic, and the App falls back to non-AI templates and static copy.

What We Do NOT Collect

  • Location data (precise or coarse)
  • Access to camera, microphone, photos, contacts, calendar, or motion sensors
  • Health data beyond the read-only metrics listed above (we never write to Apple Health or Health Connect)
  • Any data for cross-app tracking, behavioral advertising, or advertising profiling
  • Children's data (App is for 13+; see Section 7)

3. How We Use Your Personal Data

We process data only for specific, legitimate purposes, with your consent where required (e.g., for sensitive health data). We follow data minimization and pseudonymization where possible, with special attention to EU users under GDPR.

  • Personalization & Safety: Use profile, assessment, feedback, and (if granted) Health/Health Connect signals to compute your daily Flexibility Score, recommend a session that fits today, filter poses for safety (e.g. avoid back strains if reported), and adapt your plan over time.
  • Subscription Management: Track active subscriptions, process entitlements, enable premium features, and restore purchases across devices via RevenueCat. Legal basis: Contract performance (GDPR Article 6(1)(b)).
  • Progress & Motivation: Track sessions to show streaks, totals, and achievements in-app.
  • Communications: Send optional push notifications (e.g., daily reminders at your preferred time) or emails (e.g., password resets).
  • Operations & Improvements: Analyze anonymous usage patterns via PostHog to fix bugs, enhance features, and improve app performance. PostHog auto-generates anonymous device IDs for session tracking; no identifiable user data is processed for analytics. We do not use your data for advertising profiling or to build cross-app behavioral profiles. Legal basis: Legitimate interest (GDPR Article 6(1)(f)).
  • Legal Compliance: Retain data as required by law (e.g., for audits); delete upon request.

Automated Personalization

The App computes results automatically — your Flexibility Score, the daily session pick, and (if you have accepted AI consent) AI-generated routines and plan narratives. These outputs personalize your in-app experience. They are not used to grant or deny access to any service, set pricing, or produce any legal or similarly significant effect on you under GDPR Article 22. You can:

  • Override the daily pick by choosing a different routine from the catalog or by building one yourself.
  • Withdraw AI consent in Profile > AI & Data, which silently switches the App to non-AI templates and static copy.
  • Revoke Health permission in iOS Settings or Health Connect, which removes those signals from the calculation.
  • Contact hi@stretcha.co to ask how a specific recommendation was produced or to request human review.

Legal Bases (GDPR/UK GDPR): Consent for sensitive data; legitimate interests for core features (e.g., progress tracking); contract performance for account services. For US users, we align with CCPA requirements.

Data Retention: We keep data only as long as needed—account data until deletion; progress data for 2 years after last activity (or sooner if requested). Anonymized aggregates may be retained longer for improvements.

AI-Powered Features

The App uses Anthropic's Claude AI model (via secure server-side processing through Supabase Edge Functions) to power four optional AI features. All processing happens on our servers — no AI runs on your device.

Consent (hard gate, defense in depth): Before any data is sent to Anthropic for any of these features, you are presented with an in-app consent prompt that clearly identifies what data will be shared, who it will be shared with, and requires your explicit approval. The consent state is stored on your account (plan_ai_consent) and checked both on the device and again on our servers as the first operation of every AI call — if consent is not present, the call is rejected before any prompt is constructed, and the App falls back to non-AI templates and static copy. You can revoke this consent at any time via Profile > AI & Data; revocation takes effect immediately across all four features.

The four AI features and the data each one sends:

1. Build with AI (chat-driven custom routines)

Sent to Anthropic: your chat messages and your profile preferences (experience level, reach flexibility, lifestyle, goals, self-reported health conditions, preferred session time). Health/Health Connect signals are not sent for this feature.

2. Adaptive Plan Generator

Sent to Anthropic: profile fields (problem areas, pain areas, stretching history, goals, health conditions, preferred session time), your last few session-feedback rows, your per-area Flexibility Scores and recent deltas, and — if you granted Health/Health Connect access — 14-day rolling averages of sedentary hours, sleep hours, and active hours plus 7-vs-14-day trends. Used to silently rebuild the next session in your plan.

3. Body-State Explanation (home screen)

Sent to Anthropic: today's body-state archetype (e.g. "sedentary slump"), the recommended routine's name, duration, and target areas, and a small set of derived signals (e.g. yesterday's sedentary hours bucket). Used to write the one-sentence reasoning under today's pick.

4. Plan Narrative

Sent to Anthropic: profile fields (age band, lifestyle, experience level, goals, target areas, problem/pain areas, health conditions, self-reported sitting hours), your overall and per-area Flexibility Scores, and — if you granted Health/Health Connect access — 7-day averages of sedentary hours and sleep hours plus recent workout types. Used to write the personalized "where you are / what we'll work on" narrative on your plan screen.

What is never sent: account identifiers (email, password, Apple/Google sign-in tokens) are never sent to Anthropic; raw HealthKit / Health Connect samples (individual heart-rate readings, sleep records, etc.) are never sent — only the small derived aggregates listed above. Data is processed in real time and is not stored by Anthropic after the response is generated. Your data is never used to train any AI models. For details, see Anthropic's privacy policy.

4. Sharing and Disclosure

We share data minimally, only with vetted providers under strict data processing agreements ensuring equivalent protection. For EU users, we prioritize EU-based processing to comply with GDPR data transfer rules.

  • Supabase: EU servers for EEA/UK users (to avoid transfers); handles storage, auth, and real-time sync. US servers for non-EU users.
  • RevenueCat: Manages subscriptions and in-app purchases. Collects and links device identifiers to your user account for fraud prevention, purchase restoration, and subscription management. Processes user IDs (anonymous UUIDs) to associate purchases with accounts. No payment card details are stored by us or RevenueCat.
  • User IDs: User IDs (anonymous UUIDs) are shared with RevenueCat to link subscriptions to your account, enabling purchase restoration and cross-device access.
  • Apple/Google: For in-app purchases and push notifications (they process device tokens).
  • PostHog: Manages anonymous product analytics and error tracking; processes usage events, device metadata, and crash logs. Hosted in the EU (https://eu.i.posthog.com) for GDPR compliance. No identifiable user data (name, email, user ID) is shared—only anonymous device IDs auto-generated by PostHog for session tracking. Standard Contractual Clauses apply.
  • Anthropic: Processes the data described in Section 3 ("AI-Powered Features") via the Claude AI model to power our four AI features (Build with AI, the adaptive plan generator, the body-state explanation, and the plan narrative). Data is sent only after you provide explicit in-app consent (plan_ai_consent = accepted) and only as long as that consent is active. Anthropic does not use your data to train their models. Anthropic is bound by their published privacy policy and our data processing terms, which require equivalent protection of user data, prohibit independent use of the data, and prohibit use for model training.
  • Apple HealthKit / Android Health Connect: Not third parties in the data-sharing sense — these are platform APIs on your own device. You grant the App read-only permission and we read the metrics described in Section 2. Apple and Google do not receive any new data from us via these APIs.

International Transfers (GDPR): Data for EU users stays in the EU where possible. For transfers (e.g., to US providers), we use Standard Contractual Clauses or equivalent safeguards. We do not share with governments except as legally required (e.g., valid subpoena).

No sales or marketing shares: We do not sell, rent, or share data for advertising/marketing. Under CCPA, "sale" or "sharing" does not occur.

5. Data Security and Integrity

We implement industry-standard measures tailored to data sensitivity, especially health info, with GDPR-compliant risk assessments:

  • Encryption: Data in transit (TLS 1.3+) and at rest; passwords hashed with strong algorithms.
  • Access Controls: Role-based; multi-factor auth for staff; no unnecessary access.
  • Security Practices: Regular vulnerability scans, penetration testing, and incident response plans. Annual independent audits.
  • Breach Response: Notify affected users and authorities promptly if required (e.g., within 72 hours under GDPR).

6. Your Privacy Rights and Choices

You have full control—exercise rights without fees, discrimination, or verification delays (we verify via email). EU users benefit from enhanced GDPR rights.

  • Access/Portability: View/export data in-app (Settings > Profile > Export Data) or request via hi@stretcha.co (response within 30 days; 15 under CCPA). Includes historical data back to account creation (per CCPA 2026 updates).
  • Update/Rectify: Edit profile/health info directly in-app.
  • Delete/Erasure ("Right to Be Forgotten"): Delete account via Settings > Delete Account—erases all personal data within 30 days (retention for legal reasons noted).
  • Opt-Out/Withdraw Consent: Disable reminders/notifications in settings; revoke health data consent (resets personalization). No "Do Not Sell/Share" option is needed because we don't sell or share data. We honor Global Privacy Control (GPC) signals.
  • AI Data Consent: You can revoke consent for AI data processing at any time via Profile > AI & Data. Revocation takes effect immediately across all four AI features, both client-side (no further calls are dispatched) and server-side (any incoming calls are rejected before any prompt is constructed). The App falls back to non-AI templates and static copy until you re-consent.
  • Health Permission: Revoke Apple Health (iOS) or Android Health Connect access at any time in your OS settings. The App will continue to work using your self-reported sitting hours and session feedback only.
  • Sensitive Data: Explicit opt-in for health data; limit processing via settings.
  • Appeals: If we deny a request, appeal via hi@stretcha.co—we review promptly.
  • Opt-Out of Analytics: PostHog uses fully anonymous analytics (no identifiable data). Since no personal information is tracked, no opt-out mechanism is required under GDPR/CCPA. If you have concerns, contact hi@stretcha.co.

For CCPA: Designated agent for requests: hi@stretcha.co. We disclose metrics annually (e.g., requests received/fulfilled).

7. Children's Privacy

The App is intended for users 13+ (16+ in EEA for consent without parental involvement). We do not knowingly collect data from children under 13 (or 16 in EEA). If we discover such data, we delete it immediately. Parents/guardians: Contact hi@stretcha.co for inquiries or deletion requests.

8. Medical and Health Disclaimer

Loosen is a wellness tool, not a medical device, diagnostic service, or substitute for professional advice. Self-reported health data is used solely to personalize routines and avoid potential risks—it's not verified or intended as medical guidance. Always consult a healthcare provider before starting any exercise program, especially if you have medical conditions. We disclaim all liability for injuries or health issues arising from App use—participate at your own risk.

9. Changes to This Policy

We may update this Policy to reflect new features, legal changes, or practices. Material changes (e.g., new data uses) will be notified via in-app banner or email at least 30 days in advance, with your continued use constituting acceptance. Check back regularly.

10. Contact and Complaints

For questions, rights requests, or complaints: hi@stretcha.co (response within 30 days; 15 under CCPA). If unresolved, contact your local data protection authority (e.g., your national DPA in the EU, ICO in UK, CPPA in California) or file a complaint.

Thank you for trusting Loosen. We're committed to your privacy—empowering your flexibility journey securely, starting in the EU.