Privacy Policy
Last updated: March 2026
1. Introduction
Wayfinity Ltd ("Company," "we," "us," or "our"), a company registered in Cyprus with its registered office at 77, Strovolos Center, Floor 4, Flat/Office 401, Strovolos 2018, Nicosia, Cyprus, is the data controller responsible for your personal data collected through the Rebirth mobile application ("App"). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have. We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and other applicable data protection legislation. By using the App, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the App.
2. Data We Collect
We collect the following categories of personal data:
2.1 Data You Provide Directly
- Account Information: Email address, display name (first name), and authentication credentials provided via Apple Sign In or email OTP
- Profile Data: Your selected challenge tier, goals, motivations, and onboarding quiz responses
- User-Generated Content: Journal entries, daily check-in responses, urge trigger logs, custom challenge configurations, custom task definitions, and digital signatures
- Communication Data: Any information you provide when contacting us for support
2.2 Data Collected Automatically
- Usage Data: Challenge progress, task completion status, day advancement history, streak data, momentum scores, and feature interactions
- Device Information: Device model, operating system version, App version, timezone, and locale
- Analytics Data: Screen views, button interactions, feature usage patterns, onboarding completion rates, and conversion events (collected via PostHog)
- Notification Preferences: Your notification settings, scheduled notification times, and bedtime preferences
2.3 Data We Do NOT Collect
- Payment card numbers or banking details (all payments are processed by Apple)
- Precise geolocation data
- Contacts, photos, or camera data
- Health data from HealthKit or other health frameworks
- Advertising identifiers (we do not serve ads)
3. Legal Bases for Processing (GDPR)
We process your personal data on the following legal bases:
- Performance of Contract (Art. 6(1)(b)): Processing necessary to provide you with the App's services, manage your account, track your challenge progress, and fulfil your subscription
- Legitimate Interests (Art. 6(1)(f)): Analytics and product improvement, fraud prevention, and ensuring the security of our services — balanced against your rights and freedoms
- Consent (Art. 6(1)(a)): Push notifications (you can withdraw consent at any time via iOS Settings) and optional session replay (controlled via feature flag, currently disabled)
- Legal Obligation (Art. 6(1)(c)): Where we are required to retain data to comply with applicable law
4. How We Use Your Data
We use your personal data for the following purposes:
- Providing, maintaining, and improving the App and its features
- Creating and managing your account and authenticating your identity
- Tracking your challenge progress, computing momentum scores, and managing day advancement
- Syncing your data across sessions and devices via our backend
- Processing and managing your subscription status and entitlements
- Sending push notifications (daily reminders, task reminders, motivational nudges, streak alerts, weekly summaries, and review prompts)
- Analysing aggregated usage patterns to improve the App experience
- Responding to your support requests and communications
- Detecting and preventing fraud, abuse, and security incidents
- Complying with legal obligations
5. Third-Party Services and Data Sharing
We share your data with the following third-party service providers, who act as data processors on our behalf:
5.1 Supabase, Inc.
Purpose: Backend infrastructure, PostgreSQL database, user authentication (Auth), file storage (signature uploads), and Edge Functions (account deletion, webhook processing).
Data Processed: Account information, challenge data, task completions, day progress, journal entries, check-in data, signature images, and sync payloads.
Data Location: European Union. Row Level Security (RLS) policies ensure that each user can only access their own data.
5.2 RevenueCat, Inc.
Purpose: Subscription management, purchase verification, entitlement delivery, and webhook notifications for subscription lifecycle events (renewals, cancellations, billing issues).
Data Processed: App user ID, purchase receipts, subscription status, product identifiers, and transaction history.
5.3 PostHog, Inc.
Purpose: Product analytics, event tracking, feature flagging, and (when enabled) session replay for debugging and UX improvement.
Data Processed: Anonymised user identifiers, screen views, feature interactions, onboarding funnel events, device metadata, and App version.
Data Location: European Union (EU cloud instance). Session replay is controlled via a feature flag and is currently disabled (0% rollout).
5.4 Apple Inc.
Purpose: App distribution, payment processing, Sign in with Apple authentication, push notification delivery (APNs), and App Store review management. Apple processes your payment information directly; we never receive or store your payment card details.
We do not sell, rent, or trade your personal data to any third party. We do not share your data with advertisers. We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect our rights, property, or safety.
6. International Data Transfers
Your data is primarily stored and processed within the European Union. Where data is transferred to processors outside the EU/EEA (such as RevenueCat, which operates from the United States), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data in accordance with GDPR requirements.
7. Data Retention
We retain your personal data for as long as your account is active and as necessary to provide our services. Specific retention periods:
- Account and challenge data: Retained while your account is active; deleted within 30 days of an account deletion request
- Analytics data (PostHog): Retained for up to 12 months, then automatically purged
- Subscription records: Retained for up to 7 years after the end of the subscription for tax and accounting compliance
- Support communications: Retained for up to 2 years after resolution
- Server logs: Retained for up to 90 days for security and debugging purposes
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Row Level Security (RLS) policies on all database tables ensuring users can only access their own data
- Secure authentication via Apple Sign In and email OTP (no passwords stored)
- Access controls limiting employee access to personal data on a need-to-know basis
- Regular security reviews of our infrastructure and third-party integrations
- Secure file storage with authenticated access for signature uploads
While we strive to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but will notify you and the relevant supervisory authority of any data breach in accordance with GDPR requirements (within 72 hours of becoming aware).
9. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with applicable data protection laws, you have the following rights:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restriction (Art. 18): Request restriction of processing of your personal data
- Right to Data Portability (Art. 20): Request your data in a structured, commonly used, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interests, including analytics
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority
To exercise any of these rights, contact us at contact@tryrebirth.com. We will respond within 30 days of receiving your request. We may ask you to verify your identity before processing your request. You can also delete your account directly within the App via Profile → Delete Account.
10. Children's Privacy
The App is rated 17+ and is not directed at children under the age of 17. We do not knowingly collect personal data from children under 17. If we become aware that we have inadvertently collected personal data from a child under 17, we will take immediate steps to delete such data. If you believe a child under 17 has provided us with personal data, please contact us at contact@tryrebirth.com.
11. Cookies and Tracking
The App itself does not use cookies. Our website (tryrebirth.com) may use essential cookies for basic functionality. PostHog analytics within the App uses a device-based identifier (not linked to advertising identifiers) to track feature usage. You can opt out of analytics tracking by contacting us.
12. Push Notifications
With your consent, we may send push notifications including daily task reminders, streak alerts, motivational nudges, weekly progress summaries, and review prompts. You can manage notification preferences within the App (Profile → Notifications) or disable them entirely via iOS Settings → Notifications → Rebirth. Disabling notifications will not affect the core functionality of the App.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by: (a) updating the "Last updated" date at the top of this policy; (b) displaying a notice within the App; and/or (c) sending you a notification. Your continued use of the App after the effective date of any changes constitutes your acceptance of the updated policy. We encourage you to review this Privacy Policy periodically.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Wayfinity Ltd (Data Controller)
77, Strovolos Center, Floor 4, Flat/Office 401
Strovolos 2018, Nicosia, Cyprus
Email: contact@tryrebirth.com