01Who we are
StrideFlow ("StrideFlow", "we", "us") is a mobile app that helps you turn personal goals into a calendar plan with an AI assistant. This policy explains what data we collect when you use the StrideFlow iOS app, how we use it, who we share it with, and the choices you have.
The data controller is Diarra Sory Brahim, operating as a sole proprietor from 92, Av Albert 1er, 92500 Rueil-Malmaison, France. You can reach us at support@strideflow.ai for any privacy question or request.
02The short version
- We collect what's needed to run the service: your account, the goals and calendar entries you create, and the messages you exchange with the AI assistant.
- We do not show ads, do not sell your data, and do not track you across other apps or websites. No advertising identifier (IDFA) is ever read.
- Your content is linked to your account so it can sync across your devices. It is not used to train any AI model.
- You can delete your account at any time from Settings Privacy, which permanently wipes your data from our systems.
- Minimum age is 16.
03What data we collect
3.1 Information you give us
- Account identifiers: your email address, your name (if you provide one or your sign-in provider shares it), and the unique user ID generated by Firebase Authentication when you sign up.
- Onboarding answers: your date of birth (used to verify you are at least 16), goals, preferred pace, and a small set of context questions you answer during the first-run flow. You can change or delete most of these later in Settings.
- Content you create: calendar blocks (title, time, duration, completion status), goals (title, target date, history), task lists, chat messages you send to the AI, and "facts to remember" you add to your user memory.
- Subscription information: if you subscribe to a paid plan, your transaction is processed by Apple through the App Store. We receive a transaction identifier and entitlement state via our subscription provider RevenueCat we never see your full payment details.
- Optional profile fields: gender, preferred units (metric/imperial), preferred language, date format, time zone. All optional; can be left blank or "Prefer not to say".
- Settings preferences: notification toggles, quiet hours, AI assistant preferences.
3.2 Information collected automatically
- AI assistant exchanges: the messages you send to the AI assistant, and the responses it generates, are stored on our backend so you can return to your conversations across devices. To answer you, we forward your message plus relevant context (the goals and calendar entries needed to respond) to our AI provider Anthropic (see Section 5).
- Product analytics: we record actions like "signed in", "chat message sent", "block created", "paywall shown", "purchase completed". These events are linked to your account ID so we can understand which features work and which break. We do not record the contents of your messages, your screen contents, or anything you type. Our analytics provider is PostHog.
- Crash and diagnostic data: if the app crashes or encounters a non-fatal error, we send a stack trace, the OS and device model, and a short "breadcrumb" trail of recent actions to Firebase Crashlytics. This is linked to your account so we can fix bugs.
- Authentication tokens: short-lived tokens are stored on your device's keychain so you stay signed in.
3.3 Calendar connection (optional)
StrideFlow can connect to your device calendar so it can plan around the time you are already busy. This is optional. You can turn it on during onboarding or later in Settings, under Calendar, and you control it for each calendar.
- Busy times by default: for a connected calendar, StrideFlow reads only your busy time slots (when you are occupied), not what each event is.
- "Share details" is opt-in, per calendar: if you set a calendar to "Share details", StrideFlow also reads that calendar's event titles, locations, and notes, so it can build a smarter plan. We never collect event attendees.
- Where it goes: your busy times, and any details you choose to share, are sent to our backend, and where relevant to our AI provider (see Section 5), solely to generate your plan.
- Write-back: if you leave write-back on, the sessions StrideFlow creates are added to a dedicated "StrideFlow" calendar on your device. Your other events are never changed.
- Disconnecting: you can disconnect at any time in Settings, under Calendar. We then stop reading your calendar, remove the sessions we added, and clear the busy data from our backend.
Calendar connection relies on your consent (Article 6(1)(a) GDPR). You can withdraw it at any time by disconnecting, or by turning off "Share details" for a calendar.
3.4 Information we do not collect
We do not access or collect:
- Your precise or coarse location
- Health, fitness, or HealthKit data
- Photos, camera, microphone, or video
- Your iOS contacts or reminders
- Your advertising identifier (IDFA)
- Browsing history outside StrideFlow
- Any biometric data
If we add a feature that needs one of these, we will update this policy and ask for your permission first.
04How we use your data
We use the data above to:
- Create and maintain your account and let you sign in
- Sync your goals, calendar, and chat history across your devices
- Generate AI responses tailored to your goals and schedule
- Send notifications you have opted into (daily reminders, calendar block alerts)
- Process subscriptions and grant access to paid features
- Diagnose crashes and bugs
- Measure which features are used and how often, so we can improve the product
- Communicate with you about service updates, security, and support requests
- Enforce our age minimum and detect abuse
We do not use your data to train AI models, our own or anyone else's.
The legal bases on which we rely (Article 6 GDPR) are: performance of the contract you enter into when creating an account (account, sync, AI assistant, subscriptions); our legitimate interests in keeping the product working and improving it (crash reporting, product analytics, abuse prevention); your consent where required (notifications); and compliance with legal obligations (tax, fraud prevention).
05Third-party AI processing
StrideFlow uses a third-party AI provider to generate, improve, and adjust your plans. These AI planning features run only when you choose to use them, for example when you message the assistant or ask it to build or rearrange your plan.
When you use an AI planning feature, StrideFlow sends selected information to our AI provider, Anthropic (Anthropic, PBC, USA), so it can respond. Depending on what you are doing, this may include:
- Your goals and planning preferences (such as your preferred pace)
- Your availability and plan details (calendar blocks, tasks, durations, completion status)
- The chat messages you send to the assistant
- Relevant "facts to remember" from your user memory
- Calendar context, as described below
By default, calendar context includes only your busy times (when you are occupied), not what each event is. If you turn on "Share details" for a calendar, it may also include that calendar's event titles, locations, and notes. We never send event attendees, and this stays off for every calendar unless you turn it on (see Section 3.3).
StrideFlow uses this information only to provide AI planning features, such as creating a plan, improving a plan, or rearranging your schedule when life changes. We do not send your payment or subscription billing details to the AI provider, and your data is never used to train any AI model. You decide when this sharing happens by choosing to use an AI feature, and you can limit what your calendar contributes, or disconnect it entirely, at any time in Settings (see Section 3.3).
Our current AI provider is Anthropic. Anthropic processes your information transiently to generate a response and, under its commercial terms, does not use it to train its models. We require the third-party service providers that process your personal data, including our AI provider, to provide the same or equal protection for that data as described in this Privacy Policy.
06Who we share data with (sub-processors)
We rely on a small set of vetted service providers to run StrideFlow. Each one only receives the data needed for its role and is bound by a written data-processing agreement that requires it to protect your personal data to the same or equal standard set out in this policy, to act only on our instructions, and to use the data solely to provide its service to StrideFlow. Apple and Google also handle the limited sign-in or payment data they receive under their own privacy policies.
| Provider | What they do | What they receive |
|---|---|---|
| Google Firebase (Google LLC, USA) | Authentication, crash reporting | Your email, account ID, sign-in metadata, crash traces |
| Google Cloud Platform (Google LLC, USA) | Hosts our backend at api.strideflow.ai | All data you sync (calendar, goals, chat, memory) |
| Anthropic (Anthropic, PBC, USA) | Powers the AI assistant (Claude model family) | The chat message you send plus the relevant goals / calendar context needed to answer it. Anthropic processes this transiently to generate a response; per Anthropic's commercial terms it is not used to train their models. |
| RevenueCat (RevenueCat, Inc., USA) | Subscription billing and entitlement state | Your account ID, transaction identifiers, subscription status |
| PostHog (PostHog Inc., USA) | First-party product analytics | Your account ID and event records (action names, timestamps, anonymized properties). No message content. |
| Apple | App Store distribution, Sign in with Apple, in-app purchases | Whatever Apple's services require to process payments and authenticate you (governed by Apple's privacy policy) |
| Google Sign-In | OAuth sign-in when you tap "Continue with Google" | Your name and email from your Google account (only if you choose this method) |
We do not sell your personal information, and we do not share it with advertisers, data brokers, or analytics networks that operate across other companies' apps.
07International transfers
Our service providers listed above are based primarily in the United States. Because the data controller is located in France, when you use StrideFlow your personal data is transferred to and processed in the United States by these providers. We rely on:
- The EU-US Data Privacy Framework where the provider is certified, and/or
- the European Commission's Standard Contractual Clauses (SCCs), supplemented as required by the relevant guidance from the European Data Protection Board, for all other transfers.
Copies of the safeguards in place are available on request at support@strideflow.ai.
08How long we keep it
| Data type | Retention |
|---|---|
| Account, profile, goals, calendar, chat history | While your account is active. Deleted within 30 days of account deletion. |
| User memory facts | Same as above. Can be wiped at any time from Settings "Forget everything". |
| Analytics events (PostHog) | 12 months after the event date, then aggregated or deleted. |
| Crash data (Firebase Crashlytics) | 90 days. |
| Backups | Encrypted backups containing operational data may persist for up to 30 days after primary deletion, then expire on rotation. |
| Logs (application + access logs) | 30 days. |
Legal, tax, or fraud-prevention obligations may require us to retain a narrow subset (e.g. transaction records) for longer. We will store the minimum required and delete it when the obligation ends.
09Your rights
Under the GDPR and French law (Loi Informatique et Libertés), you have the right to:
- Access the personal data we hold about you (Article 15 GDPR)
- Rectify inaccurate or incomplete data (Article 16); most fields are editable directly in Settings
- Erase your account and all associated data (Article 17) Settings Privacy Delete account
- Restrict processing (Article 18)
- Object to processing based on our legitimate interests (Article 21)
- Portability receive your data in a structured, machine-readable format (Article 20); we will provide an export on request
- Withdraw consent for processing where consent is the legal basis (e.g. notifications toggle off in Settings)
- Define directives for what happens to your data after death, under article 85 of the French Data Protection Act
- Lodge a complaint with a supervisory authority. In France that is the Commission nationale de l'informatique et des libertés (CNIL), 3 Place de Fontenoy, 75007 Paris, www.cnil.fr. If you live elsewhere in the EEA, the UK, or Switzerland, you can also lodge a complaint with your local data protection authority.
To exercise any of these, email support@strideflow.ai. We respond within one month (extendable by two further months for complex requests, in which case we will tell you within the first month).
Account deletion
From within the app: Settings Privacy & Data Delete account. Confirming this action will:
- Sign you out
- Send a deletion request to our backend (
DELETE /v1/users/me) - Permanently delete your account, profile, goals, calendar, chat history, and user memory within 30 days
- Cancel any active access from our third-party processors (RevenueCat will revoke entitlement; PostHog event records keyed to your account ID are deleted; Firebase Auth user is removed; Crashlytics records keyed to your ID are deleted)
Apple manages your subscription separately if you have a paid plan, you must also cancel the subscription in iOS Settings Apple ID Subscriptions or it will continue to bill. Deleting your StrideFlow account does not cancel the App Store subscription.
If you didn't request the deletion (e.g. someone with access to your device deleted your account), email us at support@strideflow.ai within 30 days and we may be able to recover it.
10Children
StrideFlow is intended for users aged 16 and over, which aligns with the age of digital consent in France under article 7-1 of the French Data Protection Act. We do not knowingly collect personal data from anyone under 16. During onboarding we ask for your date of birth, and accounts identifying as under 16 are blocked from completing setup.
If you believe a child under 16 has provided us with personal data, please contact support@strideflow.ai and we will delete it.
11Security
We protect your data with industry-standard measures:
- All data in transit is encrypted with TLS 1.2+
- Data at rest in Google Cloud is encrypted by default
- Authentication tokens are stored in the iOS Keychain
- Access to production systems is restricted to authorized personnel using multi-factor authentication
- We log and review administrative access
No system is perfectly secure. If we become aware of a data breach affecting your personal information, we will notify the CNIL within 72 hours and, where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay (Articles 3334 GDPR).
12Notifications and permissions
StrideFlow may ask for permission to send you notifications. This is optional the app's core features all work without notifications. If granted, we use them only for:
- Daily reminders at the time you choose (with quiet-hours respected)
- Alerts before scheduled calendar blocks
- Confirmation prompts on calendar block actions (mark done, snooze)
You can disable notifications at any time in Settings Notifications inside the app, or in iOS Settings StrideFlow Notifications.
We do not send marketing push notifications.
13California residents (CCPA / CPRA)
If you live in California:
- The categories of personal information we collect are listed in Section 3.
- We have not "sold" or "shared for cross-context behavioral advertising" any personal information in the preceding 12 months, as those terms are defined under the CCPA/CPRA.
- You have the right to know, the right to delete, the right to correct, the right to opt-out of sale/sharing (not applicable since we don't), and the right not to be discriminated against for exercising your rights.
- To exercise these rights, email support@strideflow.ai from the address associated with your account.
- We do not have actual knowledge that we sell or share personal information of minors under 16.
14Changes to this policy
We may update this policy from time to time. If we make a material change, we will:
- Update the "Last updated" date at the top
- Post the new policy at this URL
- Notify you in-app or by email before the change takes effect, for any change that materially expands how we collect or use your data
Continued use of StrideFlow after a change takes effect means you accept the updated policy.
15Contact
For privacy questions, requests, or complaints, email support@strideflow.ai.
Postal address: Diarra Sory Brahim, 92, Av Albert 1er, 92500 Rueil-Malmaison, France.
This policy is governed by the laws of France, without prejudice to the mandatory consumer-protection rules of the country where you have your habitual residence.