Sia

Privacy Policy

How Sia protects your personal data

Effective date: December 28, 2025 · Version 2.0. We developed Sia for highly sensitive people and treat privacy as part of the product experience. This policy outlines the information we collect and how you remain in control.

1. Introduction

  • Welcome to SIA (the "App"), a mobile application designed specifically for Highly Sensitive Persons (HSPs) and neuro-sensitive individuals. This Privacy Policy explains how we collect, use, protect, and share your information when you use our App.
  • We are committed to protecting your privacy. SIA follows a privacy-by-design approach, storing most of your personal data locally on your device with encryption, ensuring your sensitive information remains private and secure.

2. Information Stored Locally on Your Device

  • The following data is stored only on your device with encryption and is never transmitted to our servers:
  • MySia Personal Dashboard Data: Daily mood tracking, personal reflections, private journal entries, achievement tracking, breathing session logs, quick personal notes, personal affirmations, wellness metrics, technique effectiveness ratings, personal goals, HSP profile assessment results, personal emergency toolkit, saved techniques with context, and personal growth observations.
  • App Preferences: Display settings, technique settings, personal relief combo, and card style preferences.

3. Information We Collect and Process

  • Authentication Information: Basic profile information from social login providers (name, email), authentication tokens for secure access, device identifiers for session management, and login method (Google, Apple, or Guest).
  • Usage Information: Content requests (which techniques, situations, or quotes you access), search queries, app usage patterns (aggregated, anonymous), technical information (device type, OS, app version), and UI preference analytics (anonymized).
  • Cloud Backup Data (Optional): If enabled, encrypted backup data, backup metadata, auto-backups (single "latest" document overwritten on each sync), and manual backups (persist until explicitly deleted).

4. Sia Sense Feature Data (Optional)

  • When you enable Sia Sense for situation-aware recommendations:
  • Camera Analysis: Visual environment analysis, scene detection (office, outdoors, home), object recognition, and facial expression analysis—all processed on-device using Google ML Kit, never transmitted.
  • Audio Analysis: Ambient noise levels and audio environment detection. Audio is analyzed locally in real-time and is never recorded or transmitted.
  • Location Context: General location type (home, work, transit), activity recognition (walking, stationary, vehicle), and place context via Google Places SDK.
  • Important: All Sia Sense processing happens on your device. Raw camera images, audio recordings, and precise location data are never transmitted to our servers.

5. Third-Party Services

  • Authentication: Auth0 (primary authentication), Firebase Authentication (backup), Google Sign-In, and Apple Sign-In receive email, name, and authentication tokens.
  • Content & Search: Datamuse API receives search terms only (no user identifiers) for synonym expansion.
  • Analytics & Feedback: Wiredash receives feedback text, session metadata, and device info. Firebase Analytics receives anonymous usage patterns and crash data.
  • In-App Purchases: RevenueCat receives transaction data, device identifiers, subscription status, and anonymous user IDs for purchase processing and fraud prevention.
  • On-Device ML (No Data Transmitted): Google ML Kit processes camera images on-device only for face detection and image labeling. Google Places SDK provides location type context.
  • Cloud Infrastructure: Encrypted backup data (if enabled) is stored on GDPR-compliant AWS servers in Frankfurt (EU). Our API runs on Render (EU region).

6. Optional AI Services (Enhanced Mode)

  • When Enhanced Mode is enabled by developers (requires API keys), additional AI services may process data:
  • OpenAI (GPT-4o Vision): May receive environment images for advanced visual analysis.
  • Anthropic Claude: May receive image descriptions and context for synthesis and interpretation.
  • Perplexity: May receive location context queries for environmental understanding.
  • Note: These services are only active when explicitly configured. Images are processed for immediate analysis and are not stored by providers per their API data policies.

7. How We Use Your Information

  • Local Data Processing (On Your Device): Personalize your experience, track your progress, provide crisis support, generate insights, maintain your preferences, and detect situations for context-aware recommendations.
  • Server-Side Processing: Authenticate your account, deliver content, enhance search with synonym expansion, improve our services through anonymous usage analysis, provide support, process feedback via Wiredash, and process purchases via RevenueCat.
  • Legal Basis (GDPR): Consent (for optional features), Legitimate Interest (for core functionality), and Contractual Necessity (for requested services).

8. Information Sharing

  • We do not sell your personal information. We share limited information with trusted service providers as detailed above. Each provider receives only data necessary for their function, is contractually bound to protect your data, and cannot use it for their own purposes.
  • We may disclose information if required by law, to protect rights and safety, prevent fraud, or enforce our Terms of Service.

9. Data Security

  • All personal MySia data is encrypted on your device using AES-256. All network communications use TLS 1.3 encryption. Authentication tokens are stored in platform secure storage (Keychain/Keystore).
  • For Sia Sense: Camera images are processed on-device and immediately discarded. Audio is analyzed in real-time and never recorded. Location data is used for context only and not stored long-term.

10. Your Privacy Rights

  • Access and Control: View all information stored about you, update your profile and preferences, delete all local data, download your personal information, manage cloud backups, and disable Sia Sense anytime.
  • GDPR Rights (EU Users): Right of access, rectification, erasure, restriction of processing, data portability, and objection to processing.
  • CCPA Rights (California Users): Right to know, delete, opt out of sale (we don't sell data), and non-discrimination.

11. Data Retention

  • Local Data: Remains until you delete it. Journal entries are limited to the 50 most recent. All data is deleted when you uninstall the App.
  • Server Data: Authentication data retained for 30 days after account deletion. Usage logs deleted after 30 days. Anonymous analytics may be retained indefinitely. Feedback submissions retained until manually deleted.
  • Cloud Backup Data: Auto-backups overwritten on each sync. Manual backups retained until you delete them. All backups deleted within 30 days of account deletion.

12. Children's Privacy

  • The App is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe your child has provided us with personal information, please contact us immediately.
  • For users aged 13-18, we recommend parental guidance and suggest using Guest mode for enhanced privacy.

13. Health & Wellness Data Disclosure

  • The App collects wellness-related data including mood tracking, breathing session records, HSP assessment results, and technique effectiveness ratings.
  • This data is stored locally on your device with encryption and is never transmitted to our servers. While we categorize this as "not collected" for app store purposes (because it never leaves your device), we want to be transparent that the App does process this sensitive information locally.

14. Contact Information

  • Company: Peaceflow OÜ
  • Address: Harju maakond, Tallinn, Kesklinna linnaosa, Tornimäe tn 5, 10145, Estonia
  • Email: hello@entersia.com
  • For GDPR requests, include "GDPR Request" in your subject line. For CCPA requests, include "CCPA Request".
  • Response Time: We will respond to privacy inquiries within 30 days.