Sthira Me — Privacy Policy

Effective: 17/05/2026 | Version: 1.3

Summary

We are Sthira Me Limited, the UK company behind the Sthira Me app and the website at sthira.me. We collect as little about you as we can. Most of what the app knows about you — your name, your age, the body areas you want to be careful with, your health-condition self-tags, your session history, your streak — lives only on your phone and never reaches us. The few things that do reach our systems (your email if you join the waitlist; your subscription record if you go paid; a crash report if the app falls over) are kept for the reason we said we'd keep them, for the time we said we'd keep them, and shared only with the small set of suppliers we need to run the service.

You can ask us at any time what we hold, ask us to correct it, or ask us to delete it. Email our contact form and a real person will reply within 30 days. If we ever get something wrong, you can also speak to the Information Commissioner's Office (ICO), the UK regulator. The full Policy below sets out what we collect, why, who we share it with, how long we keep it, and what your rights are — in plain English.

1. Who we are

Field	Value
Controller name	Sthira Me Limited
Companies House registration	17167227
Registered office	Moda Business Centre, Stirling Way, Borehamwood, Hertfordshire WD6 2BW, United Kingdom
ICO registration	ZC137409
Director	Alpesh Patel
Privacy contact	our contact form
Postal address for privacy correspondence	Moda Business Centre, Stirling Way, Borehamwood, Hertfordshire WD6 2BW, United Kingdom
Country of establishment	United Kingdom

We are the data controller for the personal information described in this Policy. That means we decide what to collect, why we collect it, and what we do with it. Where we use a supplier to handle data on our behalf, we say so below and we have a written agreement with each one (a "data processing agreement" under Article 28 UK GDPR).

We have not appointed a Data Protection Officer because the law does not require us to at our current scale. The named contact for any privacy question is our contact form and the founder reads every email sent to that address.

2. What we collect, why, and what allows us to

This section is the one most people care about, so we have laid it out as a table — one row per type of information, with the lawful basis we rely on under UK GDPR Article 6 (and Article 9 where the information concerns your health). The internal record behind this table is our Record of Processing Activities (RoPA), which our regulator can request at any time.

Field	Value
What	Your email address; the count of people you have invited via your unique share link; which UTM parameters you arrived under; the timestamp at which you signed up; a record of your consent.
Why	To send you the welcome email and the 5-Day Desk Reset PDF; to deliver any reward you unlock by sharing (founder pricing, 30-day trial, founding-member status); to email you on the day the app goes live; to send you the yearly progress letter we promised.
Lawful basis	Consent — Article 6(1)(a). You opted in by submitting the form. You can withdraw consent at any time using the unsubscribe link at the bottom of every email, or by emailing our contact form.
Special-category data	None at this stage.
How long	While you remain on the waitlist + a further 7 years from the end of our relationship with you, to satisfy HMRC's commercial-records requirement. We honour erasure requests within 30 days regardless.

2.2 Inside the iOS app — the personal stuff stays on your phone

Field	Value
What	Your chosen display name; your age band; the body areas you have asked us to be careful with; the health conditions you self-tag during onboarding; your goals; the equipment you have; your session history; your streak; your daily body check-in.
Why	So the session builder can pick practices that suit the body you have today, route around the areas you flagged, and respect the age-appropriate gating we promised.
Lawful basis	Consent — Article 6(1)(a) — for using the app at all. For the health-condition self-tags, which the law treats as special-category data, we additionally rely on Article 9(2)(a) — explicit consent given at the onboarding step.
Where it lives	On your phone only. This is the promise we make on our home page and on `sthira.me/privacy`: session history, streak count, body check-in responses, caution areas, health-condition selections and onboarding choices are stored locally using Apple's built-in storage (SwiftData with `FileProtectionType.complete`). They are not transmitted to us. We could not see them if we wanted to.
How long	For as long as the app is installed. If you delete the app, or if you tap Delete account in Settings, the data goes with it.

2.3 Apple HealthKit (optional)

Field	Value
What	Mindful minutes written from the app to Apple Health when you complete a session, if you grant the HealthKit permission. From v1.1, with your separate permission, we may also read sleep data to support the Sleep pillar.
Why	So your practice shows up in the Apple Health ecosystem you already use, and so the Sleep pillar (v1.1+) can adjust to your actual rest.
Lawful basis	Consent — Article 6(1)(a) — granted via the iOS HealthKit permission prompt, which you can revoke any time in iOS Settings → Privacy → Health.
Where it lives	Apple HealthKit on your device, plus Apple's iCloud sync if you have that switched on. We do not receive your HealthKit data.
How long	You control this through Apple Health and iOS Settings.

2.4 Subscription and payment

Field	Value
What	An anonymous subscription identifier from RevenueCat (our subscription platform); the product you are subscribed to; whether you are in trial, active, lapsed, or refunded. Your card details never come to us. Apple handles the payment on the App Store; we never see your card number, your billing address, or your bank details.
Why	To run the paid service: to know whether to unlock Sthira Me Pro features, to apply the refund window we offer (days 31–90 of an annual subscription), and to comply with HMRC's tax-records requirement.
Lawful basis	Contract — Article 6(1)(b) — to deliver the service you have paid for. Legitimate interest — Article 6(1)(f) — for fraud prevention and churn analysis, where the interest is balanced against your privacy.
How long	While your subscription is active + 7 years thereafter, to satisfy HMRC.

2.5 Feedback and suggestions you send us

Field	Value
What	The category of your feedback (one of five); the free text you wrote; the email address you optionally added; the version of the app you were using; an anonymous device hash.
Why	To improve the product. To run the suggester gratitude flow we describe at `sthira.me/suggest` (one thank-you, one heads-up if it lands, nothing else). To check eligibility for the annual-plan refund window.
Lawful basis	Consent — Article 6(1)(a) — you tapped Submit. Legitimate interest — Article 6(1)(f) — for the anonymised intent telemetry, where the interest is improving the app for the people who use it.
How long	24 months for active feedback content; aggregated, anonymised statistics indefinitely.

2.6 Behaviour analytics — opt-in, never on by default

Field	Value
What	If you turn analytics on (we ship with it off at v1.0), pseudonymised event data through PostHog: which screens you opened, how long sessions ran, which features you used. No body data, no health tags, no name. On the website, with your cookie consent, the Meta Pixel and the Pinterest Tag send event data (page view / lead form fill / subscription) to Meta and Pinterest respectively. Pre-consent, neither pixel fires.
Why	To understand whether the app is helping people, and to reach more of the people the app might help.
Lawful basis	Consent — Article 6(1)(a) — for both the in-app analytics toggle and the website cookie banner.
How long	PostHog: 12 months. Meta: 13 months for pixel data.

2.7 Crash and error reporting

Field	Value
What	Crash stack traces, your iOS version, your device model, the app version, and a pseudonymised user identifier. No emails, no names, no health data, no session content. Sentry strips personal data at the SDK level.
Why	So that when the app falls over we can fix it. App stability is a safety matter as much as a quality matter.
Lawful basis	Legitimate interest — Article 6(1)(f) — keeping a wellness app stable is necessary for the people who rely on it. The data is minimal and stripped of personal identifiers, so the balance is in favour of processing.
How long	90 days (Sentry default).

2.8 Email automations (Kit and UpViral)

Field	Value
What	Your email; your first name if you gave it; tags that record where you are in our journey (founding circle, tier-N sharer, paid member, etc.); whether you opened or clicked our emails.
Why	To send the autoresponder series we promised (welcome, 5-Day PDF, milestone rewards, gratitude flow for suggestions, journal digest, yearly progress letter, launch-day announcement).
Lawful basis	Consent — Article 6(1)(a) — at signup. We comply with PECR by including an unsubscribe link in every marketing email.
How long	While you are subscribed + 7 years thereafter for tax-records compliance. Engagement metadata: 24 months.

2.9 What we do not collect

We do not collect, and we have designed the system so that we cannot collect:

Your card details, your bank account, or your billing address (Apple handles all payment).
Your real name, beyond an optional first name in your email profile and the display name you choose in the app.
Your phone number.
Your address.
Your facial image or any biometric identifier.
Your contacts list, your photo library, your microphone (the app does not request these permissions).
Any third-party advertising identifier. There are no advertising SDKs in the app.

3. Special-category data — your health information

The health-condition self-tags you choose during onboarding count as special-category data under Article 9 UK GDPR, because they are information about your health.

We process this data on the basis of your explicit consent — Article 9(2)(a) — given when you tap through the onboarding step. We process it on your device only. It is never sent to our servers. It is not visible to us, to our suppliers, or to anyone else. The session builder uses it locally to pick exercises that suit you and to route around areas you have asked us to be careful with.

If a future feature would require us to process health-condition data outside the device, we will tell you what changes, ask for your separate consent, and complete a Data Protection Impact Assessment first. We will not change the deal after the fact.

4. In-app audio coaching

The voice you hear in Sthira Me coaching sessions belongs to the founder, Alpesh Patel. Voiceovers are pre-rendered against scripts we author — no user data (your name, check-in answers, health-condition tags, session history) is sent off-device to render audio. The audio you receive is finished media; nothing about you is transmitted to render it.

Future versions of the app may add named, credentialled teacher voices for new pillars. We will tell you what changes in this Privacy Policy before any such expansion ships.

We do not sell your information to anyone. We do not share it with advertisers. We share what we have to share with the following suppliers, each of whom has signed a written data processing agreement with us under Article 28 UK GDPR.

Supplier	What they do for us	Where they process	Safeguard
Cloudflare	Hosts sthira.me and our database (D1); protects against bot traffic	Globally at edge nodes	Standard Contractual Clauses (SCCs) in the Cloudflare DPA
Kit (formerly ConvertKit)	Sends our marketing and transactional emails	United States	SCCs + UK adequacy reliance on the EU–US Data Privacy Framework (DPF)
UpViral	Tracks waitlist referrals and fires reward emails	United States	SCCs + DPF
PostHog	Behavioural analytics (only if you opt in)	EU Cloud — data stays in the EU	SCCs are not required for the EU region
Meta	Marketing pixel on sthira.me (only if you accept marketing cookies)	United States	SCCs + DPF
RevenueCat	Manages your subscription state	United States	SCCs + DPF
Apple	App Store, payment processing, iCloud sync	Apple's global infrastructure	Apple's Article 28 framework as our processor and data controller for the App Store relationship with you
Sentry	Crash reporting	United States	SCCs + DPF
Microsoft 365	Founder mailbox and operational tooling	EU and global	Microsoft's enterprise DPA

We use Buffer to schedule social posts. Buffer does not process any data about app users — only marketing content created by us.

If we add a new supplier we will update this Policy and the underlying RoPA before the new supplier starts processing.

6. International transfers

Some of our suppliers are based outside the UK, mostly in the United States. When we send personal data outside the UK we rely on one or both of the following:

Standard Contractual Clauses approved by the ICO. These are the contractual safeguards UK GDPR allows for transfers to countries without an adequacy decision.
The UK extension to the EU–US Data Privacy Framework, which the UK Government recognises as providing adequate protection for transfers to certified US suppliers.

We review the transfer position when we onboard a new supplier and at least once a year thereafter. If a safeguard becomes unsound we will say so and look for an alternative.

7. How long we keep things

The retention periods sit alongside each row in §2 above, but to summarise:

Category	Retention
Waitlist email + signup record	While on the waitlist + 7 years post-launch (HMRC)
In-app personal data (on your device)	Until you delete the app or clear app data
HealthKit writes	You control via Apple Health
Subscription record	Active + 7 years (HMRC)
Feedback content	24 months active; anonymised aggregates indefinitely
Behaviour analytics (PostHog)	12 months
Marketing pixel data (Meta)	13 months
Crash reports (Sentry)	90 days
Email engagement metadata (Kit)	24 months

We honour an erasure request within 30 days regardless of these retention periods, except where we are required by law to keep something (mainly HMRC tax records and any data subject to a regulatory hold).

8. Your rights

UK GDPR gives you a set of rights over the information we hold about you. We will respond to any of the following within 30 days of receiving the request, free of charge in almost all cases:

Right	What it means	How to use it
Right to be informed (Articles 12–14)	The right to know what we collect and why.	This Policy is how we meet that obligation.
Right of access (Article 15)	The right to ask for a copy of what we hold.	Email our contact form.
Right to rectification (Article 16)	The right to ask us to correct anything wrong.	In the app: Settings → edit profile. On the website: our contact form.
Right to erasure (Article 17)	The right to ask us to delete what we hold.	Email our contact form. We delete from D1, Kit, UpViral, RevenueCat, PostHog, and Sentry.
Right to restrict processing (Article 18)	The right to ask us to pause while a question is being looked at.	Email our contact form.
Right to data portability (Article 20)	The right to receive a copy of your data in a structured machine-readable form.	In the app: Settings → Export (v1.1+). On the website: email our contact form.
Right to object (Article 21)	The right to object to processing based on legitimate interest, including direct marketing.	Use the unsubscribe link in any marketing email, or email our contact form.
Rights re automated decision-making (Article 22)	The right not to be subject to a decision based solely on automated processing.	We do not make automated decisions about you. If this ever changes, we will ask for your separate consent and offer a human-review route.

Withdrawing your consent does not affect anything we did with your information before you withdrew. It just stops us from doing anything new with it.

9. Cookies and similar technologies

We say more about cookies in our Cookies Notice at sthira.me/cookies. The short version: we use a small number of cookies to make the site work; we ask for your consent before we set anything for marketing or analytics; and you can change your mind through the cookie banner at any time.

10. Children and the under-13 flow

The Sthira Me app is designed for ages 4 to 75. We take the under-13 audience seriously.

For users under 13, the onboarding flow includes a parental gate before any practice begins. We process the under-13 user's information on the same on-device basis as any other user — nothing leaves the phone — and we ask the parent to confirm before the app proceeds.

We do not market the app to children. The waitlist, the social channels, the email list and the website are all intended for adult sign-up; we do not knowingly accept a waitlist signup from a person we believe to be under 13.

If you believe we hold information about a child under 13 that should not be there, email our contact form and we will remove it immediately.

11. Security

We use proportionate technical and organisational measures to protect what we hold:

TLS 1.3 for everything that moves over the network.
Encryption at rest on Cloudflare D1 (AES-256, Cloudflare-managed) and on iOS (FileProtectionType.complete, Apple-managed).
Cloudflare WAF + Turnstile + Rate Limiting to protect all sthira.me forms (waitlist signup, contact, suggestion, feedback) from automated abuse, plus a server-side honeypot field and input validation in our signup Worker. (Previously the waitlist form was hosted by Kit and used Google invisible reCAPTCHA v3; the form is now self-hosted on Cloudflare and reCAPTCHA no longer applies. Privacy Policy updated M-524 2026-05-28.)
API keys held in server environment variables; never in the client app, never in the public repository.
Sentry PII-stripped at the SDK level so crash reports do not carry your data.
No payment data ever touches our infrastructure — Apple handles everything.

No system is invulnerable. If anything happens that we believe puts your rights and freedoms at meaningful risk, we will tell you.

12. If something goes wrong — breach notification

If we discover a personal data breach, the law requires us to notify the Information Commissioner's Office within 72 hours of becoming aware of it (Article 33), and to notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34).

Our internal process for that — who detects, who assesses, who notifies, where it gets logged — sits in our breach register and our RoPA. The user-facing point is simple: if anything happens that affects you, you will hear from us, and you will hear from us promptly.

13. Changes to this Policy

We will update this Policy when something changes — a new supplier, a new feature, a change in how we process something. When we do:

The version number at the top of this Policy will increment (1.0 → 1.1, etc.).
The effective date will move forward.
For material changes — anything that affects what we collect or how we use it — we will email everyone on our list and surface an in-app notice.

We do not consider this a one-way obligation. If a Policy change does not work for you, your right to withdraw consent and ask for erasure is unchanged.

14. How to contact us

For anything privacy-related, email our contact form. The founder reads everything sent there.

By post:

Sthira Me Limited, Moda Business Centre, Stirling Way, Borehamwood, Hertfordshire WD6 2BW, United Kingdom

15. How to complain

If you are not happy with how we have handled a privacy question, you can complain to the UK regulator, the Information Commissioner's Office (ICO):

Information Commissioner's Office Wycliffe House Water Lane Wilmslow, Cheshire SK9 5AF United Kingdom 0303 123 1113 https://ico.org.uk/make-a-complaint/

We would prefer that you came to us first, because we would like the chance to put it right — but you are entitled to go directly to the ICO at any time.

Sthira Me Limited · Privacy Policy version 1.3.