Privacy Policy

How we treat
your data.

Plain language. No dark patterns. If something here is unclear, write to /supportand we’ll fix it.

Effective 2026-04-27.

The short version

Breathey is a breathing app. We try to keep things simple and private. The bullet points below are true; the rest of this page just unpacks them.

  • Your breathing sessions live on your device, encrypted at rest.
  • You can optionally back them up to your own private cloud (Firebase).
  • Analytics and crash reports are off by default. You explicitly opt in.
  • We don’t sell your data, ever. We don’t use ad networks.
  • You can delete everything at any time, from inside the app.

Who we are

Breathey is operated by Amaze Labs(“we”, “us”).

Registered office: 8 Mount Street, Auckland Central, Auckland, New Zealand.
NZBN: 9429053396341.

Questions about this policy or your data: breathey.app/support.

What this covers

This policy applies to:

  • The Breathey iOS app (the “App”).
  • The breathey.app website, including the newsletter and support form (the “Site”).

When we say “you” we mean the person using the App or the Site. When we say “your data” we mean information that identifies you or that’s tied to your use of Breathey.

What the App collects

The App is designed to do as much as possible on your device. Here is everything it touches.

Stored on your device (always)

  • Breathing sessions — start/end time, duration, pattern (inhale / hold / exhale / hold seconds), completion status, pause count. Stored in an encrypted local database (AES-256).
  • Settings— daily goal, sound & vibration preferences, theme, breath preset, session-completion notification, data-retention preference (none / 90 / 365 days).
  • Reminders— times and days you’ve scheduled. Local notifications only; nothing leaves your device.
  • Onboarding flag— so we don’t show you the welcome flow twice.

Anonymous account (always, automatic)

When the App first launches it creates an anonymous Firebase account. This is just a random identifier (a UID) — no email, no name, no profile. It exists so the App can later sync your sessions across devices if you choose to enable cloud backup.

Optional cloud backup (Firebase Firestore)

Off by default. If you turn on cloud backup in Settings, your sessions are copied to your private Firestore document — same fields as the local database, plus the device platform (ios/android) and an updated timestamp. Strict per-user rules mean nobody else can read your sessions.

Optional health sync

Off by default. If you grant the system permission, completed sessions over 60 seconds are written to Apple HealthKit (iOS) or Health Connect (Android) as Mindfulness minutes. We don’t store HealthKit data ourselves; the system does. You can revoke the permission anytime in iOS / Android settings.

Optional analytics & crash reports

Off by default and gated by an explicit consent prompt. If you opt in:

  • Firebase Analytics— high-level events (e.g. “reminder added”, “setting changed”, screen views) and a few aggregate properties (your daily goal, whether cloud backup is on). No content of your sessions or reminders is sent.
  • Firebase Crashlytics — crashes and non-fatal errors with stack traces, plus device model and OS version. Helps us fix bugs.

You can turn both off again at any time in Settings → Privacy.

iOS App Tracking Transparency

On iOS, the App may show the standard system prompt asking permission to use the device identifier for analytics. If you say no, nothing changes— analytics are off by default anyway. We don’t share any identifier with ad networks.

Permissions the App may ask for

  • Notifications — to deliver the reminders you scheduled.
  • HealthKit / Health Connect — only if you turn on health sync.
  • Background audio (Android) — to keep ambient sounds playing during a session.
  • Tracking transparency (iOS) — described above.

All permissions are optional and can be revoked from your device settings.

What the Site collects

Newsletter

If you submit your email to the newsletter form, we send it to Brevo (Sendinblue SAS)who hosts our contact list. We use it to email you occasional updates about Breathey. You can unsubscribe from any email we send. We don’t share the list with anyone.

Support form

When you write to us via /support, your name (optional), email, message and the type you picked (Bug / Feature / Question) are sent to our support inbox via Brevo’s transactional email service. We keep the message in our inbox so we can reply.

Server logs

Like every web server on the internet, ours records request lines (timestamp, IP address, path, user-agent) for short-term diagnostics and abuse prevention. Logs roll over and aren’t used to build profiles.

Cookies & trackers

The Site doesn’t set tracking cookies, doesn’t embed analytics SDKs, doesn’t embed ad pixels. Fonts are served by Google Fonts via Next.js (Google may see the IP that fetches them; no user identifier is sent).

Who else sees your data

We use a small number of carefully chosen processors. They act on our behalf, under contract, and only for the purposes listed.

  • Google / Firebase (Google LLC) — anonymous auth, optional cloud backup (Firestore), optional analytics, optional crash reports. Data may be processed in the United States and other regions where Google operates.
  • Brevo (Sendinblue SAS, France) — newsletter list and transactional email for the support form. Hosted in the EU.
  • Apple— distributes the App via the App Store and may collect download & crash metrics on its own under Apple’s privacy policy. If you enable health sync, the system writes Mindfulness minutes to HealthKit on your device.
  • Hetzner (Hetzner Online GmbH, Germany) — hosts the breathey.app website.

We do not sell your data, do not share it with advertisers, and do not use it to build profiles for anyone else.

How long we keep things

  • Local sessions— kept on your device until you delete them, or automatically pruned if you set the “auto-delete sessions older than” preference.
  • Cloud backup (Firestore) — kept until you turn off cloud backup or delete your data.
  • Newsletter email — until you unsubscribe.
  • Support messages — kept in our inbox for as long as needed to handle the request, then archived.
  • Server logs — short-term, typically rotated within 14 days.

Your rights

You can, at any time:

  • See your data — every breathing session you have is visible inside the App in the History view. Settings and reminders are visible in Settings. You can also ask us by writing to /support.
  • Correct your data — edit reminders and settings inside the App. If anything else is wrong, write to /support.
  • Export your data— write to /support and we’ll send you a copy of what we hold (newsletter status, cloud-backed sessions if any).
  • Delete everything — open the App → Settings → Privacy → Delete All Data. This wipes local sessions, reminders, settings, your cloud data and your Firebase account in one go. To unsubscribe from the newsletter, use the link at the bottom of any email or write to /support.
  • Withdraw consent — turn off analytics and crash reports in Settings → Privacy. Future events stop being collected.
  • Complain — if you’re in New Zealand, you can complain to the Office of the Privacy Commissioner. If you’re in the EU/UK, you can contact your local data-protection authority.

Children

Breathey isn’t directed at children under 13 (under 16 in the EU). We don’t knowingly collect data from them. If you believe a child has used the App and you’d like their data removed, write to /support.

Security

Local sessions are encrypted at rest with AES-256. Network calls go over HTTPS. Firebase uses per-user security rules so nobody can read your sessions but you. The App runs an integrity check (jailbreak/root detection) and warns you if the device is compromised. We’re a small team — we’re honest about that — and we’ll tell you if something goes wrong.

Changes to this policy

If we materially change anything that affects your data, we’ll update the “effective date” below and, if it’s significant, mention it in-app or by email to newsletter subscribers. Older versions are available on request.

Effective date: 2026-04-27.