Primary Purposes (Necessary):

1. Service Provision (legal basis: performance of contract, Art. 6(1)(b) GDPR):

Provide story, meditation, and sleep audio functionalities

Stream multimedia content hosted on GHL servers

Save progress and settings locally on the device

2. Technical Support (legal basis: performance of contract, Art. 6(1)(b) GDPR):

Resolve issues reported by the User

Improve Application performance

Detect and fix errors

3. Security (legal basis: legitimate interest, Art. 6(1)(f) GDPR):

Fraud prevention

Protect the integrity of the Application

4. Legal Compliance (legal basis: legal obligation, Art. 6(1)(c) GDPR):

Tax obligations

Legal requirements from competent authorities

Secondary Purposes (Optional) (legal basis: consent, Art. 6(1)(a) GDPR):

With additional consent:

Improvement and personalization of the User experience

Aggregated and anonymized usage analysis (without identifying individual users)

You may object to secondary purposes without affecting the basic functionality of the Application.

6. WHO WE SHARE INFORMATION WITH

We NEVER sell, rent, or commercialize your personal data.

Third parties involved:

1. Apple Inc. (Payment processing and distribution)

Purpose: Application distribution and purchase processing

Location: United States

Safeguards: Apple Privacy Policy, EU-U.S. Data Privacy Framework

Data Apple processes: Apple ID, payment method, purchase history. We DO NOT have access to this information

2. GHL – Go High Level (Multimedia content hosting)

Exclusive function: GHL acts solely as a hosting provider for the videos, audios, narrated stories, and guided meditations that are part of the Application. Content is delivered via streaming.

Data GHL receives:

Device IP address: Technically necessary for multimedia content transmission via streaming (TCP/IP protocol). GHL does not use this information to identify, profile, or track Users

No other personal data: GHL does not receive names, emails, device identifiers, purchase data, or any other personal data from the User

Server location: United States

Safeguards:

TLS encryption for content transmission

GHL Privacy Policy applicable to its hosting service

3. Competent authorities (only when legally required):

Court order from a competent authority

Fraud prevention

Protection of children’s safety

IMPORTANT: The vast majority of data and ALL User-created content is stored ONLY on the User’s local device.

7. INTERNATIONAL TRANSFERS

Since the Application is sold worldwide, minimal data may be transferred to the United States (where Apple and GHL servers are located), in compliance with:

EU Standard Contractual Clauses (Implementing Decision 2021/914)

EU-U.S. Data Privacy Framework

Transfer Impact Assessments (in accordance with the Schrems II doctrine)

Adequate safeguards as required by the User’s jurisdiction

In the case of GHL, multimedia content owned by the Controller is transferred, and, due to the technical necessity of streaming, the User’s device IP address to establish the connection. GHL does not use said IP address for identification, profiling, or tracking purposes.

8. HOW LONG WE RETAIN DATA

During active license: Minimal technical data necessary for the Application’s operation.

After exercising deletion rights:

Minor’s data: Deletion within 7 business days

Other data: Deletion within 15 business days

Exception: Data required by law (tax obligations: 5 years)

Technical logs: Maximum 90 days, then automatically deleted

IP addresses at GHL: IP addresses transmitted during streaming are not persistently stored by GHL in accordance with their standard retention policy

On-device content: Entirely controlled by the User, automatically deleted upon uninstalling the app

9. SECURITY

We implement robust technical and organizational measures:

Technical:

TLS 1.3 encryption (in transit) and AES-256 (at rest)

Strict access controls

Continuous security monitoring

Secure backups

Organizational:

Internal information security policies

COPPA and child protection training

Security incident management

Periodic audits

Security breach notification:

To authorities: 72 hours (GDPR) / immediately (COPPA)

To affected users: When there is a high risk to their rights

10. YOUR RIGHTS

Rights of parents/guardians regarding the minor’s data:

Access: See what data we hold (response within 1 month)

Rectify: Correct inaccurate data (response within 1 month)

Erase/Delete: “Right to be forgotten” (deletion within 7–15 business days)

Restrict: Temporarily restrict processing

Port: Receive data in a structured format (JSON, CSV)

Object: To specific processing activities

Withdraw consent: At any time, without retroactive effect

No automated decisions: We DO NOT use profiling or automated decision-making affecting Users

COPPA Rights (United States):

Review the child’s information

Request complete deletion

Refuse future collection

ARCO Rights (Mexico):

Access, Rectification, Cancellation, Opposition

Response period: 20 business days

How to exercise your rights:

Email: [email protected]

Include:

Full name of parent/guardian

Name of the minor

Right you wish to exercise

Identity documents (government-issued ID) and the minor’s birth certificate

INAI Form (Mexico): Available at https://home.inai.org.mx

11. LOCAL STORAGE TECHNOLOGIES

The Application, being a native iOS app, does not use browser cookies. Instead, it employs local device storage mechanisms (such as iOS UserDefaults) exclusively to:

Save User configuration preferences

Store language preferences

Maintain session state within the app

These mechanisms operate solely within the Application and on the User’s device.

We DO NOT use:

Advertising or third-party cookies

Cross-site or cross-app tracking

Behavioral profiles

Fingerprinting technologies

Local storage: Progress, settings, and User-created content are stored exclusively on the device

12. RIGHTS BY JURISDICTION

Since the Application is sold worldwide, we recognize the privacy rights of Users in the following major jurisdictions:

European Union (GDPR):

All rights described in Section 10. Right to lodge a complaint with the data protection authority of your country. ODR Platform: https://ec.europa.eu/consumers/odr

EU Representative: In accordance with Article 27(2)(a) of the GDPR, the Controller has determined that the data processing it carries out is occasional, does not include large-scale processing of special categories of data (Art. 9) or data relating to criminal convictions and offenses (Art. 10), and is unlikely to result in a risk to the rights and freedoms of natural persons. Accordingly, the appointment of a representative in the EU is not required. Nevertheless, the Controller is available to address any request directly at [email protected].

United States (COPPA):

Full parental rights. FTC: www.ftc.gov | 1-877-FTC-HELP

California (CCPA/CPRA): Right to know, delete, correct. We DO NOT sell personal data (opt-out of sale does not apply).

Mexico (LFPDPPP):

Full ARCO rights. INAI: www.inai.org.mx | 800 835 43 24

Canada (PIPEDA): Privacy Commissioner: www.priv.gc.ca

Brazil (LGPD): ANPD: www.gov.br/anpd

United Kingdom (UK GDPR): ICO: www.ico.org.uk

Other jurisdictions: If your country has data protection legislation, we will respect your rights in accordance with applicable local regulations.

13. SPECIAL PROTECTION OF MINORS

Principles:

Best interest of the child. Enhanced protection. Mandatory parental supervision. Digital education.

Parental consent verification – Methods:

Express declaration upon first use of the Application

Acceptance of Terms and Conditions and Privacy Policy

App Store purchase barrier (credit/debit card) – method recognized by the FTC

iOS parental controls (optional, configurable by the parent/guardian)

We acknowledge: No parental verification method is 100% infallible. We implement reasonable efforts in accordance with FTC, ICO, and EDPB guidelines.

Appropriate content:

All content is reviewed to ensure age-appropriateness. No third-party advertising. No external links leading outside the app. No interaction with strangers or social features.

14. MODIFICATIONS TO THIS POLICY

Minor changes: Updated publication in the app + updated effective date

Substantial changes:

Email notification to the address linked to the Apple Account

Prominent notice within the Application

30 days to review changes before they take effect

New consent if legally required

Continued use = acceptance of the changes made

15. POST-UNINSTALLATION DATA

Upon uninstalling:

Local data: Automatically deleted by iOS

Data at Apple: Subject to Apple’s privacy policy

Multimedia content on GHL: Contains no User data; remains as content owned by the Controller

To delete EVERYTHING:

Uninstall the Application

Request data deletion by writing to: [email protected]

Contact Apple to manage purchase history