Privacy Policy

Effective May 15, 2026 — last updated May 15, 2026

1. Introduction

This Privacy Policy describes how Bartłomiej Ćwiąkała, a sole proprietor (Jednoosobowa Działalność Gospodarcza) registered in Poland (NIP 8851638988, REGON 367176810, registered address: KOLONIA 31, 57-400 Dzikowiec, województwo dolnośląskie, Poland) collects, uses, stores, and shares your personal data when you use the unfucg web application at unfucg.com and the Unfucg iOS app (collectively, the “Service”).

We've written this policy in plain language because the General Data Protection Regulation (GDPR) Article 12(1) requires it. Where we cite a specific legal article, we link to it so you can verify the source.

Definitions (per GDPR Article 4):

  • Personal Data — any information relating to an identified or identifiable natural person.
  • Processing — any operation performed on personal data (collection, storage, use, transmission, deletion, etc.).
  • Controller — the entity that determines why and how personal data is processed. For unfucg, that's us.
  • Processor — a third party that processes personal data on our behalf (e.g. our hosting provider).
  • Special Category Data — sensitive data such as health information, given heightened protection by GDPR Article 9.

2. Data Controller

The data controller for the purposes of GDPR Article 4(7) is:

  • Bartłomiej Ćwiąkała — sole proprietor (JDG)
  • NIP: 8851638988
  • REGON: 367176810
  • Address: KOLONIA 31, 57-400 Dzikowiec, województwo dolnośląskie, Poland
  • Privacy contact: support@unfucg.com

We are not required to appoint a Data Protection Officer under GDPR Article 37, because we are a small business that does not engage in large-scale systematic monitoring or large-scale processing of special category data as a core activity. The privacy contact above handles all inquiries directly.

3. Categories of personal data we collect

We collect the following categories of personal data:

  • Account data — your email address and a hashed password. Hashing is performed by Supabase Auth (Argon2); we never see your plaintext password.
  • Profile data — name, age, sex (biological, used for health calculations), main longevity goal, list of connected wearables (e.g. Oura, WHOOP), preferred locale, and quiz answers from onboarding.
  • Health data — special category under GDPR Article 9 — bloodwork uploads (PDF/CSV files), biomarkers extracted from those files, training metrics (sets, reps, load, RPE), sleep / heart-rate variability / recovery / strain data fetched from connected wearables, and any health goals you set. This receives the highest level of protection (see Section 13).
  • Chat content — your questions to the AI, AI responses, and queries you send via the “war-room” multi-expert interface, plus optional feedback (thumbs up/down) on AI replies.
  • Behavioural data — bookmarks, episode views, expert follow lists, training plan progress, daily-task completion.
  • Device data — Apple Push Notification service (APNs) tokens, app version, bundle identifier, device locale, iOS version (derived from the User-Agent header), and the timestamp of last registration. Stored in our user_devices table to deliver push notifications.
  • Payment data — handled entirely by Stripe (web subscriptions) and Apple (iOS in-app purchases). We never receive or store full card numbers. We only store: your Stripe customer ID, your Apple original_transaction_id, your subscription tier, and renewal/cancellation status.
  • Communications — bug reports you submit (including the description, optional screenshot/log, app version, device, iOS version), support emails, and any messages you send us.
  • Technical data — IP address (used for rate-limiting and abuse prevention), user-agent string, request timestamps, and error logs (stored in our app_errors table for debugging).
  • Analytics data — aggregated, first-party event data (page views, feature interactions, session duration). We do not embed third-party advertising pixels or cross-site trackers.

4. How we collect data

We collect personal data in three ways:

  • Directly from you — when you register an account, fill out your profile, take the longevity quiz, send a chat message, upload a bloodwork file, log a workout, follow an expert, or submit a bug report.
  • Automatically — through cookies, server logs, the iOS shell's push-token registration, and first-party analytics events (e.g. which page you viewed and when).
  • From third parties — Stripe webhooks (subscription status), Apple App Store Server Notifications (iOS purchase status), and OAuth-connected wearable providers Oura and WHOOP (sleep, HRV, strain, recovery — only after you explicitly authorise the connection).

5. Why we process data (legal basis under GDPR Article 6)

GDPR Article 6 requires us to identify a lawful basis for every processing operation. Per data category:

  • Account & profile data — Article 6(1)(b): performance of the contract you enter when you sign up.
  • Health data — Article 9(2)(a): your explicit consent. You give this consent by uploading bloodwork, connecting a wearable, or entering health metrics. You may withdraw consent at any time via Settings → Health → Delete Health Data, which removes the data without affecting the rest of your account.
  • Chat content — Article 6(1)(b) for performance of the contract (so we can deliver an answer), and Article 6(1)(f) legitimate interest in improving the Service via aggregate quality analysis. We do NOT use your chat content to train any AI model. Your messages are sent only to the AI provider that generates the response (see Sub-processors), and they are governed by that provider's zero-retention contract terms.
  • Behavioural & analytics data — Article 6(1)(f): legitimate interest in improving and securing the Service. You may object under Article 21 (see Section 9).
  • Marketing emails (e.g. weekly digest) — Article 6(1)(a): consent. You can unsubscribe from any email or via Settings → Notifications.
  • Payment & invoice records — Article 6(1)(b) performance of contract, and Article 6(1)(c) compliance with a legal obligation (Polish accounting / tax law requires retention of invoice data for at least 5 years).
  • IP-based abuse prevention — Article 6(1)(f): legitimate interest in protecting the Service from fraud, brute-force attacks, and credential stuffing.

6. Sub-processors

We use the following sub-processors. For each non-EU sub-processor, the legal mechanism for international transfer is the European Commission's Standard Contractual Clauses (SCCs, Decision 2021/914), supplemented where applicable by the EU-US Data Privacy Framework (adequacy decision of 2023-07-10).

| Provider | Purpose | Location | Privacy / DPA |
|---|---|---|---|
| Hetzner Online GmbH | Application hosting, server infrastructure | Germany 🇩🇪 (EU) | Policy |
| Supabase, Inc. | PostgreSQL database, authentication, file storage (bloodwork PDFs) | USA / EU regions; SCCs in place | Policy |
| Anthropic PBC | AI chat model (Claude family); processes chat content; zero-retention enterprise terms | USA; SCCs + DPF | Policy |
| OpenAI, L.L.C. | AI chat model (GPT family); reached via OpenRouter; zero-retention API terms | USA; SCCs + DPF | Policy |
| OpenRouter, Inc. | AI request routing layer between us and Anthropic / OpenAI / others | USA; SCCs | Policy |
| Stripe, Inc. / Stripe Payments Europe Ltd. | Web subscription processing (card payments) | USA + Ireland 🇮🇪 (EU); SCCs + DPF | Policy |
| Apple Inc. | iOS in-app purchases, Apple Push Notification service (APNs) | USA; SCCs + DPF | Policy |
| Resend, Inc. | Transactional email (sign-up confirmation, password reset, weekly digest) | USA; SCCs + DPF | Policy |
| Ōura Health Oy | Wearable data sync (sleep, HRV, readiness) — only when you connect | Finland 🇫🇮 (EU) | Policy |
| WHOOP, Inc. | Wearable data sync (recovery, strain, sleep) — only when you connect | USA; SCCs + DPF | Policy |

You can request a copy of our Standard Contractual Clauses with any sub-processor by emailing support@unfucg.com.

7. International data transfers

Some of our sub-processors are located outside the European Economic Area (EEA), primarily in the United States. We transfer your personal data to these countries on the basis of:

  • Standard Contractual Clauses (Decision 2021/914) — a European Commission-approved set of contractual safeguards.
  • The EU-US Data Privacy Framework (adequacy decision of 2023-07-10) — for sub-processors certified under the framework (currently Anthropic, OpenAI, Apple, Stripe, Resend).
  • Your explicit consent, where neither of the above applies (Article 49(1)(a)).

You may request a copy of the safeguards we rely on for any specific transfer by emailing the address in Section 18.

8. Data retention

We keep personal data only as long as necessary for the purposes for which it was collected, plus any legal-obligation period.

  • Account data — for the lifetime of your account, deleted within 30 days of account deletion (backups overwritten within 90 days).
  • Health data — for the lifetime of your account, deleted on demand at any time via Settings → Health → Delete Health Data.
  • Chat content — retained for 90 days for active users to power conversation history; deleted earlier on request.
  • Payment & invoice records — 5 years (Polish accounting law obligation under the Ustawa o rachunkowości).
  • Bug reports & support emails — 2 years.
  • Marketing consent records — until you withdraw consent, plus 3 years for proof of compliance.
  • IP rate-limit & error logs — 30 days, then automatically purged.
  • Push tokens — until you log out of the device or 90 days of inactivity, whichever comes first.

9. Your rights (GDPR Articles 15–22)

If you are in the EEA, the UK, or Switzerland, you have these rights:

  • Right of access (Article 15) — request a copy of all personal data we hold about you. Use Settings → Export My Data, or email support@unfucg.com. Response within 30 days.
  • Right to rectification (Article 16) — correct inaccurate or incomplete data via Settings, or email us.
  • Right to erasure / “right to be forgotten” (Article 17) — delete your account from Settings, or email us. Response within 30 days. Exceptions: data we must keep to satisfy a legal obligation (e.g. invoices for tax purposes).
  • Right to restriction (Article 18) — ask us to limit processing while you contest accuracy or object.
  • Right to data portability (Article 20) — receive your data in a structured, machine-readable format (JSON). Available via Settings → Export My Data.
  • Right to object (Article 21) — object to legitimate-interest processing, including analytics. Email us.
  • Right to withdraw consent (Article 7(3)) — for any processing based on consent (health data, marketing emails). Has no effect on processing that occurred before withdrawal.
  • Right to lodge a complaint with a supervisory authority — in Poland, the Urząd Ochrony Danych Osobowych (UODO). You may also complain to the supervisory authority in your country of residence.

Exercising any of these rights is free of charge. If a request is manifestly unfounded or excessive (e.g. repetitive), we may charge a reasonable fee or refuse, per Article 12(5).

10. California rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), as amended by the CPRA, gives you additional rights:

  • Right to know — what categories of personal information we collect, why, and to whom we disclose it (this policy).
  • Right to delete — request deletion of personal information we've collected from you.
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt-out of sale or sharing — we do not sell or share personal information as defined by Cal. Civ. Code §1798.140(ad), and we have not sold or shared in the preceding 12 months.
  • Right to limit use of sensitive personal information — health data is used only to deliver the Service; you can delete it via Settings.
  • Right to non-discrimination — we will not deny service, charge a different price, or provide a different level of service because you exercised any CCPA right (per §1798.125).
  • Authorised agent — you may designate an authorised agent to make a request on your behalf. We will require proof of the agent's authorisation and verification of your identity.

To exercise these rights, email support@unfucg.com with subject line “CCPA Request”. We respond within 45 days.

“Shine the Light” (Cal. Civ. Code §1798.83): we do not disclose personal information to third parties for their direct-marketing purposes.

11. Children's privacy

The Service is not directed to children. We do not knowingly collect personal data from anyone under 16 (the GDPR Article 8 default for digital-services consent in the EU) or under 13 (the COPPA threshold in the US).

If you are a parent or guardian and believe a child has provided us with personal data, contact us at support@unfucg.com and we will delete the account and the data within 30 days.

12. Cookies and similar technologies

The web app uses a small set of strictly necessary cookies:

  • Supabase Auth session cookie — required to keep you signed in. Strictly necessary; no consent banner needed under the ePrivacy Directive Article 5(3) exception.
  • unfucg_locale — stores your preferred interface language (en / pl / es). Functional preference cookie.
  • unfucg_native — set by the iOS shell so the web app knows it's embedded in a native container. Strictly necessary for the iOS experience.
  • Cookie consent banner state — remembers that you dismissed the banner.

The iOS app uses no third-party tracking cookies, no cross-site or cross-app tracking, and no advertising identifiers. We do not trigger Apple's App Tracking Transparency (ATT) prompt because we do not engage in any activity that would require user permission under ATT.

13. Health data — special category

Health data — bloodwork, biomarkers, sleep, heart rate, recovery metrics, training load — is “special category data” under GDPR Article 9 and receives additional protection:

  • We process health data only on the legal basis of your explicit consent (Article 9(2)(a)).
  • We never use health data for marketing, advertising, or commercial profiling.
  • We never share health data with any third party other than the sub-processors strictly required to deliver the Service (Section 6).
  • We never use health data to train AI models, our own or anyone else's.
  • You can delete all health data without deleting your account, via Settings → Health → Delete Health Data.
  • Apple HealthKit integration is not yet enabled. When it ships, HealthKit data will only be read after you grant per-data-type permission in iOS, and per Apple App Store Review Guideline 5.1.3, HealthKit data will never be transmitted to our servers or shared with third parties without your explicit, separate opt-in for each sync.

14. AI and automated decision-making

We use AI models from Anthropic (Claude family) and OpenAI (GPT family), reached via the OpenRouter routing layer, to:

  • Answer your questions in chat using context from our knowledge base of expert content.
  • Generate summaries, episode briefs, and comparisons.
  • Power the “war-room” multi-expert query interface.

When you send a chat message, the message text and the relevant knowledge-base context are sent to the AI provider, which generates a response. The provider operates under zero-retention API terms — your messages are not stored by the provider beyond the time needed to generate the response, and are not used to train models.

We name these AI providers explicitly to comply with Apple App Store Review Guideline 5.1.2(i) (November 2025 update), which requires apps that share user data with third-party AI to disclose the providers in the privacy policy.

This is not automated decision-making within the meaning of GDPR Article 22 — the AI surfaces information from public expert content; it does not make decisions that produce legal effects or similarly significantly affect you. The Service does not provide medical advice, diagnosis, or treatment. Always consult a qualified healthcare professional.

15. Security measures

We implement the following technical and organisational measures:

  • Encryption in transit — TLS 1.3 for all client-server traffic.
  • Encryption at rest — AES-256 for databases and file storage (managed by Supabase + Hetzner).
  • Password hashing — Argon2id (Supabase Auth default).
  • Row-Level Security (RLS) — every user-data table enforces “you can only read your own rows” at the database layer.
  • Bearer JWT authentication with rotation and short token lifetimes.
  • Rate limiting per user, per IP, and per endpoint to mitigate abuse.
  • Secret management — environment-variable based, no secrets in source control.
  • Restricted access — only the data controller has production database access; access is logged.
  • Vendor diligence — every sub-processor is reviewed for a Data Processing Agreement and SCCs before being used.

16. Breach notification

In the event of a personal data breach, we will:

  • Notify the Polish supervisory authority (UODO) within 72 hours of becoming aware of it, per GDPR Article 33.
  • Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, per GDPR Article 34.
  • Provide timely notice to the California Attorney General and affected California residents, per Cal. Civ. Code §1798.82, where applicable.

17. Changes to this policy

We will update this policy when our processing practices change. Material changes (new sub-processors, new data categories, new purposes) are announced in-app and by email at least 14 days before they take effect. For changes that require a new legal basis (e.g. extending health-data processing to a new purpose), we will request renewed consent.

Continued use of the Service after the notice period constitutes acceptance of the updated policy. The “Effective” date at the top of this page reflects the latest version.

18. Contact

For any privacy-related question, request, or complaint:

  • Email: support@unfucg.com
  • Postal: Bartłomiej Ćwiąkała, KOLONIA 31, 57-400 Dzikowiec, Polska
  • Response time: 30 days (GDPR), 45 days (CCPA).

Polish supervisory authority for complaints: Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa.

See also our Apple App Store privacy labels for the data-collection disclosures we file with App Store Connect.