Privacy Policy

1. Who we are

Grounded is a wellbeing and habit-building service operated from the Netherlands. The legal entity behind Grounded is currently being formalised; once registered, full company name, KvK number and registered address will be added here. Until then, the responsible controller can be reached at contact@grndd.app.

2. What data we collect

• Account data — name, email address, password (hashed), language preference.
• Profile & intake data — answers you give in the onboarding intake to personalise your routine (e.g. goals, lifestyle, focus areas).
• Usage data — check-ins, completed routines, journal entries, mindfulness sessions, badges, in-app messages with your buddies and AI coach.
• Payment data — handled by Stripe. We receive a customer ID, subscription status, plan and the last 4 digits of your card; we never see or store your full card details.
• Technical data — IP address, device/browser type, basic logs needed to operate the service securely.

3. Why we use it (legal basis)

• To provide the service (account, personalised routine, buddy matching, coach, payments) — performance of a contract (Art. 6(1)(b) GDPR).
• To keep the service secure (fraud prevention, abuse detection, logs) — legitimate interest (Art. 6(1)(f) GDPR).
• To comply with legal obligations (e.g. accounting, tax) — Art. 6(1)(c) GDPR.
• To send service emails (receipts, password resets, important updates) — performance of a contract.

We do not currently use your data for advertising and we do not sell your data.

4. How long we keep it

• Account & profile data: as long as your account is active, then deleted within 30 days of account closure unless we are legally required to keep it longer.
• Journal entries & check-ins: stored as long as your account is active; deleted with your account.
• Payment & invoicing records: 7 years, as required by Dutch tax law.
• Support emails: up to 2 years after the last contact.

5. Who we share it with (processors)

We only share data with carefully selected processors who help us run the service:

• Lovable Cloud / Supabase — hosting of database, authentication and storage (EU region).
• Stripe — payment processing (EU/US, GDPR-compliant safeguards in place).
• Email provider — sending transactional emails (receipts, password resets).
• AI provider — for the in-app AI coach. Conversations may be processed by a third-party model provider to generate responses; we do not allow your data to be used to train their models.

6. International transfers

Data is primarily stored within the European Union. Where a processor (e.g. Stripe) processes data outside the EU, we rely on the EU Standard Contractual Clauses and/or adequacy decisions to protect your data.

7. Your rights

Under the GDPR you have the right to:

• Access the personal data we hold about you.
• Have inaccurate data corrected.
• Have your data deleted (right to be forgotten).
• Restrict or object to certain processing.
• Data portability (receive your data in a machine-readable format).
• Withdraw consent at any time, where processing is based on consent.
• Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

To exercise any of these rights, email contact@grndd.app. We respond within 30 days.

8. Children

Grounded is not directed at children under 16. If you believe a child has provided us with personal data, please contact us so we can remove it.

9. Security

We use encryption in transit (HTTPS), encrypted storage at our hosting provider, and role-based access control. Passwords are stored hashed. No system is 100% secure, but we take reasonable technical and organisational measures to protect your data.

10. Changes to this policy

If we make material changes we will notify you by email or via an in-app notice before they take effect. The "Last updated" date at the top of this page always reflects the current version.