This Privacy Policy explains how Charos S.r.l. ("Charos", "we", "us") collects, uses, and protects your personal data when you use Progredi. We act as the data controller under the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).
Charos S.r.l., Italy - charossrl@gmail.com
When you register, we collect:
Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
When you complete check-ins, we collect mood, sleep quality, stress, focus, and energy ratings, KSS scores, games played, session duration, time of day, habit streaks, and reward points.
This data is health-adjacent personal data under Art. 9 GDPR. By voluntarily entering it, you explicitly consent to its processing (Art. 9(2)(a) GDPR). You may withdraw consent at any time by deleting your account.
Device OS and version, authentication tokens (short-lived JWTs stored in encrypted device storage), and app error logs if crash reporting is enabled.
Legal basis: legitimate interest in maintaining service security (Art. 6(1)(f) GDPR).
Your subscription status (active/inactive) is received from RevenueCat. We do not process or store payment card information; all payments are handled by Apple App Store or Google Play.
| Purpose | Legal basis |
|---|---|
| Creating and managing your account | Contract (Art. 6(1)(b)) |
| Delivering session check-ins and history | Contract (Art. 6(1)(b)) |
| Generating AI Coach insights | Contract + Consent (Art. 6(1)(b), Art. 9(2)(a)) |
| Managing your Premium subscription | Contract (Art. 6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not sell your data. We do not use your data for advertising.
The AI Coach transmits a summary of your session data to OpenAI, L.L.C. (USA) to generate personalised insights. OpenAI acts as a data processor under a Data Processing Agreement. Under our agreement, your data is not used by OpenAI to train its models.
| Processor | Purpose | Location |
|---|---|---|
| Google Firebase | Authentication and token storage | EU / USA |
| OpenAI | AI Coach insight generation | USA |
| RevenueCat | Subscription management | USA |
| AWS (via Supabase) | Database hosting | USA |
| Railway | Application server hosting | USA |
| Apple App Store / Google Play | Payment processing | USA |
International transfers to US-based processors are governed by Standard Contractual Clauses (Art. 46(2)(c) GDPR) or the EU–US Data Privacy Framework.
To exercise any right, email charossrl@gmail.com. We will respond within 30 days.
You may also lodge a complaint with the Italian supervisory authority: Garante per la Protezione dei Dati Personali (garanteprivacy.it).
If you are a California resident, you have the right to know what data we collect, to delete it, and to opt out of its sale. We do not sell personal information. Contact us at charossrl@gmail.com to exercise these rights.
The App is not directed to children under 13. We do not knowingly collect data from anyone under 13. If we become aware of such data, we will delete it promptly. Users aged 13–15 in the EU must have parental consent. Parents may contact us at charossrl@gmail.com.
We implement HTTPS/TLS encryption, cryptographically hashed passwords, short-lived JWT tokens stored in encrypted device storage, and server-side access controls. No internet transmission is 100% secure; you use the App at your own risk.
Material changes will be communicated in-app at least 14 days before taking effect. Continued use after the effective date constitutes acceptance.
Charos S.r.l., Italy
charossrl@gmail.com
To request data access, correction, or deletion, email us with the subject line "GDPR Request".