Privacy Policy — Cirdia Apps
Effective Date: [set at publish] | Last Updated: 2026-06-17
Your privacy isn't a feature we bolt on — it's how we built the apps. This policy explains what the Cirdia apps collect, why, and exactly how we protect it.
This policy covers the Cirdia apps — Tapestry today, and Nourish and Groundwork as they launch. For how we handle our websites, our business contacts, or wellness practitioners, see the other policies on our legal hub. Cirdia Global S.L. is the data controller for your information.
1. Our Core Principle: We Never Store Your Health Data
Your wellness data — symptoms, habits, heart rate, sleep, energy, mood, cycle, movement — stays on your device. We do not store it in our databases. There is nothing to sell, nothing to breach, nothing to hand over.
When the app creates your weekly insights, your data is encrypted on your device and sent to a single processing instance. Your data never leaves that instance: all analysis is contained within the ephemeral process, which is destroyed afterward, and your results return encrypted to your device. We never see it in unencrypted form. For the fuller picture of how this works, see our Privacy Architecture page.
2. What We Collect
Information You Provide
- Account information — your first name and email when you create an account.
- Your access status — purchases are made through the Apple App Store or Google Play. We receive whether your access is active; we never see or store your payment card details.
Collected Automatically
- App usage and diagnostics — a privacy-preserving signal (app opens, whether notifications are on, whether you're on a trial or paid) and error reports, sent to our own servers so we can keep the app working. It's tied to your account, and it contains no health or wellness data.
- Account identifier — so we recognize your account across reinstalls and keep trials fair.
Wearable Integrations (Apple Health & Google Health Connect)
If you choose to connect one:
- We only read; we never write. Heart rate, resting heart rate, HRV, sleep, steps, and active energy flow into your app for your use only.
- Nothing is stored in our database. This data is used on your device and never comes to us.
- You control the connection. Disconnect at any time from your device settings.
Cirdia Wearable Devices
Contour and Noir are in development. When available, they will sync with the app, and their data will be processed locally on your phone, not sent to our servers.
3. What We Can't Do With Your Health Data
Most companies in this space make promises about what they won't do with your data. We built the apps so those things aren't possible:
- We can't sell your health data — it's on your device, not in our databases. We don't have it to sell.
- We can't use it for advertising — we never see your wellness data in unencrypted form, and none of it is ever sent to an advertising platform.
- We can't share it with third parties — the only place it exists is on your phone and, briefly, inside the isolated instance that's destroyed after your report is generated.
- We can't train AI on it — your insights are generated in an isolated instance that is destroyed after use. Nothing is retained or fed back into any model.
4. Signing In
We use magic sign-in links — no passwords. Tapping the link in your email signs you in. There's no password to steal, and no password database to breach.
5. Your Rights
Regardless of where you live, you can:
- Access the data tied to your account.
- Correct your name or email in the app.
- Export your data — there's a CSV export in the app, and your on-device data is yours to take.
- Delete your account and personal data.
When you leave Cirdia, we don't erase everything the moment you go. We keep a minimal record for a while — partly so we can welcome you back with an offer if you decide to return — then eventually erase what identifies you, keeping only the bare records the tax rules make us keep. Want it gone sooner? Just ask, and we'll erase what identifies you right away. And your health data lives on your device, not ours, so there's nothing health-related for us to delete anyway.
GDPR-level rights for everyone. We extend these rights — including the right to be forgotten — to every person who uses our apps, anywhere in the world, regardless of whether your local law requires it. To exercise any of them, email privacy@cirdia.com. We respond within 30 days.
6. For US State Residents
If you live in a US state with its own privacy law (such as California or Washington), you have the right to know what we hold, to delete it, and not to be treated differently for exercising these rights — all covered above. Under Washington's My Health My Data Act specifically: we don't collect or store your health data on our servers, so there is none for us to share or sell. (Our marketing website has a separate opt-out for ad measurement — see the Website & Cookies Policy — none of which runs in the app.)
7. Who We Share App Data With
We work with a small number of providers to run the apps — the app stores for payments, an email provider for sign-in links, EU hosting, and encrypted backups. Each processes data on our behalf and is bound by contract to protect it. The full list, with what each handles and where, is on our Sub-processors page.
8. Data Security
- No passwords — we use magic links only. No password database to breach.
- Token hashing — sign-in tokens are hashed before storage. Raw tokens never sit in our database.
- Encryption in transit — all traffic uses HTTPS.
- Encryption at rest — our database is encrypted, and off-site backups are encrypted before they leave the host and kept only for a short window.
- EU storage, predominantly EU infrastructure — your data is stored on EU servers, and almost all of our systems are first-party and EU-based. The only part that runs outside the EU is the short-lived weekly-insights processing, which stores nothing.
9. Age Requirement
You must be at least 16 years old to use the apps. To purchase or enter into a contract with us, you must be at least 18 (or the age of majority in your jurisdiction).
10. Contact Us
Cirdia Global S.L. — Valencia, Spain
Privacy: privacy@cirdia.com | Support: support@cirdia.com