This Privacy Policy explains how Fernando Tang ("we", "us", "our"), the developer of the sharedBeat mobile application (the "App"), collects, uses, and protects your personal data. We are the data controller for the purposes of the EU General Data Protection Regulation (GDPR) and the Spanish Organic Law 3/2018 (LOPDGDD).
Contact: privacy@sharedbeat.app · https://sharedbeat.app
We are a solo developer based in Spain. We have not appointed a Data Protection Officer, as we are not legally required to. Our lead supervisory authority is the Agencia Española de Protección de Datos (AEPD).
1. Who can use sharedBeat
sharedBeat is intended only for users aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us data, contact privacy@sharedbeat.app and we will delete it.
2. What data we collect, why, and our lawful basis
We follow the principle of data minimisation — we collect only what the App needs.
| Data | Examples | Purpose | Lawful basis (GDPR Art. 6) |
|---|---|---|---|
| Account & identity | Email address; name and profile photo from your Google account; your user ID | Create and secure your account; authenticate you | Contract (6(1)(b)) |
| Profile | Display name, avatar, timezone | Show you to your groups; schedule reminders correctly | Contract |
| Your content | Goals, check-ins (text), check-in photos, reactions | Core features of the App | Contract |
| Social graph | Groups you join, seasons, leaderboard standings | Group features | Contract |
| Goal-setup answers | The categories, cadence and short free-text ("magic text") you enter in onboarding | Suggest relevant goals | Contract |
| Notifications | Push token; notification preferences | Send reminders and nudges you have enabled | Consent (6(1)(a)) for receiving push; you can disable any time |
| Security & abuse-prevention logs | Rate-limit counters, AI usage logs, technical error events | Keep the service stable, prevent abuse, control AI costs | Legitimate interest (6(1)(f)) |
| Crash & performance diagnostics | Device model, OS version, app version, crash stack traces, anonymous device identifier | Detect and fix crashes; keep the App reliable and secure | Legitimate interest (6(1)(f)) |
| Product analytics | Screens viewed, features used, anonymised usage events | Understand how the App is used and improve it | Consent (6(1)(a)) — collected only if you opt in |
We do not collect your precise location, contacts, or special-category data (health, religion, etc.). Please do not enter sensitive information into free-text fields.
3. How AI features work
sharedBeat uses an AI service (Groq, Inc., United States) to suggest goals during onboarding and to generate season-recap text. When you use these features, we send only the goal categories, cadence, and the short free-text you typed — we do not send your name, email, or account ID to the AI provider. AI outputs are automatically generated, may be imperfect, and are not professional, medical, financial, or legal advice. You can ignore suggestions; if AI is unavailable, the App falls back to curated suggestions. See our AI Transparency Notice. This processing is part of providing the App (Contract) and involves a transfer to the United States (see §6).
4. Who we share data with (processors / sub-processors)
We do not sell your personal data and do not share it for third-party advertising. We use the following service providers, who process data on our behalf under data processing agreements:
| Provider | Role | Data location |
|---|---|---|
| Supabase, Inc. | Authentication, database, file storage (your account, content, photos) | European Union (Frankfurt, Germany) |
| Groq, Inc. | AI inference for goal suggestions / recaps (minimised, non-identifying text) | United States |
| Google Ireland Ltd. | Google Sign-In; Android push delivery (FCM) | EU / global |
| Apple Distribution International Ltd. | iOS push delivery (APNs); app distribution | EU / global |
| Expo (650 Industries, Inc.) | Push-notification delivery service; build tooling | United States |
| Functional Software, Inc. (Sentry) | Crash & performance monitoring | European Union region |
| PostHog, Inc. | Product analytics (only if you opt in) | European Union (EU Cloud) |
We may disclose data if required by law, to protect our rights, or in connection with a business transfer (with notice to you).
5. Where your data is stored
Your account and content are stored in the European Union (Frankfurt). Some providers above process limited data in the United States (Groq, Expo). See §6.
6. International data transfers
When data is transferred outside the European Economic Area (to the United States via Groq and Expo), we rely on the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures (data minimisation, encryption in transit) to protect it. You can request a copy of the relevant safeguards by emailing privacy@sharedbeat.app.
7. How long we keep data
| Data | Retention |
|---|---|
| Account, profile, content | While your account exists |
| After account deletion | Permanently deleted within 30 days (including photos in storage) |
| Backups | Roll off automatically within our provider's point-in-time-recovery window (up to 7 days) |
| Security / AI usage logs | Up to 90 days |
| Crash diagnostics | Up to 90 days |
| Analytics (if opted in) | Up to 14 months, in anonymised/aggregated form |
8. Your rights
Under the GDPR you have the right to: access your data; rectify inaccurate data; erase your data ("right to be forgotten"); restrict or object to processing; request data portability; and withdraw consent at any time (for push and analytics) without affecting prior processing.
How to exercise them:
- Delete your account & data: in the App, go to Settings → Delete account. You can also request deletion at https://sharedbeat.app/delete-account or by emailing privacy@sharedbeat.app.
- Access / export / correct: email privacy@sharedbeat.app; we respond within one month.
- Withdraw analytics consent / disable push: in the App settings or your device settings.
You also have the right to lodge a complaint with the AEPD (www.aepd.es) or your local EU supervisory authority.
9. How we protect your data (security)
We use HTTPS/TLS encryption in transit and encryption at rest; row-level security so users can only access data they're authorised to access; server-side handling of all AI/API secrets; secure on-device storage of authentication tokens; and rate-limiting/abuse controls. No system is perfectly secure, but we work to protect your data appropriately (GDPR Art. 32).
10. Children
sharedBeat is for users 18+. We do not knowingly process data of minors.
11. Automated processing
We use light automation to personalise your experience (suggested goals; timing of reminders). This automation does not produce legal or similarly significant effects on you, and you remain in control. We do not make solely-automated decisions of the kind that would trigger Article 22 GDPR safeguards.
12. Changes to this policy
We may update this policy. Material changes will be notified in-app or by email. The "Last updated" date above always reflects the current version.
13. Contact
Questions or requests: privacy@sharedbeat.app. Data controller: Fernando Tang, Spain.