Your privacy is important to us. This policy explains what data we collect, why we do it, and what rights you have. We've written it in plain language β but if anything is unclear, feel free to contact us.
1. What data do we collect?
Account data
When you create an account, we store your name, email address, and password (encrypted). If you log in with Google, we receive your name and email address from Google.
Health data
Cipoli is built on your answers in our health assessments. This may include diet, sleep, exercise, mental health, substance habits, and other lifestyle factors. This data is classified as sensitive personal data (health data) under GDPR.
Activity data
We save which activities and habits you activate, your progress, check-in history, and focus areas.
Technical data
If you accept cookies, we collect anonymized visitor statistics via Google Analytics (page views, approximate location, device type). We also use Vercel Analytics, which is completely cookie-free and does not collect personal data.
2. Why do we collect this data?
3. Legal basis
Explicit consent (Art. 9.2a) β For health data, we ask for your explicit consent at registration. You can withdraw your consent at any time by deleting your account.
Contract (Art. 6.1b) β Account data and activity data are needed to deliver the service you signed up for.
Consent (Art. 6.1a) β Google Analytics cookies require your active consent via our cookie banner. You can change your choice at any time.
4. Who has access to your data?
We never sell your data. The following services process data on our behalf (as data processors):
5. How long do we keep your data?
We keep your data as long as you have an active account. If you delete your account, we permanently remove all your data within 30 days.
Inactive accounts (no login for 24 months) may be deleted after we've contacted you by email.
Anonymized statistics (with no connection to you) may be retained to improve the service.
6. Your rights under GDPR
As a user in the EU/EEA, you have the following rights:
7. Cookies
Necessary cookies β We use session cookies to keep you logged in. These are necessary for the service to function and do not require consent.
Statistics cookies (Google Analytics) β If you accept in our cookie banner, Google Analytics cookies are set to measure visitor statistics. These cookies do not personally identify you. You can change your choice at any time via the cookie settings at the bottom of the page.
Cookie-free analytics (Vercel) β Vercel Analytics collects anonymized visitor statistics without cookies and does not require consent.
8. Security
We protect your data with encryption in transit (TLS/HTTPS), encrypted storage in Supabase with Row Level Security (RLS) that ensures only you can see your own data, and encrypted passwords (bcrypt). We conduct regular security reviews of our infrastructure.
9. Contact
Do you have questions about how we handle your personal data, or do you want to exercise your rights? Contact us:
Email: privacy@cipoli.com
Supervisory authority: The Swedish Authority for Privacy Protection (IMY)
10. Changes to this policy
We may update this policy. For significant changes, we will notify you by email or a notice in the app. The latest version is always available on this page.
11. US State-Specific Privacy Rights
The following rights apply in addition to the other sections for users residing in the United States, depending on your state of residence.
11.1 We Do Not Sell or Share Your Personal Information
Cipoli does not sell your personal information and does not share it with third parties for cross-context behavioral advertising as defined under the California Consumer Privacy Act (CCPA/CPRA). We use your data solely to provide and improve the Service, and to comply with our legal obligations.
11.2 California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights: (1) the right to know what categories of personal information we collect and how it is used, (2) the right to delete personal information, (3) the right to correct inaccurate information, (4) the right to opt out of the sale or sharing of personal information, (5) the right to limit the use of sensitive personal information, and (6) the right to non-discrimination for exercising your rights. Health data is classified as Sensitive Personal Information under the CPRA β we use this data only to provide the Service.
11.3 Washington Residents (My Health My Data Act)
If you are a resident of Washington State, the My Health My Data Act (MHMDA) applies. You have the right to (1) confirm whether we collect, share, or sell your consumer health data, (2) confirm which third parties receive your consumer health data, (3) withdraw consent at any time, and (4) request deletion of your consumer health data. We neither sell nor share your health data with third parties, except for the subprocessors required to operate the Service (e.g., Supabase for data storage, Stripe for payment processing).
11.4 Other States (Virginia, Colorado, Connecticut, Utah, Texas, and others)
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, or other states with comprehensive privacy laws, you generally have the right to (1) access your personal information, (2) correct inaccurate information, (3) delete your information, (4) obtain a copy in a portable format, and (5) opt out of targeted advertising and profiling. Cipoli does not use your data for profiling or targeted advertising.
11.5 How to Exercise Your Rights
Send your request to privacy@cipoli.com. Include your name, registered email address, and which right you wish to exercise. We will respond within 45 days (CCPA) or 30 days (other states). We may need to verify your identity before fulfilling your request. You may designate an authorized agent to act on your behalf.