BeBored – Privacy Policy & Cookie Policy

Quick summary (non‑binding)

BeBored is for 16+, not medical advice, not for emergencies.
We collect name, email, avatar from Apple/Google sign‑in; device IDs, push tokens; usage/progress; crash/analytics events.
No ads or cross‑app tracking. Data primarily stored in the EU (eur3) on Firebase.
Delete your account in‑app; backups/logs cleared within 90 days.
For anything else: support@beboredapp.com.

Privacy Policy

1. Who is the controller?

Hitaya Kollektiv ApS is the controller for personal data processed via the BeBored app.

Contact: support@beboredapp.com
CVR: 45890899

2. Scope

This Privacy Policy applies to our mobile apps (iOS and Android). Our website is covered by the Cookie Policy below and any website-specific notices.

3. What data we collect

We collect the following categories of personal data:

Category – Account data
Examples: full name (when available from Apple/Google), email, profile photo/avatar
Source: Sign in with Apple / Google

Category – Device & app data
Examples: device model/OS version, device identifiers, push notification tokens, app version, language/locale
Source: Your device / app

Category – Usage & progress
Examples: session durations, minutes, streaks, badges, in-app actions and feature usage (non-sensitive)
Source: Generated during your use of the app

Category – AI journaling & moss summaries
Examples: text summaries or notes you provide when interacting with moss, including what you noticed in a session (e.g., thoughts, feelings, body sensations you choose to describe)
Source: Provided by you in the app

Category – Diagnostics
Examples: crash logs, performance events
Source: App/OS; Firebase Crashlytics and similar tools

We do not request you to upload public user-generated content (e.g., public posts or forums) in the app. Your content is private within your account unless we clearly say otherwise in a future feature.

We do not use third-party advertising SDKs or cross-app tracking in the app.

4. Purposes and legal bases (GDPR)

We process your data for the following purposes and legal bases:

Provide and operate the Service

Account creation and sign-in
Syncing your progress, minutes, streaks, badges
Running moss and other AI features based on your prompts and journaling
Managing your subscription status (e.g., whether you have Boredom Pass)
Legal basis: Contract (Art. 6(1)(b) GDPR) – necessary to provide the Service.

Analytics & product improvement

Understanding aggregate usage trends (which modes are used, session lengths, feature adoption)
Improving the Service and its performance
Legal basis: Legitimate interests (Art. 6(1)(f)) – to understand and improve the Service; analytics is not used for third-party ads or cross-app tracking.

Crash reporting & diagnostics

Monitoring stability, errors, and performance
Troubleshooting issues
Legal basis: Legitimate interests (Art. 6(1)(f)) – to maintain stability and security.

Push notifications & direct communications

Service messages (streak nudges, reminders, important account information)
- Legal basis: Legitimate interests (Art. 6(1)(f)).
Optional marketing or update communications (where enabled) via email or push (e.g., using OneSignal)
- Legal basis: Consent (Art. 6(1)(a)), obtained e.g. via a checkbox on account creation.

Security & fraud prevention

Protecting accounts and the Service
Preventing misuse or abuse
Legal basis: Legitimate interests (Art. 6(1)(f)).

Legal compliance

Responding to lawful requests, fulfilling legal obligations (e.g., tax, accounting, consumer rights)
Legal basis: Legal obligation (Art. 6(1)(c)).

Where we rely on legitimate interests, we balance our interests against your rights and expectations. You can object to processing based on our legitimate interests (see “Your rights”).

5. AI providers & data flows

For moss and other AI features, we use third-party providers such as:

OpenAI – for generating AI responses based on your journaling summaries or prompts.
ElevenLabs – for voice features (e.g., text-to-speech or voice interactions).
Vercel (and similar hosting/cloud providers) – for running backend code that connects the app to AI providers.

What is sent:

We send the text you provide (e.g., the summary of what you noticed in a session or what you type/say to moss) to AI providers to generate responses.
We aim to avoid attaching direct identifiers such as your email address to these requests. We may use technical or pseudonymous identifiers as needed to operate the feature reliably.

Retention and provider policies:

Your journaling summaries and moss entries are stored in our systems and kept until you delete them or delete your account (see Retention).
AI providers process your data under their own terms and privacy policies, which may include limited retention for safety, abuse prevention, or service improvement. We do not control their internal retention/training policies. For details, please refer to the providers’ documentation.

We do not use AI providers in the app for third-party advertising or cross-app tracking.

6. Sub-processors & international transfers

We use trusted providers to process data on our behalf, including (non-exhaustive list):

Google LLC / Google Ireland Limited – Firebase (Authentication, Firestore/Database in eur3 multi-region within the EU, Crashlytics, Analytics), Cloud Functions, Cloud Messaging.
Apple Inc. – Sign in with Apple (authentication). Apple may act as an independent controller for sign-in data.
OpenAI – AI model provider for moss and related features.
ElevenLabs – Voice/AI audio provider for voice-based features.
Vercel – Hosting and backend infrastructure to connect our app to AI providers and other services.
OneSignal – Communications provider for push notifications and, where enabled, email or in-app messaging.

Data is primarily stored in the EU (eur3) via Firebase. Where data is transferred internationally (for example, to the US or other countries for support or provider operations), we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) or equivalent mechanisms where required by law.

7. Data retention

We keep data only as long as necessary for the purposes above:

Data – Account & profile (name, email, avatar, subscription status)
Retention: Kept while your account is active; deleted upon account deletion (subject to backup periods below).

Data – Usage & progress
Retention: Kept while your account is active; deleted upon account deletion.

Data – AI journaling & moss summaries
Retention: Kept while your account is active, unless you delete specific entries. Deleted when you delete the entry or when you delete your account.

Data – Crash logs & analytics events
Retention: Short to moderate periods needed for diagnostics/improvements (e.g., ~90–180 days), then aggregated or deleted.

Data – Backups & system logs
Retention: Deleted within 90 days after account deletion, subject to technical constraints.

If we need to keep specific data longer (for example, to comply with legal obligations or to resolve disputes), we will keep it only for that limited purpose.

8. Account deletion, moss deletion & data export

You can:

Delete individual moss entries in the app.
Delete your account anytime in the app: Profile → Delete Account.

When you delete your account:

Primary records of your account, progress, and moss entries are removed or anonymised in our production systems.
Backups and system logs that may still contain data are cleared within approximately 90 days.

Data export:
You can request a copy of your main data (e.g., account details, progress, and journaling summaries) by emailing support@beboredapp.com from your account email. We will respond in line with applicable law.

9. Your rights (EEA/UK)

Subject to conditions and limitations under GDPR, you have the right to:

Access your personal data;
Rectify inaccurate data;
Erase data (“right to be forgotten”);
Restrict processing;
Data portability (for data you provided to us); and
Object to certain processing based on legitimate interests (including some analytics and communications).

You also have the right to lodge a complaint with your local supervisory authority. In Denmark, this is Datatilsynet.

To exercise your rights, contact support@beboredapp.com. We may need to verify your identity.

10. Children’s privacy

BeBored is not for children under 16. If you believe a minor under 16 has created an account, contact us and we will take appropriate steps to delete the account and associated data.

11. Security

We use administrative, technical, and organizational measures appropriate to the risk, including:

Secure authentication via Apple/Google;
Encrypted transport (e.g., HTTPS);
Access controls and least-privilege practices;
Limiting access to personal data to a small internal team that needs it for their job, under confidentiality obligations.

No method is 100% secure, but we work to protect your data in line with industry practices.

12. No advertising & tracking in the app

We do not serve third-party ads or use third-party advertising SDKs in the app. We do not engage in cross-app tracking from the app.

Our website may use analytics or marketing pixels for performance marketing (e.g., Meta, TikTok) with your consent; see the Cookie Policy below.

13. Changes to this Privacy Policy

We may update this Policy as we evolve the Service (for example, if we add social features or new AI capabilities). We will notify you of material changes where required (e.g., in-app notice or website banner). Your continued use after the effective date constitutes acceptance of the updated Policy.

14. Contact

For privacy questions or requests: support@beboredapp.com

Effective date: [2025‑09‑17]

1. Who is the controller?

Hitaya Kollektiv ApS is the controller for personal data processed via the BeBored app.
Contact: support@beboredapp.com
CVR: 45890899

2. Scope

This Privacy Policy applies to our mobile apps (iOS and Android). Our website is covered by the Cookie Policy below and any website‑specific notices.

3. What data we collect

We collect the following categories of personal data:

4. Purposes and legal bases (GDPR)

Purpose

Legal basis

Provide and operate the Service (account creation; core functionality; progress syncing)

Contract (Art. 6(1)(b))

Analytics & product improvement (aggregate usage trends, feature performance)

Legitimate interests (Art. 6(1)(f)) – to understand and improve the Service; not used for ads or cross‑app tracking

Crash reporting & diagnostics

Legitimate interests (Art. 6(1)(f)) – to maintain stability and security

Push notifications (reminders, streak nudges)

Legitimate interests (Art. 6(1)(f)); you can opt out in OS settings

Security & fraud prevention

Legitimate interests (Art. 6(1)(f))

Legal compliance

Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we balance our interests against your rights and expectations. You can object to processing based on our legitimate interests (see Your rights).

5. Sub‑processors & international transfers

We use trusted providers to process data on our behalf:

Google LLC / Google Ireland Limited – Firebase (Authentication, Firestore/Database in eur3 multi‑region within the EU, Crashlytics, Analytics), Cloud Functions/Cloud Messaging. Transfers outside the EEA, if any, are protected by EU Standard Contractual Clauses (SCCs) and Google’s Data Processing Terms.
Apple Inc. – Sign in with Apple (authentication). Apple may act as an independent controller for sign‑in data.

Data is primarily stored in the EU (eur3). Where data is transferred internationally (e.g., for support or provider operations), we rely on appropriate safeguards such as SCCs.

6. Data retention

We keep data only as long as necessary for the purposes above:

Data

Typical retention

Account & profile (name, email, avatar)

Kept while account is active; deleted upon account deletion (see below)

Usage & progress

Kept while account is active; deleted upon account deletion

Crash logs & analytics events

Short to moderate periods needed for diagnostics/improvements (e.g., 90–180 days), then aggregated or deleted

Backups & system logs

Deleted within 90 days after account deletion

7. Account deletion & data export

Delete your account anytime in the app: Profile → Delete Account. Primary records are removed promptly; backups/system logs are cleared within 90 days.
Data export: Email support@beboredapp.com from your account email to request a copy of your data.

8. Your rights (EEA/UK)

Subject to conditions and limitations under GDPR, you have the right to access, rectify, erase, restrict, port, and object to certain processing. You also have the right to lodge a complaint with your local supervisory authority. In Denmark, this is Datatilsynet.

To exercise rights, contact support@beboredapp.com. We may need to verify your identity.

9. Children’s privacy

BeBored is not for children under 16. If you believe a minor under 16 has created an account, contact us and we will take appropriate steps to delete the account and associated data.

10. Security

We use administrative, technical, and organizational measures appropriate to the risk, including secure authentication via Apple/Google, encrypted transport, access controls, and least‑privilege practices. No method is 100% secure.

11. No advertising & tracking

We do not serve third‑party ads or engage in cross‑app tracking. Analytics is used only to understand app performance and usage in aggregate.

12. Changes to this Privacy Policy

We may update this Policy as we evolve the Service (e.g., if we add social features or payments). We will notify you of material changes where required (e.g., in‑app notice).

13. Contact

For privacy questions or requests: support@beboredapp.com

3) Cookie Policy (website)

This Cookie Policy explains how we use cookies on our website beboredapp.com (the “Website”). It does not apply to the mobile apps (see Privacy Policy above for app data).

1. What are cookies?

Cookies are small text files placed on your device to make the site work, keep it secure, and help us understand how it’s used. Similar technologies (like local storage) may be used for the same purposes.

2. How we use cookies

We aim to be minimal and privacy‑friendly:

Strictly necessary cookies – required for basic site functionality and security; cannot be switched off.
Analytics cookies (optional) – used to understand visits and improve the site. If used, these will run only with your consent (via a banner) and will not be used for advertising or cross‑site tracking.

3. Your choices

On your first visit, you may see a cookie banner. You can accept or reject analytics cookies and can change your choice at any time via the banner’s “Cookie settings” link (or your browser settings). Blocking some cookies may impact site performance.

4. Cookies we use (illustrative)

Necessary: session cookie to keep your preferences (expires at end of session or shortly thereafter).
Analytics (if enabled): a first‑party analytics cookie with a randomized identifier (e.g., 6–12 months expiry).

We will keep this section updated with the exact names and lifetimes if/when analytics is enabled.

5. Updates

We may update this Cookie Policy from time to time. Material changes will be communicated via the banner or on this page.

6. Contact

Questions about cookies? support@beboredapp.com