DRAFT — This document is a placeholder and has not been reviewed by legal counsel. It does not ensure GDPR or other regulatory compliance. Do not rely on this for compliance purposes until reviewed and approved by a qualified attorney.

Privacy Policy

Last updated: March 7, 2026

Mylestone (“we”, “our”, or “us”) is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, and your rights in relation to it.

1. Information We Collect

We collect the following categories of personal data:

Account information: your name, email address, and any profile details you voluntarily provide.
Content you upload: photos, videos, text notes, and milestone data you create while using the Service.
Usage data: pages visited, features used, and interaction patterns, collected to improve the Service.
Payment information: billing details are processed securely by Stripe. We do not store full card numbers.
Technical data: IP address, browser type, device information, and server log data.
Authentication data: if you sign in via Google, Apple, Facebook, or X (Twitter), we receive your name and email address from those providers.

2. How We Use Your Information

We process your personal data to:

Create and manage your account.
Provide, operate, and improve the Service.
Process payments and manage subscriptions.
Send transactional emails (account confirmation, password reset, billing notices).
Generate AI-powered progress insights from the content you upload (see Section 3 below).
Troubleshoot issues and ensure security.
Comply with legal obligations.

Legal basis (GDPR): Processing is based on contract performance (to deliver the Service), legitimate interests (security, fraud prevention, service improvement), and consent where required. [Placeholder — confirm legal bases with legal counsel.]

3. AI Processing

Content you upload (images, text) is processed by AI models to generate progress analysis. This processing is performed solely on your behalf to deliver the core Service features. We do not use your content to train AI models without your explicit consent. [Placeholder — confirm AI data handling with your AI providers.]

4. Sharing and Disclosure

We do not sell your personal data. We may share data with the following categories of recipients:

Infrastructure and service providers: Supabase (database and authentication), Stripe (payments), and AI model providers. Each is bound by a data processing agreement.
Legal requirements: when required by applicable law, regulation, court order, or to protect the rights and safety of us or others.
Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.

5. Your Rights (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights:

Access: request a copy of the personal data we hold about you.
Rectification: request correction of inaccurate or incomplete data.
Erasure:request deletion of your personal data (“right to be forgotten”).
Restriction: request that we restrict how we process your data.
Portability: receive your data in a structured, machine-readable format.
Objection: object to processing based on legitimate interests.
Withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@mylestone.app. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority.

6. Data Retention

We retain your personal data for as long as your account is active. When you delete your account, your data is scheduled for deletion within 30 days, except where we are required to retain it for legal or regulatory reasons. [Placeholder — confirm retention periods before going live.]

7. International Transfers

Our service providers may process data outside your country of residence. Where we transfer data from the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses. [Placeholder — confirm transfer mechanisms with legal counsel.]

8. Security

We implement industry-standard security measures including TLS encryption in transit and encryption at rest. However, no system is completely secure. We recommend using a strong, unique password and enabling two-factor authentication in your account settings.

9. Cookie Policy

Cookies are small data files placed on your device when you visit our website. We use cookies for the following purposes:

Essential Cookies

Required for authentication and session management. Without these cookies, you cannot sign in or use protected features. These cookies cannot be disabled.

Functional Cookies

Remember your preferences such as theme (light or dark mode) and language settings.

Analytics Cookies

We use Azure Application Insights (Microsoft) to collect anonymized usage data and performance metrics. This helps us understand how users interact with the Service, identify errors, and improve performance. Data collected includes:

Page views and navigation patterns
Time spent on pages
Browser type, device information, and screen resolution
Performance metrics (page load times, Core Web Vitals)
JavaScript errors and unhandled exceptions
API request performance and success rates

Application Insights does not collect personally identifiable information or link analytics data to your account. This data is retained according to Microsoft's standard retention policies. For more information, see the Microsoft Privacy Statement.

Third-Party Cookies

Our service providers may set their own cookies as part of delivering their services. Please refer to their respective privacy policies for details:

Stripe (payment processing): Stripe Privacy Policy
Supabase (authentication and database): Supabase Privacy Policy
Microsoft Azure (Application Insights analytics): Microsoft Privacy Statement

Managing Cookies

You can control non-essential cookies through your browser settings. Note that disabling essential cookies will prevent you from signing in to the Service. For more information on managing cookies, visit allaboutcookies.org.

10. Children's Privacy

The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected such data, we will delete it promptly. If you believe your child has provided us with personal data, please contact us at privacy@mylestone.app.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will post any changes on this page and update the “Last Updated” date above. For significant changes, we will provide notice via email or a prominent notice on the Service.

12. Contact

For privacy-related questions, requests, or complaints, please contact us at privacy@mylestone.app.

Data Controller: Mylestone — privacy@mylestone.app [Placeholder — add registered address and legal entity name before going live.]