Privacy Policy

Last updated: March 2026

TATU, TOO ("Dihalé," "we," "our," or "us"), a company registered in the Republic of Kazakhstan, operates the Dihalé mobile application ("App"). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our App.

1. Information We Collect

We collect only the minimum data necessary to provide our services:

• Account Information: Email address and display name when you create an account. Authentication is handled by Firebase Authentication (Google LLC). If you sign in via Google or Apple, we receive only your email and name — never your password.
• Profile Data: Optional information you choose to provide, such as a profile picture (stored on our cloud storage).
• Usage Data: Listening history, favorite tracks, ritual completions, and session durations to personalize your experience and provide recommendations.
• Device Information: Device type, operating system version, app version, and language preference for technical support and analytics.
• Push Notification Tokens: If you enable notifications, we store your device push token to deliver reminders you configure.

2. Information We Do NOT Collect

• We do not collect advertising identifiers (IDFA/GAID) or track you across other apps.
• We do not collect precise location data.
• We do not access your contacts, photos (except when you explicitly choose a profile picture), health data, or financial information.
• Diary entries in our "Burning Letters" feature are never stored — text exists only on your device during the ritual and is discarded immediately (privacy by design).

3. How We Use Your Information

• Providing Services: To maintain your account, sync preferences, and deliver audio content.
• Personalization: To recommend content based on your listening history and time of day.
• Analytics: To understand how the App is used and improve our features (via self-hosted Umami — no data shared with third parties).
• Crash Reporting: To identify and fix technical issues (via Sentry — minimal device/error data only).
• Communication: To respond to your feedback and support requests.

4. Third-Party Service Providers

We use the following trusted service providers to operate the App. They process data on our behalf under strict data protection agreements:

• Firebase Authentication (Google LLC): Account authentication and identity verification.
• Timeweb Cloud: Server hosting (VPS) and S3 object storage for audio/image content. Servers located in Russia.
• Umami Analytics: Self-hosted, privacy-focused analytics. No personal data leaves our server. No cookies, no cross-site tracking.
• Sentry: Crash and error monitoring. Receives only technical error data, device type, and OS version.
• Apple / Google: In-app purchase processing (subscription payments are handled entirely by the platform; we do not receive or store payment details).

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.

5. Data Retention

• Account data is retained as long as your account is active.
• Usage data (listening history, analytics) is retained for up to 24 months.
• When you delete your account, all associated personal data is permanently removed within 30 days.

6. Your Rights

Regardless of your location, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your account and all associated data. You can request account deletion directly within the App (Profile → Settings) or by emailing us.
• Export your data in a portable format upon request.
• Withdraw consent at any time where processing is based on consent.

7. European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland:

• Our legal bases for processing are: contract performance (providing the service), legitimate interest (analytics, security), and consent (notifications).
• You have additional rights including the right to restrict processing and the right to lodge a complaint with your local data protection authority.
• Data transfers outside the EEA are protected by appropriate safeguards.

8. California Users (CCPA)

If you are a California resident, you have the right to:

• Know what personal information we collect and how it is used.
• Request deletion of your personal information.
• Opt out of the sale of personal information — we do not sell your data.
• Non-discrimination for exercising your privacy rights.

9. Children's Privacy

The App is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly.

10. Data Security

We implement industry-standard security measures including encrypted data transmission (HTTPS/TLS), secure authentication tokens, rate limiting, and regular security audits. However, no method of transmission over the Internet is 100% secure.

11. Changes to This Policy

We may update this privacy policy from time to time. The updated version will be indicated by the "Last updated" date above. We encourage you to review this page periodically.

12. Contact Us

If you have any questions about this privacy policy or wish to exercise your rights, please contact us at feedback@dihale.app.