BreatheFlow  /  Privacy

Privacy Policy

Last updated: April 2026

BreatheFlow is designed to be private by default. Most data lives only on your device. This page explains exactly what we collect, why, and how to remove it.

What stays on your device

Your breathing sessions, BOLT scores, preferences (voice pack, accent, language, haptics), and onboarding progress are stored in your browser's local storage. They never leave your device unless you sign in.

When you sign in

Signing in with Google creates an account via Supabase (our hosted database). We store your email, user ID, and sync your sessions and BOLT history so you can practice across devices. We do not receive or store your Google password — authentication happens through Google's OAuth flow. Sign-in is optional; the app works fully as a guest.

Third parties we use

Supabase (EU/US) — account + synced session data. Google — sign-in only (OAuth). Resend — if you send feedback, we relay the message to the maintainer via Resend's transactional email API. Google Fonts — serves the typefaces. That's the full list. No analytics, no ads, no trackers, no third-party SDKs.

Feedback messages

When you use "Send feedback" we stamp the message with your app version, browser user-agent, and (if signed in) your user ID and email so we can follow up. The payload is relayed to the maintainer via Resend. We don't share it with anyone else.

Children

BreatheFlow is a wellbeing tool and is not directed at children under 13. We do not knowingly collect personal data from children. If a parent uses a "kids mode" or practice-with-family feature to create a profile for a child on the parent's own account, that profile's data sits under the parent's account and is the parent's responsibility to manage and delete.

Your rights

You can: (1) export or delete local data by clearing your browser storage for this site; (2) delete your synced account and all server-side data from Settings → Delete account when signed in; (3) ask us anything about your data by emailing hello@breatheflow.app. Under GDPR / UK GDPR / CCPA you have rights of access, rectification, erasure, and portability; we'll honour them within 30 days.

Retention

Local data persists until you clear your browser storage. Synced data persists until you delete your account. Feedback emails are retained in the maintainer's inbox and in Resend's logs per their standard retention.

Data controller

EK Cyber and Media — contact hello@breatheflow.app.

Changes to this policy

We'll update this page when the data flows change and bump the date at the top. The current version of this policy also ships inside the app under Settings → Privacy.

Home Terms of Service privacy@breatheflow.app