Legal Document

Privacy Policy

Version 1.0 — April 2026  ·  Android Application — France & EU  ·  Contact: privacy@zenith2app.com

Zenith ("the Application") is developed and published with respect for your privacy. This policy informs you transparently about the collection, use, retention, and protection of your personal data, in accordance with the GDPR (EU Regulation 2016/679).

1. Data Controller

2. Data Collected

2.1 Identification Data

Data	Usage	Category
Email address	Firebase Authentication	Personal
First name / nickname	Display in app	Personal
Age range	UI adaptation	Personal

2.2 Behavioral Health Data (Art. 9 GDPR)

• Targeted impulse type (screens, nutrition, stress, finances, sleep, other)
• Behavioral events: victories, slips, SOS sessions (type, timestamp)
• Emotional triggers: boredom, anxiety, frustration, sadness, anger
• Personal reflections: AES-256-GCM encrypted — inaccessible even to our teams
• Personalized coping plan (trigger → action plan)
• Personal aspirations and attempt history

2.3 Progress Data

• XP score, level, streak (consecutive days)
• Focus Score (personal indicator — non-medical)
• Unlocked badges and achievements

2.4 Technical Data

• Firebase Identifier (UID) — non-personal, non-reusable
• FCM Token for push notifications (weekly summaries)
• Billing data: processed exclusively by RevenueCat
• Encryption keyset (technical key encrypted PBKDF2 + AES-256-GCM)

3. Legal Bases for Processing

Purpose	Legal Base
Service provision (auth, dashboard, tracking)	Art. 6.1.b — Contract performance
Behavioral health data	Art. 9.2.a — Explicit consent
Billing and subscription	Art. 6.1.b — Contract performance
Aggregated and anonymized analytics	Art. 6.1.f — Legitimate interest
Billing data retention	Art. 6.1.c — Legal obligation

4. Protection of Minors

Zenith is accessible from age 14. For users aged 14 to 17:

• Mandatory parental consent before account activation
• Account pending until explicit parental approval
• Legal representatives have all GDPR rights on behalf of the minor
• No minor data is used for commercial purposes
• In accordance with Art. 8 GDPR and local laws

5. Security and Encryption

• E2E Encryption: AES-256-GCM via Google Tink for all reflections
• Key derivation: PBKDF2 with unique per-user salt (600,000 iterations)
• Recovery code: BIP39 — 12 mnemonic words to restore your data
• Firebase App Check: application integrity attestation
• Screenshot protection: FLAG_SECURE on sensitive screens
• Transit: HTTPS/TLS 1.3 only

6. Subprocessors

Subprocessor	Role	Location
Google Firebase	Auth, database, App Check	USA — EU SCCs
RevenueCat Inc.	Billing and subscriptions	USA — EU SCCs
Google Play Store	App distribution	International

No data is sold to third parties. Zenith contains no ads.

7. Retention Period

• Active account data: for the entire duration of use
• Behavioral data: 24 months after the last event
• Billing data: 5 years (legal obligations)
• After account deletion: permanent purge within 30 days

8. Your GDPR Rights

• Access (Art. 15): export your data via Settings → "Export my data"
• Rectification (Art. 16): modify your profile directly in the app
• Erasure (Art. 17): Settings → "Delete my account" — purge within 30 days
• Portability (Art. 20): JSON export via Settings → "Export my data"
• Objection (Art. 21): objection to any processing based on legitimate interest
• Withdrawal of consent: applicable to health data, no retroactive effect

To exercise your rights: privacy@zenith2app.com — response time: 30 days maximum.

9. Notifications

Zenith uses notifications for daily reminders, streak alerts, post-SOS follow-up, and weekly summaries. You can disable them at any time in Settings or Android system settings.

10. Modifications

In the event of a substantial modification, you will be informed by in-app notification at least 30 days before it takes effect. Continued use constitutes acceptance.

11. Contact