Privacy Policy — Circle Mood & Wellness

Circle ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and website.

1. Information We Collect

1.1 Personal Information

Email address (required for account creation)
Display name and profile information
Date of birth (optional, for age verification)
Phone number (optional)

1.2 Wellness Data

Mood tracking entries (daily mood scores)
Journal reflections and gratitude entries
Circle posts, comments, and reactions
Messages sent within circles

1.3 Technical Data

Device information (type, operating system)
IP address and geolocation (country level)
App usage analytics (anonymized)
Push notification tokens

2. How We Use Your Information

We use your information to:

Provide and maintain the Circle app
Track your mood patterns and wellness journey
Enable connections within your circles
Send notifications about circle activity
Improve app features and user experience
Comply with legal obligations

3. Data Sharing and Disclosure

We do NOT sell your personal data.

3.1 Within Circle

Your profile information is visible to circle members
Posts and messages are shared only within your circles
Mood entries are private (only visible to you)

3.2 Service Providers (Sub-Processors)

We share data with trusted third-party service providers who help us operate the app. These providers are contractually bound to process your data only as directed by us and in accordance with applicable privacy law:

Supabase, Inc. — Database, authentication, and file storage. Data currently stored in Mumbai, India (AWS ap-south-1). A migration to Sydney, Australia (AWS ap-southeast-2) is planned to keep data within the ANZ region. We have a signed Data Processing Agreement (DPA) with Supabase that includes Standard Contractual Clauses (SCCs) for lawful international data transfer. Special categories of personal data (health/mood data) are declared under this DPA.
RevenueCat, Inc. — In-app subscription management. Not yet active — will be enabled in Phase 2. When active, processes subscription status and anonymised platform user IDs only. No mood data, journal entries, or personal health information will be shared with RevenueCat. RevenueCat Privacy Policy: revenuecat.com/privacy.
Sentry (Functional Software, Inc.) — Error monitoring and crash reporting. Receives anonymised technical error events only. We do not log mood data, journal content, or personal health information in error events. Sentry Privacy Policy: sentry.io/privacy.
Expo / EAS (Expo, Inc.) — App delivery, over-the-air updates, and push notification routing. Does not process personal user data.
Apple Inc. — App Store distribution, Apple Sign-In authentication.
Google LLC — Google Play distribution, Google Sign-In authentication.

3.3 Legal Requirements

We may disclose information if required by law or to:

Comply with legal processes or government requests
Protect the rights and safety of Circle users
Prevent fraud or security issues

4. Data Security

We implement industry-standard security measures:

Encryption: All data encrypted in transit (TLS/SSL) and at rest (AES-256)
Authentication: Secure password hashing with Supabase Auth
Access Control: Row-level security policies on all database tables
Monitoring: Security logs track access and suspicious activity

Important: No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

5. Data Storage

Your data is stored on secure servers provided by Supabase. Data centres are currently located in Mumbai, India (AWS ap-south-1 region) with physical and digital protections in place. A migration to the Sydney, Australia region (AWS ap-southeast-2) is planned to reduce latency for NZ and AU users and to keep data within the ANZ region.

6. Your Privacy Rights

6.1 Access Your Information

You can export all your data at any time via Settings → Privacy → Export Data. You'll receive a comprehensive JSON file within 24 hours (GDPR Article 20 compliant).

6.2 Correct Your Information

Update your profile, email, or settings at any time in the app (Settings → Edit Profile).

6.3 Delete Your Account

30-Day Grace Period: Account deactivated immediately; cancel deletion by logging back in within 30 days
After 30 Days: All personal data permanently deleted
Within 90 days: Backup systems purged
Email Reusability: You can re-register with the same email after deletion

Legal Retention Exceptions (cannot be deleted):

Financial records: 7 years (NZ Inland Revenue requirement)
Security logs: 90 days, anonymized (fraud prevention)
User blocking records: Community safety (GDPR Article 17(3)(f))
Anonymized analytics: No personal identifiers

Go to Settings → Privacy → Delete Account, or email hello@mycircle.co.nz for assistance.

7. Data Retention

Active Accounts: Retained while you use Circle
Day 0–30: Deletion pending (cancel by logging in)
Day 30: Automatic permanent deletion begins
Days 30–37: Complete removal from production database
Days 37–90: Removal from encrypted backups

8. Children's Privacy

Circle is intended for users aged 12 and older (NZ law). We do not knowingly collect information from children under 12. If we learn we have collected such data, we will delete it immediately.

9. International Users & Data Transfers

Circle is operated from New Zealand and available globally. Your data is stored and processed in Mumbai, India (AWS ap-south-1) by our infrastructure provider Supabase, Inc. We have a Data Processing Agreement (DPA) with Supabase that includes Standard Contractual Clauses (SCCs) for lawful transfer of personal data from the European Union and United Kingdom. A migration to Sydney, Australia (AWS ap-southeast-2) is planned to keep data within the ANZ region.

GDPR (EU/UK): Full compliance — right to access, erasure, and portability. Data transfers covered by SCCs under our Supabase DPA.
NZ Privacy Act 2020: Information Privacy Principles (IPPs) compliance. Overseas transfer safeguards in place per Principle 12.
CCPA (California): Applicable consumer rights honoured.

10. Cookies and Tracking

The Circle app does not use cookies. We use local storage for login sessions, anonymized analytics, and optional push notifications.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated via email or app notification.

12. Contact Us

Email: hello@mycircle.co.nz
In-App: Settings → Privacy

🇳🇿 Made in New Zealand, Available Globally: Circle complies with NZ Privacy Act 2020, GDPR (EU/UK), CCPA (California), and international privacy standards.

← Back to Home