Privacy Policy

1. Information We Collect

1.1 Account Information

• Email address - Used for authentication and account recovery
• User ID - Automatically generated identifier

1.2 Profile Information

• Location data - City and timezone for AI persona matching and realistic conversation timing
• Preferences - Time format (12h/24h), notification settings
• Subscription data - Plan type and expiration date (managed via RevenueCat)

1.3 Conversation Data

• Messages - All text messages you send to AI personas
• AI responses - Generated messages, reactions, and timing data
• Conversation metadata - Timestamps, read receipts, conversation status

1.4 Usage Information

• Message quotas - Daily message count and limits
• Conversation metrics - Number of conversations, last activity date
• Device tokens - Push notification identifiers

1.5 Technical Information

• Device information - Platform type (iOS/Android), app version
• Local storage - Session data cached on your device

2. Legal Basis and Use of Your Information

Under GDPR, we process your personal data based on the following legal grounds:

2.1 Contractual Necessity (GDPR Art. 6(1)(b))

• Provide the service - Generate AI conversations with realistic personas
• Personalize experience - Match timezones, adjust message timing, and calibrate AI responses
• Manage subscriptions - Process payments and enforce usage quotas

2.2 Legitimate Interest (GDPR Art. 6(1)(f))

• Improve the service - Analyze usage patterns to enhance conversation quality and user experience
• Provide support - Respond to your inquiries and troubleshoot issues
• Security - Detect and prevent fraud, abuse, and security incidents

2.3 Consent (GDPR Art. 6(1)(a))

• Send notifications - Deliver push notifications when AI personas respond (you may withdraw consent at any time)

3. Data Processors and International Transfers

We share your information with the following data processors. As these services may process data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

3.1 Supabase (USA)

Purpose: Database hosting, authentication, and real-time updates

Data shared: All account, profile, and conversation data

Safeguards: Standard Contractual Clauses (SCCs), adequacy decisions where applicable

Privacy policy: https://supabase.com/privacy

3.2 Google LLC (USA) - Gemini AI

Purpose: AI conversation generation

Data shared: Your messages, conversation history, and persona context

Note: Message content is processed by Google's AI to generate realistic responses

Safeguards: Standard Contractual Clauses (SCCs), Google's EU-U.S. Data Privacy Framework certification

Privacy policy: https://policies.google.com/privacy

3.3 RevenueCat (USA)

Purpose: Subscription and payment processing

Data shared: User ID, subscription status, purchase receipts

Note: Payment details (credit cards) are processed by Apple/Google, not stored by us

Safeguards: Standard Contractual Clauses (SCCs)

Privacy policy: https://www.revenuecat.com/privacy

3.4 Apple Push Notification Service (APNs) / Firebase Cloud Messaging (FCM)

Purpose: Deliver push notifications

Data shared: Device push tokens, notification content

Note: Apple (iOS) and Google (Android) handle push notification delivery through their respective services

Safeguards: Apple and Google's standard terms and privacy frameworks

Privacy policies:

• Apple: https://www.apple.com/legal/privacy/
• Google/Firebase: https://firebase.google.com/support/privacy

Your Rights Regarding Transfers:

You have the right to obtain information about the safeguards we use for international data transfers and to object to such transfers under certain conditions.

4. Data Retention

• Active accounts: Data is retained while your account is active
• Deleted accounts: Data is permanently deleted within 30 days of account deletion
• Conversations: Stored indefinitely unless you delete your account
• Messages: Cannot be individually deleted; delete entire conversations or your account

5. Data Security

We implement industry-standard security measures to protect your personal information, including encryption in transit and at rest, access controls, and secure cloud infrastructure.

However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

6. Your Rights Under GDPR

As a data subject in the European Union, you have the following rights:

6.1 Right of Access (Art. 15)

Request a copy of all personal data we hold about you, including information about processing activities.

6.2 Right to Rectification (Art. 16)

Request correction of inaccurate or incomplete personal data.

6.3 Right to Erasure / "Right to be Forgotten" (Art. 17)

Request deletion of your personal data when:

• No longer necessary for the purposes collected
• You withdraw consent (where processing is based on consent)
• You object to processing and no overriding legitimate grounds exist
• Data was unlawfully processed

In-app: Delete your account through app settings (all data deleted within 30 days)

6.4 Right to Restriction of Processing (Art. 18)

Request limitation of processing under certain conditions.

6.5 Right to Data Portability (Art. 20)

Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

6.6 Right to Object (Art. 21)

Object to processing based on legitimate interests or for direct marketing purposes.

6.7 Right to Withdraw Consent (Art. 7(3))

Where processing is based on consent (e.g., push notifications), withdraw consent at any time through app settings or device settings.

6.8 Right to Lodge a Complaint

File a complaint with your national supervisory authority:

• France: Commission Nationale de l'Informatique et des Libertés (CNIL) - https://www.cnil.fr
• Other EU countries: Contact your local data protection authority

6.9 Exercising Your Rights

To exercise any of these rights:

Email: texther@tmmc.me
Subject line: "GDPR Data Subject Request"

We will respond within one month of receiving your request (may be extended by two additional months in complex cases).

7. Children's Privacy

Text Her is intended for users aged 18 and older. We do not knowingly collect information from children under 18. If we discover we have collected data from a child under 18, we will delete it immediately.

8. Additional Privacy Rights

8.1 California Privacy Rights (CCPA)

California residents have additional rights:

• Right to know - What personal information we collect and how it's used
• Right to delete - Request deletion of your personal information
• Right to opt-out - We do not sell personal information
• Right to non-discrimination - Exercise rights without discriminatory treatment

To exercise these rights, contact us at texther@tmmc.me.

8.2 French Data Protection Authority

As we are based in France, you may contact the CNIL (Commission Nationale de l'Informatique et des Libertés):

Website: https://www.cnil.fr
Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority (CNIL) within 72 hours of becoming aware
• Notify affected users without undue delay if the breach poses a high risk to your rights
• Provide information about the nature of the breach and measures taken to address it

10. Automated Decision-Making and Profiling

Our AI system generates responses and feedback (red/green flags) based on your messages. This constitutes automated decision-making with the following characteristics:

• Purpose: Provide realistic conversation simulation and learning feedback
• Logic: AI analyzes message content, tone, timing, and context to generate appropriate responses
• Significance: May affect your learning experience but does not produce legal or similarly significant effects
• Your Rights: You may request human review of AI-generated feedback, object to automated processing, or delete your account at any time

11. Cookies and Tracking

• No web cookies - The mobile app does not use traditional web cookies
• Local storage - We use AsyncStorage to cache session data locally on your device
• No third-party tracking - We do not use third-party analytics or advertising trackers
• Service tokens - Authentication and push notification tokens stored locally

12. Changes to This Policy

We may update this Privacy Policy periodically. For material changes affecting GDPR compliance, we will:

• Notify you at least 30 days in advance via email or in-app notification
• Request renewed consent where required by law
• Post the new policy in the app with clear indication of changes
• Update the "Last Updated" date

Continued use of Text Her after the notice period constitutes acceptance of the updated policy.

13. Contact and Data Protection Officer

Data Controller:
Text Her
167 avenue des Grésillons, 92230 Gennevilliers, France
Email: texther@tmmc.me

For GDPR-related inquiries, data subject requests, or complaints:
Email: texther@tmmc.me
Subject: "GDPR Request" or "Data Protection Inquiry"

Supervisory Authority (France):
CNIL - Commission Nationale de l'Informatique et des Libertés
Website: https://www.cnil.fr
Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France