Privacy Policy

Last updated: May 17, 2026 Effective date: May 17, 2026

This Privacy Policy explains how 1001511837 ONTARIO INC. ("Ameleva", "we", "us", "our") collects, uses, shares, and protects your personal information when you use the Ameleva mobile application and any related services (together, the "Service").

We are based in Canada and serve users globally, including in the European Economic Area (EEA), the United Kingdom, the United States, Canada, and Latin America. We comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and other applicable privacy laws.

If you have questions, write to contact@ameleva.com or use the contact form at https://ameleva.com/contact. Words like "Ameleva", "we", "us" and "our" refer to the same company throughout this Policy.

1. Who we are

Data Controller: 1001511837 ONTARIO INC. 1025 King Street East, Unit 107 Cambridge, Ontario, N3H 3P5 Canada Email: contact@ameleva.com Web: https://ameleva.com/contact

For users in the EEA and UK, this same entity acts as data controller. We do not currently maintain an EU representative because we do not meet the thresholds of GDPR Article 27. If those thresholds are met in the future, we will appoint and disclose one here.

2. What Ameleva is

Ameleva is an education and lifestyle mobile application offering:

short audio and text "scenes" (micro-learning lessons),
structured multi-day "journeys" (also referred to as multi-day challenges in earlier builds), covering Mind & Emotions, Productivity & Work, Communication, Relationships, and Healthy Habits,
daily journaling on user-defined templates,
custom habit tracking,
"moments" (private celebration cards for streaks and journey completions),
daily inspiration cards ("sparks") — short reflections and prompts you can save,
optional client-side encryption of your most sensitive entries.

Ameleva is listed under the Education category on the Apple App Store and Google Play, with Lifestyle as a secondary category on the App Store. It is an education and personal-growth product. It is not a medical device and not a substitute for professional mental health care. See our Terms of Use for the full disclaimer.

3. Personal data we collect

We collect only what we need to operate the Service. The categories below describe everything we collect today.

3.1 Identity and account data

Data	Source	Purpose
Email address	You, at sign-up	Account, login, password reset, transactional email
Full name (first + last)	You, at sign-up	Personalization, account management
Avatar URL	Optional, you	Profile display
Account password	You, hashed by our auth provider (Supabase)	Authentication
Language preference	Device + your selection	Localization
Device timezone	Device	Scheduling local notifications correctly

3.2 Behavioral and usage data

Data	Purpose
Last sign-in timestamp	Security, account recovery
Streak counters (current, longest, last activity date)	Display your progress
Action logs (completions of lessons and exercises)	Track what you finished
Custom habit logs (daily entries)	Habit tracking feature
Journey participation (joined, day-by-day completion, completed)	Journey progress
Onboarding completion flag	Skip onboarding on subsequent launches

3.3 Content you create ("user content")

Data	Encrypted?	Notes
Journal entries (free-form answers to your templates)	Optional client-side AES-256-GCM (see §6)	High-sensitivity by design
Custom journal templates	No	Your template structure is stored in plaintext
Custom habit definitions	No	Title, icon, configuration
Custom habit log values and notes	Optional client-side encryption	High-sensitivity by design
Action notes and reflection text	No	Free-form text you write while logging an action
Mood ratings (`hard`, `neutral`, `easy`)	No	See §4 — special category data
Feedback answers	Optional client-side encryption	Free-form responses to in-app questions
Personal notes	No	Your notes feature
Saved sparks (favorites)	No	References to public spark cards
Moment photos	No	Photos you optionally attach to a celebration card before sharing

3.4 Onboarding preferences

During onboarding we ask you about your interests and primary goal. Your answers (e.g., "sleep", "focus", "relationships") are stored in your account and used to personalize the feed. You may skip these questions and you may delete your account to remove them at any time.

3.5 Subscription data (via RevenueCat)

When you start a free trial or purchase a subscription, we use Apple In-App Purchase or Google Play Billing through RevenueCat (our subscription infrastructure provider). We store:

subscription status (trial, active, lapsed),
plan period (annual after the 7-day free trial, or monthly without trial),
trial start and end dates, grace period status,
the RevenueCat user ID (which is your Ameleva account UUID),
the product identifier and store (Apple App Store or Google Play),
payment events (renewals, cancellations, expirations) reported by RevenueCat webhooks.

We do not receive or store your credit card number, billing address, or full payment details. Those are handled by Apple or Google.

3.6 Notifications

Daily reminders, streak alerts, and journey reminders are scheduled locally on your device via the operating system. We do not currently use remote push notifications, so we do not collect or store push notification tokens on our servers.

3.7 Information we do not collect

To be explicit:

We do not collect your phone number, date of birth, postal address, or precise location (GPS).
We do not use third-party analytics SDKs (no Google Analytics, no Mixpanel, no Amplitude, no Firebase Analytics).
We do not use advertising SDKs and do not show third-party ads.
We do not currently use error-monitoring services in production.
We do not use AI/LLM features in the current production build. If we add them, this Policy will be updated and you will be notified.
We do not collect data from your contacts, calendar, photos (other than photos you explicitly attach to a moment), microphone, or camera (other than when you take a moment photo).

3.8 Age confirmation at signup

When you create an account, the signup screen asks you to confirm that you are at least the age of digital consent in your jurisdiction (see §12). You cannot complete signup without ticking that confirmation. If you provide false information about your age, we may suspend or delete the account when we become aware of it.

4. Special category (sensitive) data

Some of the content you create may reveal information about your mental, emotional, or physical health. Under GDPR Article 9 these are "special categories of personal data" and require an explicit legal basis.

Examples of fields where this data may appear:

Mood ratings on action logs (hard / neutral / easy)
Free-text journal entries and reflection text
Habit logs and custom habit notes
Feedback answers tied to Mind & Emotions or Healthy Habits content

Our basis for processing this data is your explicit consent (GDPR Art. 9(2)(a)). You give that consent by creating the content. You can withdraw consent at any time by deleting the entry, archiving the template, or deleting your account (see §10).

We strongly encourage enabling client-side encryption (§6) for these fields if you intend to record sensitive personal content.

5. Why we process your data and the legal basis (GDPR / UK GDPR)

Purpose	Legal basis
Create and maintain your account	Performance of contract (Art. 6(1)(b))
Deliver the Service (lessons, journeys, journals, habits, streaks)	Performance of contract (Art. 6(1)(b))
Process subscription, trial, and payment events	Performance of contract (Art. 6(1)(b))
Send transactional emails (password reset, email confirmation)	Performance of contract (Art. 6(1)(b))
Schedule local reminders and notifications	Your consent at OS level (Art. 6(1)(a))
Personalize the feed using your interests/goal	Your consent (Art. 6(1)(a))
Store sensitive content (mood, journals, habit notes)	Your explicit consent (Art. 9(2)(a))
Comply with legal obligations	Legal obligation (Art. 6(1)(c))
Protect the security of the Service and users	Legitimate interests (Art. 6(1)(f))

6. Optional client-side encryption

Ameleva offers an optional client-side encryption mode you can enable from Settings → Encryption.

We use AES-256-GCM with a 256-bit key derived from your encryption password via PBKDF2 (100,000 iterations, SHA-256, 16-byte salt, 12-byte nonce).
The key is derived on your device. We never receive your encryption password and we never receive the derived key. Without your password, encrypted entries cannot be decrypted.
When enabled, the following data is encrypted before being sent to our servers: journal entries, custom habit log values and notes, and feedback answers.
The following data is not encrypted even with encryption enabled: your email, name, account metadata, the structure (titles) of your templates and habits, your streak counters, and which actions/journeys you completed.
If you forget your encryption password, your encrypted content cannot be recovered. We have no key recovery mechanism by design.
Encryption is opt-in and disabled by default.

7. Who we share your data with

We share data only with the limited set of providers below, and only as necessary to deliver the Service.

7.1 Sub-processors

Provider	Role	Data shared	Location
Supabase Inc.	Backend database, authentication, file storage	All account and user-content data described in §3	United States (with EU regions available)
RevenueCat, Inc.	Subscription, trial and IAP infrastructure	Account UUID, subscription tier, trial dates, store, product identifier, purchase events	United States
Apple Inc.	App Store hosting, In-App Purchase processing on iOS	Purchase events, Apple ID-linked transactions	United States
Google LLC	Google Play hosting, Play Billing on Android	Purchase events, Google Account-linked transactions	United States
Email service used by Supabase Auth	Sends transactional emails on our behalf (confirmation, password reset)	Email address, user ID, transactional message body	United States

We sign data processing agreements (DPAs) with each sub-processor where required by law.

7.2 No sale, no rent, no advertising

We do not sell your personal information.
We do not rent your personal information to anyone.
We do not share your personal information with advertisers or data brokers.
We do not use your personal content (journals, notes, habit logs, mood, feedback) to train artificial-intelligence or machine-learning models, ours or anyone else's.

7.3 Legal disclosures

We may disclose personal information when required by valid legal process (court order, subpoena, regulatory request) or to protect the rights, property, or safety of Ameleva, our users, or others. Where legally permitted, we will notify you of such requests.

7.4 Business transfers

If 1001511837 ONTARIO INC. is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you and post a notice in the app before any change of controller takes effect.

8. International data transfers

Personal data is stored on servers operated by Supabase in the United States. RevenueCat is also located in the United States.

When personal data of EEA, UK, or Swiss users is transferred outside those regions, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) and the UK International Data Transfer Addendum, signed with our processors;
additional safeguards as needed (encryption in transit and at rest, access controls);
the adequacy decision for the United States under the EU-US Data Privacy Framework where the processor is certified.

For Canadian users, data transfers comply with PIPEDA. For California users, our processors are bound to the same protections we provide.

You can request a copy of the relevant transfer mechanism by writing to contact@ameleva.com or via https://ameleva.com/contact.

9. How long we keep your data

Data	Retention
Account data	While your account exists
User content (journals, habits, notes, logs, moments, journey progress)	While your account exists
Subscription history	While your account exists; financial/tax records may be retained up to 7 years where required by Canadian or local tax law
Authentication logs	90 days (managed by Supabase)
Backups	Up to 30 days after deletion before being purged from rolling backups

If you delete your account, we hard-delete your records (see §10). After hard deletion, residual copies in encrypted backup snapshots are purged on the rolling backup cycle within 30 days.

10. Your rights

Depending on where you live, you have the following rights regarding your personal data.

10.1 Universal rights (all users)

Access — get a copy of your personal data.
Rectification — correct inaccurate data.
Deletion — delete your account and personal content. You have four equivalent ways to do this:
1. From within the app: Today tab → profile icon → Account → Delete account.
2. By email to contact@ameleva.com from the address tied to your account.
3. Via our online contact form at https://ameleva.com/contact.
4. Via our public account-deletion page at https://ameleva.com/delete-account (no app install required).
Any of the four triggers a server-side function that hard-deletes your records across our database. Backup snapshots are purged on the rolling backup cycle within 30 days.
Portability — export your journal entries as Markdown, JSON, or PDF from the journal section. For other categories of data, request an export by emailing contact@ameleva.com or via https://ameleva.com/contact.
Withdraw consent — disable optional features (notifications, encryption, personalization) at any time from Settings.

10.2 EEA / UK additional rights (GDPR / UK GDPR)

Right to restrict or object to processing.
Right not to be subject to automated decision-making with legal or similarly significant effects (we do not perform such processing).
Right to lodge a complaint with your local supervisory authority. List at https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK users may complain to the ICO: https://ico.org.uk/.

10.3 California rights (CCPA / CPRA)

Right to know what personal information we collect, use, disclose, and the categories of sources and recipients.
Right to delete your personal information.
Right to correct inaccurate personal information.
Right to opt out of sale or sharing of personal information. We do not sell or share your personal information as those terms are defined under the CCPA. There is no need to opt out, but you may confirm by writing to us.
Right to limit use of sensitive personal information. We use sensitive personal information only as necessary to provide the Service you requested.
Right to non-discrimination for exercising your rights.

To exercise your rights, write to contact@ameleva.com from the email address linked to your account, submit a request at https://ameleva.com/contact, or use the in-app Delete account flow. We respond within 30 days (extendable to 90 days for complex requests under CCPA).

10.4 Canadian rights (PIPEDA)

You may request access to and correction of your personal information by writing to contact@ameleva.com or via https://ameleva.com/contact. You may also file a complaint with the Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca/.

11. Security

We protect your data with:

TLS 1.2+ for all network traffic between your device and our servers;
encryption at rest for our databases;
row-level security policies in our database so each user can access only their own rows;
PBKDF2 + AES-256-GCM client-side encryption for sensitive content when you opt in (§6);
secure storage on device for the encryption session key (iOS Keychain, Android Keystore) when encryption is unlocked;
principle of least-privilege access for our team to production data.

No system is perfectly secure. If we discover a personal-data breach affecting you, we will notify you and the relevant supervisory authority within 72 hours, as required by GDPR Art. 33-34 and equivalent laws.

12. Children

Ameleva is not directed to children under 13 and we do not knowingly collect personal data from anyone under 13. In the EEA, the age is 16 unless your local Member State law sets a lower digital age of consent (typically 13 to 16). You may not create an account if you are below the applicable age in your jurisdiction.

If you become aware that a child has provided us with personal information, please contact us at contact@ameleva.com or via https://ameleva.com/contact and we will delete the account.

13. Cookies and similar technologies

The Ameleva mobile app does not use browser cookies. The app stores small pieces of data on your device (preferences, your auth session token, your encryption salt if you enabled encryption) using standard mobile storage APIs. You can clear them by signing out, deleting your account, or uninstalling the app.

14. Third-party links and external content

The Service may include links to third-party resources (for example, regulator registries, helplines, or money-counselling charities mentioned in lessons). We are not responsible for the privacy practices of those third parties. Please read their privacy notices before sharing personal data with them.

15. Changes to this Policy

We may update this Privacy Policy as our Service evolves or as the law requires. The "Last updated" date at the top reflects the most recent revision. For material changes, we will notify you in-app or by email at least 30 days before they take effect.

16. Contact us

For privacy questions, complaints, or to exercise your rights:

1001511837 ONTARIO INC. 1025 King Street East, Unit 107 Cambridge, Ontario, N3H 3P5 Canada Email: contact@ameleva.com Web: https://ameleva.com/contact

This Privacy Policy is provided in English, French, and Spanish. In case of any conflict between versions, the English version prevails.

Your data, explained.