Privacy Policy
She/Crea is committed to protecting your privacy and handling your personal data transparently and securely. This Privacy Policy explains how we collect, use, share, and protect your information when you use our Services. We comply with the Swiss Federal Act on Data Protection (FADP) and the European Union's General Data Protection Regulation (GDPR), where applicable.
1. Information We Collect
We collect information you provide directly to us when you create an account, use the Services, or communicate with us. This includes:
Account Information: Name, email address, password, date of birth.
User-Generated Content (UGC): The content you create and submit while using the Services, such as reflections, goals, journal entries, notes, and responses to exercises or prompts. This UGC may include sensitive personal data relating to your mental or physical health, philosophical or religious beliefs, sexual life, political opinions, or other categories considered sensitive under applicable data protection laws (FADP, GDPR).
We also automatically collect certain information when you use our Services:
Device Information: Device type, operating system, unique device identifiers, IP address, and other technical information.
Usage Data: How you interact with the Services, including features accessed, pages visited, and time spent on the platform.
Location Information: Approximate location based on your IP address.
2. How We Use Your Information / Lawful Bases
We use your information for various purposes based on specific legal grounds (lawful bases). The primary lawful bases for processing your data are: performance of a contract with you, your consent, our legitimate interests (where they do not override your rights), and legal obligations.
To Provide and Maintain the Services (Lawful Basis: Performance of Contract): We use your account information and UGC to operate the Services, deliver features like goal tracking and journaling, and ensure the Services function correctly.
To Personalize Your Experience and Provide Advisor/Coaching Features (Lawful Basis: Explicit Consent): With your explicit consent obtained during onboarding (via a checkbox), we process your User-Generated Content, which may include sensitive data, to personalize your experience, provide tailored prompts, deliver feedback, and help you track your progress within the Services. This processing involves automated analysis (profiling) of your data to understand your needs and tailor the service accordingly. This profiling is conducted to enhance your use of the Service and is not currently considered 'high-risk profiling' under FADP/GDPR, but this assessment is subject to change as the service evolves.
To Improve and Develop the Services (Lawful Basis: Legitimate Interests): We analyze aggregated and anonymized data about how users interact with the Services (excluding sensitive content unless specifically consented for research or anonymized securely) to understand usage patterns, identify areas for improvement, develop new features, and fix bugs. Our legitimate interest is to provide a better, more effective service.
To Communicate with You (Lawful Basis: Performance of Contract, Legitimate Interests, Consent): We use your contact information to send you service-related notifications, updates, and support responses. With your separate consent, we may send you marketing communications about She/Crea.
For Security and Fraud Prevention (Lawful Basis: Legitimate Interests, Legal Obligation): We process data to protect the security and integrity of the Services, prevent fraud, and comply with legal obligations.
To Enforce Our Terms and Policies (Lawful Basis: Performance of Contract, Legitimate Interests): We use data as necessary to enforce our Terms of Service, Community Guidelines, and other policies.
3. Processing Sensitive Data
As we mentioned earlier in Section 1 ("Information We Collect"), the beautiful and personal content you create on She/Crea – your reflections, goals, journal entries, and responses to prompts – may naturally include sensitive personal data about your life, your well-being, your beliefs, and your experiences. We understand that sharing this information is deeply personal.
We want to be very clear and transparent: We only process this sensitive data based on your explicit consent. This consent is obtained through a clear opt-in mechanism (a checkbox) that you see when you begin using the service. Your decision to provide this consent is entirely yours, reflecting our value of empowerment.
Your explicit consent allows us to use your sensitive data solely for the purposes of providing you with the core, personalized value of She/Crea, including:
Personalizing your She/Crea experience: Tailoring content, prompts, and your journey within the app specifically for you.
Providing tailored feedback and insights: Enabling features like our Advisor or Coaching prompts to offer more relevant support and analysis based on your inputs.
Helping you visually track your progress: Allowing the service to understand and display your growth and journey based on the themes and progress within your content.
These are the specific, defined ways we use sensitive data to enhance your self-discovery journey on She/Crea.
Withdrawing Your Consent:
You are always in control of your data and your journey. You have the right to withdraw your explicit consent for the processing of your sensitive data at any time. You can do this by:
Deleting specific content: You can delete individual journal entries, reflections, goals, or other User-Generated Content that contains the sensitive data you no longer wish us to process. Deleting the content removes it from our active processing.
Updating Privacy Settings: [Optional, confirm if you will have this feature:] If available in your account, you may be able to adjust your privacy settings to withdraw consent for certain types of sensitive data processing without deleting all content.
Contacting Us Directly: You can send a request to withdraw your consent to [She/Crea Contact Email].
Impact of Withdrawal:
Please be aware that because the core, value-added features of She/Crea – such as personalized recommendations, tailored feedback from Advisor/Coaching features, and visual progress tracking – are designed to work with and analyze your sensitive User-Generated Content, withdrawing your consent for sensitive data processing will significantly impact the functionality and personalization of these specific features. They may become limited, generic, or no longer available for the data where consent is withdrawn or for your experience going forward, as we will stop processing the sensitive data that powers them.
4. Your Privacy Rights
As the Data Controller of your personal data (including your sensitive data, processed with your consent), She/Crea is responsible for facilitating your data protection rights. Under applicable data protection laws (FADP, GDPR), you have certain rights regarding your personal data, including:
Right of Access: Request a copy of the personal data we hold about you.
Right to Rectification: Request correction of inaccurate or incomplete data.
Right to Erasure ('Right to be Forgotten'): Request deletion of your personal data (subject to certain legal exceptions).
Right to Restriction of Processing: Request that we limit how we use your data.
Right to Object to Processing: Object to our processing of your data based on legitimate interests or for direct marketing.
Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
Right to Withdraw Consent: Withdraw your consent at any time where processing is based on consent (e.g., for sensitive data processing or marketing).
To exercise any of these rights, please contact us at info@shecrea.com or use any applicable features within your account settings. We will respond to your request within one month (30 days), though this period may be extended for complex requests.
5. Sharing Your Information / Third-Party Processors
We do not sell your personal data. We may share your information with trusted third-party service providers (Data Processors) who perform services on our behalf, strictly under our instructions and in compliance with data protection laws. These processors help us operate and improve the Services. Categories of such providers include:
Cloud Hosting Providers: For storing data and running our services (e.g., DigitalOcean).
Payment Processors: For handling subscription payments (e.g., Stripe).
Analytics Providers: For understanding service usage (e.g., Matomo).
Customer Support Platforms: For managing communications with you.
Email Service Providers: For sending service notifications and marketing emails (if consented).
We enter into Data Processing Agreements (DPAs) with these third parties to ensure they protect your personal data and process it only according to our instructions and applicable data protection laws. We do not act as a Data Processor for your main service data; we are the Data Controller.
6. Data Security
We implement technical and organizational measures designed to protect your personal data against unauthorized access, use, alteration, and disclosure. These measures include:
Encryption of sensitive data at rest and in transit.
Access controls and role-based access limitations to data.
Regular security assessments and updates.
Secure data storage infrastructure (as provided by our hosting partners like DigitalOcean).
7. Data Retention
We retain your personal data only for as long as necessary to provide the Services to you and for legitimate and essential business purposes, such as maintaining the performance of the Services, making data-driven business decisions, complying with our legal obligations, and resolving disputes.
Account Data: We retain information associated with your account for as long as your account is active.
User-Generated Content: Your UGC (reflections, goals, etc.) is retained as long as your account is active to provide you with continuous access to your self-growth journey.
Upon Account Deletion: When you delete your account, your personal data, including your User-Generated Content, will be deleted or anonymized within 30 days, subject to a short retention period for backup or as required by law (e.g., for tax or legal compliance reasons). Data needed for legal obligations may be retained for longer periods as required by applicable law.
Inactivity: We may implement a policy for deleting data associated with accounts that have been inactive for a significant period, subject to prior notification to the user.
8. International Data Transfers
We understand that knowing where your personal data is stored is important. She/Crea primarily stores your data, including your personal information and User-Generated Content, on secure servers operated by DigitalOcean located within Europe (specifically within the European Economic Area - EEA). This means your primary data is held in a region with strong data protection laws, including the GDPR.
However, like most online services, we work with other trusted third-party service providers (processors) listed in Section 4 (such as analytics providers, email services, etc.), some of whom may operate or store data outside of Switzerland or the EEA.
When we transfer your personal data to countries outside of Switzerland or the EEA, we ensure that appropriate legal safeguards are in place to protect your data. These safeguards typically include:
Transferring data to countries deemed to have adequate data protection laws by relevant authorities (like the European Commission or the Swiss Federal Data Protection and Information Commissioner).
Using approved contractual clauses, such as the Standard Contractual Clauses, which are binding commitments to protect your data according to high standards.
For transfers to the United States, verifying that the recipient is certified under the Data Privacy Framework (DPF) program, which provides a legal mechanism for transfers to participating US companies.
By using our Services, you understand that while your primary data is securely stored in Europe, your information may be transferred to and processed in other countries via these trusted third parties, always subject to the protective safeguards mentioned above.
9. Children's Privacy
Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal data from individuals under 18. If we become aware that we have inadvertently collected personal data from a user under the age of 18, we will take reasonable steps to delete such information from our records promptly.
10. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will post any changes on our website and notify you as law requires.
11. Contact Us
If you have any questions about this Privacy Policy, please get in touch with us at info@shecrea.com