BreathClock
Privacy Policy
Effective date: February 24, 2026
BreathClock ("we", "us", "our") operates the BreathClock platform, including the meditation timer progressive web application (PWA) served at *.breathclock.com subdomains and custom domains, the tenant admin dashboard at my.breathclock.com, and the marketing site at breathclock.com.
This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
1. End-User Data (Meditation App Users)
1.1 Device-Local Session Data
All meditation session data — including session history, streaks, preferences, and settings — is stored exclusively on your device using browser-local storage (IndexedDB). This data is never transmitted to our servers. No account is required to use the meditation app.
1.2 Anonymous Aggregate Usage Events
When a meditation or breathwork session completes, a single anonymous event is sent containing only:
- Session type — timer or breathwork (no pattern details)
- Duration bucket — a range such as "5–10 minutes" (never the exact duration)
- Calendar date — date only, no time of day or timezone
These events are aggregated into daily counts per tenant at write time. Individual event records are not stored. We do not track:
- User identity or device identifiers
- IP addresses (explicitly discarded at the application level)
- Individual session details, breathwork patterns, or chime settings
- Location data
- Any data that could reconstruct individual habits
1.3 No Cookies or Tracking on the PWA
The meditation app does not use cookies, localStorage for tracking, or any third-party analytics scripts. Theme preferences and settings are stored in device-local IndexedDB and are never transmitted.
1.4 Optional Encrypted Backup
Users may opt in to an encrypted session backup feature. When enabled, session data is encrypted on-device using AES-256-GCM with a user-generated backup key before being stored on our servers. We cannot decrypt this data — only the user holds the decryption key, and it never leaves their device.
2. Tenant Data (Studio Owners and Coaches)
2.1 What We Collect
When you sign up as a tenant (studio owner, coach, or therapist), we collect:
- Email address
- Business name
- Billing information (processed by Stripe; we do not store card numbers)
- Branding configuration (colors, fonts, logo, favicon)
- Custom audio uploads (you are responsible for usage rights)
- Custom breathwork pattern configurations
2.2 How We Use Tenant Data
- Service delivery — rendering your branded app, processing billing
- Communication — transactional emails (magic links, onboarding, renewal notices)
- Aggregate reporting — anonymous usage summaries for your admin dashboard
- Platform health — error monitoring and service reliability
3. Sub-Processors
We use the following third-party services to operate the platform:
| Service | Purpose | Data Processed |
|---|---|---|
| Cloudflare | Infrastructure (D1 database, KV cache, R2 file storage, Pages hosting, Workers) | Tenant data, branding assets, aggregate usage data |
| Stripe | Payment processing | Tenant billing information |
| Resend | Transactional email | Tenant email addresses |
| Sentry | Error monitoring | Stack traces, request metadata (no user PII) |
We do not sell or share personal data with third parties for marketing purposes.
4. Data Retention
| Data Category | Retention Period |
|---|---|
| Anonymous usage events | 24 months, then auto-deleted |
| Tenant account data | Until deletion request + 30-day grace period |
| Authentication tokens | Magic links: 15 minutes; JWT blocklist: until original token expiry |
| Error logs (Sentry) | 90 days |
| Payment data | Per Stripe's retention policy |
5. Your Rights
5.1 End Users
Your session data is stored on your device and under your control. You can export your data as CSV or delete all data from Settings at any time. No request to us is needed — you have full control.
5.2 Tenants (GDPR)
If you are a tenant based in the EU/EEA, you have the right to:
- Access — export your usage data via the admin dashboard
- Deletion — delete your account via the admin dashboard; 30-day grace period applies
- Portability — export usage data in machine-readable format
- Rectification — update your business name and branding at any time
Account deletion removes all associated data from our systems: D1 database records, R2 files (logos, audio), KV configuration entries, and Stripe subscription.
5.3 Legal Basis for Processing
We process tenant data under contractual necessity (Article 6(1)(b) GDPR) for service delivery, and legitimate interest (Article 6(1)(f) GDPR) for aggregate usage reporting that helps tenants understand app engagement.
6. Cookies
The meditation PWA uses no cookies. The admin dashboard stores
authentication tokens in memory only (not in cookies or localStorage). A
referral tracking cookie may be set on the my.breathclock.com
domain during signup if an affiliate referral code is present (60-day expiry).
7. Analytics
We use Cloudflare Web Analytics, which is a cookieless, privacy-first analytics service. It does not use cookies, does not track individual users, and does not collect personal data.
8. Security
All data in transit is encrypted via HTTPS/TLS. Tenant data at rest is stored in Cloudflare's infrastructure with industry-standard security controls. Authentication uses short-lived magic links and JWT tokens with rotation and blocklist enforcement.
9. Children's Privacy
BreathClock is not directed at children under 13. We do not knowingly collect personal information from children. The meditation PWA collects no personal data from any user of any age.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to tenants via email. The effective date at the top of this page indicates when the policy was last revised.
11. Contact
For privacy inquiries, data subject requests, or questions about this policy, contact us at [email protected].