Privacy policy

This privacy policy explains which personal data is processed when you use the napolill.com website and the Affirmations by Napolill app, for what purposes, and what rights you have.

  • GDPR-focused
  • Encrypted
  • Transparent

As of: 29 March 2026

0) App languages & scope

The app interface is available in German, English, and Romanian. This privacy policy on the website is available in English and German. If the language versions differ, the German version prevails for the legal classification of processing.

The controller is located in the EU (Austria). For people residing or located in the European Economic Area (EEA), the rights described here follow primarily from the GDPR. For people in Switzerland, the applicable data protection rights under Swiss law apply (often broadly similar to the GDPR in practice).

The app may generally be downloaded and used worldwide. If you are outside the EEA, local privacy laws of your country or U.S. state may apply in addition or instead (e.g. rules on access, objection, or erasure). We describe processing primarily in line with the GDPR and the principles stated here; you can still contact us at the details below if you have questions about your local rights.

Transfers to third countries

Cloud services (e.g. Google/Firebase) may also process data in countries outside the EU/EEA. See section 8 for details.

2) Contact for privacy requests

If you have privacy questions or wish to exercise your rights, please write to:

3) What app is this?

Affirmations by Napolill provides content such as affirmations and meditations (e.g. videos/audio), features like streak tracking, “Recently played”, optional mood check-ins, and an optional user account so you can save progress across devices.

4) What data do we process?

We process data in the following categories, depending on how you use the app:

4.1 Account and profile data (registration / sign-in)

If you create an account or sign in (e.g. email/password, Google sign-in, or Sign in with Apple), we process e.g.:

  • Email address
  • User ID (technical identifier)
  • Display name where applicable (if you set it or the login provider passes it)
  • Profile photo where applicable (only if you actively choose/upload it)

Purpose: provide the account, enable login, associate settings/progress, prevent abuse.

4.2 Usage and progress data (streaks & history)

So the app can work (streaks, badges, history), we process e.g.:

  • which content you played (category/file ID)
  • time and duration of use (e.g. session length)
  • streak information (e.g. consecutive days)
  • “Recently played”
  • optional: mood entries if you enter them in the app

Purpose: core app features (streaks/history), personalization (e.g. recently played), improving the experience.

4.3 Content you create (optional)

Where the app lets you create content (e.g. record your own affirmations or set a profile picture), we process that content only when you actively use the feature.

Purpose: provide the selected feature.

4.4 Device and technical metadata

We do not use a dedicated crash-reporting product (such as Firebase Crashlytics) that automatically collects detailed crash reports. Technical information may still arise in the normal course of app use and through services we use (e.g. Firebase/Google), such as:

  • device type/model, OS version (as transmitted by the platform or service)
  • app version
  • limited technical metadata related to authentication, configuration (e.g. Remote Config), and cloud connectivity

Purpose: provide and secure the app, abuse prevention, basic operation of the infrastructure.

4.5 Support communication

When you contact us, we process:

  • your contact details (e.g. email)
  • the content of your message
  • where needed, technical information for troubleshooting (only as necessary)

Purpose: respond to requests and provide support.

4.6 Use of the website (napolill.com)

When you visit the website, technical data sent by your browser or device may be processed automatically – e.g. IP address (possibly truncated/stored in server logs), date and time of access, page requested, browser type/version, operating system, and referrer URL – where required for secure operation, delivering the site, and abuse prevention.

We do not use third-party analytics or marketing cookies on this website that track you across sites. If your browser or device stores settings locally (e.g. theme), that usually happens without transmission to us.

Purpose: deliver content, IT security, stability, and abuse prevention.

5) Where is data stored?

Depending on the feature, data may be:

  • stored locally on your device (e.g. settings/progress), and/or
  • stored on our servers or in a database so sync, progress, and statistics work.

If we use cloud services (e.g. Google Firebase), data is processed in that infrastructure (see “Recipients / processors”).

Note on cloud sync

Short in-app messages may loosely refer to “anonymized” cloud storage. More precisely: if you use optional sync and have an account, your stored content and settings are linked to your user account or a technical user ID. Under the GDPR this is pseudonymous processing (personal data), not fully anonymous storage with no way to relate data to a person.

6) Legal bases (GDPR)

Depending on the processing, we rely on the following legal bases:

Art. 6(1)(b) GDPR (contract / steps prior to a contract): providing app features (account, streaks, history).

Art. 6(1)(f) GDPR (legitimate interests): security, abuse prevention, basic technical stability – including technically necessary processing for operating the website.

Art. 6(1)(a) GDPR (consent): where we use optional analytics/tracking or other optional processing that requires consent (if offered in the app).

To improve the app, we may evaluate usage data while you have an account and/or use the app – based in particular on the data described in this policy within our own infrastructure (Google Firebase: e.g. authentication, Firestore, Storage, and Remote Config as part of normal operations). We do not use third-party marketing tracking (e.g. ad networks or social pixels for ad profiling). We do not sell user profiles to third parties for advertising purposes.

7) Recipients & service providers (processors)

We may use service providers who process data on our behalf, e.g.:

  • Google Firebase / Google Cloud (e.g. authentication, Firestore database, Storage, Remote Config for app parameters; no Firebase Crashlytics in the current setup) – Google LLC / Google Ireland Ltd.
  • Google Play (distribution of the Android app, technical store processes)
  • Apple App Store (distribution of the iOS app, technical processes by Apple)
  • Hosting / email providers for the website and support email

Important:

We do not sell your data. Disclosure only occurs where necessary to provide the app, where you have consented, or where we are legally required to disclose.

8) Transfers to third countries (e.g. USA)

Depending on the providers used (e.g. Google), processing may also take place outside the EU/EEA (e.g. the USA). In those cases we rely on appropriate safeguards (e.g. EU Standard Contractual Clauses and/or other permitted transfer mechanisms).

9) Storage periods

We keep personal data only as long as necessary for the respective purposes:

  • Account data: while your account exists
  • Usage/progress data: while your account exists and as long as needed for streaks/history
  • Support data: as long as needed to handle the request, unless statutory retention obligations apply
  • Technical metadata via Firebase/Google: according to each platform’s retention/deletion rules and contract settings
  • Website logs (if kept): only as long as usual for these purposes or as required by hosting

10) Your rights

Subject to the relevant conditions, you have the following rights:

Access (Art. 15 GDPR)

Rectification (Art. 16 GDPR)

Erasure (Art. 17 GDPR)

Restriction (Art. 18 GDPR)

Data portability (Art. 20 GDPR)

Objection (Art. 21 GDPR)

You may also withdraw consent (Art. 7(3) GDPR) where processing is based on consent.

You may lodge a complaint with a data protection supervisory authority without prejudice to other remedies. The authority with jurisdiction may be that of your habitual residence, your place of work, or the place of the alleged infringement. In Austria this is the Data Protection Authority (DSB); in Germany you may contact the state data protection authority responsible for your place of residence.

11) App permissions (Android/iOS) – why we request them

The app may request device permissions depending on how you use it. On iOS, the same purposes are explained in system dialogs (usage descriptions). On Android, permissions may include:

Camera (android.permission.CAMERA)

Purpose: optional, e.g. to capture a profile photo or use a camera-based feature (if offered).

Important: the camera is used only when you actively start the relevant feature.

If you deny access, you can still use the app in general; some features may be unavailable.

Photos/media/storage (varies by Android version)

Purpose: optional, e.g. to pick a profile image from your gallery or save files locally.

Microphone (if recordings are offered)

Purpose: optional, e.g. to record your own affirmations.

Flash/LED (light pulse, if offered)

Purpose: optional in some sessions to provide a pulsing light via the device light – only when you enable it.

Depending on device and OS, the camera/flash API may be used; no image is recorded for this purpose.

Notifications (system push)

In the current app version we do not send operating-system push notifications (no lock-screen reminders or marketing push).

Hints such as new badges appear only inside the app during active use and do not require a separate push permission.

Important:

You can revoke permissions at any time in your device settings.

12) Children

The app is aimed at adults and teenagers and is not designed to knowingly process personal data of children under 16 without parental consent. If you believe we may process such data without valid consent, contact us at privacy@napolill.com.

13) Security

We implement appropriate technical and organizational measures to protect data (e.g. access controls, protection against unauthorized access). Absolute security cannot be guaranteed.

14) Delete account / delete data

You may request deletion of your account and stored data:

15) Changes to this privacy policy

We may update this privacy policy when the app or legal requirements change. The current version is always available at:

https://napolill.com/privacy