Privacy Notice

Between Sessions is operated by Wanakee Smith, a sole proprietor ("we", "us", "our"). We act as the data controller for the personal data we collect through the Between Sessions application and website (the "Service").

You can reach us at kekee28@gmail.com for any privacy-related questions or to exercise your rights.

We collect the following categories of personal data:

• Account data: email address and a hashed password used to create and authenticate your account.
• Reflection content: the check-ins, feelings, body sensations, statements, and reflections you write in the Service.
• Subscription data: your subscription status, plan, billing period, and a customer identifier from our payment processor (Paddle). We do not see or store your full payment card details.
• Support communications: the name, email, subject, and message you submit via the support form, plus any follow-up correspondence.
• Technical data: IP address, browser/device information, and basic usage logs collected for security, abuse prevention, and reliability.

• Provide the Service — create and manage your account, store your reflections, generate summaries. Legal basis: performance of a contract with you.
• Process payments and manage subscriptions — through our Merchant of Record, Paddle. Legal basis: performance of a contract.
• Customer support — respond to your messages and resolve issues. Legal basis: legitimate interest in supporting our users.
• Security and fraud prevention — detect and prevent abuse, unauthorized access, and policy violations. Legal basis: legitimate interest in keeping the Service safe.
• Product improvement — understand how features are used in aggregate. Legal basis: legitimate interest in improving the Service.
• Legal compliance — comply with applicable laws and respond to lawful requests. Legal basis: legal obligation.

We do not use your reflection content to train machine-learning models, and we do not sell your personal data.

We share personal data only with the following categories of recipients:

• Service providers (subprocessors) who help us run the Service, including hosting, database, authentication, and email infrastructure providers. These providers process data only on our instructions.
• Paddle.com Inc. and Paddle.com Market Ltd., our Merchant of Record for the sale of subscriptions, payment processing, billing, tax compliance, and invoicing.
• Professional advisers such as legal and accounting professionals, where necessary.
• Authorities where required by law, court order, or to protect rights, safety, or property.

Some of our service providers may be located outside your country of residence, including in the United States and the European Economic Area. Where personal data is transferred internationally, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.

We keep your account and reflection data for as long as your account is active. If you delete your account or request deletion, we will delete or anonymize your personal data within a reasonable period, unless we are required to retain certain information for legal, tax, or fraud-prevention reasons.

Support correspondence is typically retained for up to 24 months. Billing records are retained as required by tax and accounting law.

Depending on where you live, you have the right to:

• access the personal data we hold about you;
• request correction of inaccurate data;
• request deletion of your data ("right to be forgotten");
• request restriction of, or object to, certain processing;
• request a portable copy of your data;
• withdraw consent where processing is based on consent;
• lodge a complaint with your local data protection authority (for users in the UK/EEA).

To exercise any of these rights, email us at kekee28@gmail.com. We will respond within one month.

We use appropriate technical and organizational measures to protect your data, including encryption in transit, access controls, hashed passwords, and row-level security on your reflection data so that no other user can read it. No system is perfectly secure, but we work to minimize risks and respond quickly to any incident.

We use a small number of essential cookies and local storage to keep you signed in and remember your preferences. These are required for the Service to function. We do not use advertising or tracking cookies. If we add analytics cookies in the future, we will update this notice and, where required, ask for your consent.

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.

We may update this Privacy Notice from time to time. If we make material changes, we will notify you through the Service or by email. The "Last updated" date above shows when this notice was most recently revised.

For privacy questions or to exercise your rights, contact kekee28@gmail.com.