In short
Settl is built to keep your practice private. Almost everything you do in the app — your profile, your moods, your meditation and breathwork history, the personalized sessions you create — lives on your device and syncs to your own private iCloud, which we cannot read. We run no advertising and no cross-app tracking. The only time your information leaves your device is to deliver something you asked for: an Apple sign-in, a subscription, streamed audio, an AI-generated meditation, or a message you send our support team — plus anonymous crash reports and anonymous usage statistics (you can turn the usage statistics off in Settings) that help us keep the app stable and improve it. This policy explains exactly what happens, why, and what you can do about it.
This is the long version. We've put a one-line plain-language summary at the top of every section, then the precise legal detail underneath.
Contents
- Who we are
- Scope, and a few definitions
- The short version of how Settl handles data
- What we collect, and how
- Why we process it — purposes and legal bases
- Special-category (health and mood) data
- Who we share it with — third parties and sub-processors
- The personalized-meditation pipeline, explained in full
- International data transfers
- How long we keep things
- Security
- What we do not do
- Your rights
- US state privacy notices
- Children
- Deleting your account and data
- Changes to this policy
- How to reach us
1. Who we are
In short: Settl is run by a Polish sole proprietorship. We are the data controller, and you can complain to the Polish data-protection authority if you're unhappy with how we handle your data.
Settl ("Settl", "we", "us", "our") is an iOS app for guided meditation, breathwork, and AI-personalized meditation. The app is provided by:
- Genesso FMCG Jacek Kotowski, a sole proprietorship (jednoosobowa działalność gospodarcza) trading as "Settl"
- Registered address: al. Katowicka 7, Wolica 05-830, Poland
- Contact: hello@settl.co
- Website: settl.co
For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") and the corresponding Polish data-protection law, we are the data controller for the personal data described in this policy.
We are established in Poland (an EU Member State), so we are not required to appoint an EU representative under Article 27 GDPR.
We have not appointed a formal Data Protection Officer; we are not legally required to. A privacy contact handles all requests at hello@settl.co.
Your right to complain. If you believe we have handled your personal data unlawfully, you may lodge a complaint with the Polish supervisory authority:
- Prezes Urzędu Ochrony Danych Osobowych (UODO) — President of the Personal Data Protection Office
- ul. Stawki 2, 00-193 Warszawa, Poland
- uodo.gov.pl
If you live in another EU/EEA country, you may also complain to your local supervisory authority. We'd appreciate the chance to resolve things first — please reach out to hello@settl.co.
2. Scope, and a few definitions
In short: This policy covers the Settl iOS app and our website. A few plain definitions so the rest reads clearly.
This policy applies to the Settl iOS app and the settl.co website. It works alongside our Terms of Service (settl.co/terms), which govern your use of Settl. It does not cover third-party services you reach through Settl (for example, Apple's iCloud or the App Store), which are governed by their own privacy policies.
A few terms used below:
- Personal data — any information relating to an identified or identifiable person.
- Special-category data — sensitive data given extra protection under GDPR Article 9, including data concerning health. We treat your mood entries, your typed reflections, and any health-related inputs as special-category data.
- Processor / sub-processor — a company that processes data on our behalf and under our instructions (for example, a hosting provider).
- On-device — stored locally on your iPhone or iPad.
- Your iCloud (CloudKit private database) — Apple's encrypted iCloud storage tied to your Apple ID. We use it to sync your data across your own devices. It is your storage; we cannot read it.
3. The short version of how Settl handles data
In short: Most of your data never reaches us. There is no Settl account server. We can't see your practice history, your moods, or your reflections.
Settl is unusual, so it's worth stating plainly up front:
- There is no Settl-owned account backend. When you sign in or build up a practice history, that information is stored on your device and synced to your own private iCloud (the
iCloud.co.settl.appprivate database). We, the provider, cannot read that database. - Your credentials stay with you. Sign in with Apple and email/password sign-in are handled on-device, with secrets stored in the device Keychain and your iCloud. We do not operate a login server that holds your password.
- The only data that reaches our systems is what's needed to deliver something you asked for — a subscription (via Apple and RevenueCat), streamed guided audio (via Cloudflare), an AI-personalized meditation (via our stateless generation backend, Anthropic, and ElevenLabs), and any message you send us through email or the in-app support form (relayed via Resend to our inbox, where we receive and keep it to reply) — plus anonymous crash and diagnostic reports sent to our error-monitoring provider (Sentry) when the app hits a problem, and anonymous usage statistics sent to our analytics provider (PostHog), which you can turn off in Settings. Each of these is explained in Sections 4.6, 4.7, 4.8, 7, and 8.
- We run no advertising or attribution code, and we do not track you across apps or websites. We use two privacy-minimized tools: Sentry captures anonymous crash and error reports so we can fix bugs, and PostHog counts anonymous usage events (like "a practice was completed") so we can see what helps — neither collects an advertising identifier, links data to your identity, or tracks you across apps, and you can turn usage analytics off in Settings (Sections 4.7, 4.8, 7).
The rest of this policy is the detail behind those statements.
4. What we collect, and how
In short: Here's everything Settl handles, grouped by category, and how each item is collected. Most of it stays on your device and in your own iCloud.
We organize what Settl handles into the categories below. For each, "how collected" tells you whether it comes directly from you, is generated as you use the app, or comes from a third party (such as Apple).
4.1 Identity and account data
| Data | How collected | Where it's stored | Does it reach us? |
|---|---|---|---|
| Apple user identifier | From Apple, when you use Sign in with Apple | On-device + your iCloud; also used as your RevenueCat app-user ID | Only as an identifier shared with RevenueCat (Section 7); we do not hold an account record |
| Name (first/last) | From Apple, or typed by you | On-device + your iCloud | Only your first name — sent to generate a personalized meditation by default, unless you turn off name-addressing (Section 8) |
| Email address | From Apple (which may be a private relay address) or typed by you | On-device + your iCloud | No — it is not sent to any Settl server |
| Email-sign-in password | Typed by you | Device Keychain only | No |
| Date of birth | Typed by you during onboarding | On-device + your iCloud | No |
| Profile photo | Picked by you from your photo library | On-device + your iCloud | No |
We never block, de-prioritize, or treat differently an Apple private-relay email address.
4.2 Health and wellbeing data (special category)
Treated as GDPR Article 9 special-category data — see Section 6.
| Data | How collected | Where it's stored | Does it reach us? |
|---|---|---|---|
| Post-session moods and effectiveness ratings | Selected by you after a practice | On-device + your iCloud | No |
| "How are you right now?" state check-ins | Tapped by you | On-device + your iCloud | No |
| Your typed "what's on your mind" reflection (up to 1,000 characters) | Typed by you when creating a personalized meditation | On-device + your iCloud | Yes — sent transiently to generate that meditation (Section 8) |
| Mood-derived emotional state, chosen goal, and session choices | Selected by you in the personalized flow | On-device + your iCloud | Yes — sent transiently to generate that meditation (Section 8) |
| Mindful-minutes (HealthKit) | Written by Settl after a session, only if you enable the Apple Health toggle | Apple Health on your device (and your Health iCloud, if you sync it) | No — never sent to us or any third party |
4.3 Practice and usage data
All of this stays on your device and in your own iCloud; the data itself does not reach us. Separately, anonymous usage events (e.g. "a practice was completed") are counted by our analytics provider — see Section 4.8.
| Data | How collected | Where it's stored | Does it reach us? |
|---|---|---|---|
| Meditation, breathwork, and flow history (session type, narrator, soundscape, durations, timestamps) | Generated as you practice | On-device + your iCloud | No |
| Progression data (your "Stillness" level, totals, minutes practiced, streak/decay dates) | Generated as you practice | On-device + your iCloud | No |
| Liked/favorited practices | Tapped by you | On-device + your iCloud | No |
| Custom flows you build | Created by you | On-device + your iCloud | No |
| App preferences (default narrator and soundscape, haptic intensity, reminders, goals, daily-minutes goal, audio mix, hint state, the Apple Health toggle) | Set by you | On-device + your iCloud | No |
| Generated personalized-meditation script, summary, and audio file | Generated when you create a personalized session | On-device + your iCloud (audio stored as an encrypted iCloud asset) | The audio is downloaded from our backend once, then stored by you; the inputs were sent transiently (Section 8) |
| Offline-download bookkeeping | Generated when you cache audio | On-device only (never synced) | No |
| Launch and interface flags (e.g. whether you've completed onboarding) | Generated by the app | On-device only | No |
4.4 Device and network data
In short: When the app talks to a server, that server sees standard connection metadata, as any internet request does.
When Settl streams guided audio, generates a personalized meditation, sends a support message, transmits a crash/diagnostic report, or sends an anonymous usage event, the relevant server receives ordinary network metadata — for example your IP address, the requested file name, and your device's user-agent string — because that is how an HTTPS request works. Guided-audio streaming is anonymous: no account identifier, no cookies, no login. Our crash-reporting provider, Sentry, is configured not to store your IP address (Section 4.7), and our analytics provider, PostHog, discards IP addresses on its EU cloud (Section 4.8). See Sections 4.6, 4.7, 4.8, 7, and 8.
4.5 Purchase data
| Data | How collected | Where it's stored | Does it reach us? |
|---|---|---|---|
| Subscription receipt/transaction, purchased product IDs, entitlement status | From Apple's App Store when you subscribe | Apple and RevenueCat | We see entitlement status via RevenueCat; your payment card never touches Settl |
Your payment is processed entirely by Apple. Settl never sees or stores your card or payment details.
4.6 Support correspondence (when you contact us)
In short: If you email us or use the in-app "Contact support" form, your message and a few basic diagnostics reach us — we receive, read, and keep them so we can reply.
This is the one place in Settl where information you send is received and read by us, rather than staying on your device. When you email hello@settl.co or use the in-app Contact support form, the following is sent — through our Fly.io backend and our email-delivery provider Resend — to our support inbox, where we receive and store it to answer you and keep a record of the exchange:
| Data | How collected | Where it's stored | Does it reach us? |
|---|---|---|---|
| Your message (up to ~4,000 characters) | Typed by you | Our support inbox (delivered via Fly.io + Resend) | Yes — we receive, read, and keep it to reply |
| Your email address (so we can reply) | From you, or from your Apple sign-in | Our support inbox | Yes |
| Basic diagnostics (app version, device model, iOS version, subscription plan, locale) | Generated by the app and attached to your message | Our support inbox | Yes |
If your message describes how you're feeling, it may contain health- or mood-related details. We process those only to help you, on the basis of the explicit consent you give by choosing to send them (Section 6). We do not use support correspondence for any purpose other than handling your request.
4.7 Crash and diagnostic data
In short: When the app crashes or hits an error, it sends an anonymous technical report to our crash-monitoring provider, Sentry, so we can find and fix the problem. These reports carry no account identifier, no stored IP address, and none of your typed content.
To keep Settl stable, the app includes the Sentry crash- and error-monitoring SDK. When the app crashes or encounters an error, it sends a technical report to Sentry (stored in Sentry's EU region). We deliberately minimize what it contains:
| Data | How collected | Where it's stored | Does it reach us? |
|---|---|---|---|
| Crash reports, unhandled errors, and the technical stack trace | Generated automatically by the SDK when the app crashes or hits an error | Sentry (EU region) | Yes — anonymous |
| Basic device/app diagnostics (device model, OS version, app version) and a small sample of performance timings | Generated by the SDK | Sentry (EU region) | Yes |
| Breadcrumbs — a short trail of non-personal app events (e.g. "screen opened", "audio failed to load") before a crash | Generated by the SDK | Sentry (EU region) | Yes — no user text |
We configure Sentry for privacy: no account identifier (no Apple ID, email, or name) is attached, the IP address is not stored (both in the SDK and via Sentry's project setting), and none of your typed content — moods, reflections, personalized-meditation prompts, or support messages — is ever included. Sentry does not use this data to track you and feeds no advertising system. We process it on the basis of our legitimate interest in a secure, working app (Article 6(1)(f); Section 5).
4.8 Usage analytics
In short: The app counts a small set of anonymous usage events — like "a practice was completed" or "the paywall was viewed" — with our analytics provider, PostHog, so we can see which features help and where the app loses people. No account identifier, no stored IP address, no session recordings, none of your typed content — and you can turn it off in Settings.
To understand how Settl is used and to improve it, the app includes the PostHog analytics SDK, configured to send events to PostHog's EU cloud (hosted in Frankfurt, Germany). We deliberately minimize what it contains:
| Data | How collected | Where it's stored | Does it reach us? |
|---|---|---|---|
| Anonymous usage events (e.g. app opened, onboarding completed, a practice started or completed, the paywall viewed, a subscription or trial started, a personalized session generated) with basic event context (practice type, catalogue practice name, duration in minutes, plan) | Generated by the app at those moments | PostHog (EU cloud) | Yes — anonymous |
| Basic device/app context attached to events (device model, OS version, app version, locale) and a random per-install identifier | Generated by the SDK | PostHog (EU cloud) | Yes — anonymous |
We configure PostHog for privacy: events are anonymous — tied to a random per-install identifier, never your Apple ID, email, or name, and we never build user profiles from them; PostHog's EU cloud discards IP addresses; there is no session recording and no screen capture; and none of your typed content — moods, reflections, personalized-meditation prompts, or support messages — is ever included. A personalized meditation you create is counted only as "a personalized session was generated" — never its content. We process this data on the basis of our legitimate interest in understanding and improving the app (Article 6(1)(f); Section 5), and you can turn it off at any time in Settings → Integrations & Privacy → Usage analytics.
5. Why we process it — purposes and legal bases
In short: Every use has a lawful basis under GDPR. The sensitive parts (mood, health, your typed reflections) are only ever processed with your explicit consent.
We process personal data only where we have a legal basis to do so under Article 6 GDPR (and, for special-category data, Article 9). The table maps each purpose to its basis.
| Purpose | What it involves | Legal basis |
|---|---|---|
| Provide the app and your account | On-device storage, syncing to your own iCloud, signing you in, saving your profile and preferences | Article 6(1)(b) — performance of our contract with you (our Terms of Service) |
| Process your subscription | Validating purchases and managing your premium entitlement via Apple and RevenueCat | Article 6(1)(b) — contract |
| Generate a personalized meditation | Sending your chosen goal, mood-derived state, typed reflection, your first name (sent by default unless you turn name-addressing off), and choices to our backend, Anthropic, and ElevenLabs to produce a script and voice audio | Article 6(1)(a) consent — and, because these inputs are health-related, Article 9(2)(a) explicit consent (Section 6) |
| Record your moods, ratings, and state check-ins | Storing wellbeing inputs on-device/iCloud to power history and recommendations | Article 9(2)(a) explicit consent |
| Write mindful-minutes to Apple Health | Logging completed-session minutes, only when you enable the toggle | Article 6(1)(a) + Article 9(2)(a) explicit consent |
| Stream guided audio | Delivering catalogue audio over an anonymous HTTPS request | Article 6(1)(b) — contract |
| Respond when you contact support | Receiving your message, email address, and diagnostics via Fly.io and Resend, and keeping a record so we can reply | Article 6(1)(b) — handling your request under our Terms — and Article 6(1)(f) — our legitimate interest in keeping a support record; where your message contains health or mood details, Article 9(2)(a) explicit consent |
| Keep the service secure and working | Authenticating app-to-backend calls, preventing abuse, maintaining integrity | Article 6(1)(f) — our legitimate interest in a secure, functioning service |
| Understand how the app is used | Counting anonymous usage events (feature usage, practice completions, paywall views) via PostHog, with no account identifier and an in-app off switch (Section 4.8) | Article 6(1)(f) — our legitimate interest in improving the app; you can object at any time via the Settings toggle |
| Comply with the law | Meeting tax, accounting, and legal obligations connected to subscriptions | Article 6(1)(c) — legal obligation |
Withdrawing consent. Where we rely on consent, you can withdraw it at any time — by turning off the Apple Health toggle, by not using the personalized-meditation feature, or by deleting the relevant data (Section 13). Withdrawing consent does not affect processing that already took place.
No automated decisions with legal effect. The personalized-meditation feature generates content from your inputs; it does not make any decision about you that produces legal or similarly significant effects. There is no profiling for advertising.
6. Special-category (health and mood) data
In short: We treat your moods, your typed reflections, and any health inputs as sensitive data, processed only with your explicit consent. We never use it for advertising, we never use it to train AI, and we never sell it.
Because Settl is a meditation and breathwork app, some of what you enter reflects your emotional or mental state. We treat the following as special-category data under Article 9 GDPR:
- post-session moods and effectiveness ratings;
- "how are you right now?" state check-ins;
- your typed "what's on your mind" reflection;
- the mood-derived emotional state used to shape a personalized meditation;
- mindful-minutes written to Apple Health.
Most of this data — your moods, your state check-ins, and your typed reflections as you save them in the app — stays on your device and in your own iCloud and is never received by us, so we are not in a position to process it at all. The special-category data we actually process is narrower: the personalized-meditation inputs you submit (Section 8), the mindful-minutes you choose to write to Apple Health, and anything you volunteer in a support message (Section 4.6). For those, we rely on your explicit consent under Article 9(2)(a), given by a clear affirmative action — proceeding through the personalized-meditation flow after the in-app AI notice, turning on the Apple Health toggle, or choosing to send us a message that describes how you feel. You can withdraw consent at any time (Section 5).
HealthKit promise. Mindful-minutes that Settl writes to Apple Health are used only to log your practice in Apple Health. This data is never sold, never used for advertising or marketing, never used to train AI, and never shared with any third party. It stays in your Apple Health store under your control; we cannot read it back. This reflects both our commitment and Apple's HealthKit rules.
No HIPAA / not medical care. Settl is a consumer wellbeing app. We are not a HIPAA Covered Entity or Business Associate, and Settl does not provide medical advice, diagnosis, or treatment. Nothing in the app is a substitute for professional care.
7. Who we share it with — third parties and sub-processors
In short: A short, named list. Each company gets only what it needs to do its job. We do not sell your data to anyone.
We share personal data only with the service providers below, each acting as a processor or sub-processor under appropriate contractual terms, and only for the purpose stated. We maintain and review this list and will update it if it changes.
| Provider | Role | What it receives | Purpose |
|---|---|---|---|
| Apple | iCloud / CloudKit (your private database), App Store, Sign in with Apple, HealthKit | Your synced app data is stored in your own iCloud (we cannot read it); the App Store handles your purchase; Sign in with Apple provides your identifier, name, and email; HealthKit holds your mindful-minutes | Storage and sync to your devices, payment, authentication, health logging |
| RevenueCat, Inc. | Subscription management | Your App Store receipt/transaction, purchased product IDs, entitlement status, an app-user ID set to your Apple user identifier, and standard SDK device metadata | Validate and manage your premium subscription, restore purchases, and sync entitlement across your devices |
| Anthropic, PBC | AI script generation | The text prompt containing your chosen goal, mood-derived emotional state, your typed reflection, a system-set imagery field (not currently user-editable), and your first name (sent by default unless you turn name-addressing off) | Generate the wording of your personalized meditation |
| ElevenLabs, Inc. | AI voice synthesis (text-to-speech) | The generated meditation script (which contains your first name unless you turned name-addressing off) | Turn the script into spoken audio in a synthetic narrator voice |
| Fly.io (The Corporation for Public Internet, "Fly") | Backend hosting | The personalized-meditation request payload (processed in transit and in the machine's memory only) and any support message en route to our inbox | Run our stateless generation service and relay support email |
| Cloudflare, Inc. | Audio content delivery (R2) | Standard request metadata for anonymous audio streaming: your IP address, the requested file name, and user-agent | Stream guided-catalogue audio to your device |
| Resend, Inc. | Transactional email delivery | The contents of your support message, your reply-to email address, and the basic diagnostics attached to it | Deliver your support email to our inbox so we can reply |
| Sentry (Functional Software, Inc.) | Crash and error monitoring | Anonymous crash reports, unhandled errors, stack traces, basic device/app diagnostics, a small sample of performance timings, and non-personal breadcrumbs — with no account identifier, no stored IP address, and none of your typed content (stored in Sentry's EU region) | Diagnose crashes and errors so we can fix them and keep the app stable |
| PostHog, Inc. | Product analytics | Anonymous usage events (feature usage, practice starts/completions, paywall views, subscription starts) with basic device/app context and a random per-install identifier — with no account identifier, no stored IP address, no session recordings, and none of your typed content (stored on PostHog's EU cloud, Frankfurt); off switch in Settings | Understand which features are used so we can improve the app |
About the AI providers (Anthropic and ElevenLabs). Your inputs are used only to generate your meditation and are not used by Settl for any other purpose. Under our providers' API terms, the inputs we send them are not used to train or improve their AI models, and they process those inputs only to return the output we request. ElevenLabs synthesizes a generic, synthetic narrator voice from text — Settl does not capture, record, clone, or process your own voice, and we do not create a voiceprint of you.
The third-party SDKs bundled in the app are RevenueCat (subscriptions), Lottie (animation rendering, which sends nothing about you anywhere), Sentry (crash and error diagnostics — see the row above and Section 4.7), and PostHog (anonymous usage analytics — see the row above and Section 4.8). There are no advertising or attribution SDKs, and no advertising identifier. (Server-side processors such as Resend run on our backend rather than as SDKs inside the app; they are listed in the table above.)
We may also disclose data where strictly required by law, to comply with a valid legal request, or to protect our rights, safety, or the integrity of the service.
8. The personalized-meditation pipeline, explained in full
In short: When you create a personalized meditation, a small, pseudonymous package of your inputs is sent to generate it — then everything is deleted from our backend within about half an hour. Nothing about your account goes with it.
This is the one feature where sensitive inputs leave your device, so we explain it precisely.
What is sent. When you tap to create a personalized session, the app sends, over an encrypted connection, to our generation backend:
- your chosen goal;
- a mood-derived emotional state (from the mood pills you selected);
- your typed "what's on your mind" reflection (optional; capped at 1,000 characters);
- your session choices (technique, body-tension area, guidance density, guide persona, voice, duration), and a system-set imagery field (not currently user-editable);
- your first name — name-addressing is on by default, so your first name is sent unless you turn it off (you can do this per session);
- a random one-time request ID used to track that single generation.
What is not sent. No account identifier of any kind — no Apple user ID, no email, no device ID. At the backend, your request is therefore pseudonymous; your first name is the only directly identifying field, and it is sent by default unless you turn name-addressing off.
What happens next. The backend forwards your inputs to Anthropic to write the meditation script, then sends that script to ElevenLabs to synthesize the spoken audio. The finished audio is returned to your device and stored in your own iCloud so you can replay it; you can delete it at any time.
What the backend keeps — almost nothing. Our generation backend is stateless and in-memory. It uses no database and writes no inputs to disk. Your inputs, the script, and the audio live only in the running process's memory and are removed automatically: finished jobs are swept within about 30 minutes, and the audio download link expires after about 15 minutes, so the app downloads your audio immediately. Temporary rendering files are deleted as soon as the audio is read. Server logs record only sizes, counts, and timings — never your text or the script content.
Your consent. Before your inputs leave the device, you see an in-app notice that this feature sends your inputs to third-party AI to generate the session. Proceeding is your explicit consent (Section 6). If you don't want your inputs processed this way, simply don't use the personalized-meditation feature; every other part of Settl works without it.
9. International data transfers
In short: Some of our providers are based in the United States. Where they're certified under the EU-US Data Privacy Framework we rely on that; otherwise we use Standard Contractual Clauses.
Your data stored in iCloud and on your device stays under Apple's and your own control. We chose Sentry's EU region and PostHog's EU cloud (Frankfurt), so your crash, diagnostic, and anonymous usage data is stored within the EEA. Where we share data with providers outside the European Economic Area — including US-based providers such as RevenueCat, Anthropic, ElevenLabs, Fly.io, Cloudflare, Resend, Sentry, and PostHog (the latter two are US companies, though they store this data in their EU regions) — we rely on an appropriate transfer mechanism under Chapter V GDPR:
- the EU-US Data Privacy Framework (DPF) where the provider is certified under it; and
- the European Commission's Standard Contractual Clauses (SCCs) (with the UK Addendum and Swiss addendum where relevant) for any provider that is not certified under the DPF.
You can ask us which mechanism applies to a given provider, and request a copy of the relevant safeguards, by emailing hello@settl.co.
10. How long we keep things
In short: Your on-device and iCloud data stays until you delete it. Our backend keeps your personalized-meditation inputs for only about half an hour.
We keep personal data only as long as needed for the purpose it was collected for. In practice:
| Data | Retention |
|---|---|
| Everything stored on your device and in your iCloud (profile, preferences, practice and mood history, likes, flows, personalized scripts and audio) | Kept until you delete it — by removing individual items, by deleting your account in the app, or by signing out and removing the app's iCloud data. We cannot delete it for you because we cannot access it. |
| Personalized-meditation inputs, script, and audio on our backend | Held in memory only, then automatically removed within about 30 minutes (audio link expires in about 15 minutes) |
| Support correspondence (your message, email address, and diagnostics) | Held in our support inbox and by Resend per their retention; we keep it as long as needed to handle your request and keep a reasonable record, then delete it |
| Backend server logs (sizes, counts, timings — no user text) | Per our host's standard log retention; they contain no personal content, except that a failed support-email send may transiently log the reply-to email address |
| Guided-audio CDN request logs (IP, file name) | Per Cloudflare's standard edge-log retention |
| Crash and diagnostic reports held by Sentry | Retained about 30 days (our plan's retention window), then automatically deleted |
| Anonymous usage events held by PostHog | Retained on PostHog's EU cloud for up to about one year (our plan's retention window) |
| Subscription records held by Apple and RevenueCat | Per their policies and your relationship with them, and as required for tax/accounting purposes |
Mindful-minutes written to Apple Health are retained by Apple Health under your control, not by us.
11. Security
In short: Data is encrypted in transit, kept on need-to-know systems, and minimized by design — most of it never reaches us at all.
We take technical and organizational measures to protect your data:
- Encryption in transit. All connections between the app and our backend, the AI providers, and the audio CDN use HTTPS/TLS. Syncing to your iCloud is encrypted by Apple.
- Data minimization by design. The architecture itself is the strongest control: your account data, history, and moods stay on your device and in your own iCloud, which we cannot read. The generation backend sends no account identifier and keeps nothing. The two deliberate exceptions are the personalized-meditation inputs (held only in memory, then deleted — Sections 8 and 10) and any support message you choose to send us (Section 4.6).
- Credential protection. Sign-in secrets are stored in the device Keychain, not on a Settl server. Your payment details are handled only by Apple.
- Access control. App-to-backend requests are authenticated, and access to our limited operational systems is restricted on a need-to-know basis.
- Ephemeral processing. The personalized-meditation backend holds inputs only in memory and deletes them automatically (Sections 8 and 10).
No method of transmission or storage is ever completely secure, and we can't guarantee absolute security. If we become aware of a personal-data breach that affects you, we will act in line with our obligations under the GDPR, including notifying the supervisory authority and, where required, you.
12. What we do not do
In short: No selling, no tracking, no ads. We mean it.
To be unambiguous:
- We do not sell your personal data — to anyone, ever.
- We do not track you across other apps or websites. Settl contains no advertising SDKs, no attribution SDKs, and no advertising identifier (IDFA). Our two measurement SDKs — Sentry (anonymous crash and error reports) and PostHog (anonymous usage statistics, with an off switch in Settings) — are not linked to your identity, do not follow you outside Settl, and feed no advertising or data-broker system. Settl does not present an App Tracking Transparency prompt because it does nothing that would require one.
- We do not combine your data with third-party data for targeted advertising or advertising measurement, and we do not share your data with data brokers.
- We do not use your health, mood, or HealthKit data for advertising, marketing, profiling, or to train AI.
13. Your rights
In short: You have the full set of GDPR rights. Most of them you can exercise yourself, right inside the app.
Under the GDPR you have the right to:
- Access — get a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — have your data deleted.
- Restriction — limit how we process your data in certain cases.
- Portability — receive certain data in a structured, machine-readable format, or have it transferred.
- Objection — object to processing based on our legitimate interests.
- Withdraw consent — at any time, where we rely on your consent (this does not affect prior processing).
- Complain — to a supervisory authority, including UODO (Section 1).
How to exercise them. Because most of your data lives on your own device and iCloud, the fastest route is usually in the app:
- Access and portability — your full practice and personalized-meditation history is visible in the app and synced to your own iCloud.
- Rectification — edit your profile and preferences in Settings.
- Erasure — delete individual items, or delete your entire account and its data from the app (Section 16).
- Withdraw consent — turn off the Apple Health toggle, stop using the personalized feature, or delete the relevant entries.
- Object to analytics — turn off Share anonymous usage analytics in Settings → Integrations & Privacy; the app stops sending usage events immediately (Section 4.8).
For anything you can't do yourself — or to ask us a question — email hello@settl.co. We will respond within one month, as the GDPR requires (extendable by two further months for complex requests, in which case we'll tell you). We won't charge you, except where a request is manifestly unfounded or excessive. We may need to verify your identity before acting, to protect your data.
14. US state privacy notices
In short: For users in the United States — we still don't sell or share your data, and we honor the consumer-health protections of states like California and Washington.
These notices supplement the rest of this policy for users in the United States.
California (CCPA/CPRA). Over the preceding 12 months we have not sold and have not shared (for cross-context behavioral advertising) any personal information, and we do not do so now. We do not use or disclose sensitive personal information for any purpose other than providing the features you ask for. California residents have the rights to know, access, correct, and delete their personal information, to opt out of sale/sharing (not applicable, as we do neither), to limit the use of sensitive personal information, to non-discrimination for exercising these rights, and to appeal a decision. You may exercise these rights using the in-app tools above or by emailing hello@settl.co. Because we do not sell or share, there is no "Do Not Sell or Share My Personal Information" mechanism to operate, but we honor opt-out preference signals (such as Global Privacy Control) where they apply.
Washington "My Health My Data" Act (and similar consumer-health laws, e.g. Nevada). Mood entries, your typed reflections, and related wellbeing inputs may qualify as consumer health data. We collect such data only to provide the features you use, with your consent; we do not sell it, do not share it for advertising, and do not use it for any purpose unrelated to delivering Settl. Consumer-health data stays on your device and in your own iCloud, except for the transient, pseudonymous processing needed to generate a personalized meditation (Section 8) and anything you choose to include in a support message (Section 4.6). We collect and process your consumer health data only with your consent, and you may withdraw that consent, and exercise your rights to access and delete that data, via the in-app tools above or by emailing hello@settl.co. Nevada residents have comparable rights over covered health data and may contact us the same way.
15. Children
In short: Settl is for adults. It isn't directed to children, and we don't knowingly collect their data.
Settl is intended for adults. You must be 18 or older to use the app and agree to our Terms of Service (and 16 or 17 only with the consent of a parent or guardian where local law allows). Settl is not directed to children, and we do not knowingly collect personal data from anyone under 16 (the age of digital consent under Polish law). If you believe a child under 16 has provided us with personal data, please contact hello@settl.co and we will delete it. Note that, by design, a child's app data would live only on their own device and iCloud, which we cannot access.
16. Deleting your account and data
In short: You can delete everything from inside the app. It permanently removes your profile and all associated data from your device and your iCloud. We can't disconnect Sign in with Apple for you, but we show you how to do it.
Settl offers in-app account deletion. In the app, open Profile / Settings and choose to delete your account. This:
- permanently removes your profile and all associated data from your device; and
- syncs that removal to delete the same data from your iCloud (CloudKit) private database (your device needs to be online and synced for the deletion to propagate).
Deletion is permanent — it is not a temporary deactivation. Because your data lives only on your device and your own iCloud (which we cannot read), deletion is something you complete from your device. Any audio cached on your device for offline playback is cleared when you delete the Settl app from your device. Personalized-meditation inputs you previously generated were already removed from our backend automatically within about 30 minutes (Section 8), so there is nothing for us to delete server-side.
Sign in with Apple. Settl cannot revoke your Sign in with Apple credential — Apple does not allow apps to do this programmatically, and Settl has no account server that could. Deleting your account in Settl therefore does not, on its own, end that connection on Apple's side. To stop using your Apple ID with Settl, go to iOS Settings → [your name] → Sign-In & Security → Sign in with Apple → Settl → Stop Using Apple ID.
Subscription records held by Apple and RevenueCat are governed by their policies; manage or cancel your subscription through your Apple ID settings, and contact us at hello@settl.co if you also want a RevenueCat-side deletion request raised.
17. Changes to this policy
In short: If we change anything important, we'll tell you in the app and update the date at the top.
We may update this policy from time to time — for example, if we add a feature or change a provider. When we make a material change, we will notify you in the app and update the "Last updated" date above. Your continued use of Settl after a change takes effect means you accept the updated policy. We keep prior versions available on request.
18. How to reach us
In short: One address for everything privacy-related.
For any privacy question or request, or to exercise your rights:
- Email: hello@settl.co
- Provider: Genesso FMCG Jacek Kotowski, al. Katowicka 7, Wolica 05-830, Poland
- Website: settl.co
- Supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, Poland — uodo.gov.pl