We built Withinly to help you reflect deeply, not to exploit your data.
This policy explains what data we collect, how we use it, who we share it with, and your rights.
1. What We Collect
Account & Identity
- Email address — for login and communication
- Name (if provided) — to personalize your experience
- Password — stored securely (hashed, never readable)
Your Reflections & Insights
- Assessment responses — your answers to trait questionnaires
- Reports & insights — generated based on your responses
- Chat conversations — your messages with the AI consultant
- Goals & notes — anything you save in the app
Usage Data (Anonymous)
- Device type, operating system, browser
- Which features you use (traits completed, reports generated, chat usage)
- Session data (when you log in, how long you use the app)
- No IP addresses stored — we anonymize this data
Payment Data
- Transaction records — what you purchased and when
- Payment details — handled securely by Stripe (we never see your card numbers)
Partner Sync Data (If You Connect)
- Partner connection — the fact that you're synced with someone
- Couple reports — synthesized insights about your relationship patterns
- Note: Your individual traits and chat history stay private, even from your partner
2. How We Use Your Data
To Provide the Service
- Generate your trait assessments and reports
- Power the AI consultant with context about your patterns
- Save your progress and let you revisit insights
- Process payments through Stripe
To Improve Withinly
- Analyze usage patterns to improve features (anonymously)
- Identify bugs and technical issues
- Understand which features are most valuable
To Communicate With You
- Send account-related emails (login, password reset)
- Notify you of important updates (via Mailjet)
- Respond to your support requests
3. Who We Share Data With
We share your data with these services to make Withinly work:
AI Processing
OpenAI — We send your messages and trait data to OpenAI's API to generate insights and power the AI consultant.
- What they get: Your reflections, questions, and context needed for responses
- What they don't do: Train AI models on your data (per OpenAI's API terms)
- Where: OpenAI processes data in the US but complies with EU data protection standards
Payment Processing
Stripe — Handles all payment transactions securely.
- What they get: Email, payment details, transaction info
- What we never see: Your credit card numbers
- Where: Stripe is GDPR-compliant and processes securely
Analytics
Mixpanel — Helps us understand how people use Withinly (anonymously).
- What they get: Anonymous usage patterns (features clicked, time spent)
- What they don't get: Your actual reflections, messages, or personal insights
- Privacy: We anonymize identifiers before sending to Mixpanel
Email Delivery
Mailjet — Sends you account emails and updates.
- What they get: Your email address and message content we send you
- What they don't do: Use your email for marketing outside Withinly
Data Storage
MongoDB (AWS EU-Central) — Your data is stored in European data centers.
- Where: EU-Central region for GDPR compliance
- Security: Encrypted connections, regular backups
4. What We DON'T Do
- ✗ We don't sell your data — ever, to anyone
- ✗ We don't use your reflections to train AI models
- ✗ We don't share your personal insights with third parties (except the services above, which need them to function)
- ✗ We don't track you across other websites or apps
5. How We Protect Your Data
Security Measures
- Encrypted connections (HTTPS) — all data sent to/from Withinly is encrypted in transit
- Secure storage — data stored in EU data centers with modern security practices
- Password protection — your password is hashed and never stored in readable form
- Access controls — limited team access to user data, only when necessary for support
What You Should Know
- No system is 100% secure — we do our best, but online services have inherent risks
- You're responsible for keeping your password safe
- If you suspect unauthorized access, change your password immediately and contact us
Data Breaches
If a data breach occurs that affects your account:
- We'll notify you as quickly as possible (within 72 hours if required by law)
- We'll explain what happened and what data was affected
- We'll tell you what steps we're taking and what you should do
6. Your Privacy Choices & Rights
Access & Control
- View your data — see what data we have about you (contact us at hello@withinly.app)
- Delete your account — go to Profile → Delete Account
- All data deleted immediately (traits, reports, chat history)
- Some transaction records kept for legal/tax purposes (7 years)
- Couple reports deleted when either partner unlinks
- Clear chat history — delete your conversations anytime
- Export your data — request a copy of your data (contact us)
For EU Users (GDPR Rights)
You have the right to:
- Access your personal data
- Correct inaccurate information
- Delete your account and data
- Export your data in a readable format
- Withdraw consent (though this may require account deletion)
To exercise these rights: Email hello@withinly.app
Response time: Within 30 days
7. Data Retention
Active Accounts
- We keep your data as long as your account is active
- You can delete specific items (chat messages, reports) anytime
Deleted Accounts
- Personal data deleted immediately when you delete your account
- Transaction records kept for 7 years (legal/tax requirement)
- Backups purged within 90 days
Partner Sync
- When either partner unlinks, couple reports are deleted immediately
- Both partners lose access to shared insights
- Individual traits and chat history remain in each person's private account
8. Children's Privacy
Withinly is not intended for anyone under 16.
- We don't knowingly collect data from children under 16
- If you're under 16, please don't use Withinly
- If we learn we've collected data from someone under 16, we'll delete it immediately
9. International Data & GDPR Compliance
Where Your Data Lives
- EU users: Data stored in EU-Central (AWS Frankfurt region)
- Non-EU users: Currently also stored in EU-Central
Data Transfers
- OpenAI processing: Your data may be processed in the US for AI generation
- Legal basis: OpenAI complies with EU-US data protection frameworks
- Your control: By using Withinly, you consent to this processing
10. Changes to This Policy
- We may update this Privacy Policy as Withinly evolves
- You'll be notified in-app when changes occur
- Continued use after accepting changes means you agree
- We'll never make changes designed to harm your privacy
Review the full policy at: withinly.app/privacy
11. Chat & Conversation Privacy
Your conversations with the AI consultant are private and secure:
What We Store
- Your messages and the AI's responses
- Conversation history to provide context in future chats
- Summaries to help maintain continuity
What We Don't Do
- We don't read your conversations (except if you request support)
- We don't share them with anyone
- We don't use them to train AI models
- We don't analyze them for marketing
Your Control
- Delete anytime — clear your chat history whenever you want
- Private by default — even from partners in Partner Sync
- Used for your benefit — only to provide better, more contextual support
12. Contact Us
Questions, concerns, or data requests:
Email: hello@withinly.app
We'll respond as quickly as we can (usually within 48 hours, legally required within 30 days for GDPR requests).
Summary
- We collect: Email, your reflections, chat history, usage data, payment info
- We use it for: Providing insights, improving the service, processing payments
- We share with: OpenAI (AI), Stripe (payments), Mixpanel (analytics), Mailjet (emails)
- We don't: Sell data, train AI on your reflections, track you elsewhere
- You can: Delete your account, clear history, request your data anytime
- We store: In EU data centers (GDPR-compliant)
We take your privacy seriously. This tool is built to help you grow, and trust is everything.