Crystal Ritual Privacy Policy
Effective Date: September 4, 2025
Last Updated: September 4, 2025
This Privacy Policy explains how Crystal Ritual ("Crystal Ritual," "we," "us," or "our") collects, uses, and protects information when you use our iOS app built with React Native/Expo.
Information We Collect
• Account Data: Email address, Firebase user ID, optional display name, verification status, created/updated timestamps. If you sign in with Apple, Apple may share your name and email on first consent; we store your email and optional display name.
• Profile and Onboarding: First name, device timezone, crystal familiarity, spiritual practices, goals. You may optionally provide birth details (date, time with accuracy, city/region/country) to personalize future astrological features.
• Practice Data: Crystal sessions you start, ritual dates, streak counts and milestones, unlock history, and optional “future message” to yourself.
• Journal Entries (optional): Daily feeling and intention associated with a crystal session.
• Feedback: Rating, free‑form comments, ritual count when submitted, crystal type, context (e.g., which step), and platform (iOS).
• Device/App Data: App version and platform (iOS). We may read motion sensor state (with your permission) to auto‑start meditation; we do not store raw motion sensor streams.
• Analytics Events: Screen views and in‑app actions (e.g., onboarding steps, crystal taps) sent to our analytics provider. Events are associated with your account to help us improve the product.
How We Use Information
• Provide the Service: Authenticate accounts, sync content, and render your crystals, rituals, and journal.
• Improve and Diagnose: Measure feature usage and stability, and prioritize improvements.
• Communicate: Send service notices or respond to support/feedback requests.
• Safety and Integrity: Detect abuse and enforce our terms.
Where Data Lives
• Firebase (Google Cloud): Authentication, Firestore database, and Storage for app data. Data is encrypted in transit and at rest. Access is restricted to authorized personnel under least‑privilege.
• PostHog (US region): Product analytics for screens/events. We identify events with your app user ID so we can understand flows and improve features. PostHog also receives network metadata (e.g., IP address) as part of normal request logs.
• Your Device: Local caching and drafts (e.g., onboarding progress) in AsyncStorage to support performance and offline use.
Social and Visibility (Covens)
• Covens: If you join a coven, some of your user document may be readable by other members to enable social features. Today this can include your display name. Do not add sensitive information in your name you would not want other coven members to see. We are working toward additional field‑level protections for sensitive data.
Sharing and Disclosure
• Service Providers: Google Firebase (hosting/auth/database) and PostHog (analytics). Sign in with Apple routes your Apple identity token through Firebase solely to authenticate you.
• No Sale or Ads: We do not sell your personal information and we do not use third‑party advertising networks. We do not sell or share personal information (as defined by the CPRA).
• Legal/Compliance: We may disclose information when required by law or to protect users and the service.
Your Choices and Rights
• Access and Correction: You can view and update your account info in the app. Contact us for access to a copy of your data.
• Deletion: Use Settings → Delete Account to remove your account and associated Firestore data (user document, crystal sessions, journal entries). Deletion of analytics events is available on request.
• Analytics: If you prefer not to have your events associated with your account, contact us and we will disable identification for your profile going forward.
Legal Bases (EEA/UK)
Where EU/UK data protection laws apply, we process personal data under these legal bases:
• Contract: To create and manage your account, sync your content, and provide the core Service.
• Consent: For optional features you choose, such as birth details for astrological personalization and motion sensor access. You can withdraw consent at any time in device settings or by contacting us; some features may stop working.
• Legitimate Interests: To improve and secure the Service (product analytics, troubleshooting, abuse prevention). We balance these interests against your rights and expectations.
• Legal Obligation: To comply with applicable laws and enforce our terms.
California Privacy (CPRA)
• We do not “sell” or “share” personal information as defined by the CPRA, and we do not use cross‑context behavioral advertising.
• Categories collected may include: identifiers (e.g., email, user ID), internet/network activity (analytics logs), usage data (in‑app events), and geolocation components you optionally provide for birth place (city/region/country and coordinates). Sensitive personal information (e.g., precise location within birth details) is used only to provide the requested feature and not to infer unrelated characteristics.
• Your rights: to know, access, correct, delete, and to limit use of sensitive personal information (where applicable). You may also opt‑out of any future sale/share if our practices change. Submit requests at hello@theflowershop.tech. We will not discriminate against you for exercising your rights.
Retention
• Account and Content: Kept while your account is active. When you delete your account, we delete associated Firestore records. Backups and logs may persist for a limited period as part of routine operations.
• Analytics: Kept only as long as needed for product improvement and safety, then deleted or aggregated.
• Feedback: Retained to address issues and improve the product.
Children’s Privacy
Crystal Ritual is not directed to children under 13. We do not knowingly collect personal information from children under 13; if we learn we have, we will delete it.
International Transfers
We operate in the United States. Your information may be processed in the U.S. and other countries where our providers operate. We rely on appropriate safeguards provided by our processors for such transfers.
Security
We use industry‑standard protections including TLS in transit, encryption at rest in Firebase, authentication and authorization rules in Firestore, and role‑based administrative access. No method of transmission or storage is 100% secure, but we continuously improve our safeguards.
Changes to This Policy
We may update this Policy to reflect changes in our product or laws. We will update the "Last Updated" date and, where appropriate, provide additional notice in‑app.
Contact
Email: hello@theflowershop.tech
Website: https://crystalritual.app
If you are in the EEA/UK or California, you may have additional rights under local law. Contact us and we will help you exercise those rights.