Privacy Policy
Last Updated: March 23, 2026
This Privacy Policy describes how EQ Flow, a product of Astrolabe Labs LLC ("we," "our," or "the Service"), collects, uses, protects, and shares your information when you use our emotional wellness platform. We are committed to protecting your privacy and giving you control over your data.
By using EQ Flow, you agree to the collection and use of information as described in this policy.
1. Information We Collect
1.1 Information You Provide
Account information:
- Email address, name, and password (hashed with bcrypt)
- Optional: profile photo, notification preferences
Emotional and wellness data:
- Check-in entries: emotions, intensity ratings (1-10), somatic awareness data (breathing, body, mind, energy scales), context categories, free-text notes
- Journal entries: free-text content and AI-generated theme analysis
- Vision statements: titles, descriptive text, target emotions
- Meditation sessions: duration, completion status, personal notes
- Pattern data: emotional sequences, triggers, trends detected by our system
Health & biometric data (optional, iOS only):
- If you enable Apple Health integration, EQ Flow reads: heart rate variability (HRV), resting heart rate, walking heart rate, heart rate, blood oxygen (SpO2), sleep analysis, step count, active energy burned, and exercise minutes
- Raw health values are processed entirely on your device — only qualitative interpretations (e.g., "HRV below your personal baseline") are sent to our servers
- This feature requires your explicit opt-in in Settings and consent via the iOS Health permissions dialog
- You can disable Apple Health access at any time in Settings — check-ins continue to work without it
Genetic data (optional):
- If you upload a raw DNA file (from AncestryDNA, 23andMe, or similar), EQ Flow extracts approximately 50 specific genetic markers (SNPs) entirely on your device. The raw DNA file is immediately discarded after extraction and is never transmitted to our servers, stored in any database, or shared with any third party — including our AI provider
- Only the extracted SNP results (e.g., genotype at specific markers) are stored locally on your device to provide phenotype confirmation, supplement protocol suggestions, and health insights
- Genetic data never leaves your device
- This feature requires explicit opt-in and cannot be activated without your direct action (file upload)
- You can delete all genetic data from your device at any time in Settings
Supplement tracking data:
- Supplement protocols are generated entirely on your device by a deterministic rules engine — no AI is involved in generating supplement suggestions
- Daily supplement adherence data (which supplements you checked off and when) is stored on your device and synced to our servers to enable cross-device access, streak tracking, and restock reminders
- Supplement adherence data is never transmitted to our AI provider or any third party
- Supplement suggestions are derived from your extracted genetic markers using published research — the rules engine does not use AI and operates without network access
1.2 Information Collected Automatically
- Usage analytics: screen views, session duration, feature interactions
- Device information: platform (iOS, Android, web), app version
- Error and performance data via Sentry (crash reports, stack traces)
- Check-in timestamps and frequency patterns
1.3 Information We Do NOT Collect
- GPS location or precise geolocation data
- Contacts, photos, or files from your device
- Browsing history or activity outside of EQ Flow
- Advertising identifiers or tracking pixels
- Raw health measurements from Apple Health — numeric values (heart rate, HRV, steps, etc.) never leave your device
- Raw DNA files — genetic data is processed entirely on your device and never transmitted to or stored on our servers
- Supplement adherence data shared with AI providers or third parties — adherence data synced to our servers is used only for your cross-device access and streak tracking
2. How We Protect Your Data
Your most sensitive data is protected with AES-256-GCM server-side encryption, the same standard used by banks and governments.
Encrypted (unreadable without your key):
- Journal entry text
- Check-in free-text notes and triggers
- Vision description fields (how it feels, experiences, things, imagery)
- Meditation session personal notes
- Sensitive AI analysis fields (insights, alignment notes, protective language notes)
Not encrypted (used to provide insights):
- Emotion selections from our predefined taxonomy
- Intensity ratings, base type (expansive/contractive)
- Context categories (work, relationships, health, etc.)
- Somatic data scales, word counts, timestamps
- AI-generated metadata: key themes, emotional tone, detected emotions, confidence scores
- Biometric interpretations from Apple Health (qualitative signals only, no raw values)
2.2 Health & Genetic Data Protection
- Raw biometric values from Apple Health are processed entirely on your device and never transmitted to our servers
- Only qualitative interpretations (e.g., "below baseline," "elevated") are stored server-side alongside your check-ins
- Health data is not stored in iCloud
- Health data is never used for advertising, marketing, or data mining
- Biometric interpretations follow the same retention and deletion policies as other check-in data
Genetic data protection:
- Raw DNA files are processed entirely on your device and immediately discarded after marker extraction
- Extracted genetic markers (SNPs) are stored only on your device, never on our servers
- Genetic data is never transmitted to our AI provider (Anthropic)
- Genetic data is never used for advertising, marketing, insurance underwriting, or data mining
- Genetic data is not included in data exports unless you explicitly request it
- We comply with the Genetic Information Nondiscrimination Act (GINA) — genetic information is never used for discriminatory purposes
- Phenotype classifications (e.g., "Architect," "Catalyst") may be stored on our servers to personalize your experience, enable cross-device access, and improve narrative reports. These labels do not contain genetic markers, alleles, or any data from which your DNA can be reconstructed. The same classifications can be derived from behavioral check-in data alone, without DNA
2.3 Key Derivation
- A master encryption key generates per-user keys via HMAC-SHA256
- Each user's data is encrypted with a unique key — compromising one key does not expose other users
- We cannot decrypt your content without the master key and your user identity
2.4 Additional Security Measures
- All connections encrypted with SSL/TLS (HTTPS)
- Hosted on SOC 2 compliant infrastructure
- Passwords hashed with bcrypt (never stored in plain text)
- JWT authentication tokens with 7-day expiry
- Optional biometric authentication and passkey (WebAuthn) support
- Optional two-factor authentication (TOTP) with backup codes
3. How We Use Your Information
3.1 To Provide the Service
- Display your emotional check-in history and patterns
- Generate AI-powered insights, pattern detection, and emotional maps
- Track growth, streaks, and progress toward your visions
- Personalize recommendations and meditation suggestions
3.2 AI Processing
We use Anthropic's Claude AI to analyze your emotional data:
- Check-in text is temporarily decrypted for analysis, then re-encrypted
- When Apple Health is enabled, qualitative biometric interpretations (not raw values) may be included to detect mismatches between your reported emotional state and body signals
- Raw health measurements (heart rate numbers, exact sleep hours, step counts) are never sent to any AI provider
- User identifiers are anonymized via SHA-256 hashing before being sent to AI
- Anthropic does not use your data to train their models
- Anthropic does not retain your data beyond the processing window
- Genetic data (SNP results) is never sent to any AI provider. Phenotype classification from DNA is performed entirely on-device using deterministic logic, not AI processing
- Supplement protocol generation is performed entirely on-device using a deterministic rules engine — it is not AI-generated and no supplement data is sent to any AI provider
3.3 To Improve the Service
- Aggregated, anonymized usage analytics to understand feature adoption
- Error tracking (Sentry) to fix crashes and bugs
- No individual user data is used for marketing or advertising
4. Information Sharing
4.1 What We Never Do
- Sell your personal data to third parties
- Share your data with advertisers
- Use tracking pixels or ad networks
- Share identifiable data without your explicit consent
- Share raw Apple Health data with any third party — raw values never leave your device
- Use health or biometric data for advertising, marketing, or data mining
4.2 Limited Sharing
We may share data only in these circumstances:
- With Anthropic (AI provider) — anonymized emotional data for analysis only
- With Sentry — anonymous error and crash reports
- With email service (Resend) — your email address for transactional emails only
- If required by law — in response to valid legal process (subpoena, court order)
Genetic & supplement data:
- Genetic data is never shared with any third party under any circumstance
- Raw DNA files never leave your device
- Extracted genetic markers never leave your device
- Supplement protocols are generated entirely on your device and never leave your device
5. Your Rights & Control
5.1 Access & Export
- Export all your data anytime from Settings in JSON format
- View all stored check-ins, journals, patterns, and insights in-app
- Request a copy of your data by emailing privacy@eqflow.app
- Genetic data is excluded from standard exports by default. You may request inclusion of your extracted SNP data in exports via Settings
- Delete all genetic data independently of your account at any time
5.2 Correction & Deletion
- Edit your profile information from Settings
- Delete individual check-ins, journal entries, or visions
- Delete your entire account from Settings or by emailing privacy@eqflow.app
- Upon deletion: account is immediately deactivated, all personal data permanently removed within 30 days, deletion is irreversible
- Data removed from backups within 90 days of deletion
- Certain anonymized records are retained as required by law (see Section 9)
5.3 Consent & Opt-Out
- Toggle anonymous data contributions on or off in Settings
- Disable notifications and reminders anytime
- Revoke access by logging out — JWT tokens expire after 30 days
6. Your Rights Under Texas Law
If you are a Texas resident, the Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, provides you with the following rights regarding your personal data:
Right to Know
You may confirm whether Astrolabe Labs LLC is processing your personal data.
Right to Access
You may request access to the personal data we have collected about you.
Right to Correction
You may request that we correct inaccuracies in your personal data.
Right to Deletion
You may request that we delete your personal data. You can also delete your account and all associated data directly from Settings within the app.
Right to Portability
You may request a copy of your personal data in a portable, readily usable format. Data export is available directly from Settings within the app.
Right to Opt Out
You may opt out of:
- The sale of personal data (we do not sell personal data)
- Targeted advertising (we do not engage in targeted advertising)
- Profiling that produces legal or similarly significant effects
Sensitive Data
Genetic data, health data, and biometric data are classified as sensitive data under the TDPSA. We process sensitive data (genetic markers, emotional check-in data, health integrations) only with your explicit consent, which you provide through affirmative actions such as uploading a DNA file, completing a check-in, or enabling Apple Health integration.
To Exercise Your Rights
Contact privacy@eqflow.app or privacy@astrolabelabs.com. We will respond within 45 days. If we need additional time, we will notify you of an extension of up to 45 additional days.
Appeals
If we decline your request, you may appeal by contacting us at the same email addresses. If your appeal is denied, you may file a complaint with the Texas Attorney General at texasattorneygeneral.gov.
7. Data Breach Notification
In the event of a data breach involving your health information, genetic data, or other sensitive personal data, Astrolabe Labs LLC will:
- Notify affected individuals within 60 calendar days of discovering the breach, as required by the FTC Health Breach Notification Rule (16 CFR Part 318)
- Notify the Federal Trade Commission if 500 or more individuals are affected
- Provide notification that includes: a description of the breach, the types of data involved, steps you can take to protect yourself, and contact information for Astrolabe Labs LLC
A "breach" includes any unauthorized acquisition or disclosure of identifiable health information, whether resulting from a cybersecurity incident, unauthorized access, or inadvertent disclosure.
Because genetic data and supplement adherence data are processed and stored entirely on your device and never transmitted to our servers, a server-side breach would not expose this data. However, this commitment applies to all health-related data within our systems, including emotional check-in metadata, pattern analysis results, and account information.
8. Affiliate Relationships & Supplement Links
EQ Flow may contain links to third-party retailers (such as Amazon, iHerb, Seeking Health, Thorne, and others) where you can purchase dietary supplements referenced in your personalized protocol.
Commission Disclosure
When you purchase products through links in EQ Flow, Astrolabe Labs LLC may earn a small commission from the retailer. This is at no additional cost to you.
Independence of Recommendations
Supplement recommendations are generated by our deterministic rules engine based on published genetic research and your individual genetic markers. Affiliate relationships do not influence which supplements are recommended, the forms suggested, the dosages indicated, or the brands displayed. Your protocol would be identical whether or not affiliate links are present.
You are not required to purchase supplements through links in the app. The same supplements are available from any retailer of your choice.
9. Account Deletion & Data Retention
You may delete your account at any time from Settings within the app or by emailing privacy@eqflow.app. Upon receiving your deletion request:
- Your account is immediately deactivated (no further login possible)
- All personal data is permanently removed from our servers within 30 calendar days
- Deletion is irreversible — we cannot recover your data after this period
Data We Retain After Deletion (Legally Required)
- Transaction and payment records: retained in anonymized form for up to 7 years from the transaction date, as required by U.S. tax law (26 USC 6501)
- Consent records: anonymized records that you accepted our Terms of Service and provided consent for genetic data processing, retained for up to 3 years after deletion
- Account lifecycle dates: your account creation and deletion dates, retained in anonymized form for up to 3 years
All retained records are anonymized using a one-way cryptographic hash. They cannot be linked back to your identity, email address, or any personal information.
Data Stored on Your Device
Genetic markers, supplement protocols, and pharmacogenomic data are stored only on your device and are not affected by server-side account deletion. Supplement adherence history is synced to our servers and will be deleted as part of account deletion. To remove device-only data:
- Go to Settings > Clear Genetic Data to remove genetic information
- Uninstall the app to remove all locally stored data
Data Not Retained
We do not retain your email address, name, check-in history, journal entries, pattern analysis, meditation history, circle memberships, or any other personal data after the 30-day deletion window.
Active Account Retention
- Active accounts: data stored as long as your account is active
- Inactive accounts: we may delete accounts inactive for 24+ months after notice
- Backups: removed from backup systems within 90 days of deletion
- AI processing logs: anonymized, no personal data retained by AI provider
10. Children's Privacy
EQ Flow is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a child under 18 has provided us with personal data, please contact us at privacy@eqflow.app and we will promptly delete it.
11. International Data Transfers
Your data may be processed and stored in the United States. By using EQ Flow, you consent to the transfer of your information to the United States and other jurisdictions where our service providers operate. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.
12. Cookies & Local Storage
- We use local storage (AsyncStorage) to store your authentication token and app preferences
- We do not use tracking cookies or third-party analytics cookies
- Session data is stored locally on your device and not shared
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notification at least 30 days before they take effect. Continued use after changes constitutes acceptance of the updated policy. The "Last Updated" date at the top reflects the most recent revision.
14. Contact Us
If you have questions about this Privacy Policy or your data, contact us at:
By using EQ Flow, you acknowledge that you have read, understood, and agree to this Privacy Policy.