Privacy Policy

Flourishing — by I2 AI

Effective Date: 23 February 2026

This Privacy Policy explains how I2 AI (“we,” “us,” or “our”) collects, uses, stores, and protects your information when you use Flourishing (“the App”), available on the Apple App Store. We believe in transparency and have written this policy in plain language so you can understand exactly what happens with your data.

If you are between 13 and 17 years old, please read this policy with a parent or guardian. By using Flourishing, you agree to the practices described here. If you do not agree, please do not use the App.

1. Data controller

The data controller responsible for your personal data is:

I2 AI
[Insert registered address]
Email: developer@i2.ai

If you are in the EU/EEA or UK and we do not have an establishment in your jurisdiction, we will appoint local representatives under GDPR Article 27 and UK GDPR and update this section accordingly. Until a representative is appointed, all inquiries may be directed to the email above.

2. Information we collect

We collect information in three ways: information you provide, information generated by your use of the App, and information collected automatically by our technical services.

Information you provide through Sign in with Apple

When you create an account, we use Apple’s Sign in with Apple service. Depending on your choices, we receive: your name (which you can edit before sharing); your email address (either your real email or a private relay address generated by Apple if you choose “Hide My Email”); and a unique account identifier assigned by Apple. We do not receive your Apple ID password, payment information, or any other Apple account details.

Activity data generated by your use of the App

As you use Flourishing, the App creates records of your activity. This includes: philosophy course progress and lesson completions; quiz results and performance ratings used for difficulty scaling; deep work timer sessions; streak data; habit tracking records; and virtue development progress. This data is stored locally on your device. If you enable cloud backup, it is synced to our cloud servers so you can restore your progress if you change devices or reinstall the App.

Wellness and self-reflection data (sensitive data)

Certain features generate data that may be considered sensitive under privacy laws because it relates to your physical or mental well-being. This includes: mood and eudaimonia check-in ratings; fasting tracking logs (duration and completion); and meditation session logs.

Flourishing is not a medical device, health app, or diagnostic tool. We do not combine this data with any health sensors, wearable devices, or medical information. This data reflects personal self-reflection activities, not clinical measurements. Nevertheless, because regulators may classify such data as health-related, we treat it with heightened protection:

  • We collect and sync this data to our servers only with your explicit, separate consent, which you can grant or withdraw at any time in the App’s settings.
  • We never use this data for advertising, profiling, or behavioral targeting.
  • We never share this data with data brokers, insurers, employers, or any third party other than our cloud infrastructure provider (Firebase/Google) acting as a data processor on our behalf.
  • If you decline to sync this data, it remains stored only on your device and is never transmitted to our servers. All wellness features continue to function normally in local-only mode.

Information collected automatically

When you use the App, our technical services automatically collect certain data. We use Google Firebase to provide cloud backup, authentication, analytics, and crash reporting. The specific data collected depends on whether you have opted in to analytics (see Section 4).

For all users (required for the App to function): device type and operating system version; your IP address (processed transiently for security, authentication, and approximate geographic region — not stored long-term by us, though Firebase Auth retains logged IP addresses as part of its security features).

For users who opt in to analytics: app usage patterns such as which features you use, session frequency, and session duration; crash reports and performance data if the App encounters errors; Firebase app-instance identifier; and your device’s vendor identifier (IDFV). We do not collect the Advertising Identifier (IDFA) and have configured our app to exclude the AdSupport framework entirely.

Important: Firebase Analytics is not initialized until you provide consent. If you do not opt in to analytics (or if you later withdraw consent in Settings), no analytics identifiers are collected and no usage data is transmitted to Firebase Analytics.

Information we do not collect

We do not collect your precise location, contacts, photos, browsing history, or any biometric data. We do not access your device’s camera, microphone, or health sensors. We do not collect the IDFA. We do not collect your Apple ID password or payment card details — all subscription payments are processed entirely by Apple.

3. How we use your information

Providing the App

We use your account information to authenticate you and your activity data to deliver the core features of Flourishing: tracking your progress, maintaining streaks, providing difficulty scaling, and (if you enable it) syncing your data across devices via cloud backup. Difficulty scaling uses your quiz performance and ELO rating to adjust content difficulty automatically on your device; this does not produce legal or similarly significant effects and you can reset your difficulty level at any time in Settings.

Analytics and app improvement

If you opt in, we collect usage patterns and crash reports to understand which features are most valuable, identify and fix technical problems, and improve the App. We analyze this data in aggregate form wherever possible.

Subscription management and fraud prevention

We maintain records of your app usage, including session timestamps and feature engagement, for a limited period to manage your subscription. We retain this data based on our legitimate interest in preventing fraudulent refund claims (GDPR Article 6(1)(f)).

Separately, if you request a refund through Apple, Apple may send us a consumption inquiry. We will only share usage data with Apple in response to such an inquiry with your consent (GDPR Article 6(1)(a)), as required by Apple’s guidelines. Your consent for this specific sharing is requested at the time of the inquiry or during onboarding, and you may decline.

Communications

If you contact us for support, we use your information to respond to your inquiry.

4. Legal basis for processing (EU, EEA, UK, and Switzerland)

Under the GDPR and UK GDPR, we process your personal data on the following legal grounds:

  • Contract performance (Article 6(1)(b)): Processing your account data, non-sensitive activity data, and cloud backup data is necessary to provide you with the Flourishing service. This includes authentication, progress syncing, and difficulty scaling.
  • Explicit consent for sensitive data (Article 9(2)(a)): We process wellness and self-reflection data (mood ratings, fasting logs, meditation logs) only with your explicit, informed consent, obtained through a clear opt-in mechanism in the App. You may withdraw this consent at any time through Settings without affecting the core functionality of the App.
  • Consent for analytics (Article 6(1)(a)): We collect analytics data only after you opt in. You may withdraw consent at any time through Settings, and we will cease analytics collection promptly.
  • Legitimate interest (Article 6(1)(f)): We retain limited usage logs (session timestamps, feature engagement) for fraud prevention and refund dispute resolution. We have assessed that this interest does not override your rights, because we minimize data, retain it for a limited period (90 days), and do not use it for profiling.
  • Consent for refund data sharing (Article 6(1)(a)): We share consumption data with Apple in response to refund inquiries only with your consent.
  • Legal obligation (Article 6(1)(c)): We may retain certain subscription status records as required by applicable tax and financial reporting laws.

5. How we share your information

We do not sell your personal data. We do not share your information for third-party advertising. We share your information only in the following limited circumstances:

Google Firebase

We use Google Firebase for account authentication (Firebase Auth), cloud data storage and backup (Cloud Firestore), and — if you opt in — analytics and crash reporting (Firebase Analytics, Crashlytics). Google acts as a data processor on our behalf under a Data Processing Agreement that includes Standard Contractual Clauses for international data transfers. Google is certified under the EU-US Data Privacy Framework. For details, see Google’s privacy policy at policies.google.com/privacy and Firebase’s privacy documentation at firebase.google.com/support/privacy.

Apple

If you request a refund for your subscription, Apple may send us a consumption inquiry. With your consent, we may share usage data (such as how actively you have used the App) with Apple to respond to this inquiry. Apple processes all subscription payments and has its own privacy practices described at apple.com/legal/privacy/.

Legal requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect our rights, privacy, safety, or property.

We do not share your data with data brokers, advertisers, or any other third parties.

6. Cloud backup and data storage

Local storage

All of your activity data is stored locally on your device by default. The App functions fully offline without an account or cloud connection. Difficulty scaling, habit tracking, and all training features work entirely on-device.

Cloud sync

If you enable cloud backup, your activity data is synced to our cloud servers. The location of your data depends on the Firebase service:

  • Cloud Firestore (your activity data): We have configured our database in the eur3 multi-region (Belgium, Netherlands, with a witness region in Finland — all within the EU).
  • Firebase Authentication (your account identifier, email, name): Processed in the United States. This cannot be changed and applies to all Firebase Auth users globally.
  • Firebase Analytics and Crashlytics (if opted in): May process data in the United States or other locations depending on Google’s infrastructure.

This means some of your personal data is transferred to the United States. These transfers are protected by Google’s certification under the EU-US Data Privacy Framework and Standard Contractual Clauses incorporated into our Data Processing Agreement with Google.

Encryption and isolation

All data transmitted between your device and our servers is encrypted using HTTPS/TLS. Data stored in Cloud Firestore is automatically encrypted at rest using AES-256 encryption. Your data is protected by Firestore Security Rules that ensure only your authenticated account can access your data. No other users can view your information.

7. Data retention

We retain your data for as long as your account is active, plus the following periods after account deletion or data removal:

  • Account and activity data: Deleted promptly upon your request. Google may take up to 180 days to fully purge data from backup systems.
  • Detailed usage data (session timestamps, feature engagement): Retained for 90 days for service improvement and refund dispute purposes, then deleted.
  • Aggregated analytics (non-identifiable statistics): Retained for up to 24 months.
  • Crash reports: Automatically deleted after 90 days.
  • Subscription status records (purchase validation tokens and subscription state — not payment card details or billing addresses, which we never possess): Retained for up to 10 years as required by applicable tax and accounting laws.

We have configured Firebase Analytics to retain user-level analytics data for no longer than 14 months, with the “reset on new activity” setting disabled. This means user-level data is deleted 14 months after the last data point, regardless of whether the user continues to be active.

8. Your rights

Depending on your location, you have some or all of the following rights regarding your personal data:

  • Access. You can request a copy of the personal data we hold about you.
  • Correction. You can request that we correct inaccurate data.
  • Deletion. You can delete your account and all associated data at any time through the App’s Settings. You can also request deletion by contacting us. We will process your request without undue delay and within 30 days at most.
  • Data portability. You can request your data in a structured, machine-readable format (JSON).
  • Restriction and objection. You can request that we restrict processing of your data or object to processing based on legitimate interest.
  • Withdraw consent. Where processing is based on consent (including sensitive data and analytics), you can withdraw it at any time through the App’s Settings. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
  • Lodge a complaint. If you are in the EU/EEA, you have the right to lodge a complaint with your local Data Protection Authority. If you are in the UK, you may contact the Information Commissioner’s Office (ICO).

To exercise any of these rights, contact us at developer@i2.ai or use the in-app privacy request form in Settings. We will respond within 30 days (or within the timeframe required by applicable law).

9. Children’s and teen privacy

Flourishing is designed for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you are under 13, please do not use the App or provide any information.

If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information as quickly as possible. If you believe a child under 13 has provided us with personal data, please contact us immediately.

Users aged 13 to 17

We apply privacy-protective defaults for all users. In the European Union and UK, the age at which a minor can independently consent to data processing varies by country (from 13 to 16). If we learn that a user is below the applicable age of digital consent in their country, we will disable optional analytics collection and request parental or guardian authorization before enabling any consent-based data processing (including syncing of wellness data).

We do not currently collect date of birth during account creation. If we implement age verification in the future, this policy will be updated accordingly. In the absence of age verification, we apply our most restrictive data practices by default: analytics are opt-in (not pre-enabled), and wellness data sync requires a separate explicit consent step.

For parents and guardians

You may contact us at any time to review, correct, or delete your child’s personal data, or to withdraw consent for further collection. We will honor such requests promptly.

10. Automated personalization

Flourishing uses your quiz performance and training results to automatically adjust content difficulty (via an ELO-based rating system). This personalization is performed entirely on your device and does not produce legal or similarly significant effects. You can view your current difficulty level and reset it at any time in the App’s Settings.

11. Additional information for California residents

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) may provide you with additional rights, depending on applicable thresholds:

  • Right to know. You may request disclosure of the categories and specific pieces of personal information we have collected, the sources, the purposes, and the third parties with whom we share it.
  • Right to delete. You may request deletion of your personal information, subject to certain exceptions.
  • Right to correct. You may request correction of inaccurate personal information.
  • Right to opt out of sale or sharing. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information. Mood ratings, fasting logs, and meditation data may constitute “sensitive personal information” under CPRA. We use this data only to provide the App’s core features and do not use it for profiling or advertising. You may limit the use of sensitive personal information by disabling wellness data sync in Settings.
  • Right to non-discrimination. We will not discriminate against you for exercising any privacy rights.

Categories of personal information we collect (as defined by CCPA): Identifiers (account ID, email address, name); Internet or electronic network activity (usage data, feature engagement, crash reports); and Inferences drawn from the above (difficulty scaling, progress tracking).

To exercise your California privacy rights, contact us at developer@i2.ai or use the in-app privacy request form in Settings. We will verify your identity before processing your request.

12. International data transfers

If you are located outside the United States, some of your personal data may be transferred to and processed in the United States through Firebase services (see Section 6 for per-service locations). We protect these transfers using:

  • Google’s certification under the EU-US Data Privacy Framework, the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework
  • Standard Contractual Clauses approved by the European Commission, incorporated into our Data Processing Agreement with Google
  • Technical safeguards including encryption in transit (HTTPS/TLS) and at rest (AES-256)

Some Firebase services may process data in the United States or other locations depending on the specific service and Google’s infrastructure. We have documented the known processing locations in Section 6.

13. Data security

We implement appropriate technical and organizational measures to protect your personal data, including: encryption of data in transit (HTTPS/TLS) and at rest (AES-256); authentication via Sign in with Apple with token-based security; Firebase Security Rules enforcing strict user-level data isolation; access controls limiting who can access the Firebase project; and regular review of our security practices.

While we take reasonable measures to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security.

14. Contact us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about our data practices, you may contact us by:

  • Email: developer@i2.ai
  • In-app: Settings → Privacy → Submit a Request
  • Mail: I2 AI, [Insert mailing address]

If you are in the EU/EEA or UK and have concerns about our data processing, you also have the right to contact your local Data Protection Authority or the UK Information Commissioner’s Office.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by: updating the “Effective Date” at the top of this policy; providing a notice within the App; and, where required by law, obtaining your consent to the changes.

We encourage you to review this policy periodically. Your continued use of the App after changes are posted constitutes acceptance of the updated policy, except where consent is required by law.