Privacy Policy
Effective Date: February 28, 2026
At Loosen ("we," "us," or "our"), your privacy is our top priority. We are dedicated to handling your personal data transparently, securely, and in full compliance with applicable laws. Given our initial launch focus in the European Union (EU), we prioritize the General Data Protection Regulation (GDPR) and UK GDPR for users in the European Economic Area (EEA) and UK. We also comply with the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) for US users, and other relevant regulations worldwide. This Privacy Policy explains in clear, simple terms what data we collect, why we collect it, how we use and protect it, who we share it with, and your rights to control it.
We adhere to principles of privacy by design and data minimization—collecting only what's essential to deliver safe, personalized stretching routines, track your progress, and improve the App. We do not track you across other apps or websites, do not use your data for advertising, automated profiling, or decision-making, and never sell or share your personal data for cross-context behavioral advertising (as defined under CCPA). If you have questions or need assistance exercising your rights, our team is available at hi@stretcha.co.
Summary
- Data Collected: Necessary info like email for accounts, optional fitness details for personalization, and usage data for progress tracking.
- Uses: To create tailored routines, ensure safety by avoiding contraindicated poses, track streaks, and send optional reminders.
- Sharing: Limited to essential service providers (e.g., Supabase for storage, Anthropic for AI routine generation, Apple for payments) under strict contracts; no marketing shares.
- Your Rights: Access, update, export, or delete your data anytime via the App or email request—no fees or discrimination.
- What We Don't Do: No location tracking, no access to camera/microphone/photos/contacts/calendar, no integration with external health data sources like Apple Health.
- Health Focus: Self-reported data is used only for personalization and safety; this is not medical advice—consult a professional.
- Regional Focus: Primarily designed for EU users, with data processing optimized for GDPR compliance, while maintaining US (CCPA) and global standards.
By using the Loosen mobile application (the "App"), you consent to the practices outlined here. If you disagree, please do not use the App. We review and update this Policy at least annually or as needed to reflect changes in our practices, features, or laws. We will notify you of material changes via in-app notice or email.
1. Who We Are and Scope
We operate the Loosen App—a cross-platform mobile tool (iOS/Android) for guided stretching routines, progress tracking, and custom routine building, with an initial launch in the EU. This Policy applies to all personal data we process through the App. It does not cover third-party services linked from the App (e.g., external websites or payment processors' own policies).
Contact Us:
Email: hi@stretcha.co
Website: stretcha.co
For EEA/UK users, we act as the data controller under GDPR. For California residents, we are a "business" under CCPA/CPRA. We process data with EU users in mind first, using EU-based servers where possible to minimize transfers.
2. Personal Data We Collect
We collect only the minimum data required to provide, personalize, and improve the App. "Personal data" means any information relating to an identified or identifiable individual. We obtain your explicit consent for collecting sensitive data (e.g., health-related info) during onboarding, and you can withdraw it anytime. For EU users, we emphasize consent and legitimate interests as processing bases.
Account & Authentication
What: Email address and encrypted password.
Source: Provided by you during signup/login.
Why: To create and secure your account; enable login and session management.
Profile & Preferences
What: First name and last name, experience level (beginner/intermediate/advanced), goals (e.g., flexibility, pain relief, sleep), preferred session time, and any self-reported tight/pain areas (e.g., back, hips).
Source: Provided by you during onboarding or settings updates.
Why: To recommend safe, personalized routines and send optional reminders. This may include sensitive personal information (health data) under GDPR/CCPA, which we process only with your consent for safety filtering.
Usage & Progress
What: Session history (e.g., routines completed, duration, dates), streaks, total minutes stretched.
Source: Generated automatically from your App interactions.
Why: To display your progress, motivate you with streaks, and improve recommendations.
Device & Technical
What: Device model, OS version, app version, anonymous usage analytics (feature usage, session duration), and error reports via PostHog.
Source: Collected automatically via the App.
Why: To ensure compatibility, diagnose issues, optimize performance, and understand how features are used. PostHog generates an anonymous device ID for session tracking; we do NOT collect or link your name, email, user ID, or any personally identifiable information to analytics events. No cross-app tracking identifiers (e.g., IDFA) are collected.
Device Identifiers (via RevenueCat)
What: Device identifiers collected by RevenueCat SDK.
Source: Collected automatically when you use subscription features.
Why: To prevent subscription fraud, restore purchases across devices, and manage subscription access. Device identifiers are linked to your account to ensure purchases persist when you reinstall the app or switch devices.
Legal Basis: Necessary for contract performance (GDPR Article 6(1)(b)) - required to fulfill your subscription agreement.
Purchase History
What: Record of subscription purchases, active entitlements, and transaction history.
Source: Generated when you purchase or restore subscriptions.
Why: To manage your subscription access, handle renewals, and enable purchase restoration.
Provider: RevenueCat (third-party subscription platform).
AI Routine Builder
What: Chat messages and profile preferences (fitness level, flexibility level, health goals, focus areas, and any self-reported health conditions) sent during AI sessions.
Source: Provided by you when using Build with AI (with explicit consent).
Why: To generate personalized stretching routines via Anthropic's AI; not stored after processing.
What We Do NOT Collect
- Location data (precise or coarse)
- Access to camera, microphone, photos, contacts, calendar, or motion sensors
- Integrated health data from external sources (e.g., Apple Health/Google Fit)
- Any data for cross-app tracking, behavioral advertising, or automated decision-making
- Children's data (App is for 13+; see Section 7)
3. How We Use Your Personal Data
We process data only for specific, legitimate purposes, with your consent where required (e.g., for sensitive health data). We follow data minimization and pseudonymization where possible, with special attention to EU users under GDPR.
- Personalization & Safety: Use profile and health data to generate routines, filter poses (e.g., avoid back strains if reported), and suggest durations.
- Subscription Management: Track active subscriptions, process entitlements, enable premium features, and restore purchases across devices via RevenueCat. Legal basis: Contract performance (GDPR Article 6(1)(b)).
- Progress & Motivation: Track sessions to show streaks, totals, and achievements in-app.
- Communications: Send optional push notifications (e.g., daily reminders at your preferred time) or emails (e.g., password resets).
- Operations & Improvements: Analyze anonymous usage patterns via PostHog to fix bugs, enhance features, and improve app performance. PostHog auto-generates anonymous device IDs for session tracking; no identifiable user data is processed for analytics. We do not perform automated decision-making or advertising profiling. Legal basis: Legitimate interest (GDPR Article 6(1)(f)).
- Legal Compliance: Retain data as required by law (e.g., for audits); delete upon request.
Legal Bases (GDPR/UK GDPR): Consent for sensitive data; legitimate interests for core features (e.g., progress tracking); contract performance for account services. For US users, we align with CCPA requirements.
Data Retention: We keep data only as long as needed—account data until deletion; progress data for 2 years after last activity (or sooner if requested). Anonymized aggregates may be retained longer for improvements.
AI-Powered Features
We use Anthropic's Claude AI model (via secure server-side processing through Supabase Edge Functions) to power our conversational AI Routine Builder. All processing happens on our servers—no AI runs on your device.
Consent: Before any data is sent to Anthropic, you are presented with an in-app consent prompt that clearly identifies what data will be shared, who it will be shared with, and requires your explicit approval before proceeding. You can revoke this consent at any time via Profile > AI & Data, which requires re-consent on next use.
Data sent: The following data may be sent to Anthropic when you use Build with AI:
- Your chat messages (the text you type describing what routine you want)
- Profile preferences: fitness level, flexibility level, health goals, focus areas, and any self-reported health conditions
No account identifiers (email, user ID) are sent to Anthropic. Data is processed in real-time and is not stored by Anthropic after the response is generated. Your data is never used to train any AI models. For details, see Anthropic's privacy policy.
4. Sharing and Disclosure
We share data minimally, only with vetted providers under strict data processing agreements ensuring equivalent protection. For EU users, we prioritize EU-based processing to comply with GDPR data transfer rules.
- Supabase: EU servers for EEA/UK users (to avoid transfers); handles storage, auth, and real-time sync. US servers for non-EU users.
- RevenueCat: Manages subscriptions and in-app purchases. Collects and links device identifiers to your user account for fraud prevention, purchase restoration, and subscription management. Processes user IDs (anonymous UUIDs) to associate purchases with accounts. No payment card details are stored by us or RevenueCat.
- User IDs: User IDs (anonymous UUIDs) are shared with RevenueCat to link subscriptions to your account, enabling purchase restoration and cross-device access.
- Apple/Google: For in-app purchases and push notifications (they process device tokens).
- PostHog: Manages anonymous product analytics and error tracking; processes usage events, device metadata, and crash logs. Hosted in the EU (https://eu.i.posthog.com) for GDPR compliance. No identifiable user data (name, email, user ID) is shared—only anonymous device IDs auto-generated by PostHog for session tracking. Standard Contractual Clauses apply.
- Anthropic: Processes user messages and profile preferences (fitness level, goals, health disclosures) via the Claude AI model to generate personalized stretching routines. Data is sent only when you use the "Build with AI" feature and only after you provide explicit in-app consent. Anthropic does not use your data to train their models. Anthropic is bound by their published privacy policy and our data processing terms, which require equivalent protection of user data, prohibit independent use of the data, and prohibit use for model training.
International Transfers (GDPR): Data for EU users stays in the EU where possible. For transfers (e.g., to US providers), we use Standard Contractual Clauses or equivalent safeguards. We do not share with governments except as legally required (e.g., valid subpoena).
No sales or marketing shares: We do not sell, rent, or share data for advertising/marketing. Under CCPA, "sale" or "sharing" does not occur.
5. Data Security and Integrity
We implement industry-standard measures tailored to data sensitivity, especially health info, with GDPR-compliant risk assessments:
- Encryption: Data in transit (TLS 1.3+) and at rest; passwords hashed with strong algorithms.
- Access Controls: Role-based; multi-factor auth for staff; no unnecessary access.
- Security Practices: Regular vulnerability scans, penetration testing, and incident response plans. Annual independent audits.
- Breach Response: Notify affected users and authorities promptly if required (e.g., within 72 hours under GDPR).
6. Your Privacy Rights and Choices
You have full control—exercise rights without fees, discrimination, or verification delays (we verify via email). EU users benefit from enhanced GDPR rights.
- Access/Portability: View/export data in-app (Settings > Profile > Export Data) or request via hi@stretcha.co (response within 30 days; 15 under CCPA). Includes historical data back to account creation (per CCPA 2026 updates).
- Update/Rectify: Edit profile/health info directly in-app.
- Delete/Erasure ("Right to Be Forgotten"): Delete account via Settings > Delete Account—erases all personal data within 30 days (retention for legal reasons noted).
- Opt-Out/Withdraw Consent: Disable reminders/notifications in settings; revoke health data consent (resets personalization). No "Do Not Sell/Share" needed as we don't sell/share. We honor Global Privacy Control (GPC) signals.
- AI Data Consent: You can revoke consent for AI data processing at any time via Profile > AI & Data. This stops data from being sent to Anthropic until you re-consent.
- Sensitive Data: Explicit opt-in for health data; limit processing via settings.
- Appeals: If we deny a request, appeal via hi@stretcha.co—we review promptly.
- Opt-Out of Analytics: PostHog uses fully anonymous analytics (no identifiable data). Since no personal information is tracked, no opt-out mechanism is required under GDPR/CCPA. If you have concerns, contact hi@stretcha.co.
For CCPA: Designated agent for requests: hi@stretcha.co. We disclose metrics annually (e.g., requests received/fulfilled).
7. Children's Privacy
The App is intended for users 13+ (16+ in EEA for consent without parental involvement). We do not knowingly collect data from children under 13 (or 16 in EEA). If we discover such data, we delete it immediately. Parents/guardians: Contact hi@stretcha.co for inquiries or deletion requests.
8. Medical and Health Disclaimer
Loosen is a wellness tool, not a medical device, diagnostic service, or substitute for professional advice. Self-reported health data is used solely to personalize routines and avoid potential risks—it's not verified or intended as medical guidance. Always consult a healthcare provider before starting any exercise program, especially if you have medical conditions. We disclaim all liability for injuries or health issues arising from App use—participate at your own risk.
9. Changes to This Policy
We may update this Policy to reflect new features, legal changes, or practices. Material changes (e.g., new data uses) will be notified via in-app banner or email at least 30 days in advance, with your continued use constituting acceptance. Check back regularly.
10. Contact and Complaints
For questions, rights requests, or complaints: hi@stretcha.co (response within 30 days; 15 under CCPA). If unresolved, contact your local data protection authority (e.g., your national DPA in the EU, ICO in UK, CPPA in California) or file a complaint.
Thank you for trusting Loosen. We're committed to your privacy—empowering your flexibility journey securely, starting in the EU.