Privacy Policy

1. Information We Collect

Account Information

When you create an account, we collect your email address and, if you sign in with Google, your name and profile picture. We do not collect your password directly — it is managed securely by Firebase Authentication.

Usage Data

We collect information about how you use the Service, including the breathwork sessions you complete, session duration, the number of rounds performed, and any feelings you log before or after a session. We treat feelings data with care; it is used solely to personalise your experience and is not shared with third parties who act as independent data controllers for any other purpose.

Device Information

We may collect information about your device, including device type, operating system version, and unique device identifiers, for analytics and troubleshooting purposes.

Error and Crash Reports

On the web app, we use Sentry to capture error reports and crash diagnostics. On the mobile app, we use Firebase Crashlytics. Both services may collect device type, operating system version, and a stack trace of the error. No personally identifiable information is intentionally included in these reports.

Cookies and Similar Technologies

We use cookies and similar tracking technologies on our website in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR). We use two categories of cookies:

• Essential cookies: Necessary for the Service to function (e.g. authentication session cookies). These cannot be disabled.
• Analytics cookies: Set by Google Analytics / Firebase Analytics to help us understand how users interact with the Service. These are only set with your consent.

You can manage your cookie preferences at any time via the consent banner. You can also block or delete cookies through your browser settings; note that disabling analytics cookies does not affect your use of the Service.

2. Legal Basis for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. The table below sets out the basis we rely on for each type of processing:

• Account and session data — performance of a contract (providing the Service you have signed up for)
• Feelings and mood logs — your consent, given when you choose to log feelings within the app. We treat feelings data with care given its personal nature and process it only for the purposes set out in this policy.
• Analytics and usage patterns — your consent, given via the cookie consent banner
• Push notifications — your consent, given when you opt in to notifications through your device or browser settings
• Error and crash diagnostics (Sentry, Firebase Crashlytics) — our legitimate interest in maintaining a stable and reliable Service
• Fraud prevention and security — our legitimate interest in protecting the Service and its users
• Legal compliance — compliance with a legal obligation

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Personalise your experience and track your progress
• Send you notifications related to the Service, where you have opted in
• Analyse usage patterns to improve features and content
• Diagnose and fix technical errors in the Service
• Detect and prevent fraudulent or unauthorised activity
• Comply with legal obligations

You can withdraw consent for notifications at any time through your device or browser notification settings.

4. Data Storage and Retention

Your data is stored on Google Firebase infrastructure (Firestore, Firebase Authentication, Firebase Remote Config), with servers located in the European Economic Area or the United States (see Section 6 for international transfer details).

We retain your data as follows:

• Account data (email, profile): retained for the lifetime of your account, then deleted within 30 days of account deletion (the delay reflects Firebase Authentication’s internal deletion process)
• Session and progress records: retained for the lifetime of your account, then deleted immediately on account deletion
• Feelings logs: retained for the lifetime of your account; deleted immediately on account deletion. You may also request deletion independently of your account at any time.
• Analytics data: retained in aggregated form for up to 26 months by Google Analytics, per Google’s data retention settings
• Error reports (Sentry): retained for 90 days

You may request deletion of your account and all associated data at any time by contacting us at info@sequence-studios.com.

5. Sharing Your Information

We do not sell, trade, or otherwise transfer your personally identifiable information to third parties, except as described below:

• Google Firebase (Firebase Authentication, Firestore, Remote Config, Firebase Analytics): used to operate and improve the Service. Google acts as a data processor on our behalf.
• Google Analytics / Firebase Analytics: used to analyse aggregated usage data. Only activated with your consent.
• Sentry: used for error monitoring on the web app. Processes device and diagnostic data only.
• Firebase Crashlytics: used for crash reporting on the mobile app. Processes device and diagnostic data only. Google acts as a data processor on our behalf.
• Firebase Cloud Messaging (FCM): used to deliver push notifications to your device when you have opted in. Google receives your device’s push notification token to route messages. Google acts as a data processor on our behalf.
• Legal requirements: if required by law, regulation, or valid legal process
• Business transfers: in the event of a merger, acquisition, or sale of all or a portion of our assets, with notice to you where required by law

Payment Processors

Subscription payments are processed by third-party providers, not by Breath Lab directly. We use:

• RevenueCat, Inc. — manages our subscription state across web, iOS, and Android. To do this, we share your account identifier, email address, and display name with RevenueCat. Their privacy policy: revenuecat.com/privacy.
• Stripe, Inc. — processes credit/debit card payments on the web. Stripe is a PCI-DSS Level 1 certified payment processor; we never see your full card number. Their privacy policy: stripe.com/privacy.
• Apple App Store and Google Play Store — process payments for subscriptions purchased through their respective mobile apps under their own terms and privacy policies.

These processors receive the minimum information needed to complete a transaction (your payment instrument, billing country, the subscription product you selected). They do not receive your breathwork session history, mood data, or in-app activity.

When payment information is collected. On the web, no payment information is collected during the 7-day free trial — your card details are only requested if you choose to convert to a paid subscription. On iOS and Android, the annual-plan free trial is operated as an introductory offer by the App Store or Google Play; a payment method on your Apple ID or Google account is therefore required by the store before the trial can begin. We do not directly receive or store your card details in either case.

Bot Protection (Google reCAPTCHA)

We use Google reCAPTCHA to protect our sign-in, sign-up, and account recovery flows from automated abuse. reCAPTCHA analyses hardware and software information — including device data and behavioural signals — and sends it to Google for analysis. Use of reCAPTCHA is subject to Google's Privacy Policy and Google's Terms of Service. We do not control and are not responsible for Google's processing of this data.

6. International Data Transfers

Some of our service providers, including Google (Firebase, Google Analytics), Sentry, RevenueCat, and Stripe, may transfer or store your data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place:

• Google (Firebase Authentication, Firestore, Firebase Analytics, Firebase Crashlytics, Firebase Cloud Messaging): transfers to the US are covered by Google’s UK International Data Transfer Addendum (UK IDTA) to the EU Standard Contractual Clauses, as recognised under the UK GDPR framework.
• Sentry: Sentry Inc. is certified under applicable data transfer mechanisms. Data may be processed in the United States.
• RevenueCat: RevenueCat Inc. is a US-based company. Data transfers are covered by Standard Contractual Clauses under the UK GDPR framework.
• Stripe: Stripe Inc. is a US-based company. Stripe is certified under applicable data transfer mechanisms, including Standard Contractual Clauses recognised under the UK GDPR framework.

You can request a copy of the relevant transfer safeguards by contacting us at info@sequence-studios.com.

7. Children’s Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us so we can delete it.

We are aware of the ICO’s Age Appropriate Design Code (Children’s Code). We apply data minimisation and privacy-by-default principles to our Service and do not use personal data of younger users for profiling or targeted content.

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data. If you are in the United Kingdom, these apply under UK GDPR and the Data Protection Act 2018. If you are in the European Economic Area, equivalent rights apply under EU GDPR:

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: request correction of inaccurate or incomplete data
• Right to erasure: request deletion of your personal data where there is no compelling reason for us to continue processing it
• Right to restriction: request that we restrict processing of your data in certain circumstances
• Right to data portability: receive your data in a structured, commonly used format and transfer it to another controller
• Right to object: object to processing based on legitimate interests or for direct marketing
• Rights related to automated decision-making: we do not make decisions about you solely by automated means that produce legal or similarly significant effects

To exercise any of these rights, contact us at info@sequence-studios.com. We will respond within one calendar month. There is no charge for making a request.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO): ico.org.uk — 0303 123 1113.

If you are a California resident, you may also have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete it, and the right to opt out of its sale. We do not sell personal information.

9. Security

We take reasonable technical and organisational measures to protect your information against unauthorised access, alteration, disclosure, or destruction. These include use of Firebase’s built-in security rules, encrypted transmission (HTTPS), and access controls limited to authorised personnel. However, no method of transmission over the internet or electronic storage is 100% secure.

In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and report the breach to the Information Commissioner’s Office within 72 hours of becoming aware, as required by UK GDPR.

10. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — changes that affect your rights or how we use your data in a significant way — we will notify you directly (via email or an in-app notice) and, where required by law, seek your renewed consent. Non-material changes will be indicated by updating the “Last updated” date at the top of this page.

11. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Sequence Studios Ltd (Company No. 15455683)
71-75 Shelton Street, Covent Garden, London WC2H 9JQ
info@sequence-studios.com
ICO Registration Number: ZB798412

We have not appointed a Data Protection Officer as we do not currently meet the criteria requiring mandatory appointment under Article 37 UK GDPR.