Privacy Policy Evaari

EVAARI — PRIVACY POLICY Effective date: November 2, 2025 Controller/Operator: “Evaari” (“Evaari,” “we,” “us,” “our”) Contact: [email protected] 1) Scope & Who We Are This Privacy Policy explains how Evaari collects, uses, shares, and protects personal information when you use our mobile apps, websites, and related services (the “Services”). By using the Services, you acknowledge this Policy. Well-being Notice (not medical/therapy): Evaari provides daily reflection, affirmations, and gamified motivation. We do not provide medical, psychological, or professional advice. If you are in crisis, call local emergency services (U.S.: 911 or 988 for the Suicide & Crisis Lifeline). 2) Personal Information We Collect A. Information you provide • Account & profile: email, display name, language, time zone, notification preferences. • Reflections: text input, voice notes and transcripts (speech-to-text), daily logs, goals, tags, and feedback. • Support messages: requests, bug reports, survey responses. B. Information collected automatically • Device & usage: IP address, device identifiers, OS/app version, settings, feature usage, crash/diagnostics, push token. • Approximate location: derived from IP/time zone (no precise GPS unless you explicitly allow it). C. Purchases & subscriptions • Plan type, renewal status, store receipts/tokens, trial status, country/currency. Payments are processed by Apple App Store or Google Play; we do not receive full card numbers. • Subscription analytics are processed with Adapty (to measure trials, renewals, churn and similar metrics). D. Information from partners (processors) • AI processing: OpenAI (GPT API) to analyze/refine reflections, generate feedback and affirmations. • Notifications & infrastructure: Firebase (including Firebase Cloud Messaging). • Subscription analytics & paywalls: Adapty. • Web analytics (if used on our site): privacy-respecting analytics and/or Google Analytics. E. Sensitive information & consent Your reflections may include sensitive information (e.g., health, beliefs, mental state). Where required by law, we rely on your explicit consent to process such data solely to provide the Services (analysis, feedback, progress visualization, and safety/abuse prevention). You can withdraw consent at any time (Section 10), though features relying on that processing will stop working. 3) How We Use Personal Information (Purposes & Legal Bases) • Service delivery (Contract/Legitimate Interests): create and maintain your account, run sessions, calculate scores/avatars, send confirmations, and provide support. • AI processing (Contract/Consent): send your texts/voice transcripts to OpenAI to analyze depth/intent and generate guidance/affirmations. • Communications (Legitimate Interests/Consent): transactional messages (e.g., purchase receipts, changes to terms/policies). Marketing messages only if you opt in; you may opt out anytime. • Analytics & improvements (Legitimate Interests/Consent): usage metrics via Adapty/Firebase to improve reliability, UX, and pricing; A/B testing. • Safety, fraud, and legal (Legal Obligation/Legitimate Interests): detect abuse, secure the Service, comply with law, and enforce Terms. 4) How We Share Information We share only what’s necessary with: • AI processor: OpenAI (GPT API) — prompts/transcripts strictly to fulfill your requests. Where available, we instruct providers not to use your data for training. • Infrastructure & analytics: Firebase (hosting, notifications, diagnostics), Adapty (subscriptions analytics), and similar service providers bound by contract. • App stores & payment partners: Apple App Store/Google Play for purchase validation, refunds, and fraud prevention. • Professional advisors & legal authorities: if required by law or to protect rights and safety. • Business transfers: in the event of a merger, acquisition, or financing, as permitted by law. We do NOT sell your personal information for money. Certain disclosures for analytics or cross-context behavioral advertising may be deemed “sharing” under CPRA; see Section 8 for your rights. 5) International Transfers Your information may be processed in the United States and other countries. Where required, we rely on Standard Contractual Clauses and similar safeguards. You may request copies (with redactions) at [email protected]. 6) Data Retention We retain information only as long as needed for the purposes above: account data while your account is active, logs/diagnostics for a commercially reasonable period, and generated content you saved until you delete it or close your account. 7) Security We employ administrative, technical, and organizational safeguards (encryption in transit, access controls, monitoring). No method is 100% secure. Use a strong password and keep your device updated. 8) Your Privacy Rights U.S. (e.g., CA, CO, CT, VA, UT): rights to know/access, delete, correct, opt out of sale/share and targeted advertising; non-discrimination. EEA/UK/Switzerland: rights to access, rectify, erase, restrict, portability, object, and withdraw consent where processing is based on consent. How to exercise: email [email protected] with “Privacy Request,” stating your country/state and request type. We may verify identity and use authorized agents where permitted. CPRA “Do Not Sell or Share”: email subject “Do Not Sell or Share My Personal Information.” We will make commercially reasonable efforts to honor Global Privacy Control (GPC) on the web where technically feasible. 9) Children’s Privacy The Services are not intended for children under 13 (or the age of digital consent where you live). If you are 13–17, a parent/guardian must review this Policy and consent to your use. Do not upload recordings of minors without verifiable parental consent. 10) Your Choices & Controls • Access, deletion, correction: email [email protected]. • Consent withdrawal (sensitive data): you may withdraw consent; affected features will stop working. • Marketing emails: use the unsubscribe link; push notifications can be disabled in device settings (transactional notices may still be sent). 11) AI Usage & Training Evaari does not use your reflections to train its own models. We instruct our AI vendor(s) (e.g., OpenAI) not to use your data for their training where such controls exist; see their policies for details. 12) Cookies/Tracking (Web) Our website may use cookies or similar tech for essential functions and analytics. Where required, we present a consent banner. You can adjust browser settings to refuse cookies (some features may not function). 13) Third-Party Links We are not responsible for third-party privacy practices. Review their policies before providing personal data. 14) Changes to This Policy We may update this Policy. Material changes will be notified in-app and/or by email. Continued use after the effective date constitutes acceptance. 15) California “Notice at Collection” Categories: identifiers (email, device IDs, IP), Internet activity (usage logs), commercial data (purchases/receipts), approx. location, audio/text content (reflections/voice transcripts), inferences (engagement), sensitive data (potential beliefs/health mood content). Purposes: service delivery, AI generation, analytics, communications, safety/fraud, legal compliance. Retention: as described in Sections 6–7. Selling/Sharing: no monetary sales; see Section 8 for CPRA opt-out. Contact: [email protected]