Privacy Policy
Last updated: 2026-05-25
This Privacy Policy describes how PARWANAS ("we", "us", "our") collects, uses, and shares personal information when you use our products, including the LifeLines mobile application for iOS and Android (the "Service"). It is published under Articles 12, 13 and 14 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the French Loi Informatique et Libertés (loi n° 78-17 as amended). It is the version in force on the date indicated above.
1. Data controller
The data controller is PARWANAS, SASU (Société par Actions Simplifiée Unipersonnelle), registered with the Paris trade register under SIREN 101811255, with its registered office at 60 RUE FRANCOIS IER, 75008 PARIS, France. Contact: contact@parwanas.com.
PARWANAS has not designated a Data Protection Officer because the designation thresholds of Article 37 GDPR are not met. All data-protection requests should be sent to the contact email above.
2. Personal data we process
The categories below describe the personal data we collect, the source, the purpose, the legal basis under Article 6 GDPR, and the retention period. This section is structured to map cleanly onto the Apple App Store "Privacy Nutrition Label" and Google Play "Data safety" disclosures.
2.1 Data you provide
- Account identifier and email address. Handled by our authentication provider (see §5). Linked to you. Purpose: account creation and authentication. Legal basis: contract (Art. 6.1.b GDPR). Retention: until you delete your account.
- User content — timelines, journal entries, workouts, body measurements, photos, tags. Created by you inside the application. Linked to you. Purpose: providing the Service (storing, displaying and syncing your own content for you). Legal basis: contract (Art. 6.1.b GDPR). Retention: until you delete the item or your account. Content is encrypted on your device; when cloud sync is enabled, an encrypted copy is kept on our backend.
- Support communications. Messages you send to support@parwanas.com. Linked to you. Purpose: responding to your request. Legal basis: legitimate interest in handling support (Art. 6.1.f GDPR). Retention: 3 years after the last contact, then deletion.
2.2 Data collected automatically
- Anonymous product analytics. Events such as screen views, feature counts and feature-adoption signals. Not linked to you in a way that we can identify you from the analytics data on its own (events are keyed by a randomised pseudonymous identifier). Purpose: understanding how the Service is used so we can improve it. Legal basis: legitimate interest (Art. 6.1.f GDPR), with an in-app opt-out. Retention: aggregated indefinitely in non-identifying form; raw event records retained for 12 months. We do not send the content of journal entries, exercise names, workout weights, body measurements, photo content, or any user-typed content to analytics.
- Crash and error reports. Stack trace, OS version, device model, and application version at the moment of crash. Not linked to you in a way we can identify you from the report alone (events are keyed by a randomised pseudonymous identifier). Purpose: diagnosing and fixing bugs. Legal basis: legitimate interest (Art. 6.1.f GDPR). Retention: 90 days, then deletion.
- Subscription state. Purchase status, product identifier, trial / renewal status and an anonymised purchase token from Apple or Google. Linked to you. Purpose: granting access to paid features and operating the subscription. Legal basis: contract (Art. 6.1.b GDPR) and legal obligation for accounting records (Art. 6.1.c GDPR). Retention: 10 years for billing records (French commercial-law obligation, Article L123-22 of the Code de commerce); subscription state in the operational database is deleted with the account.
- Web-server access logs (parwanas.com only). IP address, user-agent, requested URL, response code, timestamp. Linked to you in theory via the IP address. Purpose: security, abuse prevention, debugging. Legal basis: legitimate interest (Art. 6.1.f GDPR). Retention: 30 days.
2.3 Data received from third parties
- Apple App Store / Google Play. When you purchase a subscription, the relevant store provides us with a receipt confirming the purchase, a purchase token, and the product identifier. We do not receive your full name, payment card details, or your store account email from the store.
- Authentication provider. Verifies your identity and provides a stable user identifier. We do not receive your password or social-login credentials.
2.4 What we do not collect
- We do not request the Apple App Tracking Transparency permission and we do not collect the IDFA / IDFV.
- We do not use advertising identifiers, advertising SDKs, or third-party tracking pixels.
- We do not share data with data brokers.
- We do not sell personal information, in the sense of the CCPA or otherwise.
- We do not perform automated decision-making with legal effects on you (Article 22 GDPR).
- We do not use your content to train any machine-learning model.
3. Device permissions LifeLines requests on iOS and Android
The application requests the following operating-system permissions only at the moment a feature that needs them is first used. The on-screen permission prompts state, in plain language, what the permission is used for.
- Photo library (read, selected items only). Used when you choose to attach a photo to an event, journal entry or workout. We read only the photos you explicitly pick.
- Camera. Used only when you choose "Take a photo" inside the application. Camera frames are not transmitted or recorded beyond the photo you choose to save.
- Push notifications. Optional. Off by default. Used for the reminders you configure (for example: a weekly journal reminder).
- Apple Health (HealthKit) / Google Fit. Optional. Off by default. If you enable an import, we request read access only to the specific HealthKit / Fit data types you select (typically: workout sessions, body weight). Data read from HealthKit is processed solely to display and store it inside the application for your personal use, is never used for advertising, is never sold, and is never shared with third parties for their own purposes — consistent with the App Store Review Guidelines §5.1.3 (Health and Health Research).
4. How we use your data
- Provide, maintain and secure the Service.
- Sync your encrypted content across your devices when you enable cloud sync.
- Process subscription state received from Apple and Google.
- Respond to support requests.
- Improve the Service via aggregated, anonymous usage analytics (with opt-out).
- Diagnose crashes and bugs.
- Comply with legal obligations (accounting records, lawful requests from competent authorities).
5. Processors and third-party services
We engage the following processors under written agreements meeting Article 28 GDPR. Each is engaged for a single, specific purpose, and is contractually bound not to use personal data for its own purposes.
- Authentication. Clerk, Inc. — account creation, authentication, session management. Data processed: email address, account identifier. Country of processing: United States. Transfer mechanism: EU-US Data Privacy Framework and Standard Contractual Clauses. clerk.com/privacy.
- Product analytics. PostHog Inc. — anonymous usage analytics. Data processed: pseudonymous event identifier, screen views, feature events. Country of processing: European Union (EU data residency configured). posthog.com/privacy.
- Crash and error reporting. Functional Software, Inc. d/b/a Sentry — diagnostic stack traces. Data processed: pseudonymous event identifier, stack trace, OS / device model / app version. Country of processing: United States. Transfer mechanism: EU-US Data Privacy Framework and Standard Contractual Clauses. sentry.io/privacy.
- Subscription management. RevenueCat, Inc. — purchase validation, entitlement state, subscription event hooks. Data processed: pseudonymous user identifier, purchase token, product identifier, subscription status. Country of processing: United States. Transfer mechanism: EU-US Data Privacy Framework and Standard Contractual Clauses. revenuecat.com/privacy.
- Backend infrastructure (encrypted content storage and API hosting). Self-hosted on infrastructure rented from BrainStorm Network Inc. (operating as OneProvider), with the server physically located in a Paris-area datacenter. Country of processing: France (EU). oneprovider.com.
- App distribution and in-app payments. Apple Distribution International Ltd. (App Store, iOS) and Google Commerce Limited (Play Store, Android). Each acts as a separate data controller for the payment transaction and provides us with the receipt and subscription state. Their respective privacy policies apply to the data they collect during the purchase.
We update this list when we add or remove a processor. Material changes are announced in-app at least 14 days before they take effect.
6. Legal basis for processing (Article 6 GDPR)
- Contract (Art. 6.1.b): creating and maintaining your account, storing and syncing your content, operating your subscription.
- Legitimate interest (Art. 6.1.f): anonymous usage analytics, crash diagnostics, support handling, security and abuse prevention. You may object to any processing based on legitimate interest by contacting us; the in-app analytics opt-out is the primary exercise of that right.
- Legal obligation (Art. 6.1.c): retaining accounting records under French commercial law; responding to lawful requests from competent authorities.
- Consent (Art. 6.1.a): for permissions that require explicit user authorisation under the App Store / Play Store policies (HealthKit / Fit access, push notifications, photo library, camera). Consent can be withdrawn at any time in the operating-system settings.
7. International transfers
Most processing happens in the European Union (backend in France, PostHog with EU data residency). Some processors — Clerk, Sentry and RevenueCat — are based in the United States; the corresponding transfers are governed by the EU-US Data Privacy Framework adequacy decision (Decision (EU) 2023/1795) and, as a secondary safeguard, by the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914).
Apple and Google process payment transactions through their own group entities; those flows are governed by each store's published privacy policy.
8. Data retention
- Account and user content: retained until you delete your account.
- Operational database backups containing user content: retained for 30 days after account deletion, then permanently erased.
- Subscription and billing records: retained 10 years under Article L123-22 of the Code de commerce.
- Support communications: retained 3 years after the last contact.
- Crash reports: retained 90 days.
- Raw analytics events: retained 12 months; aggregated, non-identifying counts retained indefinitely.
- Web-server access logs: retained 30 days.
9. Your rights (GDPR Articles 15 to 22)
You have the right, free of charge, to:
- Access the personal data we hold about you (Art. 15 GDPR).
- Rectify inaccurate or incomplete data (Art. 16 GDPR).
- Erase your data — the "right to be forgotten" (Art. 17 GDPR).
- Restrict processing (Art. 18 GDPR).
- Object to processing based on legitimate interest (Art. 21 GDPR).
- Data portability — receive your data in a structured, commonly-used, machine-readable format (Art. 20 GDPR).
- Define directives regarding the fate of your personal data after your death (Article 85 of loi n° 78-17).
- Lodge a complaint with the French data-protection authority (CNIL — cnil.fr) or your local supervisory authority.
To exercise these rights, use the in-app controls (Profile → Settings → Export my data / Delete Account) or write to contact@parwanas.com with the subject line "GDPR — DSAR". We respond within 30 days. We may ask for proof that the request comes from you.
10. Children's privacy
In France, a minor may consent on their own behalf to the processing of personal data only from 15 years old, per Article 7-1 of the Loi Informatique et Libertés (loi n° 78-17 as amended by loi n° 2018-493 of 20 June 2018). Below 15, valid consent requires authorisation by the holder of parental responsibility. The threshold varies between 13 and 16 across the EU per Article 8 GDPR.
The Service is not directed at children below the applicable threshold for their jurisdiction. We do not knowingly collect personal data from such children without parental consent. If we become aware that we have collected data from a child below the applicable threshold without verifiable parental consent, we will erase that data.
11. Security (Article 32 GDPR)
We implement technical and organisational measures appropriate to the risk associated with the processing, including:
- TLS 1.2+ encryption for all data in transit between the application and our backend.
- Encryption at rest of user content on the device and on the backend.
- Access control on the backend: least-privilege production access, audit logs of administrative actions.
- Regular dependency and vulnerability monitoring on the application and the backend.
- Documented incident-response procedure aligned with the 72-hour breach-notification obligation under Article 33 GDPR.
No system can be guaranteed to be fully secure; if you believe you have found a security issue, please write to contact@parwanas.com with the subject line "Security".
12. Cookies on parwanas.com
This website (parwanas.com) does not set tracking cookies, does not run analytics, and does not embed third-party scripts. The only HTTP requests triggered by visiting a page on this site are to our own origin. No consent banner is required because no processing covered by Article 82 of the Loi Informatique et Libertés is performed. The LifeLines mobile application is a native application and does not use browser cookies.
13. Changes to this policy
We post material changes here with the "Last updated" date refreshed. Where the change is material (for example: the addition of a new processor or a new category of personal data), we additionally notify you in-app at least 14 days before the change takes effect.
14. Contact
Data controller: PARWANAS, 60 RUE FRANCOIS IER, 75008 PARIS, France.
Email: contact@parwanas.com
For data-subject requests: same address with subject line "GDPR — DSAR".
Supervisory authority: CNIL — cnil.fr.