PREDIUX

Privacy Policy

Last updated · May 24, 2026

This Privacy Policy governs how Prediux processes personal data through the mobile application (iOS, with Android forthcoming) and the website at https://prediux.com (collectively, the "Service"). The full identification of the data controller, including legal name, tax ID, and registered address, is provided at the end of this document (Section 14 — Contact).

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on Personal Data, whether automated or not.

"Controller" means the entity identified in Section 14 (Contact).

"User" or "you" means the natural person who creates an account and uses the Service.

2. Categories of Personal Data We Collect

2.1 Account data

  • Email address (provided by Apple Sign In or Google Sign In through Supabase Auth).
  • A unique user identifier (UUID, generated by Supabase).
  • Account creation timestamp.
  • On the first Apple Sign In, your full name, only if you choose to share it during the sign-in flow.

2.2 Profile and preferences

  • Time zone (IANA format) — used to schedule daily reminders in your local time.
  • Push notification token — used to deliver reminders.
  • Notification preferences (on/off).

2.3 Onboarding data

  • Priority domain (Execution Discipline, Energy Capacity, or Direction Clarity).
  • Daily time investment (in minutes).
  • Self-rated baseline values (control, drift, energy).
  • "Primary avoidance" — a free-text answer (1–120 characters) describing what you most often avoid.

2.4 Behavioral data (daily signals)

  • Date of each daily signal.
  • Execution status (Done / Partial / Skipped).
  • Energy level (Low / Medium / High).
  • Distraction level (Low / Medium / High).
  • Optional reason — a short free-text explanation when execution is Partial or Skipped.

2.5 Computed data

  • Personal vector state (control index, drift risk, momentum, volatility).
  • Forecast snapshots (numeric values).
  • Daily directives generated by AI: title, rationale, plan, and projections.

2.6 Subscription data

  • "Prediux Pro" entitlement status (active / inactive).
  • We do not see or store payment instrument data, card numbers, or billing history. All payment processing is handled by Apple, Google, and RevenueCat.

2.7 Technical data

  • IP address (captured by hosting provider and error monitoring).
  • User-agent string.
  • Application crash logs.
  • Anonymous behavioral analytics events (screen views, button taps, and similar interactions, with no free-text content).
  • On the quiz funnel only (the pages under /start), the categorical answers you select in the 10-question assessment and the behavioral archetype computed from them. The quiz contains no text inputs, so no free-text content is collected. See Section 12 for how this is captured.

3. How We Use Your Data and Legal Basis

Purpose | Data used | Legal basis (GDPR Art. 6)
Account creation and authentication | Email, UUID, OAuth identifiers | Performance of a contract (6.1.b)
Generating daily AI directives | Onboarding data, signals, vector state | Performance of a contract (6.1.b)
Sending push reminders | Push token, time zone, notification preferences | Consent (6.1.a) — revocable at any time
Verifying subscription | UUID, RevenueCat customer ID | Performance of a contract (6.1.b) and legal obligation (6.1.c)
Service reliability and security | IP, user-agent, crash logs | Legitimate interest (6.1.f)
Product analytics | Anonymous usage events | Legitimate interest (6.1.f)
Marketing and advertising effectiveness measurement | Advertising identifiers (when ATT granted), hashed email and hashed user ID, purchase events | Legitimate interest (6.1.f) — users may object by denying or revoking ATT on iOS, or by emailing contact@prediux.com.

4. AI Processing

Prediux uses Anthropic's Claude API to generate the daily directive. When you submit a signal or complete onboarding, the following data is sent to Anthropic for the sole purpose of generating your directive:

  • Your priority domain, daily time investment, and baseline ratings.
  • Your "primary avoidance" free text.
  • Your most recent 7 daily signals (including the optional reason free text).
  • Your computed vector state and recent control-index trajectory.

We do not send your email, UUID, push token, name, IP address, or device identifiers to Anthropic.

The model is instructed by Prediux's system prompt to (i) treat all free-text fields as untrusted input, (ii) never echo or reveal those fields verbatim in the output, and (iii) never include any personally identifiable information in the generated directive.

You should not enter sensitive medical, financial, or third-party personal information in the "primary avoidance" or signal-reason fields. While Anthropic's API terms generally exclude content from model training, we cannot guarantee third-party processor behavior.
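The data-minimisation and untrusted-input handling described in Section 4, as an added example written for this page (it is not Prediux's code and makes no claim about the actual backend): the account is projected onto exactly the fields the section lists before anything is sent to the model, free-text fields are wrapped in a delimited data block, and the returned directive is checked for a verbatim echo of any free-text field before it is shown. Field names such as priorityDomain, dailyMinutes and the user_data delimiter are assumptions.

```javascript
// Added example, not Prediux's code. Field names and the delimiter format are assumed.

// Signal fields the policy says are sent (date, status, energy, distraction, reason).
const ALLOWED_SIGNAL_FIELDS = ["date", "execution", "energy", "distraction", "reason"];

// Project a stored account and its signals onto the fields Section 4 lists.
// Email, user id, push token, name and device identifiers never reach the result.
function directiveContext(account, signals) {
  const recentSignals = [...signals]
    .sort((a, b) => (a.date < b.date ? 1 : a.date > b.date ? -1 : 0)) // newest first
    .slice(0, 7)
    .map((s) =>
      Object.fromEntries(ALLOWED_SIGNAL_FIELDS.filter((k) => k in s).map((k) => [k, s[k]]))
    );
  return {
    priorityDomain: account.priorityDomain,
    dailyMinutes: account.dailyMinutes,
    baseline: account.baseline,
    primaryAvoidance: account.primaryAvoidance,
    recentSignals,
    vectorState: account.vectorState,
  };
}

// Wrap user free text in a delimited block so the prompt keeps instructions and
// user-supplied content apart. Angle brackets are escaped so the text cannot
// close the block early. (Delimiter format is an assumption for this example.)
function untrustedBlock(label, text) {
  const safe = String(text).replace(/</g, "&lt;").replace(/>/g, "&gt;");
  return `<user_data field="${label}">\n${safe}\n</user_data>`;
}

// Post-generation guard for rule (ii) of the system prompt: reject a directive
// that repeats the primary-avoidance text or any signal reason verbatim.
function echoesFreeText(directive, context) {
  const fields = [context.primaryAvoidance, ...context.recentSignals.map((s) => s.reason)]
    .filter((t) => typeof t === "string" && t.trim().length > 0)
    .map((t) => t.trim().toLowerCase());
  const haystack = String(directive).toLowerCase();
  return fields.some((t) => haystack.includes(t));
}

module.exports = { directiveContext, untrustedBlock, echoesFreeText };
```

The projection is an allowlist rather than a blocklist: a new column added to the account table later is excluded by default instead of leaking into the model request. The echo check is a backstop for the prompt instruction, not a replacement for it.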

5. Advertising attribution

To measure the effectiveness of marketing campaigns and reach prospective users with relevant ads, Prediux uses the official advertising SDKs from Meta, TikTok, and Google (Firebase Analytics). When the iOS App Tracking Transparency (ATT) prompt appears and you grant permission, your device's advertising identifier (IDFA) is shared with these providers so that:

  • Installs of the Prediux app can be attributed to the ad creative that drove them.
  • Post-install events (sign-up, subscription start) can be matched back to that ad campaign.

If you deny ATT permission, no IDFA is shared. Apple's SKAdNetwork provides anonymized, privacy-preserving attribution regardless of your ATT choice.

You can revoke ATT permission at any time via: Settings → Privacy & Security → Tracking → Prediux.

For server-side conversion measurement, Prediux's backend also sends purchase events to Meta Conversions API and TikTok Events API using SHA256-hashed email and user identifier (never plain text). These hashed values are used only to match anonymous conversion events to ad campaigns; the recipients cannot reverse them to retrieve your email or identity.

6. Subprocessors

Provider | Purpose | Hosting region
Supabase | Identity provider (Apple / Google OAuth) | European Union (configurable)
Render | API hosting and PostgreSQL database | United States
Anthropic (Claude API) | AI directive generation | United States
RevenueCat | Subscription state management | United States
Expo Push | Push notification delivery (Apple APNs / Google FCM) | United States
Sentry | Error monitoring and crash reports | European Union
PostHog | Product analytics | European Union
Apple App Store / Google Play | Distribution and billing | United States
Firebase Analytics (Google LLC) | Mobile product analytics and Google Ads conversion attribution. Receives app events, IDFA (when ATT granted), IDFV, device info, app version, and country. | United States
Meta Platforms (Facebook SDK) | Meta Ads (Facebook and Instagram) install and post-install attribution. Receives app events, IDFA (when ATT granted), IDFV, and install/launch events. | United States, European Union
TikTok Pte. Ltd. (Business SDK) | TikTok Ads install and post-install attribution. Receives app events, IDFA (when ATT granted), IDFV, and install/launch events. | United States, Ireland, Singapore
Meta Conversions API (server-side) | Server-side ad attribution from the purchase webhook. Receives SHA256-hashed email, SHA256-hashed user ID, purchase value and currency, and event timestamp. | United States, European Union
TikTok Events API (server-side) | Server-side ad attribution from the purchase webhook. Receives SHA256-hashed email, SHA256-hashed user ID, purchase value and currency, and event timestamp. | United States, Ireland
Apple App Store ↔ Firebase (server-to-server) | Cross-platform subscription analytics. Apple forwards subscription lifecycle events (purchase, renew, cancel) to Firebase, configured in App Store Connect. | United States

7. International Data Transfers

When we transfer Personal Data outside the European Economic Area (EEA), we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission and on each provider's published Data Processing Agreement. This covers our US-based subprocessors (Render, Anthropic, RevenueCat, Expo Push, Google LLC for Firebase Analytics, Apple App Store / Google Play) as well as our advertising partners with international presence (Meta Platforms in the United States and EU; TikTok in the United States, Ireland, and Singapore).

You may request a copy of the safeguards applied by emailing contact@prediux.com.

8. Data Retention

  • Account and behavioral data: retained for the lifetime of your account. The longer your signal history, the more accurately the AI calibrates to you.
  • Account deletion: when you request account deletion, all associated data on the backend (signals, snapshots, directives, profile) is deleted within 30 days.
  • Backups: operational backups follow rolling retention windows of approximately 30 days. Backups containing deleted data expire on their normal schedule and are not separately restored.
  • Sentry (errors): retention follows Sentry's standard tier (typically 90 days for events).
  • PostHog (analytics): retention follows PostHog's standard tier (typically up to 7 years for raw events).

9. Your Rights

Under GDPR and Spanish data-protection law, you have the following rights:

  • Access — request a copy of the data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure (right to be forgotten) — request deletion of your data.
  • Restriction — request that we limit processing in certain circumstances.
  • Portability — receive your data in a machine-readable format.
  • Object — object to processing based on legitimate interests.
  • Withdraw consent — for any processing based on consent (for example, push notifications).
  • Lodge a complaint — with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, www.aepd.es) or the supervisory authority in your country of residence.

If you are a California resident, you also have rights under the California Consumer Privacy Act (CCPA), including the right to know, delete, correct, opt out of sale or sharing, and non-discrimination. We do not "sell" Personal Data as defined by the CCPA. We do, however, "share" certain identifiers (advertising IDs and SHA256-hashed identifiers) with our advertising partners for the purpose of measuring the effectiveness of our own marketing campaigns. California residents can opt out of this sharing by denying the iOS App Tracking Transparency prompt, by revoking it later in iOS Settings, or by contacting contact@prediux.com to request opt-out via the server-side hashed identifier flow.

How to exercise your rights

Send an email to contact@prediux.com describing your request. We will respond within 30 days. We may ask you to verify your identity to prevent unauthorized requests.

Account deletion: a self-service deletion option is being implemented within the app. In the meantime, request deletion by emailing contact@prediux.com. We will erase all backend data within 30 days of verifying your request.

10. Children

The Service is not intended for individuals under 16 years of age. We do not knowingly collect Personal Data from children under 16. If we become aware that we have collected data from a child under 16, we will delete that data promptly. Parents or guardians who believe their child has used the Service may contact us at contact@prediux.com.

11. Security

We protect Personal Data through technical and organizational measures including:

  • TLS / HTTPS encryption in transit.
  • Encrypted database storage at rest (Render-managed).
  • Access controls and authentication via Supabase Auth.
  • Stateless JWT-based authentication; passwords are never seen by the Prediux backend.
  • Webhook authentication via shared secret.
  • Rate limiting and input validation.
  • No raw payment data is ever processed by Prediux servers.

Authentication tokens are stored locally on your device using your operating system's standard storage. We recommend keeping your device protected with a passcode or biometric lock.

12. Cookies and Tracking

The Prediux mobile application uses Apple's App Tracking Transparency (ATT) framework to control advertising-identifier collection by the third-party SDKs described in Section 5 (Advertising attribution). The IDFA is only shared with those SDKs when you grant ATT permission; you can revoke that permission at any time in iOS Settings.

The Prediux website at prediux.com is scoped into two zones with different treatment:

12.1 Marketing pages (no analytics)

The homepage (/), /contact, /privacy, and /terms do not set any cookies and do not load any analytics or tracking scripts. They are static pages.

12.2 Quiz funnel (cookieless analytics)

The pages under /start (the behavioral assessment funnel: /start, /start/quiz, and /start/result) load PostHog product analytics for the sole purpose of measuring funnel completion, abandonment points, and aggregate archetype distribution.

PostHog is configured in strict cookieless mode, which means:

  • No cookies are set in your browser (disable_cookie: true).
  • No localStorage or sessionStorage entries are written to your device (persistence: "memory").
  • A randomly generated, anonymous identifier exists only in this tab’s JavaScript memory and is discarded when you close the tab or hard-refresh. It is not linked to your name, email, or any account.
  • No PostHog person profiles are created (person_profiles: "identified_only") because we never call identify() on this surface.
  • UTM parameters from the URL (e.g. ?utm_source=meta) and the HTTP referrer are kept in memory for the duration of the tab’s session and attached to events for attribution. They are not written to your device.

Because no information is stored on your terminal equipment under Article 5(3) of the ePrivacy Directive, the cookie-consent requirement does not apply to this configuration. We rely on legitimate interest (GDPR Art. 6(1)(f)) for the underlying processing of the resulting anonymous event data, as described in Section 3.

Trade-off: in cookieless mode, attribution and session continuity reset on every hard refresh. We consider this an acceptable cost for processing without device storage.

If you wish to opt out entirely, you can block the request to eu.posthog.com in your browser, or use a content blocker. The quiz will continue to function with analytics disabled.
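The cookieless configuration described in the quiz-funnel section above, as an added example for this page (not Prediux's code; the site's real initialisation is not shown here): the posthog-js option set built from the keys the policy names, a storage-backed option set for contrast, a guard that flags any option that would write to the visitor's device, and the in-memory UTM and referrer capture the section describes. api_host is a real posthog-js option and the host is the one the policy names; the contrast values are representative assumptions, and the $referrer property name follows posthog-js convention.

```javascript
// Added example, not Prediux's code. Keys disable_cookie, persistence and
// person_profiles come from the policy text; api_host is a real posthog-js option.

// Option set that writes nothing to the device: no cookie, memory-only persistence,
// and no person profile until identify() is called (which this surface never does).
function cookielessOptions() {
  return {
    api_host: "https://eu.posthog.com",
    disable_cookie: true,
    persistence: "memory",
    person_profiles: "identified_only",
  };
}

// For contrast: a storage-backed option set (assumed values, representative of a
// default-style setup that persists a distinct_id in cookie and localStorage).
function storageBackedOptions() {
  return {
    api_host: "https://eu.posthog.com",
    disable_cookie: false,
    persistence: "localStorage+cookie",
    person_profiles: "always",
  };
}

// posthog-js persistence modes that store state on the visitor's device.
const DEVICE_STORAGE_MODES = new Set(["cookie", "localStorage", "localStorage+cookie", "sessionStorage"]);

// Guard for a build or CI check: returns the list of options that would put
// information on terminal equipment, i.e. anything that would change the
// ePrivacy Article 5(3) analysis in the section above.
function auditNoDeviceStorage(opts) {
  const problems = [];
  if (opts.disable_cookie !== true) {
    problems.push("disable_cookie is not true: a distinct_id cookie can be written");
  }
  if (DEVICE_STORAGE_MODES.has(opts.persistence)) {
    problems.push(`persistence "${opts.persistence}" writes to the device`);
  } else if (opts.persistence !== "memory") {
    problems.push(`unrecognised persistence "${opts.persistence}"`);
  }
  if (opts.person_profiles === "always") {
    problems.push('person_profiles "always" creates a profile for every visitor');
  }
  return problems;
}

// UTM parameters and referrer kept only in this tab's memory and attached to
// events; nothing here touches document.cookie or Web Storage.
function attributionProps(href, referrer) {
  const props = {};
  for (const [key, value] of new URL(href).searchParams) {
    if (key.startsWith("utm_")) props[key] = value;
  }
  if (referrer) props.$referrer = referrer;
  return props;
}

// Usage in the app (posthog-js itself is not loaded in this example):
// import posthog from "posthog-js";
// posthog.init("<project key placeholder>", cookielessOptions());

module.exports = { cookielessOptions, storageBackedOptions, auditNoDeviceStorage, attributionProps };
```

Because attributionProps is recomputed from the current URL on every page load, a hard refresh that drops the query string also drops the campaign attribution; that is the trade-off the section above accepts in exchange for writing nothing to the device.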

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the app or by email to your registered address before they take effect. The "Last updated" date at the top of this document reflects the most recent revision.

14. Contact

For any privacy-related question or to exercise your rights, contact the data controller:

Román Zukov (sole proprietor / autónomo registered in Spain)
NIF: X7038822V
Av. Novo Mesoiro, 18, 2A, 15190, A Coruña, España
Email: contact@prediux.com

This identification is provided in compliance with article 10 of Spain's Law 34/2002 on Information Society Services and E-Commerce (LSSI-CE) and articles 13–14 of the General Data Protection Regulation (Regulation (EU) 2016/679).