This Privacy Policy explains how PathlyAI ("we", "us", "our") collects, uses, shares, and protects personal data when you use the PathlyAI mobile app and related websites (together, the "Service"). PathlyAI is a wellbeing tool. People may choose to share personal and potentially sensitive information when using the Service. We take that seriously and aim to minimize data collection and use your data only for clear, stated purposes. If you do not agree with this Privacy Policy, please do not use the Service. Last updated: 2026-01-26

Data Controller: - Legal entity: PathlyAI, d. o. o. - Address: Ljubljana, Slovenia - Privacy contact: [email protected] Support contact: [email protected]

This Privacy Policy applies to: - the PathlyAI mobile application, - websites and pages operated under the PathlyAI brand, - customer support communications related to the Service. It does not apply to third-party websites, apps, or services that may be linked from the Service or integrated through third-party providers (for example Apple, Google, payment processors, or AI service providers). Those third parties have their own privacy practices.

We collect data in three main ways: (a) data you provide, (b) data collected automatically, and (c) data from third parties (limited). A) Data you provide - Account data: email address, login credentials (stored securely), and optional profile information (if you choose to provide it). - Session inputs: text you enter during check-ins, exercises, or guided flows. - Support communications: information you share when contacting support. Important note about sensitive data The Service is not a medical app and does not require you to provide medical information. However, you may choose to share information that could be considered sensitive (for example information about mood, stress, or mental wellbeing). Please do not enter highly sensitive information into the Service, such as medical records, diagnoses, detailed treatment information, medication lists, government IDs, or financial account numbers. If you choose to enter potentially sensitive information, we process it only to provide the Service and for the limited purposes described in this Policy. Where required by applicable law, we rely on your explicit consent or another lawful basis for processing sensitive data. B) Data collected automatically - Device and app data: device type, operating system, app version, language, time zone, and basic diagnostic data. - Log and usage data: feature usage, timestamps, in-app events needed to operate and secure the Service. - Security data: IP address and related signals used for fraud prevention, abuse detection, and security monitoring. C) Data from third parties (limited) - App stores: we may receive high-level purchase and subscription status information from Apple App Store or Google Play to enable entitlements and customer support. - Payment providers (if you purchase on the web): billing metadata needed to process payments and handle disputes (we do not receive full payment card details if processed by a third-party processor).

We use personal data only for specific purposes: - Provide and operate the Service (account access, session functionality, saving your progress where applicable). - Generate responses and guidance within the Service based on your inputs (where the Service includes automated or AI-based features). - Maintain safety and security (prevent abuse, detect fraud, protect accounts, and ensure system integrity). - Provide customer support and respond to requests. - Improve reliability and performance (debugging, crash diagnostics, service monitoring). - Comply with legal obligations (for example accounting, tax, lawful requests).

If you are in the EU/EEA (or where GDPR applies), we process personal data under one or more of these legal bases: - Contract: processing is necessary to provide the Service you request (for example account access and core functionality). - Legitimate interests: processing is necessary to secure the Service, prevent abuse, and improve reliability, provided those interests are not overridden by your rights. - Consent: where required (for example optional features, certain analytics settings, or sensitive data processing where consent is the appropriate basis). You can withdraw consent at any time where consent is used. We will identify the applicable basis depending on the data and context.

Some features use automated systems (including AI) to generate guidance based on your inputs. External AI providers (current) To operate AI features, relevant portions of your session inputs may be transmitted to and processed by external AI service providers acting as our processors. They process data only to provide the requested output on our behalf, under contractual confidentiality and security obligations. What this means in practice - We send relevant portions of your input to generate a response. - We receive and display the generated response in the app. - We do not use automated processing to make decisions that produce legal or similarly significant effects about you. Model improvement (future) Over time, we may develop and use internal models. If we introduce any use of your content for training or improving models beyond what is necessary to operate the Service, we will update this Policy and, where required, provide additional choices and obtain consent. If you want to limit what you share, you can choose to avoid entering sensitive details. You remain responsible for deciding what to enter and whether to act on any guidance.

We do not share your personal data except in the situations below. We do not sell your personal data. We do not share your session content for third-party advertising purposes. A) Service providers (processors) We may share limited data with vendors who help us run the Service (for example hosting, databases, AI inference providers, analytics, customer support tooling, email delivery, and security monitoring). They process data only on our instructions and under contractual confidentiality and security obligations. B) App stores and platform providers Apple and Google may process certain data related to subscriptions and in-app purchases under their policies. We may share limited information with them as needed to manage entitlements or handle support/refund-related requests. C) Legal and safety reasons We may disclose data if required by law, court order, or a valid request by competent authorities, or to protect rights, safety, and security (for example to investigate abuse or fraud). D) Business changes If we undergo a merger, acquisition, restructuring, or asset sale, personal data may be transferred as part of that transaction. We will provide notice where required by law.

Your data may be stored and processed in: EU/EEA (primarily), and other countries where our service providers process data on our behalf to operate the Service (which may include countries outside the EU/EEA) If data is transferred outside the EU/EEA, we use appropriate safeguards, such as: Standard Contractual Clauses (SCCs), and other lawful safeguards where required (such as adequacy decisions or equivalent mechanisms).

We retain personal data only as long as necessary for the purposes described in this Policy. Typical retention: - Account data: for as long as your account is active - After you request account deletion: typically up to 30 days, unless we must retain certain data for legal or security reasons - Encrypted backups: typically up to 90 days in encrypted backups (until rotated), where feasible - Billing and tax records (where applicable): as required by applicable accounting and tax laws We may retain limited data for longer where required by law, to resolve disputes, enforce our terms, or protect the Service from abuse (for example, limited security logs).

You can request account deletion within the app (Profile -> Settings -> Delete Account) or by emailing [email protected] with the subject "Account Deletion Request" and your account email (and user ID if available). To protect your privacy, we may ask for verification before deleting. Deletion effects: - Your account is deactivated. - Personal data and stored content are removed or anonymized within a reasonable period, except where retention is required for legal compliance or security. - Data may persist in encrypted backups for a limited period until rotated, but is not actively accessible in the Service.

We implement technical and organizational measures designed to protect personal data, such as: - access controls and least-privilege permissions, - encryption in transit where feasible (for example HTTPS/TLS), - secure storage practices for credentials, - monitoring and logging for security events. No system can be guaranteed 100 percent secure. You are responsible for keeping your credentials confidential and using secure devices.

Our websites may use cookies or similar technologies to: - keep the site working (for example session and security cookies), - remember settings, - measure performance and reliability. Where required by law, we will request consent for non-essential cookies. You can control cookies through your browser settings, and you may be able to manage consent preferences via our cookie settings (if available). Mobile apps do not use browser cookies, but may use similar technologies (such as device identifiers) for essential functionality, security, and (where enabled) analytics.

We may send you: - service-related emails (for example verification, security alerts, and essential operational notices), - support responses when you contact us. If we send optional marketing messages, we will do so only where permitted by law and you can opt out at any time through the unsubscribe method in the message or by contacting [email protected].

The Service is intended for adults (18+). We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us at [email protected] and we will take appropriate steps, including deletion where required.

Depending on where you live, you may have rights regarding your personal data. If GDPR applies, your rights may include: - Access: request a copy of your data. - Rectification: correct inaccurate data. - Erasure: request deletion (where applicable). - Restriction: limit certain processing. - Objection: object to processing based on legitimate interests. - Portability: receive certain data in a machine-readable format. - Withdraw consent: where processing is based on consent. To exercise your rights, contact: [email protected] You can also lodge a complaint with your local data protection authority.

The Service may contain links to third-party sites or services. We are not responsible for their privacy practices. Please review their policies before providing any information to them.

We may update this Privacy Policy from time to time. If changes are material, we will provide notice within the app or on our website, and where required, seek consent. The "Last updated" date at the top indicates when this Policy was last revised.

Privacy and data protection inquiries: [email protected] Support: [email protected] When contacting us, please include your account email and a description of your request.