Privacy Policy for AffirmateMe

Last updated: May 29, 2026

1. Introduction

This Privacy Policy explains how AffirmateMe (the "App") processes personal data and other information in connection with the App and related services.

AffirmateMe is a wellness and motivational content app. The App does not require account registration, and it does not ask users to submit their name, email address, phone number, postal address, contacts, camera data, microphone recordings, precise location, or photo library content in order to use its core features.

This Privacy Policy is intended to satisfy the transparency requirements that apply under the General Data Protection Regulation ("GDPR") and other applicable privacy laws. It describes:

who controls the processing
what data is processed
why the data is processed
the legal bases we rely on
who may receive the data
how long the data is kept
what rights users may have

2. Data Controller

Unless another controller is clearly identified for a specific service, the controller for personal data processed through the App is:

Viacheslav Shkurychev
conducting business under the name Napoka Systems
business address: Swieradowska, 51-57, 50-559, Wroclaw, Poland
privacy contact email: kluj.napoku@gmail.com

We have not publicly identified a separate data protection officer for the App. If that changes, we will update this Privacy Policy.

If you have questions about this Privacy Policy or want to exercise privacy rights, please contact the controller using the details above.

3. Personal Data We Process

We process different categories of data depending on how you use the App.

A. Data stored locally on your device

The App stores your settings and preferences locally on your device, including:

selected affirmation and quote topics
reminder time preferences
theme choice and other app preferences
premium status flags
a pseudonymous app token generated for the App

B. Data sent to our backend or infrastructure

When App features are used, the App may transmit data to our backend, including:

a pseudonymous app token used to recognize the device record on our backend
device and request technical data, such as timezone, language settings, the App version
your content and reminder preferences, such as selected topics and reminder time settings
a push-notification registration token used to deliver reminders and notifications
subscription validation data used to confirm and manage premium access
security and anti-abuse verification data, currently used in observation mode to assess App and device integrity and possible future enforcement
app usage and engagement events, sent to our backend for first-party usage measurement under the applicable analytics collection and consent settings

Our backend keeps a device-level record associated with the pseudonymous app token so that it can deliver content, reminders, and device authentication. The specific data fields held in that record may change as the App evolves; the categories of data and the purposes for which they are used are described in this Privacy Policy, and the current set of recipients and processing locations is published on the providers and recipients page referenced in Section 10.

C. Data processed by SDKs, platforms, and service providers

The App uses third-party SDKs and platform services that may process data such as:

device and app metadata
identifiers assigned by SDKs, platforms, or your device
network and diagnostic information, which may include IP address and approximate location inferred from network data where applicable
crash and error diagnostics
usage and engagement events
backend technical logs and metrics
notification delivery data
advertising and consent-related signals
subscription and billing-related data
fraud, abuse, or other security signals

The specific service providers and other recipients involved, their roles, the categories of data each receives, the location of processing, and the transfer mechanism that applies are listed on the providers and recipients page referenced in Section 10.

D. Topic preferences and potentially sensitive themes

Some topic selections may relate to personal interests or preferences, including themes such as well-being, relationships, faith, or health-oriented content. We use these selections only to return the content you request and to personalize your App experience.

We do not use the App to create a medical record, diagnose medical conditions, or make decisions producing legal or similarly significant effects. We do not intentionally use topic selections to infer sensitive-category facts beyond what is necessary to deliver the content you choose to receive.

4. Sources of the Data

We collect personal data:

directly from you when you select topics, choose reminder settings, buy a subscription, or interact with consent and privacy choices
automatically from your device and the App when content is requested, notifications are configured, or security and diagnostics events occur
from Google where needed to validate subscriptions, deliver notifications, or manage ads and consent status

5. Purposes of Processing and Legal Bases

Where the GDPR applies, we rely on one or more of the following legal bases under Article 6 GDPR:

performance of a contract under Article 6(1)(b)
legitimate interests under Article 6(1)(f)
consent under Article 6(1)(a)
compliance with legal obligations under Article 6(1)(c)

We generally use the data described above for the following purposes:

to provide affirmations, quotes, meditations, audio playback, and other App content legal basis: performance of a contract
to remember your settings, selected topics, theme, and feature preferences legal basis: performance of a contract
to generate and manage the device token used for authenticated App requests legal basis: performance of a contract and legitimate interests in securing the service
to schedule and support reminder notifications using timezone, reminder time, and push-notification registration data legal basis: performance of a contract
to validate, manage, restore, and support premium subscription access legal basis: performance of a contract and compliance with legal obligations where required for financial or tax records
to request, measure, and support ad-funded features and to store or honor ad-consent choices legal basis: consent where required by law and legitimate interests in operating an ad-supported service where permitted
to measure usage, monitor performance, fix bugs, investigate crashes, and improve reliability legal basis: legitimate interests, or, for users shown the European regulations (GDPR) consent message (typically users in the EEA, the United Kingdom, or Switzerland), consent under Article 6(1)(a). For those users, crash reporting, usage analytics, and first-party usage measurement are disabled by default and are enabled only after you give the corresponding consent. The consent mechanics for each of these and how to change your choices are described in Section 7.
to observe security and integrity signals, protect the App, users, and infrastructure against fraud, abuse, and other security risks, and assess whether stricter integrity enforcement should be enabled later legal basis: legitimate interests
to keep operational logs, monitor incidents, and alert maintainers about service failures or security events legal basis: legitimate interests
to comply with legal obligations, enforce rights, and handle disputes or claims legal basis: legal obligation and legitimate interests

Where we rely on legitimate interests, those interests generally include operating, securing, maintaining, and improving the App and defending legal claims.

6. Whether You Must Provide the Data

You do not need an account to use the App, and most of the data described above is generated automatically as you use the App rather than actively submitted by you. Some features, however, only work if the data they depend on is available:

to receive daily content, the App needs your selected topics and timezone
to receive reminders, the App needs your reminder time, timezone, and a push-notification registration
to unlock and keep premium access, your subscription purchase must be validated
to use ad-supported free features, your ad-consent or privacy choices must allow ads to be shown

If the data a feature depends on is not available — for example, because you decline a permission or choice, or do not complete a purchase — that feature may not work, or may work only in a limited way.

7. Advertising and Privacy Choices

The App uses Google AdMob and Google's User Messaging Platform ("UMP") to help present and manage certain advertising-related privacy notices, consent prompts, and privacy options.

Whether such notices, prompts, or options are shown may depend on your region, applicable law, and the configuration of the privacy messages used in the App.

Your privacy choices may affect whether certain ads can be requested or shown. Some free features of the App depend on ad-supported flows, so declining or changing certain advertising-related choices may affect access to those free features.

You can review or update your advertising-related privacy choices from within the App through the privacy options flow. This flow is available to users shown the European regulations consent message (typically users in the EEA, the United Kingdom, or Switzerland), where applicable law requires it; in other regions it may not be shown. You may also be able to use device-level controls provided by Android or Google.

The UMP consent message also governs crash reporting in the App. For users shown the European regulations consent message (typically users in the EEA, the United Kingdom, or Switzerland), Google Firebase Crashlytics is used only after you give consent for the "Develop and improve services" purpose in that message. Crash reporting is disabled by default for those users and is enabled only after consent is granted. You can change this choice at any time through the privacy options entry point in the App; if you revoke consent, crash reporting stops and any locally stored pending crash reports are discarded. For users outside those regions, crash reporting is enabled by default in line with the legitimate interests basis described in Section 5.

The UMP consent message also governs analytics collection in the App. The App uses Google Consent Mode to gate Google Firebase Analytics on a per-purpose basis covering analytics storage, advertising storage, ad user data, and ad personalization. For users shown the European regulations consent message, these purposes default to denied; analytics and related advertising data are processed only after you accept the corresponding purposes in that message, and the choice is communicated to Google's services through the IAB Transparency and Consent Framework. You can change these choices at any time through the privacy options entry point in the App; if you revoke a purpose, processing tied to that purpose stops. For users outside those regions, the analytics and advertising storage purposes are granted by default in line with the legitimate interests basis described in Section 5; ad user data and ad personalization remain governed by Google's region-based consent policy.

The UMP consent message also governs first-party usage measurement processed on our own backend infrastructure. For users shown the European regulations consent message, this measurement is disabled by default and is enabled only after you give consent for the "Measure content performance" purpose in that message. You can change this choice at any time through the privacy options entry point in the App; if you revoke consent, first-party usage measurement on our backend stops for the App on that device. For users outside those regions, this measurement is enabled by default in line with the legitimate interests basis described in Section 5.

If processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect processing that took place before withdrawal.

8. Push Notifications

If you enable reminders or notifications, the App may use your notification permission together with your push-notification registration data, reminder time, and timezone to support notification delivery and reminder scheduling.

If you do not want to receive notifications, you can disable them in your device settings.

9. Subscriptions and Payments

Premium purchases and subscription payments are processed through Google Play, not directly by us.

To enable and validate premium access, the App and our backend may process purchase-related identifiers and subscription metadata, including subscription purchase identifiers and status information. This processing is used to confirm entitlement, manage premium access, and support subscription-related functionality.

We process this data only to the extent needed to confirm and manage your entitlement, and retain it as described in Section 12 (Data Retention).

Google Play and related Google services process data under their own terms and privacy documentation.

10. Sharing and Recipients

We may share personal data with recipients or categories of recipients such as:

backend infrastructure, database, and content delivery / edge proxy providers supporting the App
analytics and measurement providers
crash reporting and diagnostics providers
push messaging and notification providers
advertising and consent-management providers
subscription and billing platforms
public authorities, advisors, or counterparties where required by law or necessary to establish, exercise, or defend legal claims

We share data only to the extent reasonably necessary for the purposes described in this Privacy Policy.

A current list of the specific service providers and other recipients used in connection with the App, including their roles, the categories of data each receives, the location of processing, and the transfer mechanism that applies, is published at Processors and Recipients page, We update that page when material providers or recipients are added, replaced, or removed.

11. International Transfers

The App and its service providers may process personal data in countries other than the country where you are located, including outside the European Economic Area ("EEA"). In particular, some of our analytics, advertising, content delivery, and infrastructure providers process data in the United States.

Processing personal data outside the EEA is permitted under the GDPR when the data is protected by appropriate safeguards; what matters is not the location itself, but whether your data keeps a level of protection essentially equivalent to that guaranteed within the EEA. Where required by applicable law, we rely on one or more of the following safeguards for such transfers:

Adequacy decisions, including the EU-U.S. Data Privacy Framework. Where a U.S. provider is certified under this framework, the European Commission has formally decided that it offers an adequate level of data protection, so the transfer is treated like a transfer to an area with comparable protection and no additional measures are required.
Standard contractual clauses ("SCCs") approved by the European Commission, combined with any additional technical and organizational measures needed for the specific transfer. We rely on these where an adequacy decision does not apply, and they remain available as a fallback if an adequacy decision is later changed or withdrawn.

So where your data is processed outside the EEA, including in the United States, it is handled under one of these recognized safeguards rather than without protection.

The specific transfer mechanism that applies to each listed provider or recipient is shown on the published providers and recipients page referenced in Section 10.

You may contact us if you want more information about, or a copy of, the safeguards used for a particular transfer.

12. Data Retention

We retain personal data for as long as reasonably necessary for the purposes described in this Privacy Policy.

In practice, this generally means:

data stored locally on your device remains there until it is updated, overwritten, cleared through your device settings, or removed when you uninstall the App
backend device records are retained for as long as needed to provide content history, reminders, device authentication, fraud prevention, security, and troubleshooting, and in any case are automatically deleted by our backend after the device has been inactive for more than twelve months
push-notification registration data, reminder data, and device-level settings may be removed or overwritten when they become invalid, are replaced, or are no longer needed for the feature
security and anti-abuse verification data is currently used in observation mode and may be kept in diagnostic or analytics systems for reliability, fraud-prevention, anti-abuse monitoring, and assessing possible future enforcement
backend operational logs, metrics, and backend analytics event logs stored within our backend infrastructure are retained for up to one year
analytics, crash, consent, and billing records may be retained for operational, compliance, accounting, fraud-prevention, and legal-defense purposes for the period reasonably required by us or the relevant provider

We may retain certain information longer where required by law, needed for legal claims, or kept in backups and disaster-recovery systems for a limited period.

13. Privacy Center, Data Export, and Deletion

The App provides a privacy center within the App settings for all users.

Through that privacy center, you can:

view this Privacy Policy
export data associated with the App
delete data associated with the App
access advertising-related privacy options through the in-App privacy options flow, where required by applicable law (currently for users shown the European regulations consent message)
contact us about other privacy questions or requests

Because the App does not use accounts and your data is associated only with a pseudonymous on-device identifier, deletion is provided as a self-service action within the App. When you delete your data, the App removes the backend device-level record associated with the App and clears the App data stored locally on your device in a single step, and this takes effect immediately.

Data export provides the data held in the backend device-level record associated with the App.

Some information may nevertheless be retained where required by law, necessary for fraud prevention or security, needed to establish, exercise, or defend legal claims, or retained for limited backup and disaster-recovery purposes.

Step-by-step instructions for deleting your data are also published at Data deletion page.

14. Security

We use technical and organizational measures designed to protect data processed through the App. These measures may include encrypted communications, access controls, logging, monitoring, and other security safeguards.

No method of transmission, storage, or security control is guaranteed to be completely secure, and we cannot guarantee absolute security.

15. Automated Decision-Making

The App uses automated logic to personalize content based on your selected topics and settings, and to operate advertising and subscription flows (for example, ad selection and subscription validation). Where advertising involves profiling, it is governed by your consent and privacy choices as described in Section 7.

We do not carry out solely automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.

16. Your Rights

Depending on your location and applicable law, you may have rights regarding your personal data, including the right to:

request access to your personal data
request rectification of inaccurate data
request erasure of personal data
request restriction of processing
object to processing based on legitimate interests
request portability where applicable
withdraw consent where processing is based on consent
lodge a complaint with a supervisory authority

Because the controller is established in Poland, you may lodge a complaint with the President of the Personal Data Protection Office (UODO). You may also lodge a complaint with the supervisory authority in the EU/EEA country where you live or work, or where the alleged infringement took place.

You can exercise available controls by:

using the privacy center made available in the App settings
contacting us at kluj.napoku@gmail.com
uninstalling the App
clearing App data using your device settings
disabling notifications in device settings
changing privacy or advertising choices where the App provides those controls
managing subscriptions through Google Play

The App provides self-service access (data export) and erasure (data deletion) tools, which you can use directly from the privacy center in the App settings. You can also correct or update much of your data — such as your selected topics, reminder settings, theme, and other preferences — by editing it directly in the App.

For rights that do not have a dedicated in-App control — including restriction of processing, objection to processing based on legitimate interests, and rectification of data you cannot edit yourself — you can contact us at kluj.napoku@gmail.com, and we will act on your request in accordance with applicable law. Contact-based requests also remain available for any other privacy questions or complaints.

We may need to verify your identity before acting on a request. Because the App does not use accounts, your data is identified by a pseudonymous device token. When you use the in-App "contact us" option to send a privacy request by email, the App automatically includes this token in your message, which lets us locate the corresponding device record. If you contact us by other means, we may ask you to provide this token. As permitted under Article 11(2) GDPR, where we cannot identify your data using the information provided, some rights may not apply unless you give us additional information that enables identification.

Where the GDPR applies, we generally respond without undue delay and within one month of receiving a valid request, subject to extensions permitted by law.

17. Minors

The App is intended for adult users and is not directed to individuals under 18 years of age. We do not knowingly collect personal data from individuals under 18.

If we become aware that personal data has been collected from an individual under 18, we will take reasonable steps to delete that data and to stop any associated processing. Because the App does not use accounts and data is associated only with a pseudonymous on-device identifier (see Section 13), such data is deleted using the same installation-level deletion mechanism, which removes the backend device-level record and clears the data stored on that device.

If you are a parent or legal guardian and believe that a minor has provided personal data through the App, you can delete that data directly using the in-App deletion option on the child's device, or contact kluj.napoku@gmail.com so that we can investigate and assist. Because the data is pseudonymous and is not linked to identity, we may need information that helps identify the relevant app installation in order to act on a request sent by email.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date above. Material changes may also be communicated through the App or by other appropriate means where required.

19. Contact

For privacy questions, requests, or complaints, please contact us at kluj.napoku@gmail.com. The full identity and address of the controller are set out in Section 2 (Data Controller).