Privacy Policy
VirWave ("we," "us," or "our") operates the VirWave mobile application (the "App"). This Privacy Policy explains how we collect, use, and protect your information when you use the App.
By using VirWave, you agree to the collection and use of information as described in this policy.
1. Information We Collect
Information you provide directly
- Account information. When you create an account, we collect your email address and optional display name. You may also sign in using Google or Apple, in which case we receive the name and email associated with that account.
- Event interest information. If you sign up for early access or event updates, we collect your email address, optional name, and your consent preferences. This information is stored separately from your app account.
- Journal entries. If you use the journaling feature, your entries (text, mood, and tags) are stored in your account. Journal content is private to you and is never shared with other users or third parties.
- Breathing session data. We record basic session metadata (duration, shape used, completion status) to support your session history. No biometric or health sensor data is collected.
- Connections. If you connect with another VirWave user via a share code, we store the connection relationship. We do not access the other user's journal, sessions, or settings.
- Emotional intelligence self-assessments. If you complete the optional reflective questionnaire, we store your responses to short questions answered on a 1–5 scale, covering emotional awareness and stress patterns. Your responses are timestamped, private to you, and never shared with other users. We use them to personalise your experience and to derive your Archetype Portrait.
- Daily emotional check-ins. If you use the daily check-in feature, we store your optional symbolic entry for each day: a colour representing your emotional state, an animal metaphor, and an optional response to a reflective question. This creates a personal calendar history. Check-in data is private to you and never shared.
- Group participation. If you create or join a group (Partner, Friends, Family, or Work), we record your membership status and the timestamp of your consent to join. We do not share your individual session data, journal entries, or self-assessment responses with group members. Your membership status (active, pending, or declined) is visible to the group creator.
Information derived automatically from your use of the App
- Behavioral analysis signals. After each breathing session, we automatically derive aggregate signals from your session history: total session count, your typical time of day for sessions, average session duration, regulation style (reactive, proactive, or mixed), and shape preference (structured, open, or mixed). You never enter this data directly — it is inferred from your session patterns. It is stored in your account and updated after each session.
- Archetype Portrait — public layer. Using your session patterns and self-assessment responses, we automatically derive a two-word personality archetype (for example, "Grounded Explorer"). You can choose to share this with your connections. This is automated profiling — see the section below on automated processing for your rights.
- Archetype Portrait — private layer. We also derive a deeper inner portrait from the same data, offering more nuanced insight into your patterns. This layer is always private to you and is never visible to other users unless you explicitly enable sharing in Settings.
- Bridge trigger signals. When your connection activity patterns suggest that you or a connection may benefit from outreach, the App generates a time-limited prompt (for example, "check in with Alex"). These prompts are based on aggregate behavioral signals — not the content of individual sessions or journal entries. Prompts expire automatically after 48 hours. The composite score that drives these signals is internal and is never displayed to any user, including you.
Information collected automatically
- Device push tokens. If you opt in to notifications, we collect your device push token to send you app updates. You can revoke this at any time through your device settings.
- Anonymous usage analytics. With your consent, we collect anonymous, non-identifying usage events (such as which features are opened and session completion) to improve the App. Analytics consent can be toggled in Settings at any time. We do not use third-party advertising or tracking SDKs.
Information we do NOT collect
- We do not collect health, biometric, or sensor data.
- We do not collect location data.
- We do not collect contact lists or phone numbers.
- We do not use cookies or web tracking in the App.
- We do not sell, rent, or trade your personal information to third parties.
2. How We Use Your Information
We use the information we collect to:
- Provide and maintain the App's core features (breathing sessions, journal, connections, settings).
- Save your preferences and breathing configurations across devices.
- Send you app updates and early-access notifications if you opted in.
- Improve the App based on anonymous, aggregated usage patterns.
- Respond to support requests.
- Personalise your experience and derive your Archetype Portrait from your session history and self-assessment responses.
- Generate time-limited connection prompts designed to encourage mutual support between you and your connections.
Automated processing
We use automated processing to derive your Archetype Portrait from your session and self-assessment data. This processing does not produce any legal effects or similarly significant effects on you — it is used solely to personalise your in-app experience. Under GDPR Art. 22, if you are located in the EEA or UK, you have the right to object to this processing and to request human review. Contact us at info@virwave.com to exercise this right.
3. How We Store and Protect Your Information
- All user data is stored in Supabase, a cloud database platform with encryption at rest and in transit.
- Row-Level Security (RLS) policies ensure that each user can only access their own data. No user can read, modify, or delete another user's records.
- Authentication is handled through Supabase Auth with support for email/password, Google, and Apple sign-in.
- We do not store passwords in plain text.
4. Data Sharing
We do not share your personal information with third parties except in the following limited circumstances:
- Service providers. We use Supabase for data storage and authentication, and Expo (EAS) for push notifications. These providers process data on our behalf and are bound by their own privacy policies.
- Legal requirements. We may disclose information if required by law, regulation, or legal process.
We do not sell your data. We do not share data with advertisers.
5. Your Rights
You have the following rights regarding your data:
- Access and export. You can export all of your VirWave data at any time from Settings > Data & Privacy > Export My Data.
- Deletion. You can permanently delete your account and all associated data from Settings > Data & Privacy > Delete Account. Deletion is immediate and irreversible.
- Consent withdrawal. You can withdraw marketing or analytics consent at any time through the App's Settings screen or by contacting us.
- Correction. You can update your profile information at any time within the App.
- Object to automated profiling. You can object to the automated processing used to derive your Archetype Portrait and request human review of that processing. Contact us at info@virwave.com to exercise this right.
For event-interest contacts who have not created an account: you may request deletion, export, or consent withdrawal by emailing us at the address below.
6. Data Retention
- Account data is retained as long as your account is active. When you delete your account, all associated data is permanently removed.
- Session-derived data (behavioral analysis signals, Archetype Portrait layers, emotional intelligence self-assessment responses, daily emotional check-ins, and bridge trigger signals) is retained while your account is active and permanently deleted when you delete your account.
- Event interest data is retained for up to 12 months after collection. If you do not convert to an active user within that period, your contact information is deleted.
- Anonymous analytics data is retained in aggregated, non-identifying form and cannot be linked back to individual users.
7. Children's Privacy
VirWave is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
8. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. Continued use of the App after changes constitutes acceptance of the updated policy.
9. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
Email: info@virwave.com
10. International Users
European Economic Area, United Kingdom, and Switzerland
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following applies in addition to the information above.
Legal basis for processing
We process your personal data under the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR): account data, breathing sessions, journal entries, connection data, and the personalisation features introduced with the full app release — including behavioral analysis signals, Archetype Portrait derivation, emotional intelligence self-assessments, daily check-ins, group participation, and bridge trigger signals — are processed to provide the App's features you have requested.
- Consent (Art. 6(1)(a) GDPR): analytics data and push notification tokens are processed only with your explicit consent, which you can withdraw at any time in Settings.
- Legitimate interests (Art. 6(1)(f) GDPR): we may process minimal data necessary to maintain the security and integrity of the App, where these interests are not overridden by your rights.
International data transfers
Your data is stored and processed in the United States via Supabase (Supabase Inc.). Transfers of personal data from the EEA or UK to the US are made under appropriate safeguards, including Standard Contractual Clauses approved by the European Commission. For more information, see Supabase's Privacy Policy.
Your rights under GDPR
In addition to the rights described in Section 5, EEA and UK users have the right to:
- Restrict processing. Request that we restrict processing of your data in certain circumstances.
- Data portability. Receive your personal data in a structured, commonly used, machine-readable format.
- Object. Object to processing based on legitimate interests.
- Object to automated profiling. Under Art. 22 GDPR, object to automated processing used to derive your Archetype Portrait and request that a human review that processing. Contact us at info@virwave.com to exercise this right.
- Lodge a complaint. File a complaint with your local data protection supervisory authority. In the EU, this is the authority in the member state where you reside, work, or where the alleged infringement occurred. In the UK, this is the Information Commissioner's Office (ico.org.uk).
The data controller is VirWave OAM. For data protection inquiries or to exercise your rights, contact us at info@virwave.com. We will respond within 30 days.
Canada
If you are located in Canada, we collect, use, and disclose your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. You have the right to access your personal information and to request correction of inaccuracies. To exercise these rights, contact us at info@virwave.com.
Australia
If you are located in Australia, we handle your personal information in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles. You have the right to access and correct your personal information held by us. To make a privacy complaint, contact us at info@virwave.com. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (oaic.gov.au).
VirWave is built by VirWave OAM.