Legal

Privacy Policy

Effective: April 2026 Last updated: April 2026 Controller: Jakub Radziejewski, Kraków, Poland Contact: hello@overthinkr.me
Contents
  1. What data we collect and why
  2. How we use your data
  3. Third-party services
  4. AI features — Milo coach disclosure
  5. Data storage and security
  6. Community anonymity
  7. Children's privacy
  8. Data retention and deletion
  9. Your rights under GDPR
  10. Contact information
  11. Cookies and tracking
  12. Changes to this policy

1. What data we collect and why

We collect only what we need to provide the service.

Account data

  • Email address — to create and authenticate your account
  • First name — to personalise your experience
  • Legal basis (GDPR): Contract performance (Art. 6(1)(b))

Onboarding quiz answers

  • Overthinking type, severity level, worst time of day, duration, life impacts, and personal goal
  • Legal basis: Contract performance — this data powers your personalised plan

User-generated content

  • Thought dumps (text entries)
  • Worry vault entries
  • AI coach (Milo) chat messages
  • Community posts (stored anonymously — see Section 6)
  • Legal basis: Contract performance

Usage & behavioural data

  • Streak data, daily challenge completions, panic button usage logs
  • Legal basis: Legitimate interests (service improvement, personalisation)

Analytics data

  • Anonymised events: screen views, button taps, feature usage (via Mixpanel)
  • No personal content is ever sent to analytics
  • Legal basis: Legitimate interests

Subscription & payment data

  • Subscription status, purchase history (managed by Apple / RevenueCat)
  • We never see or store your payment card details
  • Legal basis: Contract performance

2. How we use your data

We use your data to:

  • Create and maintain your account
  • Deliver personalised overthinking support and daily challenges
  • Power Milo, your AI coach, by sending your messages to the Anthropic Claude API for processing
  • Categorise your thoughts and provide insights
  • Track your progress (streaks, challenge completions)
  • Manage your subscription
  • Improve the app using anonymised analytics
  • Send optional push notifications (only if you opt in)
  • Respond to support and data requests

We do not sell your data to third parties, show you advertisements, share your personal data with advertisers, or use your data to train AI models.

3. Third-party services

We work with the following trusted processors. Each has been selected for EU/GDPR compliance.

Firebase Authentication (Google LLC) USA — SCCs
PurposeSecure user authentication
DataEmail address, authentication tokens
Policypolicies.google.com/privacy
Supabase EU — Frankfurt
PurposeDatabase storage for all app data
DataAll user-generated content and profile data
Policysupabase.com/privacy
Anthropic USA — SCCs
PurposeAI processing for Milo coach and thought categorisation
DataChat messages and thought entries (processing only — not stored or used for training)
Policyanthropic.com/privacy
Mixpanel USA — SCCs
PurposeProduct analytics
DataAnonymised usage events only — no personal content, no message text
Policymixpanel.com/legal/privacy-policy
RevenueCat USA — SCCs
PurposeSubscription management and purchase tracking
DataSubscription status, Apple transaction IDs (no payment card data)
Policyrevenuecat.com/privacy
Superwall USA — SCCs
PurposePaywall A/B testing and conversion optimisation
DataAnonymised paywall interaction events
Policysuperwall.com/privacy

4. AI features — Milo coach disclosure

Overthinkr includes an AI coach called Milo, powered by Anthropic's Claude API.

How it works

  • When you send a message to Milo or submit a thought for categorisation, that text is transmitted to Anthropic's API for processing
  • Anthropic returns a response, which is displayed to you in the app
  • Your messages are used only for real-time processing — they are not stored by Anthropic and are not used to train any AI model

Important limitations

  • Milo is not a licensed therapist, psychologist, or medical professional
  • Milo's responses are AI-generated and may not always be accurate or appropriate
  • Milo should not be used as a substitute for professional mental health care
  • If you are in crisis, please contact a qualified professional immediately

If you are in crisis or experiencing a mental health emergency:

EU Emergency: 112

Poland — Telefon Zaufania dla Dorosłych: 116 123

International Association for Suicide Prevention: iasp.info

5. Data storage and security

Where your data is stored

  • Primary database: Supabase on AWS eu-central-1 (Frankfurt, Germany)
  • All data is stored within the European Union

How we protect your data

  • Encryption at rest: AES-256
  • Encryption in transit: TLS 1.2+
  • Row-Level Security (RLS) enforced at the database layer — you can only access your own data
  • Firebase Authentication handles session tokens securely
  • We conduct regular security reviews

International transfers: For processors based in the USA (Firebase, Anthropic, Mixpanel, RevenueCat, Superwall), transfers are made under the European Commission's Standard Contractual Clauses (SCCs) in accordance with GDPR Chapter V.

6. Community anonymity

Community posts in Overthinkr are designed to be anonymous:

  • Your posts are stored without any link to your user identity in the database
  • No username, email, or profile information is attached to community posts
  • Other users cannot identify you from your posts
  • Moderation is performed on post content only, not linked to personal accounts

Please do not include personally identifiable information in your community posts. We cannot be responsible for information you choose to share publicly.

7. Children's privacy

Overthinkr is not intended for use by anyone under the age of 13.

  • We do not knowingly collect personal data from children under 13
  • If you are between 13 and 18, we recommend using the app with parental guidance
  • If we become aware that a child under 13 has provided personal data, we will delete it promptly
  • If you are a parent or guardian and believe your child has provided us with personal data, please contact us at hello@overthinkr.me

8. Data retention and deletion

How long we keep your data

  • Account and profile data: retained for the duration of your account
  • User-generated content (thought dumps, worry vault, chat history): retained for the duration of your account
  • Analytics data: anonymised, retained for up to 24 months

Your right to deletion

You can request complete deletion of your account and all associated data at any time by emailing hello@overthinkr.me with the subject line "Data Deletion Request". We will confirm deletion within 30 days.

Data export

You can request a copy of all your personal data in JSON format by emailing hello@overthinkr.me with the subject line "Data Export Request". We will respond within 30 days.

9. Your rights under GDPR

As an EU resident, you have the following rights under the General Data Protection Regulation:

Art. 15
Right of access

Request a copy of all personal data we hold about you.

Art. 16
Right to rectification

Request correction of inaccurate or incomplete personal data.

Art. 17
Right to erasure

Request deletion of your personal data. We will comply within 30 days unless a legal obligation requires retention.

Art. 20
Right to data portability

Request your data in a structured, machine-readable format (JSON).

Art. 21
Right to object

Object to processing based on legitimate interests (e.g. analytics).

Art. 7
Right to withdraw consent

Where processing is based on consent (e.g. push notifications), you can withdraw at any time.

To exercise any right, email hello@overthinkr.me. We will respond within 30 days at no charge.

Right to lodge a complaint: You may complain to the Polish supervisory authority — Urząd Ochrony Danych Osobowych (UODO): uodo.gov.pl

California residents (CCPA): You have the right to know what data we collect, the right to delete it, and the right to opt out of its sale. We do not sell personal data. Email hello@overthinkr.me to exercise your rights.

10. Contact information

Data Controller: Jakub Radziejewski, Kraków, Poland

Email: hello@overthinkr.me

Please include "Privacy Request" in your subject line. We aim to respond to all requests within 30 days.

11. Cookies and tracking

Overthinkr is a native iOS app and does not use browser cookies.

We use the following tracking technologies:

  • Anonymous device identifiers — used by Mixpanel for analytics (no personal data attached)
  • Superwall session identifiers — anonymous, used for paywall A/B test assignment only

You can opt out of analytics tracking by contacting us at hello@overthinkr.me.

12. Changes to this privacy policy

We may update this Privacy Policy from time to time. When we do:

  • We will update the "Last Updated" date at the top of this page
  • For material changes, we will notify you via push notification or in-app banner
  • Continued use of the app after changes constitutes acceptance of the updated policy

We encourage you to review this policy periodically.