This Privacy Policy describes how Online Presence Builder SRL (“RespirAIA”, “we”, “us”) processes personal data in the RespirAIA mobile app, the marketing website respiraiapp.com, and related services.
We process your data lawfully, transparently, and only as needed to provide and improve RespirAIA. We are based in Romania, but we serve users globally.
1. Who we are
Controller / merchant of record:
| Legal name | Online Presence Builder SRL |
| Registered office | Bd. Siderurgiștilor 15, Bl. SD10B, parter, Galați, România |
| Romanian fiscal code (CUI/CIF) | 35799807 |
| EU VAT number | RO45030362 (intra-community operations only) |
| Trade Register | J17/450/2016 · J2016000450170 |
| Sole administrator | Gabriel Ursan |
| Public contact | [email protected] |
Data Protection Contact: Gabriel Ursan, reachable at [email protected].
2. What we collect
You provide
- Account info (email, optional name, password — hashed via Clerk)
- Profile (locale, timezone, date of birth for age verification)
- Smoking profile (daily count, years used, cost per pack, FTND score)
- Reasons for quitting and triggers
- Quit attempts, urge events, journal entries
- AI coach conversations
Generated automatically
- AI coach summaries and embeddings (so your coach has context)
- Crisis event metadata — the fact that a message was flagged + which layer flagged it. We do not store the message text itself.
- Subscription state from RevenueCat (Apple IAP + Google Play)
- App-usage analytics (only if you consent — Amplitude EU)
- Crash logs (Sentry)
- Audit logs (action timestamps with hashed IP + user agent)
What we don’t collect
- Health-record-grade data (blood pressure, lab results, etc.)
- Facebook, Google Analytics, TikTok, or any ad-tracking SDKs
- We do not sell your data, ever.
3. Why we process it (legal basis)
| Provide the core service | Contract (GDPR Art 6(1)(b)) |
| Process health-related data (smoking profile, journal, coach) | Explicit consent (Art 9(2)(a)) |
| Detect and respond to mental-health crisis | Vital interests (Art 9(2)(c)) + your consent |
| Bill you for Premium | Contract |
| Send transactional emails | Contract |
| Send marketing emails | Consent — opt-in, opt-out anytime |
| Detect fraud and abuse | Legitimate interest (Art 6(1)(f)) |
| Comply with law (taxes, ANSPDCP requests) | Legal obligation |
4. Sub-processors
We use third-party services to run RespirAIA. Each has signed a Data Processing Agreement and processes data only on our instructions.
| Processor | Purpose | Region |
|---|---|---|
| Render | Compute, web service, cron, logs | EU (Frankfurt) |
| Cloudflare R2 | Object storage, backups, GDPR exports | EU jurisdiction |
| Clerk | Authentication | EU configured |
| Anthropic | AI coach + classifier (Claude Sonnet + Haiku) | EU endpoint |
| RevenueCat | Apple IAP + Play Store IAP unification | US (SCCs) |
| Brevo | Transactional + marketing email | EU |
| Amplitude EU | Product analytics (consent-gated) | EU (Frankfurt) |
| Sentry | Error tracking | EU region (de.sentry.io) |
| Cloudflare Web Analytics | Marketing site analytics — cookieless | Global edge |
For US-incorporated processors we rely on Standard Contractual Clauses (SCCs) per GDPR Chapter V. We do not sell or share your personal data with advertisers, data brokers, or marketing networks.
5. How long we keep it
| Account info, smoking profile, journal, coach conversations | Until you delete your account |
| Crisis event metadata | 24 months, then anonymized |
| Audit logs | 12 months |
| Backups | 90 days, rolling |
| Tax invoices | 10 years (Romanian tax law) |
| Marketing email opt-in | Until you unsubscribe |
6. Your rights (GDPR + UK GDPR)
- Access the personal data we hold about you (Art 15)
- Correct inaccurate data (Art 16)
- Delete your data (Art 17)
- Restrict processing (Art 18)
- Receive your data in a portable format (Art 20)
- Object to processing based on legitimate interest (Art 21)
- Withdraw consent at any time (Art 7(3))
- Lodge a complaint with your supervisory authority — for Romania, ANSPDCP at dataprotection.ro
Most rights are exercisable directly in the app (Settings → Privacy). You can also email [email protected]. We respond within 30 days, usually faster.
7. Children
RespirAIA is for adults 18 or older. We do not knowingly collect data from anyone under 18. If you become aware that a minor has registered, please email [email protected] and we will delete the account.
8. Cookies
The marketing website uses Cloudflare Web Analytics — a cookieless, privacy-respecting analytics service. We do not set marketing or third-party cookies on this site. The mobile app does not use cookies at all. See our Cookie Policy for the full list of essential technologies in use.
9. Security
We follow industry best practices: TLS 1.3 in transit, encryption at rest (AES-256-GCM envelope encryption for sensitive content), least- privilege access, audit logging, secrets in 1Password, signed-URL access for stored media, quarterly security reviews.
In the event of a personal data breach, we will notify the Romanian ANSPDCP within 72 hours where required, and notify affected users where the breach poses a high risk to their rights.
10. International transfers
When data leaves the EEA, we use Standard Contractual Clauses (Module 2, controller-to-processor) and require the recipient to offer GDPR-equivalent protection.
11. Changes to this policy
We update this Policy when our processing changes. Material changes are notified by email and via in-app banner; the “Last updated” date always reflects the latest version.
12. Contact
Privacy questions: [email protected].