01Who we are
StrideFlow ("StrideFlow", "we", "us") is a mobile app that helps you turn personal goals into a calendar plan with an AI assistant. This policy explains what data we collect when you use the StrideFlow iOS app, how we use it, who we share it with, and the choices you have.
The data controller is Diarra Sory Brahim, operating as a sole proprietor from 92, Av Albert 1er, 92500 Rueil-Malmaison, France. You can reach us at support@strideflow.ai for any privacy question or request.
02The short version
- We collect what's needed to run the service: your account, the goals and calendar entries you create, and the messages you exchange with the AI assistant.
- We do not show ads, do not sell your data, and do not track you across other apps or websites. No advertising identifier (IDFA) is ever read.
- Your content is linked to your account so it can sync across your devices. It is not used to train any AI model.
- You can delete your account at any time from Settings Privacy, which permanently wipes your data from our systems.
- Minimum age is 16.
03What data we collect
3.1 Information you give us
- Account identifiers: your email address, your name (if you provide one or your sign-in provider shares it), and the unique user ID generated by Firebase Authentication when you sign up.
- Onboarding answers: your date of birth (used to verify you are at least 16), goals, preferred pace, and a small set of context questions you answer during the first-run flow. You can change or delete most of these later in Settings.
- Content you create: calendar blocks (title, time, duration, completion status), goals (title, target date, history), task lists, chat messages you send to the AI, and "facts to remember" you add to your user memory.
- Subscription information: if you subscribe to a paid plan, your transaction is processed by Apple through the App Store. We receive a transaction identifier and entitlement state via our subscription provider RevenueCat we never see your full payment details.
- Optional profile fields: gender, preferred units (metric/imperial), preferred language, date format, time zone. All optional; can be left blank or "Prefer not to say".
- Settings preferences: notification toggles, quiet hours, AI assistant preferences.
3.2 Information collected automatically
- AI assistant exchanges: the messages you send to the AI assistant, and the responses it generates, are stored on our backend so you can return to your conversations across devices. To answer you, we forward your message plus relevant context (the goals and calendar entries needed to respond) to our AI provider Anthropic (see Section 5).
- Product analytics: we record actions like "signed in", "chat message sent", "block created", "paywall shown", "purchase completed". These events are linked to your account ID so we can understand which features work and which break. We do not record the contents of your messages, your screen contents, or anything you type. Our analytics provider is PostHog.
- Crash and diagnostic data: if the app crashes or encounters a non-fatal error, we send a stack trace, the OS and device model, and a short "breadcrumb" trail of recent actions to Firebase Crashlytics. This is linked to your account so we can fix bugs.
- Authentication tokens: short-lived tokens are stored on your device's keychain so you stay signed in.
3.3 Information we do not collect
We do not access or collect:
- Your precise or coarse location
- Health, fitness, or HealthKit data
- Photos, camera, microphone, or video
- Your iOS contacts, calendar (EventKit), or reminders
- Your advertising identifier (IDFA)
- Browsing history outside StrideFlow
- Any biometric data
If we add a feature that needs one of these, we will update this policy and ask for your permission first.
04How we use your data
We use the data above to:
- Create and maintain your account and let you sign in
- Sync your goals, calendar, and chat history across your devices
- Generate AI responses tailored to your goals and schedule
- Send notifications you have opted into (daily reminders, calendar block alerts)
- Process subscriptions and grant access to paid features
- Diagnose crashes and bugs
- Measure which features are used and how often, so we can improve the product
- Communicate with you about service updates, security, and support requests
- Enforce our age minimum and detect abuse
We do not use your data to train AI models, our own or anyone else's.
The legal bases on which we rely (Article 6 GDPR) are: performance of the contract you enter into when creating an account (account, sync, AI assistant, subscriptions); our legitimate interests in keeping the product working and improving it (crash reporting, product analytics, abuse prevention); your consent where required (notifications); and compliance with legal obligations (tax, fraud prevention).
05Who we share data with (sub-processors)
We rely on a small set of vetted service providers to run StrideFlow. Each one only receives the data needed for its role and is bound by a written data-processing agreement.
| Provider | What they do | What they receive |
|---|---|---|
| Google Firebase (Google LLC, USA) | Authentication, crash reporting | Your email, account ID, sign-in metadata, crash traces |
| Google Cloud Platform (Google LLC, USA) | Hosts our backend at api.strideflow.ai | All data you sync (calendar, goals, chat, memory) |
| Anthropic (Anthropic, PBC, USA) | Powers the AI assistant (Claude model family) | The chat message you send plus the relevant goals / calendar context needed to answer it. Anthropic processes this transiently to generate a response; per Anthropic's commercial terms it is not used to train their models. |
| RevenueCat (RevenueCat, Inc., USA) | Subscription billing and entitlement state | Your account ID, transaction identifiers, subscription status |
| PostHog (PostHog Inc., USA) | First-party product analytics | Your account ID and event records (action names, timestamps, anonymized properties). No message content. |
| Apple | App Store distribution, Sign in with Apple, in-app purchases | Whatever Apple's services require to process payments and authenticate you (governed by Apple's privacy policy) |
| Google Sign-In | OAuth sign-in when you tap "Continue with Google" | Your name and email from your Google account (only if you choose this method) |
We do not sell your personal information, and we do not share it with advertisers, data brokers, or analytics networks that operate across other companies' apps.
06International transfers
Our service providers listed above are based primarily in the United States. Because the data controller is located in France, when you use StrideFlow your personal data is transferred to and processed in the United States by these providers. We rely on:
- The EU-US Data Privacy Framework where the provider is certified, and/or
- the European Commission's Standard Contractual Clauses (SCCs), supplemented as required by the relevant guidance from the European Data Protection Board, for all other transfers.
Copies of the safeguards in place are available on request at support@strideflow.ai.
07How long we keep it
| Data type | Retention |
|---|---|
| Account, profile, goals, calendar, chat history | While your account is active. Deleted within 30 days of account deletion. |
| User memory facts | Same as above. Can be wiped at any time from Settings "Forget everything". |
| Analytics events (PostHog) | 12 months after the event date, then aggregated or deleted. |
| Crash data (Firebase Crashlytics) | 90 days. |
| Backups | Encrypted backups containing operational data may persist for up to 30 days after primary deletion, then expire on rotation. |
| Logs (application + access logs) | 30 days. |
Legal, tax, or fraud-prevention obligations may require us to retain a narrow subset (e.g. transaction records) for longer. We will store the minimum required and delete it when the obligation ends.
08Your rights
Under the GDPR and French law (Loi Informatique et Libertés), you have the right to:
- Access the personal data we hold about you (Article 15 GDPR)
- Rectify inaccurate or incomplete data (Article 16); most fields are editable directly in Settings
- Erase your account and all associated data (Article 17) Settings Privacy Delete account
- Restrict processing (Article 18)
- Object to processing based on our legitimate interests (Article 21)
- Portability receive your data in a structured, machine-readable format (Article 20); we will provide an export on request
- Withdraw consent for processing where consent is the legal basis (e.g. notifications toggle off in Settings)
- Define directives for what happens to your data after death, under article 85 of the French Data Protection Act
- Lodge a complaint with a supervisory authority. In France that is the Commission nationale de l'informatique et des libertés (CNIL), 3 Place de Fontenoy, 75007 Paris, www.cnil.fr. If you live elsewhere in the EEA, the UK, or Switzerland, you can also lodge a complaint with your local data protection authority.
To exercise any of these, email support@strideflow.ai. We respond within one month (extendable by two further months for complex requests, in which case we will tell you within the first month).
Account deletion
From within the app: Settings Privacy & Data Delete account. Confirming this action will:
- Sign you out
- Send a deletion request to our backend (
DELETE /v1/users/me) - Permanently delete your account, profile, goals, calendar, chat history, and user memory within 30 days
- Cancel any active access from our third-party processors (RevenueCat will revoke entitlement; PostHog event records keyed to your account ID are deleted; Firebase Auth user is removed; Crashlytics records keyed to your ID are deleted)
Apple manages your subscription separately if you have a paid plan, you must also cancel the subscription in iOS Settings Apple ID Subscriptions or it will continue to bill. Deleting your StrideFlow account does not cancel the App Store subscription.
If you didn't request the deletion (e.g. someone with access to your device deleted your account), email us at support@strideflow.ai within 30 days and we may be able to recover it.
09Children
StrideFlow is intended for users aged 16 and over, which aligns with the age of digital consent in France under article 7-1 of the French Data Protection Act. We do not knowingly collect personal data from anyone under 16. During onboarding we ask for your date of birth, and accounts identifying as under 16 are blocked from completing setup.
If you believe a child under 16 has provided us with personal data, please contact support@strideflow.ai and we will delete it.
10Security
We protect your data with industry-standard measures:
- All data in transit is encrypted with TLS 1.2+
- Data at rest in Google Cloud is encrypted by default
- Authentication tokens are stored in the iOS Keychain
- Access to production systems is restricted to authorized personnel using multi-factor authentication
- We log and review administrative access
No system is perfectly secure. If we become aware of a data breach affecting your personal information, we will notify the CNIL within 72 hours and, where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay (Articles 3334 GDPR).
11Notifications and permissions
StrideFlow may ask for permission to send you notifications. This is optional the app's core features all work without notifications. If granted, we use them only for:
- Daily reminders at the time you choose (with quiet-hours respected)
- Alerts before scheduled calendar blocks
- Confirmation prompts on calendar block actions (mark done, snooze)
You can disable notifications at any time in Settings Notifications inside the app, or in iOS Settings StrideFlow Notifications.
We do not send marketing push notifications.
12California residents (CCPA / CPRA)
If you live in California:
- The categories of personal information we collect are listed in Section 3.
- We have not "sold" or "shared for cross-context behavioral advertising" any personal information in the preceding 12 months, as those terms are defined under the CCPA/CPRA.
- You have the right to know, the right to delete, the right to correct, the right to opt-out of sale/sharing (not applicable since we don't), and the right not to be discriminated against for exercising your rights.
- To exercise these rights, email support@strideflow.ai from the address associated with your account.
- We do not have actual knowledge that we sell or share personal information of minors under 16.
13Changes to this policy
We may update this policy from time to time. If we make a material change, we will:
- Update the "Last updated" date at the top
- Post the new policy at this URL
- Notify you in-app or by email before the change takes effect, for any change that materially expands how we collect or use your data
Continued use of StrideFlow after a change takes effect means you accept the updated policy.
14Contact
For privacy questions, requests, or complaints, email support@strideflow.ai.
Postal address: Diarra Sory Brahim, 92, Av Albert 1er, 92500 Rueil-Malmaison, France.
This policy is governed by the laws of France, without prejudice to the mandatory consumer-protection rules of the country where you have your habitual residence.