[00]Privacy policy

Your data, protected by design.

Inner Navigation was built with privacy as an architectural constraint, not a marketing promise. This document explains, in plain language, exactly what happens to your data.

Last updated · July 10, 2026 · v2026-07-10

[01]At a glance

The five things you need to know.

  • 01
    Your logs stay on your phone

    By default, your raw personal data — logs, journal notes, if-then intentions, 21-day program progress — stays on your device. The guided sessions (breathing, somatic, visualization) run entirely on-device and transmit nothing. Personal cloud backup and community statistics are separate opt-ins, and each can be withdrawn independently.

  • 02
    EU-hosted, GDPR-compliant

    All server-side data — pseudonymized contributions, account authentication, backup snapshots, AI memory — is stored on Supabase EU infrastructure (Dublin, Ireland), subject to European data protection law. The one exception is the opt-in AI features (AI analyses, the conversational AI coach, memory distillation): when you enable them, selected data is sent to US AI providers (Google, Anthropic) under EU Standard Contractual Clauses.

  • 03
    Pseudonymized at rest, k-anonymous in published aggregates

    When you opt in to community statistics, data is stripped of direct identifiers before it is sent (no names, no email, no device IDs, and no precise GPS — location is rounded before use) — at this stage it is pseudonymized in the GDPR sense (Article 4(5)): we can still link it back to your account to honor a deletion request. Data published to the community as collective insights is then aggregated with k-anonymity (≥ 10 contributors per cell, ~110 km) and statistical noise (±0.3) — at that level it is no longer attributable to any individual.

  • 04
    No advertising, no data sales

    We do not run ads. We do not sell, rent, or share your data with third-party marketers, brokers, or partners. Ever.

  • 05
    You control everything

    Full export in one tap. Full deletion in another. No retention games, no dark patterns.

[02]Who is responsible

Data controller identity.

Under the EU General Data Protection Regulation (GDPR), the data controller for Inner Navigation is:

Controller

Esteban Pedreira — operating Inner Navigation. Tracker MW is the mobile app for the Inner Navigation service; Manifest Wealth is the wider ecosystem and umbrella brand.

All privacy requests — access, rectification, erasure, objection, portability — are handled at the address above. We respond within 30 days, as required by GDPR Article 12.

[03]What we collect

The data we hold, and why.

[On-device only]

Your personal logs, journal & practice data

To generate your personal correlations, graphs, journal, and program progress, locally, on your phone.

Stored
Locally, on your device, in encrypted storage.
Fields
  • Mood, energy, willpower, focus ratings
  • Sleep duration and subjective quality
  • Food, exercise, meditation entries
  • Intimate life (libido, sexual activity), if you fill in those fields
  • Free-text journal notes — typed or dictated (voice input uses your device’s speech recognition under Apple/Google platform rules; we never receive the audio)
  • If-then intentions (situation, action, expected outcome) and their notification reminders
  • 21-day Foundations program progress
  • Guided-session activity (breathing, somatic, visualization) — 100% local, never transmitted
  • Custom variables you define
  • Timestamps of each log
[Opt-in · EU servers]

Pseudonymized contributions (aggregated before publication)

To compute collective patterns and Quarterly Reports. Shared only if you explicitly opt in to community statistics. Stored linked to your account so we can delete it on request — it is not anonymous data in the GDPR sense (Article 4(5)). What is published to the community is aggregated with k ≥ 10 + statistical noise.

Stored
Supabase EU infrastructure (Dublin, Ireland).
Fields
  • Numerical ratings, rounded to reduce precision (5-point bins)
  • Tags drawn from a closed whitelist (no free-text)
  • Coarse location rounded on your device (~11 km) before transmission — never precise GPS; published only as ~110 km cells (k ≥ 10)
  • Coarse timestamp (day + 4-hour slot) — no exact time of day
  • No name, no email, no device ID, no IP address retained
[Account · EU servers]

Authentication data

To let you sign in. Creating an account does not by itself activate personal data sync.

Stored
Supabase EU Auth (Dublin, Ireland).
Fields
  • Email address (if you create an account)
  • Hashed password (never stored in plaintext)
  • Session tokens

Creating an account is optional. The app is fully functional without one — your data simply stays on one device.

[Separate opt-in · EU servers]

Personal cloud backup

To back up your personal logs and, for Premium users, restore or merge them across devices. This runs only after a separate cloud-backup consent in the mobile app.

Stored
Supabase EU infrastructure (Dublin, Ireland).
Fields
  • Mood and daily journal snapshot — including your free-text journal notes
  • If-then intentions (intentions table)
  • 21-day Foundations program progress (program_progress table)
  • Settings and consent state
  • Illness episodes entered by you
  • One app-open row per UTC day only while cloud backup is enabled

daily_app_opens rows are retained for 90 days. The product goal is to remove this named counter or anonymize it before broad launch.

[Opt-in · AI providers]

AI coach, AI analyses & persistent AI memory

To power the conversational AI coach, on-demand AI analyses (including the 21-day program milestone reviews at days 7, 14, and 21), and — under its own dedicated opt-in — a persistent AI memory. Nothing in this category is processed without the corresponding consent toggle.

Stored
Chat and analysis payloads transit through our Cloudflare Worker to the configured AI provider (Google Gemini Flash by default, Anthropic Claude as an alternative) for the duration of one inference. Distilled AI memories are stored in the user_ai_memory table on Supabase EU (Dublin, Ireland) — not with the AI providers.
Fields
  • Structured well-being indicators (mood, sleep, activity, symptoms; intimate life — libido, sexual activity — if you fill in those fields) — under the AI health consent
  • Free-text journal notes — only under the separate “free-text notes → AI” consent; without it, your notes are never added to any AI payload
  • Messages you write to the AI coach — 3 per day free, up to 40 per day with Premium; quotas are counted server-side against your pseudonymized account to prevent abuse
  • Distilled memory entries (user_ai_memory) — reused in coach replies and analyses; you can delete individual memories or wipe the memory entirely

Neither we nor the AI providers train models on your data: under their commercial API terms, Anthropic and Google do not use API content to train their models.

[Technical · minimal]

Service telemetry

To diagnose crashes and keep the app working. Privacy-respecting by design.

Stored
Aggregated, short retention (≤ 30 days).
Fields
  • Crash reports (no personal content, no logs)
  • App version, OS version, device model category
  • No advertising identifiers, no fingerprinting, no third-party trackers

If crash telemetry is enabled, it runs through Sentry — configured with IP masking and payload scrubbing (no journal notes, no AI prompts, no raw health data).

[04]Legal basis (GDPR)

Why we’re allowed to process your data.

GDPR Article 6 requires a lawful basis for every processing activity. Ours are narrow and explicit:

  • 01
    Consent (Art. 6(1)(a))

    Contributing to the collective dataset (pseudonymized at rest, aggregated with k-anonymity before publication). You opt in separately from personal cloud backup. You can withdraw consent at any time — one tap, no questions.

  • 02
    Explicit consent for health data (Art. 9(2)(a))

    Your mood, sleep, illness and well-being logs — and, if you fill in those fields, your intimate-life logs (libido, sexual activity) — may constitute data concerning health or sex life, special categories under GDPR Article 9. We process such data only on your explicit consent under Article 9(2)(a), given through the in-app toggles: the cloud-backup consent before any health log leaves your device for storage; the AI health consent before structured indicators are sent to an AI provider (for analyses or the AI coach); the separate free-text-notes consent before any journal note joins an AI payload; and the dedicated persistent-AI-memory opt-in. Each consent can be withdrawn at any time, independently of the others.

  • 03
    Contract (Art. 6(1)(b))

    Operating your account (if you create one), delivering the Premium subscription or the AI credit packs you purchase, and enforcing the corresponding AI usage quotas (daily coach message limits, analysis credits).

  • 04
    Legitimate interest (Art. 6(1)(f))

    Minimal crash telemetry to keep the app working. Balanced against a privacy-respecting architecture — no identifiers, short retention.

  • 05
    Legal obligation (Art. 6(1)(c))

    Where accounting, tax, or consumer-protection law requires us to retain certain transaction records.

[05]Where your data lives

EU hosting, by deliberate choice.

Any data that leaves your device — pseudonymized contributions, account credentials — is stored exclusively on EU-based infrastructure:

[Primary]

Supabase EU

Database, authentication, and storage hosted in Dublin, Ireland. Subject to GDPR, operated under European data protection law.

supabase.com · EU region

[Transit]

HTTPS + HSTS

All connections are TLS-encrypted. The .app TLD enforces HTTPS at the DNS level — no insecure fallback is possible.

TLS 1.3 · HSTS preloaded

No data is transferred outside the European Economic Area without explicit consent and a valid transfer mechanism — the one opt-in exception being AI analysis, detailed just below.

AI features use separate, granular consents: a first one to send structured well-being indicators (mood, sleep, activity, symptoms, intimate life if you fill in those fields), a second, distinct consent for including your free-text journal notes, and a dedicated opt-in for persistent AI memory. Without the notes consent, your written notes are not added to any AI payload. When you opt in, the selected data — analysis context, your AI coach messages, and memory distillation runs — is sent to our AI providers (Google Gemini Flash by default, Anthropic Claude as an alternative) hosted in the United States, under EU Standard Contractual Clauses (Commission Decision 2021/914). These transfers occur only for the duration of the inference and only when you explicitly enable the relevant AI feature in the app. The distilled AI memories themselves are stored on Supabase EU (Dublin), not with the AI providers. Separately, requests to the AI proxy and IAP verification pass through Cloudflare’s global edge network, which processes personal data in transit (but does not store it outside Supabase), also under Standard Contractual Clauses. The full list of sub-processors and their transfer mechanisms is in the Sub-processors section below. We will notify you before adding any new sub-processor or materially changing the purpose of an existing one.

[06]How long we keep it

Retention, in plain numbers.

  • 01
    On-device logs

    Kept as long as you keep the app installed. Uninstalling the app on most platforms clears local storage.

  • 02
    Pseudonymized contributions

    Kept linked to your account so we can honor a deletion request — they are not anonymous in the GDPR sense. You can wipe your past contributions at any time from the app. Aggregated statistics already published (k ≥ 10 cells with noise) cannot be tied back to you and remain in the public dataset.

  • 03
    Journal, intentions & program progress (cloud backup)

    Included in the backup snapshot and the intentions / program_progress tables only while cloud backup is enabled. Deleted with your account. You can disable cloud backup at any time and keep everything locally.

  • 04
    Persistent AI memory (user_ai_memory)

    Kept while the AI-memory opt-in is active. You can delete individual memories or wipe the whole memory from the app at any time; deleting your account removes it as well.

  • 05
    AI chat & analysis payloads

    Processed by the AI provider for the duration of one inference and not used for training. Any analysis history stored in the app follows the AI retention setting you configure, or is removed when you delete it.

  • 06
    Account data

    Kept as long as your account exists. Deleting your account erases authentication data within 30 days.

  • 07
    Crash telemetry

    30 days maximum, then automatically purged.

  • 08
    Billing records (Premium subscription & credit packs)

    Purchase and transaction records are retained for the period required by tax and accounting law — typically 6 to 10 years depending on jurisdiction — then deleted.

[07]Your rights

What you can ask, and how.

Under GDPR, you have the following rights over your personal data. Most of them are exercisable directly from the app, in one or two taps. The rest are handled by email at privacy@innernavigation.app.

  1. Right[01]

    Access

    Request a copy of all personal data we hold about you. In-app: one-tap full export as CSV or JSON.

  2. Right[02]

    Rectification

    Correct inaccurate data. Most logs are directly editable from the app.

  3. Right[03]

    Erasure (right to be forgotten)

    Delete your account and all associated data. In-app: Settings -> Account -> Delete my online account. Web: /account/delete.

  4. Right[04]

    Restriction

    Ask us to pause processing of your data while a dispute is resolved.

  5. Right[05]

    Objection

    Object to processing based on legitimate interest. We stop unless we demonstrate overriding grounds.

  6. Right[06]

    Portability

    Receive your data in a structured, machine-readable format, and transfer it elsewhere.

  7. Right[07]

    Withdraw consent

    Withdraw at any time from the sharing toggles. Past pseudonymized contributions remain in the dataset unless you explicitly request their removal. Aggregated statistics already published (k ≥ 10) cannot be unwound.

  8. Right[08]

    Lodge a complaint

    You have the right to complain to your national data-protection authority (e.g. CNIL in France, BfDI in Germany).

[08]Sub-processors

Who else touches your data.

We use a small, deliberately-chosen set of service providers. Each one is listed here, with a data processing agreement (DPA) and, for any transfer outside the EEA, the European Commission’s Standard Contractual Clauses (SCCs) plus technical safeguards (encryption, data minimization).

Sub-processor update policy. We keep an internal register of sub-processors and their safeguards up to date. If this list changes materially — a new or replacement provider that affects your data — we update this page (date and version at the top) and, for a substantial change, notify active users in the app. The current list is also available on request at the contact below.

ProviderPurpose
SupabaseDatabase, authentication, optional personal cloud backup (including journal notes, intentions, and program progress), persistent AI memory (user_ai_memory), consent records, and opted-in community data. DPA in place; primary storage kept in the EU.
CloudflareDNS, DDoS protection and CDN for static assets. Workers (compute) run the AI proxy (analyses and coach chat) and IAP verification, which means they transit personal data in flight (analysis context, AI coach messages, opt-in journal notes, transaction identifiers). No personal data is persisted on Cloudflare outside Supabase, but it is processed in transit. DPA + SCCs in place.
Apple App Store / Google PlayIn-app purchase processing for mobile subscriptions or AI credits. We do not receive your full card number.
StripeReserved for a future web checkout if offered. Not used for current mobile in-app purchases.
Google (Gemini Flash)Default AI provider for the conversational AI coach, AI analyses, and personal AI-memory distillation, invoked only when the relevant AI consents are enabled. We send structured well-being indicators, your coach messages, and journal notes only under the separate notes consent, for the duration of one inference. Google does not train on Gemini API content under our paid tier configuration.
Anthropic (Claude)Alternative AI provider for the AI coach and AI analyses, invoked only when you explicitly opt in to AI features and select it (or when configuration routes to it). Same data scope as above: structured indicators, coach messages, and journal notes only under the separate notes consent, for the duration of one inference. Anthropic does not train on API content under the applicable commercial API terms.
Open-MeteoWeather, UV-index and air-quality provider. Receives the device latitude/longitude for your logged days to return local environmental conditions; no account identifier is sent, and coordinates are used only to fetch and cache that data. EU-based, so no transfer outside the EEA is involved.
NOAA/SWPC · USGS · NASA DONKIPublic scientific open-data sources for space weather (NOAA/SWPC), earthquakes (USGS) and solar events (NASA DONKI). They are queried for global public datasets by date only — your location is not sent to them. As US public-sector open-data providers they are data recipients, not Article 28 processors.
SentryCrash and stability telemetry — only if enabled by the publisher. Configured with no raw personal data (no journal notes, no AI prompts, no health data), IP masking and payload scrubbing (sendDefaultPii: false). DPA + SCCs in place.
[09]Cookies & trackers

Cookies, trackers, and what we don’t use.

This website uses strictly necessary cookies only: the Supabase session cookies required to keep you signed in and to sync your own data. They are essential to the service and are never used for advertising or profiling.

We do not use advertising cookies, marketing trackers, fingerprinting, or non-essential analytics. No third-party analytics tool runs without your prior consent. If we ever add one, it will only load after you have given consent through a banner or choice screen, and you will be able to refuse it.

The mobile app follows the same principle: no advertising identifiers, no fingerprinting, no third-party trackers — only the session tokens needed to sign in and sync.

[10]Security

How we keep your data safe.

  • 01
    Encryption in transit

    All client-server communication uses TLS 1.3. HTTPS is enforced at the DNS level via the .app TLD (HSTS preloaded).

  • 02
    Encryption at rest

    Server-side data is encrypted at rest on Supabase EU infrastructure. Local on-device data uses platform-native encrypted storage.

  • 03
    Minimal attack surface

    We collect the minimum data required. Fields we don’t need, we don’t store. Every column on the server is there for a reason we can justify.

  • 04
    Access controls

    Server access is restricted to the project maintainer, with two-factor authentication required. No analytics personnel, no marketing team — because there is no analytics personnel or marketing team.

  • 05
    Breach notification

    In the unlikely event of a data breach, we will notify affected users and the relevant supervisory authority within 72 hours, as required by GDPR Article 33.

[11]Minors

Inner Navigation is not for children.

The service is not directed at children under the age of 15. We do not knowingly collect personal data from anyone under 15. If you believe a minor has created an account, please contact us at privacy@innernavigation.app and we will delete the account and associated data.

[12]Changes to this policy

When things evolve.

This policy may evolve as the project grows. When we make material changes — anything that affects your rights, how we use your data, or who we share it with — we will:

This English version belongs to the same legal document set as the French, Spanish, Portuguese, and German versions planned for app distribution. Those versions must remain aligned on the same version number and review date before publication in those languages.

  • Update the "Last updated" date at the top of this page.
  • Notify active users in-app and, where we have an email address, by email.
  • Preserve previous versions of this document in our public changelog.

Minor changes — typo fixes, clarifications that don’t alter substance — will be made silently, but still reflected in the date stamp.

[13]Governing law

Which law applies to this policy.

This privacy policy is governed by French law, together with the GDPR and the French Data Protection Act (Loi Informatique et Libertés), which apply directly.

For users acting as professionals (non-consumers), any dispute relating to this policy falls to the French courts of the publisher’s registered office — Mont-de-Marsan, Landes. If you are a consumer, nothing in this clause deprives you of the mandatory protections of the law of your country of residence, or of your right to bring proceedings before the courts of the place where you live.

None of this limits your right to lodge a complaint with your data-protection authority at any time — the CNIL in France, or the authority of your own country.

Questions, corrections, concerns?

If anything on this page is unclear — or if you believe we’ve handled your data in a way inconsistent with what it describes — tell us.

privacy@innernavigation.app

See also · Terms of service · Data sources