Privacy Policy
How Sia protects your personal data
Effective date: February 24, 2025 · Version 3.0. We developed Sia for highly sensitive people and treat privacy as part of the product experience. This policy outlines the information we collect and how you remain in control.
1. Introduction & Scope
- Welcome to Sia, operated by Peaceflow OÜ ("we," "us," or "our"). This Privacy Policy explains how we collect, use, protect, and share your information when you use our services.
- This policy covers: The Sia mobile application (iOS and Android), the Sia website (entersia.com), the Expert Portal (for wellness professionals), cloud backup services, and any related APIs or integrations.
- We are committed to protecting your privacy. Sia follows a privacy-by-design approach, storing most of your personal data locally on your device with encryption, ensuring your sensitive information remains private and secure.
- What This Means For You: Your personal wellness data (mood tracking, journal entries, HSP assessments) stays on your device by default. We only receive data that is necessary to provide our services, and we are transparent about everything we collect.
2. Legal Bases for Processing
- Under GDPR Article 6, we process your personal data based on the following legal grounds:
- Consent: For optional features like cloud backups, enhanced AI services, newsletter subscriptions, analytics tracking (you can opt out anytime), and marketing communications.
- Contractual Necessity: To provide services you have requested, including account creation and authentication, expert subscriptions and payments, access to premium features, and fulfilling your bookings or purchases.
- Legitimate Interest: For core functionality and service improvements, including fraud prevention and security, anonymous usage analytics to improve our services, customer support, and system maintenance.
- Legal Obligation: When required by law, including responding to lawful requests from authorities, tax and accounting requirements, and regulatory compliance.
3. Categories of Users
- Guest Users: Use the app without an account. We collect minimal anonymous analytics. All personal data stays on your device.
- Registered Users: Create an account via Google, Apple, or email. We store authentication data and, optionally, cloud backups.
- Beta Co-Creators: Participate in our beta program. Additional usage data may be collected to improve features. See our Beta Terms for details.
- Expert Users: Wellness professionals who join our Expert Platform. We collect professional information, payment data, and content you submit. See Section 6 for details.
- Admin Users: Internal team members with elevated access for platform management.
4. Data Stored Locally on Your Device
- The following data is stored only on your device with AES-256 encryption and is never transmitted to our servers unless you explicitly enable cloud backup:
- MySia Personal Dashboard Data: Daily mood tracking entries, personal reflections and journal entries, breathing session logs and wellness metrics, achievement tracking and personal goals, HSP profile assessment results, personal emergency toolkit configuration, saved techniques with effectiveness ratings, and personal growth observations.
- App Preferences: Display settings (theme, font size), technique settings and favorites, personal relief combo configurations, card style preferences, and notification preferences.
- What This Means For You: This data is fully under your control. Deleting the app removes it completely from your device. We cannot access, recover, or view this information.
5. Data Collected on Servers
- Authentication Information (via Auth0, Firebase, Google, or Apple): Basic profile information (name, email), authentication tokens for secure access, device identifiers for session management, login method (Google, Apple, Guest, or Email), and last login timestamp.
- Usage Analytics (via PostHog, EU-hosted): Anonymous app usage patterns and feature engagement; screen views and session duration; device type, OS version, and app version; UI preference analytics (anonymized); crash reports and error logs; and A/B test assignments.
- Cloud Backup Data (Optional, AWS Frankfurt): If you enable cloud backup, we store an encrypted backup of your MySia data, backup metadata (timestamp, size), auto-backups (single "latest" document, overwritten on each sync), and manual backups (persist until explicitly deleted).
- What This Means For You: You can opt out of analytics in app settings. Cloud backups are optional and always encrypted. We use EU-hosted services to keep your data protected under GDPR.
6. Expert Application & Profile Data
- When you apply to become a Sia Expert, we collect:
- Professional Information: Full name and professional title, email address and phone number, professional biography and credentials, areas of expertise and specializations, years of experience, certifications and licenses, profile photo, website and social media links, and timezone and availability.
- Application Details: Application submission date, responses to application questions, credential verification status, and approval or rejection decision.
- Ongoing Expert Data: Published content (articles, techniques, sessions), subscriber and follower counts, booking and session data, earnings and payout information, and performance analytics.
- Legal Basis: Contractual necessity (to provide expert services) and legitimate interest (platform quality assurance).
7. Expert Lead Generation Data
- When users express interest in expert services, we collect lead information to connect them with appropriate experts:
- Lead Information: Name, email address, and phone number (optional), area of interest or need, preferred contact method, and message or inquiry content.
- Technical Data: IP address (anonymized after 30 days), browser user-agent string, referring URL, timestamp of inquiry, and geographic region (country/state level).
- Tracking Data: Affiliate cookie ID (_sia_ref) if applicable, expert landing page visited, and source/medium/campaign parameters.
- Purpose: This data is used to route inquiries to appropriate experts, track referral and affiliate relationships, improve lead matching algorithms, and prevent spam and abuse.
8. Beta Program Data
- When you join the Sia Beta Co-Creator Program, we collect:
- Application Data: Name, email, reasons for joining, device information, HSP experience level, and areas of interest.
- Engagement Data: Feature usage patterns (more detailed than regular analytics), feedback submissions, survey responses, bug reports and crash logs, and feature request votes.
- Communication Data: Email correspondence, interview recordings (with consent), and community discussion participation.
- Legal Basis: Consent (you agree to Beta Terms) and legitimate interest (product improvement).
- See our Beta Terms at /beta-terms for complete details.
9. Newsletter & Marketing Data
- When you subscribe to our newsletter or marketing communications, we collect:
- Subscription Data: Email address, subscription date and source, consent record and timestamp, and communication preferences.
- Engagement Data: Email open rates, click-through data, unsubscribe history, and preferred content topics.
- We use external form processors to manage newsletter subscriptions. You can unsubscribe at any time using the link in any email or by contacting us.
- Legal Basis: Consent (you actively subscribe).
10. Tracking & Analytics
- PostHog Analytics (EU-hosted, posthog.com): We use PostHog for anonymous usage analytics. Data collected includes page views and session data, feature usage patterns, user journey analysis, A/B test results, and performance metrics. You can opt out in app settings.
- Expert Tracking: For our Expert Platform, we track profile views and click-through rates, content engagement metrics, booking conversions, and affiliate attribution.
- Affiliate Tracking: We use a cookie (_sia_ref) to track affiliate referrals. This cookie records the affiliate ID and referral source, the timestamp of first visit, and conversion events, and it expires after 30 days.
- Pixel Tracking: We may use 1x1 transparent GIF pixels in emails to track open rates. These contain no personal information beyond email delivery confirmation.
- App Store Attribution: We receive anonymous install attribution data from Apple App Store and Google Play Store to understand marketing effectiveness.
- Apple App Tracking Transparency (ATT): On iOS 14.5+, we request your permission before accessing the device advertising identifier (IDFA) for attribution purposes. If you choose "Ask App Not to Track," we will not access your IDFA and will use only anonymous, aggregated analytics. Your choice does not affect app functionality.
- Device Identifiers: We may collect device identifiers for analytics, fraud prevention, and session management. On iOS, this includes IDFV (Identifier for Vendor). On Android, this includes Android ID or similar identifiers. These are used in accordance with platform policies.
- LocalStorage Usage: We use browser localStorage for session management, UI preferences (theme, language), form data persistence, and authentication tokens.
11. Sia Sense Feature
- Sia Sense is an optional feature that provides situation-aware recommendations using your device sensors. All processing happens on-device using Google ML Kit.
- Camera Analysis: Visual environment analysis (office, outdoors, home), scene and object recognition, and facial expression detection for mood context. Images are processed in real-time and immediately discarded. No images are stored or transmitted.
- Audio Analysis: Ambient noise level detection and audio environment classification (quiet, busy, nature). Audio is analyzed locally in real-time and is never recorded or transmitted.
- Location Context: General location type (home, work, transit), activity recognition (walking, stationary, vehicle), and place context via Google Places SDK. Precise location data is not stored or transmitted.
- What This Means For You: Sia Sense works entirely on your device. Raw camera images, audio recordings, and precise location data never leave your phone. You can disable Sia Sense at any time in settings.
12. Optional AI Services (Enhanced Mode)
- When Enhanced Mode is enabled (requires developer configuration), additional AI services may process data:
- OpenAI (GPT-4o Vision): May receive environment images for advanced visual analysis. Images are processed immediately and not stored per OpenAI API data policies.
- Anthropic Claude: May receive image descriptions and context for synthesis and interpretation. No images are transmitted, only text descriptions.
- Perplexity: May receive location context queries for environmental understanding. Queries are anonymized and contain no personal identifiers.
- These services are only active when explicitly configured by developers. Standard users do not have access to Enhanced Mode.
- Legal Basis: Consent (explicit opt-in required).
13. Payment Processing
- Expert Subscriptions (via Stripe): Experts subscribe to our platform using Stripe for payment processing. We offer three tiers: Basic ($49/month) for core listing features, Featured ($99/month) for enhanced visibility and analytics, and Premium ($149/month) for full API access and priority support.
- Data shared with Stripe: Name, email, billing address, payment method details, subscription tier and status, and transaction history. Stripe is a PCI-DSS Level 1 certified payment processor. See Stripe's privacy policy at stripe.com/privacy.
- In-App Purchases (via RevenueCat): Mobile app purchases are processed through RevenueCat and respective app stores. Data shared includes anonymous user ID, purchase and subscription status, transaction receipts, and device identifiers for fraud prevention. See RevenueCat's privacy policy at revenuecat.com/privacy.
- Webhook Events: We receive webhook notifications for subscription events (creation, renewal, cancellation), payment success or failure, refund requests, and dispute notifications.
- What This Means For You: We do not store complete credit card numbers. Payment data is handled securely by our certified payment processors.
14. Third-Party Services
- The following third-party services receive data as indicated:
- Authentication Services: Auth0 receives email, name, and auth tokens for primary authentication. Firebase Authentication receives email and auth tokens as backup authentication. Google Sign-In receives email and name for social login. Apple Sign-In receives email (can be hidden) and name for social login.
- Analytics & Feedback: PostHog (EU-hosted) receives anonymous usage patterns for product analytics. Wiredash receives feedback text and session metadata for in-app feedback.
- Search & Content: Datamuse API receives search terms only (no user identifiers) for synonym expansion.
- On-Device ML: Google ML Kit processes camera images on-device only for face detection and image labeling. Google Places SDK provides location type context.
- Cloud Infrastructure: AWS Frankfurt (EU) stores encrypted backups if enabled. Render (EU region) hosts our API services.
- Payment Processing: Stripe receives payment and billing data for expert subscriptions. RevenueCat receives transaction data for in-app purchases.
- Scheduling: Calendly receives name and email when users book expert sessions.
15. Cookies & LocalStorage
- Essential Cookies: Session authentication (session duration), CSRF protection (session duration), and cookie consent preferences (1 year).
- Analytics Cookies: PostHog analytics (_ph_* cookies, 1 year) for anonymous usage tracking. You can opt out in settings.
- Functional Cookies: Theme preference (1 year), language preference (1 year), and recently viewed items (30 days).
- Marketing/Tracking: Affiliate tracking (_sia_ref, 30 days) and conversion tracking (30 days).
- LocalStorage: Authentication tokens, UI preferences, form data persistence, and offline data cache.
- Cookie Consent: On first visit, we display a cookie consent banner allowing you to accept or reject non-essential cookies. Your preferences are saved and can be changed at any time. Essential cookies required for basic functionality do not require consent.
- Managing Cookies: You can manage cookies through your browser settings or our cookie preferences center. Note that disabling essential cookies may affect app functionality.
16. Email Communications
- User Emails: Welcome and onboarding emails, account security notifications, cloud backup confirmations, newsletter (if subscribed), and product updates (if opted in).
- Expert Notification Types: Application status updates (submission, approved, rejected), new lead notifications, booking confirmations and reminders, subscriber milestones, content approval notifications, payment and payout confirmations, monthly performance digest, platform announcements, feature updates, subscription renewal reminders, trial expiration notices, compliance and policy updates, community highlights, and weekly engagement summaries.
- Admin Alerts: System health notifications, security alerts, and moderation queue updates.
- Unsubscribe: All marketing emails include an unsubscribe link. Transactional emails (security, payments) cannot be disabled while you have an active account.
17. User-Generated Content
- Expert Content: Experts may publish articles, techniques, guided sessions, courses, and other content. This content is publicly visible and associated with your expert profile. You retain intellectual property rights but grant us a license to display and distribute the content.
- Questions & Support: When you contact support or submit questions, we store your inquiry, our response, and associated metadata to improve our services.
- Messages: If you use messaging features (expert-user communication), message content is stored securely. Both parties can delete their copy of messages.
- Sessions: Booking and session data with experts is stored for service delivery, dispute resolution, and quality assurance.
- Moderation: We may review user-generated content for compliance with our community guidelines and terms of service.
18. Mobile App-Specific Features
- Deep Linking: We use deep links to navigate directly to app content. Deep link parameters may include content identifiers and referral sources.
- On-Device Storage: The app stores data in platform-secure storage (iOS Keychain, Android Keystore for sensitive data; encrypted SQLite for other data).
- Push Notifications: If enabled, we send notifications for daily reminders and affirmations, crisis support prompts, feature updates, and expert communications. You can disable notifications in device settings.
- Offline Functionality: The app works offline. Local data syncs to cloud backups (if enabled) when connectivity is restored.
- App Permissions: Camera (for Sia Sense, optional), Microphone (for Sia Sense, optional), Location (for Sia Sense, optional), and Notifications (optional). All permissions are optional and can be revoked in device settings.
19. Data Security
- Encryption: All local MySia data is encrypted using AES-256. All network communications use TLS 1.3 encryption. Authentication tokens are stored in platform secure storage (iOS Keychain, Android Keystore). Cloud backups are encrypted at rest and in transit.
- Access Controls: Employee access to user data is strictly limited and logged. We use role-based access controls. Regular security audits are conducted.
- Sia Sense Security: Camera images are processed on-device and immediately discarded. Audio is analyzed in real-time and never recorded. Location data is used for context only and not stored long-term.
- Incident Response: We have procedures in place to detect, respond to, and report data breaches. In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. If the breach is likely to result in high risk to your rights and freedoms, we will also notify affected users directly with information about the breach and recommended protective measures.
20. Data Retention
- Local Data (on your device): Remains until you delete it or uninstall the app. Journal entries are limited to the 50 most recent by default.
- Authentication Data: Retained while account is active. Deleted within 30 days of account deletion request.
- Usage Analytics: Anonymous analytics may be retained indefinitely. Identifiable logs deleted after 30 days.
- Cloud Backups: Auto-backups overwritten on each sync. Manual backups retained until you delete them. All backups deleted within 30 days of account deletion.
- Expert Data: Profile data retained while account is active. Published content retained unless you request deletion. Lead data retained for 2 years for attribution purposes. Payment records retained for 7 years (legal requirement).
- Support Tickets: Retained for 3 years for quality assurance and dispute resolution.
- Marketing Data: Newsletter subscriptions retained until unsubscribe. Consent records retained for 5 years (legal requirement).
21. Your Privacy Rights
- All Users Can: View all information stored about you, update your profile and preferences, delete your local data, download your personal information, manage cloud backups, disable Sia Sense anytime, opt out of analytics, and unsubscribe from marketing.
- GDPR Rights (EU/EEA Users): Right to Access (request a copy of your data), Right to Rectification (correct inaccurate data), Right to Erasure ("right to be forgotten"), Right to Restrict Processing, Right to Data Portability, Right to Object (to processing based on legitimate interest), Right to Withdraw Consent (at any time, without affecting the lawfulness of prior processing), and Right to Not Be Subject to Automated Decisions.
- To Exercise GDPR Rights: Email hello@entersia.com with subject "GDPR Request". Include your account email and specific request. We will respond within 30 days. You may also lodge a complaint with your local Data Protection Authority.
- CCPA Rights (California Users): Right to Know (what data we collect and why), Right to Delete (request deletion of your data), Right to Opt-Out (we do not sell personal data), Right to Non-Discrimination (equal service regardless of privacy choices), and Right to Correct (inaccurate personal information).
- To Exercise CCPA Rights: Email hello@entersia.com with subject "CCPA Request". Include your account email and specific request. We will respond within 45 days (may extend to 90 days for complex requests).
22. Children's Privacy
- Age Requirement: The App is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.
- Parental Guidance: For users aged 13-17, we recommend parental guidance. Parents should review this privacy policy with their children. Consider using Guest mode for enhanced privacy.
- Age Verification: The app includes an age confirmation during onboarding. For users aged 13-17, we recommend enabling parental oversight. If we learn that a child under 13 has provided personal information without parental consent, we will take steps to delete that information promptly.
- If You Believe a Child Has Provided Data: Please contact us immediately at hello@entersia.com. We will promptly delete any information from children under 13.
23. Health & Wellness Data Disclosure
- The App processes wellness-related data including mood tracking, breathing session records, HSP assessment results, and technique effectiveness ratings.
- Important Transparency: This data is stored locally on your device with encryption and is never transmitted to our servers unless you enable cloud backup. While we categorize this as "not collected" for app store purposes (because it never leaves your device by default), we want to be transparent that the App does process this sensitive information locally.
- Not Medical Data: Sia is not a medical device. Wellness data in Sia is for personal insight only and does not constitute medical diagnosis or monitoring.
24. International Data Transfers
- Our primary data storage is in the European Union (AWS Frankfurt, PostHog EU). However, some data may be transferred internationally:
- US-Based Services: Auth0 (authentication), Stripe (payments for US experts), and AI services (OpenAI, Anthropic, Perplexity) if Enhanced Mode is enabled.
- Safeguards: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission. Where applicable, we use supplementary measures including encryption and access controls. We verify that third-party services have adequate data protection measures.
- What This Means For You: Your data is primarily stored in the EU. When transfers to other countries occur, we ensure appropriate safeguards are in place.
25. Changes to This Policy
- We may update this Privacy Policy to reflect changes in our practices, legal requirements, or services.
- Notification Methods: Material changes will be announced via email to registered users (at least 30 days before changes take effect), in-app notification, and website banner.
- Version History: See the changelog at the end of this page for a summary of changes between versions.
- Your Continued Use: Using our services after changes take effect constitutes acceptance of the updated policy. If you disagree with changes, you may delete your account.
26. Account Deletion
- In-App Deletion: Open Sia, go to MySia tab, tap Settings (gear icon), scroll to Account section, tap "Delete Account," and confirm your choice.
- Email Request: Send an email to hello@entersia.com with subject "Delete My Account" from your registered email address.
- What Gets Deleted: Account profile and authentication data, cloud backup data (if any), newsletter subscription (if any), expert profile and content (if applicable), and lead and conversion data associated with you.
- What Stays Local: Data stored on your device remains until you uninstall the app. We cannot delete local data remotely.
- Timeline: Account deactivated immediately upon request. All data permanently deleted within 30 days. Confirmation email sent upon completion.
- Expert Accounts: Experts should contact hello@entersia.com to discuss content preservation or transfer before deletion.
27. Contact Information
- Data Controller: Peaceflow OÜ
- Address: Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia
- Email: hello@entersia.com
- For GDPR requests: Include "GDPR Request" in your subject line.
- For CCPA requests: Include "CCPA Request" in your subject line.
- Response Times: General inquiries: 5-7 business days. Privacy rights requests: 30 days (GDPR) or 45 days (CCPA). Account deletion: Completed within 30 days.
- Data Protection Officer: Based on our assessment of processing activities, we have not appointed a Data Protection Officer as our core activities do not require one under GDPR Article 37. However, all privacy inquiries are handled with the same care and can be directed to hello@entersia.com.
28. Dispute Resolution
- Informal Resolution: If you have concerns about our privacy practices, please contact us first at hello@entersia.com. We will work to resolve your concern informally.
- Supervisory Authority: EU/EEA users may lodge a complaint with their local Data Protection Authority or the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at aki.ee.
- EU Online Dispute Resolution: For disputes related to online purchases, EU consumers can use the Online Dispute Resolution platform at ec.europa.eu/consumers/odr.
- This policy is governed by the laws of Estonia. Any formal disputes will be resolved in Estonian courts, subject to applicable consumer protection laws in your jurisdiction.